From 66c9372dd24cc28411b88a938d701560335b1b43 Mon Sep 17 00:00:00 2001
From: Shourie Ganguly
Date: Fri, 7 Jun 2024 12:10:29 +0530
Subject: [PATCH 01/30] added support for new user inventory info event class and updated incomplete mappings
---
packages/amazon_security_lake/changelog.yml | 5 +
.../discovery/fields/actor-fields.yml | 1716 +++++++++++++++
.../data_stream/discovery/fields/fields.yml | 1667 +--------------
.../discovery/fields/user-fields.yml | 250 +++
.../_dev/test/pipeline/test-discovery.log | 1 +
.../pipeline/test-discovery.log-expected.json | 571 +++++
.../elasticsearch/ingest_pipeline/default.yml | 17 +-
.../ingest_pipeline/pipeline_object_user.yml | 32 +
.../data_stream/event/fields/actor-fields.yml | 1897 +++++++++++++++++
.../data_stream/event/fields/fields.yml | 1749 +--------------
.../data_stream/event/fields/user-fields.yml | 256 +++
packages/amazon_security_lake/docs/README.md | 126 +-
packages/amazon_security_lake/manifest.yml | 2 +-
13 files changed, 4875 insertions(+), 3414 deletions(-)
create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/event/fields/user-fields.yml
diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml
index 4873164d0a95..99c9de6cc695 100644
--- a/packages/amazon_security_lake/changelog.yml
+++ b/packages/amazon_security_lake/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.0.0"
+ changes:
+ - description: Updated to support OCSF v1.1.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1111
- version: "1.2.0" changes: - description: Update manifest format version to v3.0.3.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
new file mode 100644
index 000000000000..09dd99e71376
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
@@ -0,0 +1,1716 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. 
+ - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
+ - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. 
+ - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
+ - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. 
+ - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
+ - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' 
+ - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. 
+ - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. 
+ - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. 
+ - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. 
+ - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. 
+ - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. 
+ - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username.
For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined.
For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization.
For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index 6147dba2ae12..e8dd58eadca4 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
@@ -7,1662 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. 
- - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. 
GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
 - name: api
 type: group
 fields:
@@ -1761,7 +105,7 @@
 description: The rule version.
 - name: class_name
 type: keyword
- description: 'The event class name, as defined by class_uid value: Security Finding.'
+ description: 'The event class name, as defined by class_uid value: Security Finding, User Inventory Info.'
 - name: class_uid
 type: keyword
 description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
@@ -2176,6 +520,12 @@
 - name: metadata
 type: group
 fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
 - name: correlation_uid
 type: keyword
 description: The unique identifier used to correlate events.
@@ -2263,6 +613,9 @@
 - name: version
 type: keyword
 description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
 - name: profiles
 type: keyword
 description: The list of profiles used to create the event.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml
new file mode 100644
index 000000000000..ac4e1b543f6f
--- /dev/null
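Review bot: The description added for `tenant_uid` in the `metadata` hunk, `The audit level at which an event was generated.`, describes an audit level rather than a tenant identifier, so the two new descriptions appear to have been swapped: that sentence belongs to `log_level`, and `tenant_uid` should read `description: The unique tenant identifier.`. Since tenant_uid is the field an analyst would use to scope queries and detection rules to one tenant in a multi-tenant lake, a misleading description makes it easy to pick the wrong field. The surrounding `metadata` group starts outside this hunk.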
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml 
@@ -0,0 +1,250 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log
index 02aa10f13f38..0dd594d1a16a
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log
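Review bot: In the new user-fields.yml, `manager.account.type_id` and `manager.type_id` are mapped as `type: integer` while the same attributes directly under `user` (`user.account.type_id`, `user.type_id`) and every other `type_id` in this patch are `type: keyword`; one OCSF attribute should not change index type with nesting, because a query or detection rule written against `ocsf.user.type_id` will not behave the same on the manager copy, and a non-numeric source value would be rejected at index time for the integer field. Change both lines to `type: keyword`. The `ldap_person` timestamps (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) declare `format: epoch_second`, whereas the sample events in this patch carry OCSF timestamps in milliseconds (`"time":1695277679358`); unless the ingest pipeline scales these values before indexing, they will be parsed as seconds and land far in the future, so confirm the conversion or drop `format:` to match the other `type: date` fields. `description: Manager` on the manager group repeats the field name; something like `description: The user's manager, represented with the same attributes as the user object.` would tell a reader what the nested fields mean.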
@@ -1,2 +1,3 @@ {"count":73,"message":"flags feel absolute","cis_benchmark_result": {"rule": {"category": "descidhscate", "desc": "rule_description", "name": "rule_name", "uid":"rule123", "version": "0.1.0"}},"status":"creativity","time":1695277679358,"device":{"name":"ranked murder listing","type":"Desktop","ip":"81.2.69.142","uid":"023e2564-5848-11ee-9c42-0242ac110005","hostname":"lucas.pro","type_id":2,"subnet":"49.28.0.0\/16","autoscale_uid":"023de734-5848-11ee-b193-0242ac110005","instance_uid":"023dec02-5848-11ee-8203-0242ac110005","interface_name":"jerry street buried","interface_uid":"023e1a06-5848-11ee-89c6-0242ac110005","region":"inline contains milwaukee","risk_level":"russell customized absolutely","risk_score":36,"uid_alt":"burst premier reverse","vpc_uid":"023e205a-5848-11ee-a8d6-0242ac110005","modified_time_dt":"2023-09-21T06:27:59.357977Z","first_seen_time_dt":"2023-09-21T06:27:59.356353Z"},"metadata":{"version":"1.0.0","extension":{"name":"chess entry productive","version":"1.0.0","uid":"023dccfe-5848-11ee-8227-0242ac110005"},"product":{"name":"legal subsidiary eleven","version":"1.0.0","path":"financial spot tennis","uid":"023dd33e-5848-11ee-aa6d-0242ac110005","vendor_name":"assumes podcast went"},"profiles":["cloud","container","datetime","host"],"correlation_uid":"023dd7c6-5848-11ee-9d4d-0242ac110005","log_provider":"reliance trust interim","original_time":"database darwin area","processed_time_dt":"2023-09-21T06:27:59.356124Z"},"severity":"Fatal","type_name":"Device Config State: Collect","activity_id":2,"type_uid":500202,"category_name":"Discovery","class_uid":5002,"category_uid":5,"class_name":"Device Config State","timezone_offset":0,"activity_name":"Collect","cloud":{"org":{"uid":"023dbdcc-5848-11ee-bd54-0242ac110005","ou_name":"determined apr sheets"},"provider":"mathematical inclusive insured","region":"gravity bids tennis"},"enrichments":[{"data":{"inexpensive":"abddfg"},"name":"preview belarus licking","type":"separation passes 
distance","value":"magnitude cancellation weed","provider":"surgical disaster individually"}],"severity_id":6,"status_id":99} {"message":"poster thongs assumptions","status":"Success","time":1695277679358,"device":{"name":"craig functioning literally","type":"Laptop","os":{"name":"spy chronic casual","type":"Android","version":"1.0.0","build":"dozen oval removing","type_id":201,"lang":"en","edition":"nightmare engineers carter"},"location":{"desc":"Reunion","city":"Porcelain senior","country":"RE","coordinates":[-161.6608,-47.0418],"continent":"Africa"},"uid":"7f256308-584d-11ee-8de0-0242ac110005","image":{"name":"saudi enhanced surgical","uid":"7f2554b2-584d-11ee-b26b-0242ac110005"},"mac":"C6:49:F0:76:1D:13:CE:F7","type_id":3,"autoscale_uid":"7f25415c-584d-11ee-b3fc-0242ac110005","hw_info":{"cpu_bits":66},"instance_uid":"7f254ea4-584d-11ee-a68f-0242ac110005","interface_name":"watt profile rs","is_personal":false,"last_seen_time":1695277679358,"region":"airport leaves kitchen","risk_level":"organizational economic connecticut"},"metadata":{"version":"1.0.0","product":{"name":"butterfly knight log","version":"1.0.0","uid":"7f25336a-584d-11ee-b2a5-0242ac110005","lang":"en","vendor_name":"disciplinary rec report"},"profiles":["cloud","container","datetime","host"],"event_code":"spelling","log_name":"len falling educational","log_provider":"tales asset extremely","log_version":"learners headlines linear","original_time":"programmers less barcelona","processed_time":1695280036393},"severity":"Critical","type_name":"Device Inventory Info: Collect","activity_id":2,"type_uid":500102,"category_name":"Discovery","class_uid":5001,"category_uid":5,"class_name":"Device Inventory Info","timezone_offset":65,"activity_name":"Collect","cloud":{"org":{"name":"black lets promotions","ou_name":"recover sol revolutionary"},"provider":"mod force sailing","region":"ticket resident buried"},"enrichments":[{"data":{"nintendo":"abcd"},"name":"visual mv bottom","type":"calibration basics 
quebec","value":"alice stick spray","provider":"lucy permanent trips"}],"severity_id":5,"status_code":"vancouver","status_id":1,"start_time_dt":"2023-09-21T07:07:16.394812Z"} +{"activity_id":1,"activity_name":"Login Attempt","actor":{"authorizations":[{"decision":"allow","policy":{"desc":"Allow login","group":{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"},"name":"Login Policy","uid":"pol101","version":"1.0"}}],"idp":{"name":"IDP Service","uid":"idp101"},"invoked_by":"web_app","process":{"cmd_line":"/usr/bin/login","created_time":1672444800,"file":{"accessed_time":1672531200,"accessor":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":null,"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"},"attributes":777,"company_name":"Example Corp","confidentiality":"high","confidentiality_id":2,"created_time":1672444800,"creator":null,"desc":"Login script","hashes":[{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}],"is_system":true,"mime_type":"application/x-sh","modified_time":1672444800,"modifier":null,"name":"login.sh","owner":null,"parent_folder":"/usr/bin","path":"/usr/bin/login.sh","product":null,"security_descriptor":"D:P(A;;FA;;;BA)","signature":{"algorithm":"RSA","algorithm_id":1,"certificate":{"created_time":1577836800,"expiration_time":1893456000,"fingerprints":[{"algorithm":"SHA-1","algorithm_id":3,"value":"abc123"}],"issuer":"Example CA","serial_number":"123456","subject":"Example 
Corp","uid":"cert101","version":"1"},"created_time":1672444800,"developer_uid":"dev101","digest":{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}},"size":2048,"type":"script","type_id":1,"uid":"file101","version":"1.0","xattributes":{}},"integrity":"valid","integrity_id":1,"lineage":["/sbin/init","/usr/bin/login"],"loaded_modules":["pam","bash"],"name":"login","parent_process":null,"pid":1234,"sandbox":"none","session":null,"terminated_time":1672531200,"tid":5678,"uid":"proc101","user":null,"xattributes":{}},"session":{"count":1,"created_time":1672444800,"credential_uid":"cred101","expiration_reason":"timeout","expiration_time":1672531200,"is_mfa":true,"is_remote":false,"is_vpn":false,"issuer":"IDP Service","terminal":"pts/1","uid":"sess101","uid_alt":"sess102","uuid":"uuid-1234"},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers 
Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}},"category_name":"User Activity","category_uid":5,"class_name":"Login Events","class_uid":5003,"count":1,"duration":3600,"end_time":1672531200,"enrichments":[{"data":{},"name":"GeoIP Enrichment","provider":"GeoIP Service","type":"location","value":"San Francisco, USA"}],"message":"User John Doe attempted a login from San Francisco.","metadata":{"correlation_uid":"cor-1234","event_code":"login_attempt","extension":{"name":"Login Extension","uid":"ext-1234","version":"1.0"},"extensions":[],"labels":["security"],"log_level":"info","log_name":"user_activity","log_provider":"Example Provider","log_version":"1.0","logged_time":1672444800,"loggers":[],"modified_time":1672444800,"original_time":"2023-01-01T00:00:00Z","processed_time":1672531200,"product":{"cpe_name":"cpe:/a:example:product","feature":{"name":"Login Feature","uid":"fea-1234","version":"1.0"},"lang":"en","name":"User Activity Logger","path":"/var/log/user_activity","uid":"prod-1234","url_string":"https://example.com","vendor_name":"Example Vendor","version":"1.0"},"profiles":["default"],"sequence":1,"tenant_uid":"tenant123","uid":"evt-1234","version":"1.0"},"observables":[{"name":"San Francisco","reputation":{"base_score":90,"provider":"GeoIP Service","score":"high","score_id":1},"type":"location","type_id":2,"value":"San Francisco, 
USA"}],"raw_data":"raw_event_data","severity":"medium","severity_id":2,"start_time":1672444800,"status":"processed","status_code":"200","status_detail":"Event processed successfully.","status_id":1,"time":1672444800,"timezone_offset":-8,"type_name":"login_event","type_uid":1001,"unmapped":{},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example 
Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json index 9866d1851a10..96f7912c63f1 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json 
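Review bot: The added sample event uses epoch seconds for every OCSF time field (`"time":1672444800`, `"start_time"`, `"end_time"`, `"created_time"`, …) while the two existing events and the pipeline's date handling use epoch milliseconds (`"time":1695277679358`), so the golden output dates this event to January 1970 (`"@timestamp": "1970-01-20T08:34:04.800Z"`). Switch to millisecond values, e.g. `"time":1672444800000,"start_time":1672444800000,"end_time":1672531200000`, so the fixture exercises the real conversion instead of blessing a wrong one. The event's labels are also inconsistent with its class: `class_uid` 5003 is the User Inventory Info class this commit adds, yet `class_name` is "Login Events", `category_name` is "User Activity", `activity_name` is "Login Attempt" and `type_uid` is 1001 (OCSF derives type_uid as class_uid × 100 + activity_id, i.e. 5003xx). With invented values the test cannot detect a wrong event.action/event.kind mapping for this class; if I recall OCSF v1.1.0 correctly the class's activities are Log (1) and Collect (2), so `"class_name":"User Inventory Info","category_name":"Discovery","activity_name":"Log","type_uid":500301` would be the matching set.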
@@ -316,6 +316,577 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "1970-01-20T08:34:04.800Z", + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "login-attempt", + "code": "login_attempt", + "duration": 3600000000, + "end": "1970-01-20T08:35:31.200Z", + "id": "evt-1234", + "kind": "event", + "original": "{\"activity_id\":1,\"activity_name\":\"Login Attempt\",\"actor\":{\"authorizations\":[{\"decision\":\"allow\",\"policy\":{\"desc\":\"Allow login\",\"group\":{\"desc\":\"Employee Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"},\"name\":\"Login Policy\",\"uid\":\"pol101\",\"version\":\"1.0\"}}],\"idp\":{\"name\":\"IDP Service\",\"uid\":\"idp101\"},\"invoked_by\":\"web_app\",\"process\":{\"cmd_line\":\"/usr/bin/login\",\"created_time\":1672444800,\"file\":{\"accessed_time\":1672531200,\"accessor\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":null,\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"},\"attributes\":777,\"company_name\":\"Example Corp\",\"confidentiality\":\"high\",\"confidentiality_id\":2,\"created_time\":1672444800,\"creator\":null,\"desc\":\"Login 
script\",\"hashes\":[{\"algorithm\":\"SHA-256\",\"algorithm_id\":4,\"value\":\"abcd1234\"}],\"is_system\":true,\"mime_type\":\"application/x-sh\",\"modified_time\":1672444800,\"modifier\":null,\"name\":\"login.sh\",\"owner\":null,\"parent_folder\":\"/usr/bin\",\"path\":\"/usr/bin/login.sh\",\"product\":null,\"security_descriptor\":\"D:P(A;;FA;;;BA)\",\"signature\":{\"algorithm\":\"RSA\",\"algorithm_id\":1,\"certificate\":{\"created_time\":1577836800,\"expiration_time\":1893456000,\"fingerprints\":[{\"algorithm\":\"SHA-1\",\"algorithm_id\":3,\"value\":\"abc123\"}],\"issuer\":\"Example CA\",\"serial_number\":\"123456\",\"subject\":\"Example Corp\",\"uid\":\"cert101\",\"version\":\"1\"},\"created_time\":1672444800,\"developer_uid\":\"dev101\",\"digest\":{\"algorithm\":\"SHA-256\",\"algorithm_id\":4,\"value\":\"abcd1234\"}},\"size\":2048,\"type\":\"script\",\"type_id\":1,\"uid\":\"file101\",\"version\":\"1.0\",\"xattributes\":{}},\"integrity\":\"valid\",\"integrity_id\":1,\"lineage\":[\"/sbin/init\",\"/usr/bin/login\"],\"loaded_modules\":[\"pam\",\"bash\"],\"name\":\"login\",\"parent_process\":null,\"pid\":1234,\"sandbox\":\"none\",\"session\":null,\"terminated_time\":1672531200,\"tid\":5678,\"uid\":\"proc101\",\"user\":null,\"xattributes\":{}},\"session\":{\"count\":1,\"created_time\":1672444800,\"credential_uid\":\"cred101\",\"expiration_reason\":\"timeout\",\"expiration_time\":1672531200,\"is_mfa\":true,\"is_remote\":false,\"is_vpn\":false,\"issuer\":\"IDP Service\",\"terminal\":\"pts/1\",\"uid\":\"sess101\",\"uid_alt\":\"sess102\",\"uuid\":\"uuid-1234\"},\"user\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee 
Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":{\"cost_center\":\"IT\",\"created_time\":1577836800,\"deleted_time\":null,\"email_addrs\":[\"john.doe@example.com\"],\"employee_uid\":\"emp101\",\"given_name\":\"John\",\"hire_time\":1546300800,\"job_title\":\"System Administrator\",\"labels\":[\"full-time\"],\"last_login_time\":1672444800,\"ldap_cn\":\"john_doe_cn\",\"ldap_dn\":\"cn=John Doe,ou=users,dc=example,dc=com\",\"leave_time\":null,\"location\":{\"city\":\"San Francisco\",\"continent\":\"North America\",\"coordinates\":[37.7749,-122.4194],\"country\":\"USA\",\"desc\":\"Head Office\",\"is_on_premises\":true,\"isp\":\"Example ISP\",\"postal_code\":\"94103\",\"provider\":\"Example Provider\",\"region\":\"California\"},\"manager\":{\"account\":{\"name\":\"jane.manager\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc102\"},\"credential_uid\":\"cred102\",\"domain\":\"example.com\",\"email_addr\":\"jane.manager@example.com\",\"full_name\":\"Jane Manager\",\"groups\":[{\"desc\":\"Managers Group\",\"domain\":\"example.com\",\"name\":\"managers\",\"privileges\":[\"read\",\"write\",\"manage\"],\"type\":\"internal\",\"uid\":\"grp102\"}],\"ldap_person\":null,\"name\":\"Jane Manager\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr102\",\"uid_alt\":\"jane_manager_alt\"},\"modified_time\":1622505600,\"office_location\":\"Building A\",\"surname\":\"Doe\"},\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"}},\"category_name\":\"User Activity\",\"category_uid\":5,\"class_name\":\"Login Events\",\"class_uid\":5003,\"count\":1,\"duration\":3600,\"end_time\":1672531200,\"enrichments\":[{\"data\":{},\"name\":\"GeoIP 
Enrichment\",\"provider\":\"GeoIP Service\",\"type\":\"location\",\"value\":\"San Francisco, USA\"}],\"message\":\"User John Doe attempted a login from San Francisco.\",\"metadata\":{\"correlation_uid\":\"cor-1234\",\"event_code\":\"login_attempt\",\"extension\":{\"name\":\"Login Extension\",\"uid\":\"ext-1234\",\"version\":\"1.0\"},\"extensions\":[],\"labels\":[\"security\"],\"log_level\":\"info\",\"log_name\":\"user_activity\",\"log_provider\":\"Example Provider\",\"log_version\":\"1.0\",\"logged_time\":1672444800,\"loggers\":[],\"modified_time\":1672444800,\"original_time\":\"2023-01-01T00:00:00Z\",\"processed_time\":1672531200,\"product\":{\"cpe_name\":\"cpe:/a:example:product\",\"feature\":{\"name\":\"Login Feature\",\"uid\":\"fea-1234\",\"version\":\"1.0\"},\"lang\":\"en\",\"name\":\"User Activity Logger\",\"path\":\"/var/log/user_activity\",\"uid\":\"prod-1234\",\"url_string\":\"https://example.com\",\"vendor_name\":\"Example Vendor\",\"version\":\"1.0\"},\"profiles\":[\"default\"],\"sequence\":1,\"tenant_uid\":\"tenant123\",\"uid\":\"evt-1234\",\"version\":\"1.0\"},\"observables\":[{\"name\":\"San Francisco\",\"reputation\":{\"base_score\":90,\"provider\":\"GeoIP Service\",\"score\":\"high\",\"score_id\":1},\"type\":\"location\",\"type_id\":2,\"value\":\"San Francisco, USA\"}],\"raw_data\":\"raw_event_data\",\"severity\":\"medium\",\"severity_id\":2,\"start_time\":1672444800,\"status\":\"processed\",\"status_code\":\"200\",\"status_detail\":\"Event processed successfully.\",\"status_id\":1,\"time\":1672444800,\"timezone_offset\":-8,\"type_name\":\"login_event\",\"type_uid\":1001,\"unmapped\":{},\"user\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee 
Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":{\"cost_center\":\"IT\",\"created_time\":1577836800,\"deleted_time\":null,\"email_addrs\":[\"john.doe@example.com\"],\"employee_uid\":\"emp101\",\"given_name\":\"John\",\"hire_time\":1546300800,\"job_title\":\"System Administrator\",\"labels\":[\"full-time\"],\"last_login_time\":1672444800,\"ldap_cn\":\"john_doe_cn\",\"ldap_dn\":\"cn=John Doe,ou=users,dc=example,dc=com\",\"leave_time\":null,\"location\":{\"city\":\"San Francisco\",\"continent\":\"North America\",\"coordinates\":[37.7749,-122.4194],\"country\":\"USA\",\"desc\":\"Head Office\",\"is_on_premises\":true,\"isp\":\"Example ISP\",\"postal_code\":\"94103\",\"provider\":\"Example Provider\",\"region\":\"California\"},\"manager\":{\"account\":{\"name\":\"jane.manager\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc102\"},\"credential_uid\":\"cred102\",\"domain\":\"example.com\",\"email_addr\":\"jane.manager@example.com\",\"full_name\":\"Jane Manager\",\"groups\":[{\"desc\":\"Managers Group\",\"domain\":\"example.com\",\"name\":\"managers\",\"privileges\":[\"read\",\"write\",\"manage\"],\"type\":\"internal\",\"uid\":\"grp102\"}],\"ldap_person\":null,\"name\":\"Jane Manager\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr102\",\"uid_alt\":\"jane_manager_alt\"},\"modified_time\":1622505600,\"office_location\":\"Building A\",\"surname\":\"Doe\"},\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"}}", + "outcome": "success", + "provider": "Example Provider", + "sequence": 1, + "severity": 2, + "start": "1970-01-20T08:34:04.800Z" + }, + "file": { + "accessed": "1970-01-20T08:35:31.200Z", + "created": "1970-01-20T08:34:04.800Z", + 
"directory": "/usr/bin", + "hash": { + "sha256": [ + "abcd1234" + ] + }, + "inode": "file101", + "mime_type": "application/x-sh", + "mtime": "1970-01-20T08:34:04.800Z", + "name": "login.sh", + "path": "/usr/bin/login.sh", + "size": 2048, + "type": "script", + "x509": { + "issuer": { + "distinguished_name": "Example CA" + }, + "not_after": "1970-01-22T21:57:36.000Z", + "serial_number": "123456", + "subject": { + "distinguished_name": "Example Corp" + }, + "version_number": "1" + } + }, + "message": "User John Doe attempted a login from San Francisco.", + "ocsf": { + "activity_id": "1", + "activity_name": "Login Attempt", + "actor": { + "authorizations": [ + { + "decision": "allow", + "policy": { + "desc": "Allow login", + "group": { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + }, + "name": "Login Policy", + "uid": "pol101", + "version": "1.0" + } + } + ], + "idp": { + "name": "IDP Service", + "uid": "idp101" + }, + "invoked_by": "web_app", + "process": { + "cmd_line": "/usr/bin/login", + "created_time": "1970-01-20T08:34:04.800Z", + "file": { + "accessed_time": "1970-01-20T08:35:31.200Z", + "accessor": { + "account": { + "name": "john.doe", + "type": "user", + "type_id": "1", + "uid": "acc101" + }, + "credential_uid": "cred101", + "domain": "example.com", + "email_addr": "john.doe@example.com", + "full_name": "John Doe", + "groups": [ + { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "name": "John Doe", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": "1", + "uid": "usr101", + "uid_alt": "john_doe_alt" + }, + "attributes": 777, + "company_name": "Example Corp", + "confidentiality": "high", + "confidentiality_id": "2", + "created_time": 
"1970-01-20T08:34:04.800Z", + "desc": "Login script", + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": "4", + "value": "abcd1234" + } + ], + "is_system": true, + "mime_type": "application/x-sh", + "modified_time": "1970-01-20T08:34:04.800Z", + "name": "login.sh", + "parent_folder": "/usr/bin", + "path": "/usr/bin/login.sh", + "security_descriptor": "D:P(A;;FA;;;BA)", + "signature": { + "algorithm": "RSA", + "algorithm_id": "1", + "certificate": { + "created_time": "1970-01-19T06:17:16.800Z", + "expiration_time": "1970-01-22T21:57:36.000Z", + "fingerprints": [ + { + "algorithm": "SHA-1", + "algorithm_id": "3", + "value": "abc123" + } + ], + "issuer": "Example CA", + "serial_number": "123456", + "subject": "Example Corp", + "uid": "cert101", + "version": "1" + }, + "created_time": "1970-01-20T08:34:04.800Z", + "developer_uid": "dev101", + "digest": { + "algorithm": "SHA-256", + "algorithm_id": "4", + "value": "abcd1234" + } + }, + "size": 2048, + "type": "script", + "type_id": "1", + "uid": "file101", + "version": "1.0" + }, + "integrity": "valid", + "integrity_id": "1", + "lineage": [ + "/sbin/init", + "/usr/bin/login" + ], + "loaded_modules": [ + "pam", + "bash" + ], + "name": "login", + "pid": 1234, + "sandbox": "none", + "terminated_time": "1970-01-20T08:35:31.200Z", + "tid": 5678, + "uid": "proc101" + }, + "session": { + "count": 1, + "created_time": "1970-01-20T08:34:04.800Z", + "credential_uid": "cred101", + "expiration_reason": "timeout", + "expiration_time": "1970-01-20T08:35:31.200Z", + "is_mfa": true, + "is_remote": false, + "is_vpn": false, + "issuer": "IDP Service", + "terminal": "pts/1", + "uid": "sess101", + "uid_alt": "sess102", + "uuid": "uuid-1234" + }, + "user": { + "account": { + "name": "john.doe", + "type": "user", + "type_id": "1", + "uid": "acc101" + }, + "credential_uid": "cred101", + "domain": "example.com", + "email_addr": "john.doe@example.com", + "full_name": "John Doe", + "groups": [ + { + "desc": "Employee Group", + 
"domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "ldap_person": { + "cost_center": "IT", + "created_time": 1577836800, + "email_addrs": [ + "john.doe@example.com" + ], + "employee_uid": "emp101", + "given_name": "John", + "hire_time": 1546300800, + "job_title": "System Administrator", + "labels": [ + "full-time" + ], + "last_login_time": 1672444800, + "ldap_cn": "john_doe_cn", + "ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", + "location": { + "city": "San Francisco", + "continent": "North America", + "coordinates": [ + 37.7749, + -122.4194 + ], + "country": "USA", + "desc": "Head Office", + "is_on_premises": true, + "isp": "Example ISP", + "postal_code": "94103", + "provider": "Example Provider", + "region": "California" + }, + "manager": { + "account": { + "name": "jane.manager", + "type": "user", + "type_id": 1, + "uid": "acc102" + }, + "credential_uid": "cred102", + "domain": "example.com", + "email_addr": "jane.manager@example.com", + "full_name": "Jane Manager", + "groups": [ + { + "desc": "Managers Group", + "domain": "example.com", + "name": "managers", + "privileges": [ + "read", + "write", + "manage" + ], + "type": "internal", + "uid": "grp102" + } + ], + "name": "Jane Manager", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": 1, + "uid": "usr102", + "uid_alt": "jane_manager_alt" + }, + "modified_time": 1622505600, + "office_location": "Building A", + "surname": "Doe" + }, + "name": "John Doe", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": "1", + "uid": "usr101", + "uid_alt": "john_doe_alt" + } + }, + "category_name": "User Activity", + "category_uid": "5", + "class_name": "Login Events", + "class_uid": "5003", + "count": 1, + "duration": 3600, + "end_time": "1970-01-20T08:35:31.200Z", + 
"enrichments": [ + { + "name": "GeoIP Enrichment", + "provider": "GeoIP Service", + "type": "location", + "value": "San Francisco, USA" + } + ], + "message": "User John Doe attempted a login from San Francisco.", + "metadata": { + "correlation_uid": "cor-1234", + "event_code": "login_attempt", + "extension": { + "name": "Login Extension", + "uid": "ext-1234", + "version": "1.0" + }, + "labels": [ + "security" + ], + "log_level": "info", + "log_name": "user_activity", + "log_provider": "Example Provider", + "log_version": "1.0", + "logged_time": "1970-01-20T08:34:04.800Z", + "modified_time": "1970-01-20T08:34:04.800Z", + "original_time": "2023-01-01T00:00:00Z", + "processed_time": "1970-01-20T08:35:31.200Z", + "product": { + "cpe_name": "cpe:/a:example:product", + "feature": { + "name": "Login Feature", + "uid": "fea-1234", + "version": "1.0" + }, + "lang": "en", + "name": "User Activity Logger", + "path": "/var/log/user_activity", + "uid": "prod-1234", + "url_string": "https://example.com", + "vendor_name": "Example Vendor", + "version": "1.0" + }, + "profiles": [ + "default" + ], + "sequence": 1, + "tenant_uid": "tenant123", + "uid": "evt-1234", + "version": "1.0" + }, + "observables": [ + { + "name": "San Francisco", + "reputation": { + "base_score": 90.0, + "provider": "GeoIP Service", + "score": "high", + "score_id": "1" + }, + "type": "location", + "type_id": "2", + "value": "San Francisco, USA" + } + ], + "raw_data_keyword": "raw_event_data", + "severity": "medium", + "severity_id": 2, + "start_time": "1970-01-20T08:34:04.800Z", + "status": "processed", + "status_code": "200", + "status_detail": "Event processed successfully.", + "status_id": "1", + "time": "1970-01-20T08:34:04.800Z", + "timezone_offset": -8, + "type_name": "login_event", + "type_uid": "1001", + "user": { + "account": { + "name": "john.doe", + "type": "user", + "type_id": "1", + "uid": "acc101" + }, + "credential_uid": "cred101", + "domain": "example.com", + "email_addr": 
"john.doe@example.com", + "full_name": "John Doe", + "groups": [ + { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "ldap_person": { + "cost_center": "IT", + "created_time": 1577836800, + "email_addrs": [ + "john.doe@example.com" + ], + "employee_uid": "emp101", + "given_name": "John", + "hire_time": 1546300800, + "job_title": "System Administrator", + "labels": [ + "full-time" + ], + "last_login_time": 1672444800, + "ldap_cn": "john_doe_cn", + "ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", + "location": { + "city": "San Francisco", + "continent": "North America", + "coordinates": [ + 37.7749, + -122.4194 + ], + "country": "USA", + "desc": "Head Office", + "is_on_premises": true, + "isp": "Example ISP", + "postal_code": "94103", + "provider": "Example Provider", + "region": "California" + }, + "manager": { + "account": { + "name": "jane.manager", + "type": "user", + "type_id": 1, + "uid": "acc102" + }, + "credential_uid": "cred102", + "domain": "example.com", + "email_addr": "jane.manager@example.com", + "full_name": "Jane Manager", + "groups": [ + { + "desc": "Managers Group", + "domain": "example.com", + "name": "managers", + "privileges": [ + "read", + "write", + "manage" + ], + "type": "internal", + "uid": "grp102" + } + ], + "name": "Jane Manager", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": 1, + "uid": "usr102", + "uid_alt": "jane_manager_alt" + }, + "modified_time": 1622505600, + "office_location": "Building A", + "surname": "Doe" + }, + "name": "John Doe", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": "1", + "uid": "usr101", + "uid_alt": "john_doe_alt" + } + }, + "process": { + "command_line": "/usr/bin/login", + "end": "1970-01-20T08:35:31.200Z", + 
"entity_id": "proc101", + "name": "login", + "pid": 1234, + "start": "1970-01-20T08:34:04.800Z", + "thread": { + "id": 5678 + } + }, + "related": { + "hash": [ + "abcd1234", + "abc123" + ], + "user": [ + "john.doe@example.com", + "John Doe", + "usr101", + "john_doe_alt" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "security" + ], + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "full_name": "John Doe", + "group": { + "id": [ + "grp101" + ], + "name": [ + "employees" + ] + }, + "id": "usr101", + "name": "John Doe", + "target": { + "domain": "example.com", + "email": "john.doe@example.com", + "full_name": "John Doe", + "group": { + "id": [ + "grp101" + ], + "name": [ + "employees" + ] + }, + "id": "usr101", + "name": "John Doe" + } + } } ] } \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 2f771d5336c3..19b7b5ccd19c 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -28,7 +28,7 @@ processors: - set: field: event.kind tag: set_event_kind - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) value: event - set: field: event.kind 
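Review bot: This golden output was accepted with defects that should be fixed in the fixture and the pipeline and then regenerated, rather than blessed as-is: every date derived from the new event is in January 1970 (`"@timestamp": "1970-01-20T08:34:04.800Z"`, `file.x509.not_after`, `process.start`), which is the fixture's epoch-second values being parsed as milliseconds. The output also exposes gaps in the new ldap_person support: `ocsf.user.ldap_person.created_time`, `hire_time`, `last_login_time` and `modified_time` are left as raw integers while every sibling `*_time` field is a date string, and `ldap_person.manager.type_id` / `manager.account.type_id` stay integers (`"type_id": 1`) while every other `type_id` is converted to a string (`"type_id": "1"`), so the same attribute is indexed with different types depending on nesting. Finally, although the fixture populates `ldap_person.email_addrs` and `ldap_person.labels`, nothing from them reaches the ECS `user` or `related.user` objects, which indicates the new append processors in pipeline_object_user.yml are not doing what was intended.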
@@ -588,17 +588,6 @@ processors: tag: convert_type_id_to_string type: string ignore_missing: true - - script: - lang: painless - tag: script_to_map_observables_into_key_value_pair - description: Map observables into key value pair. - if: ctx.ocsf?.observables != null && ctx.ocsf.observables instanceof List - source: > - for (int i = 0; i < ctx.ocsf.observables.length; ++i) { - if (ctx['ocsf']['observables'][i]['value'] != null) { - ctx.ocsf.observables[i][ctx['ocsf']['observables'][i]['name']] = ctx['ocsf']['observables'][i]['value']; - } - } - convert: field: ocsf.severity_id tag: convert_severity_id_to_long @@ -699,7 +688,7 @@ processors: ignore_missing: true - pipeline: name: '{{ IngestPipeline "pipeline_object_actor" }}' - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null tag: pipeline_object_actor ignore_missing_pipeline: true - pipeline: @@ -754,7 +743,7 @@ processors: ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_user" }}' - if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','3006'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null + if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','3006','5003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null tag: pipeline_object_user ignore_missing_pipeline: true - pipeline: 
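Review bot: The actor-pipeline gate in the `@@ -699` hunk lists `'3004'` but not `'3006'`, while the `event.kind` list in the preceding hunk and the user-pipeline gate in the `@@ -754` hunk both carry `'3006'` and omit `'3004'`; if 3006 events carry an `actor` object (which this diff cannot show), they never reach `pipeline_object_actor`, and 3004 events with a `user` object would likewise skip `pipeline_object_user`. Either add `'3006'` to the actor list, e.g. `['1001',…,'3003','3004','3005','3006','4001',…]`, or leave a comment above the `if:` stating why the three lists deliberately differ. Hand-copying the same class-UID literal into three conditions is what let them drift, and this patch had to touch all three just to add `'5003'`; computing the membership once (a `set`/`script` processor writing a boolean such as `_temp.has_actor_class` that the three `if:` conditions consult) would confine the next class addition to one place.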
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml
index c51d99a351a7..8652741ce9d6 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml
@@ -87,6 +87,38 @@ processors:
value: '{{{ocsf.user.uid_alt}}}'
allow_duplicates: false
if: ctx.ocsf?.user?.uid_alt != null
+ - foreach:
+ field: ocsf.user.ldap_person.email_addrs
+ if: ctx.ocsf?.user?.ldap_person?.email_addrs instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.ldap_person.email_addrs
+ tag: append_user_ldap_person_email_addrs
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: ocsf.user.ldap_person.labels
+ if: ctx.ocsf?.user?.ldap_person?.labels instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: user.ldap_person.labels
+ tag: append_user_ldap_person_labels
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ - convert:
+ field: ocsf.user.ldap_person.location.is_on_premises
+ tag: convert_user_ldap_person_location_is_on_premises_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: ocsf.user.ldap_person.location.is_on_premises
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
on_failure:
- append:
field: error.message
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
new file mode 100644
index 000000000000..e13a34bbe571
--- /dev/null
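Review bot: Both added `foreach` processors render `'{{{_ingest._value.name}}}'`, but `ldap_person.email_addrs` and `ldap_person.labels` are lists of plain strings — the discovery sample earlier in this same patch has `"email_addrs": ["john.doe@example.com"]` and `"labels": ["full-time"]` — so `_value.name` resolves to nothing and no address or label is ever appended, while `ignore_failure: true` hides any template failure that would have exposed it. The value should be `value: '{{{_ingest._value}}}'` in both processors, and `ignore_failure` is better dropped so a malformed document surfaces in `error.message` the way the `convert` below it already does. The target `user.ldap_person.*` is outside the ECS `user` field set; if the intent was to keep these under the OCSF namespace next to the `ocsf.user.ldap_person.*` source fields, the two `field:` lines need changing too — the rest of this pipeline, which would confirm the convention, lies outside the hunk.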
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml 
@@ -0,0 +1,1897 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. 
+ - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. 
+ - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
+ - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. 
+ - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
+ - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' 
+ - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. 
+ - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. 
For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox).
For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 670974d5c4bc..ae11efc5b145 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -10,1668 +10,6 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: actor
- type: group
- fields:
- - name: authorizations
- type: group
- fields:
- - name: decision
- type: keyword
- description: Authorization Result/outcome, e.g. allowed, denied.
- - name: policy
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the policy.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: 'The policy name. For example: IAM Policy.'
- - name: uid
- type: keyword
- description: A unique identifier of the policy instance.
- - name: version
- type: keyword
- description: The policy version number.
- - name: idp
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the identity provider.
- - name: uid
- type: keyword
- description: The unique identifier of the identity provider.
- - name: invoked_by
- type: keyword
- description: The name of the service that invoked the activity as described in the event.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier.
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: full_name
- type: keyword
- description: The user's email address.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: integrity
- type: keyword
- description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
- - name: integrity_id
- type: keyword
- description: The normalized identifier of the process integrity level (Windows only).
- - name: lineage
- type: keyword
- description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
- - name: loaded_modules
- type: keyword
- description: The list of loaded module names.
- - name: name
- type: keyword
- description: 'The friendly name of the process, for example: Notepad++.'
- - name: namespace_pid
- type: long
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: parent_process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. 
- - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. 
- - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: actual_permissions type: long description: The permissions that were granted to the in a platform-native format. @@ -4608,6 +2946,12 @@ - name: metadata type: group fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: log_level + type: keyword + description: The log level of the event. - name: correlation_uid type: keyword description: The unique identifier used to correlate events. @@ -4695,6 +3039,9 @@ - name: version type: keyword description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. - name: profiles type: keyword description: The list of profiles used to create the event. 
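Review bot: The description added for `metadata.tenant_uid` in the `@@ -4608,6 +2946,12 @@` hunk — `The audit level at which an event was generated.` — does not describe a tenant identifier; it looks like the wording intended for the `log_level` field that is added right below it with a different sentence. These descriptions are what the generated README and Kibana field help show analysts, so a mislabeled identifier field is misleading when someone is filtering or correlating events per tenant. If I recall the OCSF 1.1 metadata object correctly, the fix is `description: The unique tenant identifier.` on `tenant_uid`, and `log_level` should carry the audit-level sentence that currently sits on `tenant_uid`. Please cross-check both against the OCSF v1.1.0 schema the changelog says this release targets.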
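Review bot: The `cpe_name` description in the `@@ -4695,6 +3039,9 @@` hunk is garbled: `as described by (NIST) For example, cpe:/a:apple:safari:16.2.` runs two sentences together and parenthesizes NIST for no reason. Suggest `description: 'The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.'`, matching the single-quoted `For example:` style already used elsewhere in this file. The single quotes matter here: an unquoted `For example: ` introduces a `: ` sequence inside a plain scalar, which YAML rejects as an unexpected mapping, so anyone later tidying the sentence into the file's usual form would break the mapping unless it is quoted. Keeping the field as `keyword` is right, since CPE strings are matched exactly when correlating against vulnerability feeds.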
@@ -6124,84 +4471,6 @@ - name: url_string type: keyword description: The URL string. See RFC 1738. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: user_result type: group fields: diff --git a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml new file mode 100644 index 000000000000..92e575f05d9b --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml 
@@ -0,0 +1,256 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index b2d0bc764227..91fdd617ad66
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
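Review bot: The `ldap_person` timestamp fields (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are mapped without `*_time_dt` companions, whereas the package maps both forms for other objects (the README hunk further down lists `ocsf.actor.session.created_time` next to `ocsf.actor.session.created_time_dt`), so if the datetime profile populates `_dt` values on these objects they would fall through to dynamic mapping; adding the six `_dt` entries as `type: date` keeps the object consistent with the rest of the schema. The same six fields carry `format: epoch_second` while OCSF defines `timestamp_t` in milliseconds since the epoch, so confirm against the pipeline test fixtures that the values reaching these fields really are in seconds before relying on this format. Two documentation nits: the `ldap_dn` description reads `...in an X.500 directory service For example, cn=John Doe,...` and needs a full stop before `For example`, and `description: Manager` on the `manager` group is the only non-sentence description in the file, so `description: The user's manager, represented as a nested user object.` would match the rest. The `manager` subtree is a verbatim copy of the top-level `user` mapping minus `ldap_person`, which a static mapping requires, but a comment such as `# Mirrors the user object above; keep both in sync.` above `- name: manager` would save the next maintainer from editing only one copy.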
@@ -99,6 +99,7 @@ This is the `Event` dataset.
 | ocsf.actor.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword |
 | ocsf.actor.authorizations.policy.desc | The description of the policy. | keyword |
 | ocsf.actor.authorizations.policy.group.desc | The group description. | keyword |
+| ocsf.actor.authorizations.policy.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.authorizations.policy.group.name | The group name. | keyword |
 | ocsf.actor.authorizations.policy.group.privileges | The group privileges. | keyword |
 | ocsf.actor.authorizations.policy.group.type | The type of the group or account. | keyword |
@@ -142,6 +143,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.accessor.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.accessor.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.file.accessor.groups.name | The group name. | keyword |
 | ocsf.actor.process.file.accessor.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.file.accessor.groups.type | The type of the group or account. | keyword |
@@ -170,6 +172,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.creator.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.creator.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.file.creator.groups.name | The group name. | keyword |
 | ocsf.actor.process.file.creator.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.file.creator.groups.type | The type of the group or account. | keyword |
@@ -200,6 +203,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.modifier.email_addr | The image name. For example: elixir. | keyword |
 | ocsf.actor.process.file.modifier.full_name | The user's email address. | keyword |
 | ocsf.actor.process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.modifier.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.file.modifier.groups.name | The group name. | keyword |
 | ocsf.actor.process.file.modifier.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.file.modifier.groups.type | The type of the group or account. | keyword |
@@ -223,6 +227,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.owner.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.actor.process.file.owner.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.file.owner.groups.name | The group name. | keyword |
 | ocsf.actor.process.file.owner.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.file.owner.groups.type | The type of the group or account. | keyword |
@@ -261,6 +266,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
 | ocsf.actor.process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
 | ocsf.actor.process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.actor.process.file.signature.certificate.uid | The unique identifier of the certificate. | keyword |
 | ocsf.actor.process.file.signature.certificate.version | The certificate version. | keyword |
 | ocsf.actor.process.file.signature.created_time | The time when the digital signature was created. | date |
 | ocsf.actor.process.file.signature.created_time_dt | The time when the digital signature was created. | date |
@@ -318,6 +324,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.accessor.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.parent_process.file.accessor.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.groups.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword |
@@ -346,6 +353,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.creator.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.parent_process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.parent_process.file.creator.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.creator.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.file.creator.groups.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.file.creator.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.file.creator.groups.type | The type of the group or account. | keyword |
@@ -376,6 +384,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.modifier.email_addr | The image name. For example: elixir. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.full_name | The user's email address. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.groups.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword |
@@ -399,6 +408,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.owner.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.parent_process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.file.owner.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.file.owner.groups.type | The type of the group or account. | keyword |
@@ -437,6 +447,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.uid | The unique identifier of the certificate. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.version | The certificate version. | keyword |
 | ocsf.actor.process.parent_process.file.signature.created_time | The time when the digital signature was created. | date |
 | ocsf.actor.process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
@@ -488,6 +499,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.user.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.parent_process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.parent_process.user.groups.desc | The group description. | keyword |
+| ocsf.actor.process.parent_process.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.parent_process.user.groups.name | The group name. | keyword |
 | ocsf.actor.process.parent_process.user.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.parent_process.user.groups.type | The type of the group or account. | keyword |
@@ -527,6 +539,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.user.email_addr | The user's email address. | keyword |
 | ocsf.actor.process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.process.user.groups.desc | The group description. | keyword |
+| ocsf.actor.process.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.user.groups.name | The group name. | keyword |
 | ocsf.actor.process.user.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.process.user.groups.type | The type of the group or account. | keyword |
@@ -541,15 +554,21 @@ This is the `Event` dataset.
 | ocsf.actor.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
+| ocsf.actor.session.count | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. | integer |
 | ocsf.actor.session.created_time | The time when the session was created. | date |
 | ocsf.actor.session.created_time_dt | The time when the session was created. | date |
 | ocsf.actor.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.session.expiration_reason | The reason which triggered the session expiration. | keyword |
 | ocsf.actor.session.expiration_time | The session expiration time. | date |
 | ocsf.actor.session.expiration_time_dt | The session expiration time. | date |
+| ocsf.actor.session.is_mfa | Indicates whether Multi Factor Authentication was used during authentication. | boolean |
 | ocsf.actor.session.is_remote | The indication of whether the session is remote. | boolean |
+| ocsf.actor.session.is_vpn | The indication of whether the session is a VPN session. | boolean |
 | ocsf.actor.session.issuer | The identifier of the session issuer. | keyword |
 | ocsf.actor.session.mfa | | boolean |
+| ocsf.actor.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword |
 | ocsf.actor.session.uid | The unique identifier of the session. | keyword |
+| ocsf.actor.session.uid_alt | The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. | keyword |
 | ocsf.actor.session.uuid | The universally unique identifier of the session. | keyword |
 | ocsf.actor.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
@@ -560,10 +579,60 @@ This is the `Event` dataset.
 | ocsf.actor.user.email_addr | The user's email address. | keyword |
 | ocsf.actor.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.actor.user.groups.desc | The group description. | keyword |
+| ocsf.actor.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.user.groups.name | The group name. | keyword |
 | ocsf.actor.user.groups.privileges | The group privileges. | keyword |
 | ocsf.actor.user.groups.type | The type of the group or account. | keyword |
 | ocsf.actor.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.user.ldap_person.cost_center | The cost center associated with the user. | keyword |
+| ocsf.actor.user.ldap_person.created_time | The timestamp when the user was created. | date |
+| ocsf.actor.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date |
+| ocsf.actor.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword |
+| ocsf.actor.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword |
+| ocsf.actor.user.ldap_person.given_name | The given or first name of the user. | keyword |
+| ocsf.actor.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date |
+| ocsf.actor.user.ldap_person.job_title | The user's job title. | keyword |
+| ocsf.actor.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. | keyword |
+| ocsf.actor.user.ldap_person.last_login_time | The last time when the user logged in. | date |
+| ocsf.actor.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword |
+| ocsf.actor.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. | keyword |
+| ocsf.actor.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date |
+| ocsf.actor.user.ldap_person.location.city | The name of the city. | keyword |
+| ocsf.actor.user.ldap_person.location.continent | The name of the continent. | keyword |
+| ocsf.actor.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point |
+| ocsf.actor.user.ldap_person.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword |
+| ocsf.actor.user.ldap_person.location.desc | The description of the geographical location. | keyword |
+| ocsf.actor.user.ldap_person.location.is_on_premises | The indication of whether the location is on premises. | boolean |
+| ocsf.actor.user.ldap_person.location.isp | The name of the Internet Service Provider (ISP). | keyword |
+| ocsf.actor.user.ldap_person.location.postal_code | The postal code of the location. | keyword |
+| ocsf.actor.user.ldap_person.location.provider | The provider of the geographical location data. | keyword |
+| ocsf.actor.user.ldap_person.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
+| ocsf.actor.user.ldap_person.manager.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.actor.user.ldap_person.manager.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.actor.user.ldap_person.manager.account.type_id | The normalized account type identifier. | integer |
+| ocsf.actor.user.ldap_person.manager.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.actor.user.ldap_person.manager.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.actor.user.ldap_person.manager.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.user.ldap_person.manager.email_addr | The user's email address. | keyword |
+| ocsf.actor.user.ldap_person.manager.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.actor.user.ldap_person.manager.groups.desc | The group description. | keyword |
+| ocsf.actor.user.ldap_person.manager.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
+| ocsf.actor.user.ldap_person.manager.groups.name | The group name. | keyword |
+| ocsf.actor.user.ldap_person.manager.groups.privileges | The group privileges. | keyword |
+| ocsf.actor.user.ldap_person.manager.groups.type | The type of the group or account. | keyword |
+| ocsf.actor.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.actor.user.ldap_person.manager.name | The username. For example, janedoe1. | keyword |
+| ocsf.actor.user.ldap_person.manager.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.actor.user.ldap_person.manager.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.actor.user.ldap_person.manager.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.actor.user.ldap_person.manager.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.actor.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.actor.user.ldap_person.manager.type_id | The account type identifier. | integer |
+| ocsf.actor.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.actor.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.actor.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date |
+| ocsf.actor.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword |
+| ocsf.actor.user.ldap_person.surname | The last or family name for the user. | keyword |
 | ocsf.actor.user.name | The username. For example, janedoe1. | keyword |
 | ocsf.actor.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.actor.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1424,6 +1493,7 @@ This is the `Event` dataset.
 | ocsf.metadata.extension.uid | The schema extension unique identifier. For example: 999. | keyword |
 | ocsf.metadata.extension.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword |
 | ocsf.metadata.labels | The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. | keyword |
+| ocsf.metadata.log_level | The log level of the event. | keyword |
 | ocsf.metadata.log_name | The event log name. For example, syslog file name or Windows logging subsystem: Security. | keyword |
 | ocsf.metadata.log_provider | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. | keyword |
 | ocsf.metadata.log_version | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. | keyword |
@@ -1434,6 +1504,7 @@ This is the `Event` dataset.
 | ocsf.metadata.original_time | The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. | keyword |
 | ocsf.metadata.processed_time | The event processed time, such as an ETL operation. | date |
 | ocsf.metadata.processed_time_dt | The event processed time, such as an ETL operation. | date |
+| ocsf.metadata.product.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. | keyword |
 | ocsf.metadata.product.feature.name | The name of the feature. | keyword |
 | ocsf.metadata.product.feature.uid | The unique identifier of the feature. | keyword |
 | ocsf.metadata.product.feature.version | The version of the feature. | keyword |
@@ -1446,6 +1517,7 @@ This is the `Event` dataset.
 | ocsf.metadata.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
 | ocsf.metadata.profiles | The list of profiles used to create the event. | keyword |
 | ocsf.metadata.sequence | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. | long |
+| ocsf.metadata.tenant_uid | The audit level at which an event was generated. | keyword |
 | ocsf.metadata.uid | The logging system-assigned unique identifier of an event instance. | keyword |
 | ocsf.metadata.version | The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes. | keyword |
 | ocsf.module.base_address | The memory address where the module was loaded. | keyword |
@@ -1862,24 +1934,74 @@ This is the `Event` dataset.
 | ocsf.url.url_string | The URL string. See RFC 1738. | keyword |
 | ocsf.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.user.account.type_id | The normalized account type identifier. | integer |
 | ocsf.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
 | ocsf.user.email_addr | The user's email address. | keyword |
 | ocsf.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
 | ocsf.user.groups.desc | The group description. | keyword |
+| ocsf.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.user.groups.name | The group name. | keyword |
 | ocsf.user.groups.privileges | The group privileges. | keyword |
 | ocsf.user.groups.type | The type of the group or account. | keyword |
 | ocsf.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.user.ldap_person.cost_center | The cost center associated with the user. | keyword |
+| ocsf.user.ldap_person.created_time | The timestamp when the user was created. | date |
+| ocsf.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date |
+| ocsf.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword |
+| ocsf.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword |
+| ocsf.user.ldap_person.given_name | The given or first name of the user. | keyword |
+| ocsf.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date |
+| ocsf.user.ldap_person.job_title | The user's job title. | keyword |
+| ocsf.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. | keyword |
+| ocsf.user.ldap_person.last_login_time | The last time when the user logged in. | date |
+| ocsf.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword |
+| ocsf.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. | keyword |
+| ocsf.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date |
+| ocsf.user.ldap_person.location.city | The name of the city. | keyword |
+| ocsf.user.ldap_person.location.continent | The name of the continent. | keyword |
+| ocsf.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point |
+| ocsf.user.ldap_person.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword |
+| ocsf.user.ldap_person.location.desc | The description of the geographical location. | keyword |
+| ocsf.user.ldap_person.location.is_on_premises | The indication of whether the location is on premises. | boolean |
+| ocsf.user.ldap_person.location.isp | The name of the Internet Service Provider (ISP). | keyword |
+| ocsf.user.ldap_person.location.postal_code | The postal code of the location. | keyword |
+| ocsf.user.ldap_person.location.provider | The provider of the geographical location data. | keyword |
+| ocsf.user.ldap_person.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
+| ocsf.user.ldap_person.manager.account.name | The name of the account (e.g. GCP Account Name). | keyword |
+| ocsf.user.ldap_person.manager.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
+| ocsf.user.ldap_person.manager.account.type_id | The normalized account type identifier. | integer |
+| ocsf.user.ldap_person.manager.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
+| ocsf.user.ldap_person.manager.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
+| ocsf.user.ldap_person.manager.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
+| ocsf.user.ldap_person.manager.email_addr | The user's email address. | keyword |
+| ocsf.user.ldap_person.manager.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword |
+| ocsf.user.ldap_person.manager.groups.desc | The group description. | keyword |
+| ocsf.user.ldap_person.manager.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
+| ocsf.user.ldap_person.manager.groups.name | The group name. | keyword |
+| ocsf.user.ldap_person.manager.groups.privileges | The group privileges. | keyword |
+| ocsf.user.ldap_person.manager.groups.type | The type of the group or account. | keyword |
+| ocsf.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.user.ldap_person.manager.name | The username. For example, janedoe1. | keyword |
+| ocsf.user.ldap_person.manager.org.name | The name of the organization. For example, Widget, Inc. | keyword |
+| ocsf.user.ldap_person.manager.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
+| ocsf.user.ldap_person.manager.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
+| ocsf.user.ldap_person.manager.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
+| ocsf.user.ldap_person.manager.type_id | The account type identifier. | integer |
+| ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
+| ocsf.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date |
+| ocsf.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword |
+| ocsf.user.ldap_person.surname | The last or family name for the user. | keyword |
 | ocsf.user.name | The username. For example, janedoe1. | keyword |
 | ocsf.user.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
 | ocsf.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.user.type_id | The account type identifier. | keyword |
+| ocsf.user.type_id | The account type identifier. | integer |
 | ocsf.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.user_result.account.name | The name of the account (e.g. GCP Account Name). | keyword |
diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml
index a1d954414f19..53269306ce31 100644
--- a/packages/amazon_security_lake/manifest.yml
+++ b/packages/amazon_security_lake/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: amazon_security_lake
 title: Amazon Security Lake
-version: "1.2.0"
+version: "2.0.0"
 description: Collect logs from Amazon Security Lake with Elastic Agent.
 type: integration
 categories: ["aws", "security"]
From fb7867028b6b4f879a10476e88bbf9c7763c1209 Mon Sep 17 00:00:00 2001
From: Shourie Ganguly Date: Thu, 13 Jun 2024 16:35:27 +0530 Subject: [PATCH 02/30] trying to make a working system test --- .../data_stream/event/_dev/deploy/tf/env.yml | 9 +++++ .../event/_dev/deploy/tf/files/test.parquet | Bin 0 -> 15694 bytes .../event/_dev/deploy/tf/files/test1.parquet | Bin 0 -> 138794 bytes .../data_stream/event/_dev/deploy/tf/main.tf | 35 ++++++++++++++++++ .../event/_dev/deploy/tf/variables.tf | 27 ++++++++++++++ .../_dev/test/system/test-default-config.yml | 10 +++++ .../data_stream/event/manifest.yml | 4 ++ 7 files changed, 85 insertions(+) create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test1.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml new file mode 100644 index 000000000000..b795fcdeb2c1 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml @@ -0,0 +1,9 @@ +version: '2.3' +services: + terraform: + environment: + - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} + - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} + - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} + - AWS_PROFILE=${AWS_PROFILE} + - AWS_REGION=${AWS_REGION:-us-east-1} 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test.parquet new file mode 100644 index 0000000000000000000000000000000000000000..c253c77751db834c40aa082055f971960c06a866 GIT binary patch literal 15694 zcmdU04|G)3nSV2xOeP^HAa58n;_L`xqBE13{7)RgKnMvCh!6o+C3%^7i39V``2!6I z%kj|EpiOlODNqW?VlaZJv}_@@7F%EqAZS(Us_X6|Dtd55x5t)h?SA*Z_wKuI@-mrF zPPfa+N#4Eh`+nb_`+fJ{_h_tM;9?ne3|nDiweVnI4S6P=%i$~*ejAy5s>LwOO^+Jj zH~Qz{T3VcM7CZIKl1Ts8s2BM2*cu8bXNEr%_cld1pWj4111Qy^-vEd#;DgqdmhkC; z!iMaE*{4ovm}{Ij-+zrD<{Gw)5|dHAc%cdX0$}p2fbz5fRPMEUX5f>Wcd`VG8rDx? zOlshQTst4&gE5=AhKq4FGZ*xl>w{5W`vbA4X_)sQc^Hb}5ET0U(9_a#so~U|x$|Fb zc=fi|?+Vx3>fgMp?$n&SE}gpV^xQM~1$ywcztkd_av!@+BiN!x<2Sjit%PeWZS~rV zyc}mQ@j9LMR^C-&_f{71Z8MitH#E+jnI09`brsPRHhN%qTiTj5i8i0LtG>6spue`D ztE=Bypx5`;_jOwP3wmn%eEY|CzoePEpBX6m?jsJtS{plCGFG2w%JiTZ6aRp^iuPcE z`swC@qepUfC!$}@S;)+K-}a_aKuwBVNCAh_9`QJeOgZv1;8QL7jY1NNTu6=AieIzO zK3lA1M(_Q}lVap5GtIEGH~QO!8ip~EClEoN@JyPND%y_MCQi@n z>zdLx^>SCiyspZwj)A_J%%tUy=H&?%B&TO9L{`%zneeNTODe`jak@qS}h=kb1DXP>WAO3&jz z{aHdx&wO?+H2^t9PFJbjRb+R%Ow=5=rQIK!Kj*xvoplgA)ip8j6X-m!xIli2AL zc4oET=iyDlAHY?#)i5&?-IZGg`j{o#f8e=RK(w)q6k@KcsJNuGth}Pq=_)cQT7a); zE8nU}JFiJ})*iR^wtZym(RbD|;m5Zw6W5dEq~{{RDu}`=9~Y>qqE)DhgX;XG)7o#VSbpu9+Q+AQ~5K={me<5pCk4r(n4LB)Is(O04KYwBE{F-_5%B5*kwHG|7+HX?rRq@bxO``k#?cLkIeL488W9{0Hq-k*J2c4%T z2|+i)W$XVl`C4{6z5OhOFt>aBzCxG7<%Az|V@K?PP_VGbQSPWTFZKn!p_S3Xa&v1a z7V?B5JkXUmT&62ygQ2`K#w(Pk5)37o2}qUxfyym^>Ri>SzjODP#(NS^?AR09-M+uQ zZ_M^BKT0$&-51*b_{QeMj&02wbDG+BwHugEetO$4rd?62B+qA+6^>HmYj8HqSX2wo zXH;AHR>c%FpY<45^&&g;t2!CS?duxE`D}y%YG&(%+{7o!-0H@9bG0YtTj7g!m=rCf zz&jF;G`Z?Qd=SH131%#Z4CpqyJY>VE__%wP7s}> ze+KlLbm%wIUv5E%d_qRYT88;D{6(>-e-a2BEC2-kMj&!a3F1W{9f$t7MFg=(CkgC? 
z(e=T$P$a;`e6Wl1o0Ls}Rdyu3R|xumhePeDIVTHGG}s1CotXnidiKs;H;T)C(w1Uj z+~eV+QB#)q0FtCf(x*Td&MmN|c=@S;fxctM7(-xDp@=XTQ z$wlw2{LlX|30^;-VUNH9V}JqBv#<+h^2bE@XgCy%@-zMT$|h>c=2yVgO;bmhSK#BQ z_{gJwVy{WJuIa924_2>T`rtFm=Pe5^TU!5udC9)#OAa2IYOX zsHN&&@zGvUT;}8|`ErX*>S-1!H^!q}tm!4;*+bYf|i5zrWz+?l+uczP}=5 z_+s>?GYvP~^5gz5o(;EDUwmfV%(_QcZGQW7>p%&sXk#Ve8rXe9dQ7U(7pK_|TrrNA~rd)Sq11_3Rt}b?NNEcO4tX{AF{`TMaKi zGyU;WtyZ_&J?`}rb^m^N#hyEEUH*05JdgJF*YwK*kDq_?;4979b;=qNodscrqV{1m_&wHP3JFsox6Zb!`cOd(Y6JP&ef_{F%r$tpeTxA`> zt@#V*w`9~AR!;;A3+ZT`!@mcB5d@O{3x@bwd)|K_D5|I_;UgrBU>pvC4+f%XbM5{1cn3P7N?4#kkv z7zJ744Mm#8KE&Pz7bNir&uRyeYfTw(pBGq5wI%~dY4iE{C|nc6-DB<)ohg%xM7RzK znHH-dxHU}FiWw^wc$wwj~M22Cq z0t)vfuzE=qS$P3B`l4X2D}vkS+$(k)Tf|3}GlD444ib_}E;*5Q#=$kcUc%u8UK! zYND?3M0hVufIiMIY9N>vMUjB?)q(GGfe0?cyv=xMSO&T>0&Sc)FurIsj>iG3lH&`m z2rUQNRy4wBXnfxAARjTN+y`Q@aC4HkbC8A2Fg(GSz?>V6c$y*d!XcQg)ZC}_g@F=F z)_X$%&PT#G#{;)IQ7K?qEreFK&;>3*9E@qS2drujMLHBzxuh2pBF0fsSS8SW+bppf zq#hzY8iRC*qNW!7lPxp}{b(r_6{287gsm;6Ly`<==+Q_B8fN3Blys0y@nC=phj}jq zmX?9Q%77-T6Ji~Fy__d`mAQiR$59j+wG;Cue&e(n^4Q#oQw+?+3NjH$Q-G9%tj?%4 zE;A-HR)af5HD_WTtf*iotZ3G)nxSEFN?^=hjq$VwXx((thJJ>vz)+H(GK}wKSUa=a=~ZyjqXG-AW}Sz&=3EXQ6EH>&ShAW3YY4Wh zTVvd(v7XCu4^z^ivAc7n@s=H>NCF{XyK^C6n#?6GwYo(>15Wqu|(Gjv`QPK^;uY#FT<<3Gb0{ z$-LXIBfR-Ys=Ul&riZo0UafWeb#Aqqj#?i$E!{c~ZNgEgYl{hqjhA*8NjZ6xg`B*4 zCYDzjZ;IgY#yP++4aT2m*3Yx;?J)tmlkr1dcdaW-`N)F(iHx0>2Z{u(@BZQqd zB_pgi4~c;Hj)Zl+IhpkWX2t7Bg|Gp|TThv7qsDj$mR7TyRB6Zqcye$FhxW-%i#)nC zINIc3oz`iLyCIA$FrTNa;n1K*Z&n2*PCl+NeyXt^z1gii<0@OAda5c8EpPu6Re5;3 zjg1f%+x=4@vC}Edq(_Ak`|6=75_>~|szHNdO>pFff~)1o-`}b#H|bb{UD~5H_G_)b zztyc?ZBg$9m#Nlf)TtFN*>6WnH=PA=I{ zvF@t`E$RDQWeaIJ^jn3N-M8n#-4+%lpX9NmR^tZP@!k$+)*;I`^tfzx6P=Y;02u7F z#`u-Sy4mecuF530LG`4%O)`a2{i#HK#T5f(!Bnt7F4+J+)ly(>o<^|fy9pU;^E7~x z3pWT#ZYiL4-ASB5E;TUDQH}AU#=7fHcT#O8sR_`jOF6XXyQh;tGwFpZ5-dyDP;^g+ z4Mkc792)cZ4CD(uPgB<}7&eHmGLFwk*A;Kq5LYPgYcSYaW3R^gc8yyq+em-G0mM`ydshAH0AF26We z9aXpz!?^3NHJ-?}UYv_?|6U6)lu5?N<{9C1Y%^UK<|1%G9dmFiA|VH^<#496H?Fpz 
zi$W;sM0ofz!V6^{w4H`FoY6=X0D9Yeyx)uJMXMzOsU`p~1&AS`Bucon6=e)Y6H5x| zgNY2OFvVMUf@z7yBDh{t{^ zt2!e5UQ00U_d`=O7m9jbzKx6fW0orPhGGLXaEWCQFEIdDT;R1Y#s^^dCCoJ`K!H}eWz~}e-q83VX{0%nYC+d<26QdZDrE;%O z93ns?^Bt}u5nkCh^vFOS5sD$zM9D@}ADkT0%~x7L5^*X(T-hRMBQRPlf~C)@7;{oG zOP^m3ak1hY&w1B_7EL28Xe9SMTC zHYxi_KZ#W_&1k5>;X5K%%L7i;HwS4bzBp-GTEgOobMCy=s;~HzK z5kh6jG+}TBlQ?#;7e{7~Y|6-jMCQA~QA2fOV)3wUm&N^+qphq)r>}q_Bg9)8!kv2D zMe0<;PnW+5Dsc*4^dN%MU-jVfXE01_DCFn4Ao_S`sC8br`x(qS)DA)66}c{-K7c%~ za1}(@Qu`AqQ~7daag6hs+Aq)_4GgajO`S?7`KtqhNk%s<-_mzG1Y$@x(bOr`y0R4X z$s;wa74iTJA5ReFhvihnmi(y&0g$F>YVgR{7cvoi)uGr9(%)mqRD(DC^d}lJT@sq~ zi3WUJF)WQtFj$yyPeCY#b&c#)@)5{jW~6J1R3|qDihNOVDj`f^BwBOOHzh<1^z9$* zcT6yxB?Ncsw{F%-Li%;ja>;}-S81dAmru! z4y2(;hfcnX$tfO$?SY6{F6u>7i@ZakGu6~%k Mw=hg2{7>rt1-KSsS z{_v;2`@D#V5fLe3L_|bHM5L4(5s@NNY$-)b5s}7-5s`}&5iuenVtwCPvu9@QJ$s*= zq?F?Om=7eg_sm{v&6+i9X4cHCHKF9bTNClbwTWxTCvp=x*X88Ia^z1U2k+xI#Yk)#Ig&Rq5J>cy(1nV@_dts;sI3&qU#ZSaLzk9VjRafCfcxPrO}G)E9V4 z1Vu&Ff?pP0eOac%A0la-l!3;Ax^#6_*{pbZs-cX?+!#x4jJbCSGCA-7CXjq%;zmXC z)j&P6rmi|YE0ro5U7v2Mv#7q>pYH^oBWbVfn)dt(fzi}pXDqoh=DuIlAb`cjYO_8y zvlKN+4J=F7Se59@G9CW#+Q}~{PuG-+)<$3BO%RO{q~DOZK{Y{dkbrJQP0(Nw-dkrm zCi&Wljt9Em9fIcufe#nRC3O%d%@han`c!GT=zcTms~XXX6Ge%ln^DSBQTg=RiHlMw zlqdcdQYVbZV|lv&HD@ayed_9=(5h1vDX({e)$!zt82(AM;YSEUoP?veTL|n`wT-Fz z+R|!^xrHjn(J2%UR~OlfbK|T!so5lnLj`L!e2xi}UZ1#LQCa}h74>zu4!+f*vp~Lg zyuYuV#=ItPa9A8mE{?f_1&J0CkcWm<jvs}TN+C)RpU}L6uZ>`M7Elrk^=eO@&5Ypi}?k{bb()q_~XgPJpm7X2$ac0Qng1f zK$?-7I;FHujDdcfy}S%ZCHz>g^|01XPd}C_pE7k84F;0!Lj>E^XY6}m2#mvnni}c{ zO|7aOq-GC(8m{)|JAr3EMM+6fU46PN)zC1otfqWQbyclYOY36Eb!wFD3MQyzv(nlB z=czJ*$Kp?+%5ii`(xYajHw5Ux*w6@0HCB0(Kr>0TAr)(w9J-&foEJAnP^NO6LY4AU zR^+E_8U~tyrDcL^;q)me241m-Y~Il%Ixq}9ny#!JSe~}~R-wvqbV|~wX3g)8q*2UY z%gWMCwT-5~&5I@H#aub;ghBRmPK@VG4XJvoP2=LNL%(}KjUEJRleM(`nB;@!r$Mc0 zEE+!x+QzEV>M4pOuFP!6AS*DIu-UKGs(k((oQ$)v;`l75PR9znb{K=x-JT? 
zW}z=Ir5rDQ!SsngSS8)8OrB~zo|DM+Y={|$((3Zkx+!&7{CKvz@yYS-04UZwu&Te5 z>N0xTh$&fjG-Y6kJyII6iiW4_?PW+mp6mFY{L1{sOv*f6UtuVevLhGOnV^Gr{Sy7u z@F`3rV;?|E`IjiUV;^wv-%m@%<`T4|o6OKMH96INw-^UCD4+-!ebY^0^PPNp?Z`iV z3NjAG9tCQi)0k}ZEWLhsAR{mf#D`&Y6v+3E_t#I!KX=tGiVU-84T1w9Y(>`n*?UI8 z)hgxnowa9V!=;|BV^tm6PV&7|ApiQ?=^dHc$!?<{D6~QE3qu7jGT< zEjg!__F>bLvUKgVDsKUXjXYwX>5v?fAG^@X;>W^XsB#>g66H+$g-!kgRM-n>8)&fx z&k^~FRQ4U4NR`8_JeZ?Nb zQ9Y}+%vDxx`6Qc53C&wVx|`kx79Es=T)ImWsg1-hIHGTfAB(&~mE-6XiUkPt z43T5HBCww(PziiXEZGwCcF=81#TqBa4$1=y^U|qh<+l#GZKzGX%5e%+%BEgzS$9Q! z{`Au7CVTTq0p=(`NNyrmOtW+3$%0tSi3vkoERoayT{#8)odF?jS=BJ5VO9f<0Z{V| zO~T6f?~}YQQR#Ol-mRvH*8&tw>DZ#CjrBn@Z)vdA;1Ea3X{=xk#_FxsHeAvG@3_7 zsD28FDQ!Ir3~8xCmE-7?zh%O7Qs_D;3=o*zok}_(l}yj56-I0*m4F5g)KKks*e$Gb zoI;iI*D$Pw>q_fkD4jAbU0v>B=f*JwheJeFZ%W*xddZuBLY0#HK4Hv%lU2mAU-^j* zYmU0oMsz`NXj=^b+)<*B*lqhn{X9Fu0b_M+%@6dCGUOj zDExo#u#$hZTI!lW0Vnvv&x)|+Uqh;_3B%B=DPq_ZgRwVy%L5$41ZRRkL$H7=FjXkh z#q9aM`%5fx^YGFUzp@~!s-m{Ev8f(gP`+`pGFj>E-x^pz&K80_-$MDIlt`th+u@prb3m2T{N$ZWSH7RygehKWvTi`C|is+H~|zrD^#Ej z5^Udj=*&Bi=i~0|wx8976RmQf#=SCrqKmU8IyJMds-DKm&}~rvSm^gUt;2nV%qP zGzExL8m$j#(TiVOvGp-|4ol-BHe(xdje`scdP!?PUp)!3I0~B>E_+6yuIiX#Q4?-Ri`| z5iTZr*>j7ZmikcgL#`_%&w~g&Z1_^sb_;)(3xv$$Y=$9Ap@i!9&fh@wdnxlSOyQKL zriZm&fqd_HfBj4gI~ZW51NbskoyPu(J{Vv+K@ch!7Z4|*_N9Tr-*(Ebzzqzn9dF4f zPUTfN7}^+^FmZYEurlEOCRK}iyGd0JU)u9EUuFRd5@ye!Z1_DeC-_;ZjR<_L&pSnC zG4yCQW(2;R!C*l)3=Z1Q${car7C$yCRSxD@UKvr&SRljJD-BhTOIwDSbE=OG7);+h zfaYCTUx=`|6?oP*@2?~(lbuZ)8jRovLHK#1rpY!>RF0WI`*{+!ih9kvBY`d{?3ZCW zqL-K9sDz(0f%AoA1r5{XHWV-?ux65nVEtmu&Z%^mlJRE&W9J)pZzt1D)WmV;l{Nv|w zpi79e>J?(mN-JoyPw58$@NBeF5@w<8@?c$n(;B(0#1sxA#gWUv_b1*z9t4VAelfKi z)F4i~R@GKDifbr-8wV)Hi86MpAaLB(>0`de$71=Cmn(k9bJ-n(;)K5e#TnSrij=(M z13t!+Z87|FKP1{OBLlA)cN$XQueyb!< zLC;p^okkUu?EF~qPC16K~HU39HGX0 z-h<=ftwX>4+zrTHLuqaK)bvcMx7p3(A9s_zLHIbbtZu9YOrWe9>iDu%jnG5PLRb`E z1ADxV7n>nk&iX0 z8XatTQ#oeb@Hgq3Wj}6^VvSpUIOI;9$IJ$85RpR&{$pWn|k*e6N)|&w`NcE|jw77DKPOgB-kHDS4c5V=uP1f`}d22NQ$vVr=E^S$jz^{U3 
zxEE$2*QP#xdY>T*z=B8wCOdVF4TEeeP(HnOBm^&>Rdh0C5B>i-F)CB8uUCoD^73Dv3PY|< z3T9f!?_QzqOdYB*&*Fc!OFCb@U$Z$OV1n<-)hMrH`sh-UVT>%V+f68Ml0)dl;QPj3 zeDah9QFO)MbMkZx5qkw*Yw`vjBJWDQ#l+kD@8Hr>6uDQ_9i=EDuY@Z}QM6qlH;|&p zi|cVpZYW+x#};FvXv+3}Q4jB~c&D>Td$5~DSd2C_PAS7k;q3&6URz;n5(@1glxA4!TG0&!dy8HQ)Elx z;^M7Czx^cqleD*3l2%bQJymNiMwmG&2joXS`^lR=B!FAU3snv*EM6H&gfcREXDlru zDy!;o#y7-Uga^gIgPp~CM|Q@59NtgIn2SovVa0^YFPyv*M*vX|Zri;+tdtY_*3ZnS zdOVt*ifS}g%OyO&_uU;#pfa#56H}X8B!2>@i+bxU$0R{)_<^rt&t_sZKy~TVR5kA} z(rueuvxTDw$V88Qhj`~VLr8)WrVWZv$*@jHL|WizV@LYk6E57u%98GCmD#st+~mqxo(}7i+M-eQrL}MrSeCXl$5p;;$N%VOo_AT-7M8TUIx(Lxf!s7)hty(nL}Jcq&Wr>k(V;oH#k&6|51ktH zt6}e-aM5XadD$a7K(c>BxKNdF3RM{p8r*E{BQK2?dyZlJY;G5jN+ zV@?RZ;*fVV)&x#CJQ#K=950O>xPt)(E(Y}382I5Ux_27R zM%$a0eOac%AN*8xDWdxJ8P{sju+f+SYjyDQ5iE1UkykVyU{+7pPN{=IybAV2pG924 zvKgVyK90SAg4F@~vP_3R_!$v3PpejawWAOn6>X5dh1|uMA+Xw^XauC z|M)5DQn2f=R>8T|vUItebQoK=A1F`;u5T&2C)B5><36fAJ-Rkn!m-}?iS-;=MYk%p zL_JjCA-~F%4JOneaCmt*4%bXe*Vk6r8n2JZb6DC>Z{*ZNHFtfgLhZTpGs{u1L1Exr z@S~-*sev`6wK$bx^S2+*#l>(|)=y`Y5O{!XGdDjH%)thcfMB+a6^jbdc9wkle0zy4 zIJFC&En(WUV3rpGk#axgC!^;k@F=YkW$Lp+aRflV9lAgyraZox% zcSk8Gp6m4EPyT8|DSlNAziFOpCk``+0n`Q@jd_GNMESDz=Q~&XpFwl@vUp5aGS#)& z-jB(~+*Mcb8^|(sg-cL{9+~n38?-f2W-v7iSR@Knj-ykTi1GRWBR5coVFR=8NZc_V z7vIHMR57fjB|Tzq-(`0YcR@{I$6! 
zi(2F=LWNJRKwo}6J(P9TmV%tu-AP$j1HDItn(diY-0R_|ENb1u8%R-Nj%ZwJS7lwv zvsOQ^@1mhAW?bsU0(ld&=jPH;88nv6hiYW&tf;*%)nImGNhk&y^j~24|0rgDQ#=5n ze#@>6mT;^$ek!}-B&gH})A-^)8$6(&tyE{v{Puqe+|cR%HAJDx!H$tvM$)KuprTA& z8GX5UkPJ-hHCXS+G8iyW3~Q>YhSjm6DCBmv$#eRcw4_$8ucJ7cCUYNlN2Cdvh9GXB zF!21a!L5MpGR&E99$q@)m!FuZU5|z)MBnfny&IFIfdQm}xs2N2u$xciaDT(RBV5Dm zh8iiq#25wu1iUWeoOgtsR-%`AOyh^@F3b4E&w*XmvC2DCs+nx7x=TGSaT&WzV-T<8 z>oVThN2xu>nBfjGuV&rMX87guhsn9Z#|~~kcvS7?!t-X(wc?cW{fIsJ}lNC%sU#)StIq_CY^ujZZ=&j?$P4MYL!Bj zj|vwEP{z7Np!89@95fi%s#$8X?f~YH+-~v{7E!nUtKw{f7sp z$fHx~u@j0$>d#SOzdhsHU1LnLXkxHHWVy7ZJr9vzZy4zt051`4P;`PKb8-jkp3 zt9;px|FJtH7y7pJq~|#q>@hP25FD5kn#pW{$?!-hr@6v6p-gp$!tisg3KEA2nr=?q ztTqB*In42$!nnCeZuI*(d7WLx33=BYikUN~_E@q#=8h32!VsY0h)|8%M6IgEZNN;! zk(wD7!NCCz7vfB3QK^h%Sv0LaT~p+%$3UxZ-_`>lPES4pz0h209O+eq8(G*rCB@a8 zmu${+=f?y)dIGwK^w_dmmaY%KB~_?$9G&vl$Eis*mJ0QQL&o*>scPvFP7PChB@+e- zlmxoDJRs*asnuv#`LZ4Vqo1%hYr^0I2tF_MfdW3S$qWwE1zbIPBmKW!0h`Wga1 zzTX}Aes!akF&53C3mh&=X0$^mx+D=RhbD%qX`yh%QdXC`Yf$N3-kF@cfJJ(6Mg{mF zoeVGMM7;MixW5)h5BxwtGiCufznvf^bP?d9(SXc=qLst`C`4<3k7bMDUif)0TZNzZ z9{p6m&7yjm1Zt)mTM;YI;85D2ha% zg?*sjl71@9=&EEvi9Po*5e^5W3``7E`cD`ZD;pc@8txi2$Wwq=kss?n^1$JFW5ZRTjiaqdFIj=Eh*f!M zZ6mzBSW@3xXE`S67Z$T5lx6i5R^AiC!GJY^0Wmc_a_#NqV9o5M{ABdg9ZhKhZbMPu z@ULH!T$V^(00jY zp*{FS?rML&6L=PFWp*73MPa>3$Y(uWK>^mlQRtdfc~z4=u`H199q(@de*Xc@B(G9s`8ci9tApQYTRE{xz$*L;@S|40ztZy_{7(p znRnF1-kx~7l0o5B1LldUTB(06s`|1_hd=nGsW%O6+J3^XnnwfhOUWx<^d^ghLY3p_ zl%Fw$gj}s5Oas~96>A6_7U<})ALhcQ+8RX4OqG+4i3~UpnDK~{Z$0yn`6gjUvM&wu zg_8pA6si<8I+MZfUl#VG)$=N|izdjr)K`M9_tlk8o=h8eLlFeV_MZ5|yw*pNk~lNQ zziyr|-%NqwY>j^eUF9=Oqoa4)K#ZvrBYGX zY5n;y9{S2dfr`nYci@ig)sK;_+x4YcKRg?LSEA=%EN2qEtO@PW)!2YtE#Ek5euQSLuU2VLP%!9B8%NQXPtEm#O0Zbh&VEZ!Z|xVS3|n&{?hAvJM4&VsH~ z+N~RQy)~Yc3uZbD=m!nL0v$nJDg{mcHZ4>+*<5b52@5~_7X}kF1#~-IQMDs$%B!ol zdRJIQNV=?LEBc};0|!C^8)ai3u=GRj*asZ^2XdyY29Qo*H&ZX8AIrDdxFJS9zmaCV zwY^nd5)YO(4Ogu1O1r7d7{j+1j=!N^D{Y1^ zSNT>;qAsha${Q^7e{Vi2?HXM1-YMT=G2J@r$A`Vw*DqyJ2r*ZzM@q*g_W!58C?jfm 
z<$0mB71$f&fAa0NXejq)SC;3=f6hSYmFRQwU76^;BD_uhQzi=E06&u%MDdb)n0$A1 z-QO7BlJ;y$?II4m>|P}^i0+l-Px777ZHV2DE6I~&$Yen&*(=0{q}}Aoc?b-SBKV#; z+RE?h3f~;cf#s$49@#ZXm&r(M>xv+6UKhi0h!dDh9wTqGdP9)P2xIc=;VbfAB8kb$ z!2G&tl8lMw`)l?(Z>rY-RRzQnZ)D)1$pqP)bv8|8zrNzAnD6 z?4_k5@iKeDif*~f;ukA=fWE9=vh4K-Zw`B2c&UA6MN8~un!-mj;8IWBd*Z**-tSS( zV>itk;khxId!X+P_t|KhjWS*}wmdW9n5gxRj$>f2S)F0)gRNBKHPPCpVjdd(9u@fp ztj)zY#80DbA-|j+8hg{iOOI1o97=gz#wT*4Fz_;uMe=CZWf^zm$)w9V#`L3>6)0_` zg}1c(EC0Usvw~8JF4Nc{EB3mK6W#Q?SV%0k*?YM>E=o>tozLf)k7n?-*#Awr{mnsY zmQ3XIhpz$3_AcO;NdHs))kS&lnH9`0t*%bb=mNK< z#)|SIV}R#7*r>@iC$;*sQ(FuQotOf(GjL-A*V*)k`tTCiq0St!Z0{sde|40IWqEEE zC#0*Z%4YRfJ`&|4D^^gKu12>51esu2d2l1t-x0sr%f4erOenfvx`ab@*%K>NP*pBY zasa4Iu&iD)Qd6hkq;h{prC8?GxSn1=XlhlhxT;=N3%2`Tu%i0f1{kAG>&KGXvQw z$+LwVij&XCR!Npk!HW9JbHwbmz9)dM)PY}?T_BI$qSi9Ovbzo%%LL2np(IIV4S+Ji0QM8&O0h@btrq0-M^>z`w|9*J zOi)Rd?W=V(6X=d7`hmPyYLt??&;{Ts$$;zri0ok33~Mk?Q#F*;SJjCsjVJH1@{xh< zb^n->TZY_z2l|kgVwr{FY^wMHPL<@@rBlnwaZ7zDvQ?60#{^k1_TpM-DCkYPXFO=; zEe)0Z9qSbTRF^tCI>`7>5d#8bo=OROK;dzDd24YLnpF@6-oj2(B4% z*MxVMy!XAM@c+HTO8&LK6MUn-2D-fa?k|zQ*-NbuL1Kt*)ZxXEt1V+f4mta|0_Mcv5 zsrp752vv%~h@nC;Ozup#Qk?~rQAw6vP@bAD2UVG1S*k<44qc-#r;z%U;IK+E%mu2~ zdI^@L#QKw^hD3L6Lt|Mp)M>JmBdgP@$5lJUUan7B}gXA7BKoUp z{IGu5!#RI}JV%dlOC}Twp>4z(!282q7tVh2rVn}ALnT@E_4m(efWPOWlJXj8OL(9v zMc`$uJ;GkI&wA^_)sS|bW(BmG06#)BMqfR*Ed$N`iNVM+P<;PvBgHGwVeR4fuLI+Q z&m)fd5^VMdM-M);f;uiaIG}=+vuqLk8$%EI4A)A4$KVEASO{(QrKJ>kz-oM@W+MtA`<;nbk@>GHPo7=&-4*M!pcJs5n2V!iojrj$(##x9>m*E1DJ6`X~h?&D%J_ zc?;cQUeri5eUB_qg4HTsql6jOe|&X~u6mY}>ktKdxmW0-+O$IFLS#iaLthcn?GKcu zIj=XCgc9`jm{`NGT_bcQzP+R&h%j5w68O!&`-c@o=-~(94nPO%2|jafsaQ8?1eIjj zo=Jkdo-}9+g?wbibPyOoQ88k8wps-tTP1n6ill;UmE_qOX2D^d&59xdF_g~DcrX$z zM1Id^U{$~onl7jVXn;(0`kav&5@Mo%Sd0nwNl(Hs^zTs|28L9}RzNjWm;{!66|L{4 zctH`s4&O5?7>qUm%gK1MUyW2=?pa~&{2xe_Cx4c0uX@88Ry(=}5ap_#0U_t}nBqzQ z^t##nKH*Uzu}#E0%IkvGxSn~aw`mqDHZ_}LNkw94l`@nExKJnD5w8^*K}CihgX{=r z(UBPpvfm9fm?@ill=2#_nW!xo=5e-vsLNRfHQ+i{Y^%*Ig{Om5k@7vO;fJzDd0WNg 
zO?zh5Uuc~QUWcex)(aTF$PG>U__H-R(aZG7QR*j0Sl`+IXI<+ z4>wjwJDCCu<%5c4M_Kul-3ec*B>zf`8yH^1ANIP7+Wuo}lx_P%9F-FUz687UM*u=r zNZRg%*8PVG3QWk{4Y|?jA0{ZRn7PsEA10{K>4s-{`iBY1%wo0O3El1=CMY&|_Rz>F zEl>Y2K^Y0V!VcmLNDfWhC-!Cg4@e%)O-%EW7vqUXyyW^`iRoT)X`jTLn3rC4m43bC z+C;7Q_QG|E|MZgk5{XB>jGh?o3_spskv4XtCi zd3|z}u71Z@UHx6-b@i9utI0e)QCD=?1Bt;NL319`fHzFi1x`;++~pNG{-MMuFL~|} zP4V1PU8RdtHH2L$UEpwq2Dai+UEoBue!D8IA*}eYDbS#kEz>oTr)KESmOrkgqy4{h z-46Y?PM-K^EHTt0c>l*@iFz-+dR|O}KG+=7uvgDF?^i4^?@xT1yx|rOZ=Bd=j@kF9hd&plt0yO_`LbB`L?aYz+ZR7lsW!O zQ)cBcliq#Y(7EA+DS!AC183K7O!-s4HR&~H%(q)QO?uB+Q>N{lk+)NSGU<7LHtB;G zOj~zeG<7`os)2cAcCK#66LWI4COSViSIh03PvmOeo@h4jSAHs2%f_-#8#o(2ldEOy z*b})%ZyZ=+K0evPG7f$rS4;Yu<+)nAPp!z+I%VZoa<#PX|7xz5*5hBx)mr1g*A0T^ zb-B8?&0e3ISf-Ts+NTWJoBzjDZR5Ah$BQ;I>RP^QC~AA!6l&dW>bd5b+{7M*Va0O> z_1x#pz;g5jlis~IH&N{gG@nT1?wM zm#4*d?NU=_@3K72txaDtWtvy!Y0hn5m8V;yb+sw8ZH=L)eJ!JBouOyNdV_2J21C!0 zrwp9tR#WEUw+ze;oAdM_vv-Rre|D=WGxvMuearVvdgU`Fz3~Su{ajw+-#sZ?{Cr+w zzG}(2d-4(=@iGqYH4U@$r99KzCl2H#UR7Ugdf9+I@KZzT;=_5mzaH)|WsV*(Y}|a* zkg@QX!M6UmVbQV^24>qy(@e{MYv7zcZQw8Xy@7eC)4X5x$2_BP=ASnihcB@DpZcr8 z);c?`h2_~faozYE=f<_rt(q4%P}hGlZaBGqL0oIiLkr`Ys|TNmYjJN`VxV69TwFJE z%Tj}R=Q0E5;BxbR*9!CP+LZ?WnN7%W2*5cnb z8O>Ybx^Er%t|92$(yh*pdVA35wG?VUQFPitK zUP34gPfoY}$h_bBWAlE=Pt5xrFB_sa{4}n|w#`2?@Q?hQwdKwu=Hq=wS;qSRjq5R~ z^Ve}L5VPja|76M>`LhQTq2VunDsN1`()#-J z3IhnmD2byer4)tAd>)oKQ}pAKqN0--w&R@5&iJ04wX;bDZn(K8;uuO^uZZ z!2CGf*=R`QCJM&?yC@KM;?+2_n8?k!J=Xzj39PU@RaVtdm98~##05B9l}q%ICE~)J zpvlcAk3ETgb|w+$xxw+u(<|~cV*oH8E@8ys6OiZoUfd?-FND(){>%{&#$bV7UVuUV z(bbY$xR*!H+IW^=Fc>Ma0+_D#a%!iiA45Fysk8WJNtr3mmE&CWz_Ob1Db-cAnsU*Y zHw20>zuvO7i~I$|g#Zy;1n|7@=aTL3jw~hwfcc=~^kwxC=e3~t-?G8vUH6r={Yy4q z1o(PWrf>XC(0GmBndvj>n~WECGZi;J!1yQc%Jhl$y5)U=KA4dr>FX*?=&46uDP1ZT z9WY}fGB-Ze+n`#g&qYfvM3N~gDtu!mw&L!f^+85@#0Tjnimc1qE@N|h-vs3FpSz+f zP(EX&gIy^ja9|dZwrInh+xW7n;KIMvMs~#BcO9#Y3(eF z%V82#ZRuy<%PPi+5rH$q9j!o>7}(V8UpsE3JoQOqrIhE>G1f zW{7!BSR0AJ>8earV~bN+O=XRyvBNsPIv_Yjw7R%ooA%)j{iLd*7SRgpF#?A*@V|ys 
zzrp@QOY`j+%Zm$=Rnx>x+tfgkUOnE6o=}|ix2c(RRk)Ud2_1!f6!XID5l=%z^;CTw z0;@N^UQ#a_dQjH2scL9w@(alwS$~UjIZ!`SYMW}N`aulN9z@gBM^j~5eG1xd&idnk zp3WX?V6rOOKeMd)U15By#{E!C1d5vt140rjp3akbM1m(YK@q= zUfyT8&f4UgMTaShhN{O?QelSW26biFnBg0N19N#AR07NjgAr)DTr|boLwGt9$Em#m z*J!N(-NMO9g$P@#)Sr-p08U*-FcdvK;m0LbAEgzkunDJcm4z<@qfB+Wv>XZu<3bZ+ zp?3*@=5*Kjkq1YM00wUq@D@vw3!;W^@18r-iVADCBIO)o0_W?5-*PZlI2)D&EZ zOM<)x*Ezn~kLc+hTUh~b-WBZI-egJ@Wa9*2Ht6*~*&IApg_IT7lW|oOh&^kADuY=| z&9qXPRLWixdkmr6@FlRSaC|c+s zO48R3IP2 zSI=6P=^GtPCzQ*5Aia)rfd;oo@%(`e!_d!fK7{G&**RP8KdnD9@c=u>`eqYS#)eis~jqL?1U=Npf_ zC56R|;75Tm%3D%Ieil7$d6uHcFYU1`s>di2jaud0k7{N0Rmhmv6={Dbx@uN7 zHX2c|chNAVNpa&c>^F9?dhI-DEdC_aw2oRJTZ(T$xAWTNQ<$%r) z*#zM8+wivcCj1&mfVZ5!V4Lz!eeHKOt5g6U|0d8bg4tII3n0wNenY!xv3@!SpUHu+ zPg!+oLxayGFG}{7uc?@L&SwkC!ty3*9+d0L!c=X!HWcDDe&GNeoZ%?%+%{8k@KZy7BLS13bi5}Bh`1J`KK*-nE6 z!>%)5r7NaX3)3Fw-J5*b!48)2<%Tuc^}Z7Rnv$)+SD->!t-*wA`Ij&&cf|pMW?CRb z5t&SEx4>^Cth>S2MDrn zKxD~))D%S)3~*H7H;tmGtS+ssP_+y%5v0t9!FN&w4AX83OMvFLS~NG+S5JY{D{K;Q zVr(Yh`fYi--r}q2#tNgq@{k!LttcXluHi!CJ0c>Q-F(-O`fyXKw#>5yn~o?ix(C<6 z{d64zl{dm`(bzXV6~>?GrBfrQQ(96mnX5%quTOoduBnmKSE5iV;6CuGn8KN#biGG% zsN&400*dRR#)b4o8`6E6Rpj^bjYqbgEfn|Ag-%sK1-Wpef$Fk#sDRX0z0^BdeHt1| z>l@{;LH()#FB+Q~IHt#B*HQ8b$INk$fEfA*W!@ z(U5{|R8ZTSs>mf@lr5yUXihm!6*kq@z=v(B+>BLkqM<%&QRUASz&MfD`@Z$@SOzRm zU<2~>X8JCAvD26G?Iq1M^gevyay8|JEKek`zmr9XXh}PyOIaF5oH9&A%+{S~Tst(5 zfA34IXzVg!rZ*d9e4$E z%*H9wvx4lBqVjfN6j~{kY5Q1)LVhEf&73gvnH{%ATYG|rGdqlwDQcU{?7*q4bk@c) zJA@a5VwuS@R3>O3v%{%sz+t8_TP9g?pHVDBy(7$FcKAsR8>6*l2n!LUXcL%Cjaup| zh0683kgcx22J|<#UOP;xSi3PY?{adICsy=IT%X+i7u=D^ zad+koNc8i7`>!Mr_|>uG>X>^t*Iki2V3Ow-&Wlc@+{Ag00DKXElgW7(aZw`2ZO_+$ z$AsQ#pnD8C`sMHHpY@0WA6H1ZfC)ONjzMVFLn~JttD*p|B9O)IqtH)8e3)8*yQC3gL7vrxijW2 z?c=uf9xy2oqb3-N37EG7vy(gs%n#+bORw%eW;=-Ss;k@+{ZQYO^iKy1T#YZb6R;kl z`mTGG>O1F6-N#C+WF|CAu5~-E88FE>hhl!BfbSIHI}3cnAS`dz_?oljFS~&vMG3g$ zNg18%!gcPp>mWho{nsH^R6sdrr4XRaf5T;^9Cu4nqs+cZg$AW6N;LZt?y|&yNjj93 z32FswO9|U?U_&>X-M{rF})+L7{F5QLSdjlCxv(`FFVc-Z5a3aCu1azkuKjA?N^tn{wPa 
z|Ev)>p3PrfC?Y6JW67m4clA5nlmCQ1#A1Z`0)_$VysroWYo1debjF-_8L0ldNCfop ztKvjWE* z`C6awh#~CAP41?fFo-GtWhPY|@($QK2;0)R1)_Hyzr|n+JFJe?hq-&DaW1*VJ#jN| zD!-~GRUGmTIL{K!LlWnP!G?=j-O18jO$GoxJjh);2)aW#B{c2{foc9KAxKL;PPN-J zq??$uma0wGy3Iq}!?zBYL{6EcpF_Z3N$?K<{y?aVp@w_jVFauM>Gm7DxyG)fdGkok z$VEflW4Co@2C|vZ&z?us+w>k&y^I%x)EW}gPC_ku(8)X8t#_aYArB!;RH!=Ca4(_Q z4ixA?2k$f}!VXnS`9KZ*rai(URmi+M-GjyGTcUtKq!Pe%lrWtICiJak|86ja-Ko)- zJs@x1b>LPUx?PH2F^S z_~zZvWZi7eL+-u@qqzl7ogc)cQ8~XJj!2aLK$NJ@ zX~H)D(==&Z`+pm38JWZ^Erf7ta;kfJvb$^YfJyKMD*{>q^xUrr!D<6&H^*K7{}|92 z)uLJ76XeEZqkH^A?v@WhZYdz97Z(%oml6C|0Uztm9a9W^@9j`6z)?s34y7{9N~jPV)C4vy^? zr@H&6c4urqOlX&UMvB!mQ=PDTpn8ztoZ6LgTTK<_hJsU_1o{9#qoZxFG@vuq z$g@&0fjwN|uB?E-im8{1J?alV3S`Y|gj6*zB7r^gs9|5=28x^_>6<`=M$BkeJnD8< zfpIEasYw-wyaU1&gzyj$qCf7bF|`Y09KXlQYIdU9U0>Z*SKLI1mOMcu)~ zcR+lE5HDIxyxZDn5Qp-Po%Ywwb)v!D)&P`QFF?)_%6$^$uIWbW2bMb|AGGF4!^3zo zHz^c-%XIfblT`EzzAof!!DmU)@0)2_BXE<9;D~)C*4(FNxEp8a<+{8PtCs8X3A|ZF z2sQx0Jy?|fAB|v4;7$`Ekawl!EXv%7CX{lTx*T)vS(pfm5T=M;tAp19(H25<5r{Am ze)j*>jnE|`-z96p)e=j##N77(ayR@J+Qf@EiBkb8RjgCy9VpmG6l`8XVz6U2?53V+ zvr7`>(F(@eL;vlr`fm)KD!i@*uKbcg{65hXT`g#tE1-+Q5OPyWnH70h6qlzIK#fAY8nb z%!@$y2xjrzxEwa%_{{f&R46z2>2%M3Jl385vX0QUwou#5{UqwCrb(IZvJ*zpW8e+c z-O?QMCPxJ83}9h$bZ$Q5Sy-nDEWF`M)I9_IlMp*XhAlQxi@~0Dg1z|jMCZN*jLyiL z@|sAvCUxiF6Pm$w5}^G61R}RCWJHGX*>|6w0LqmTJe<0lJ}szK1{f1F8Pv}IhG@)A zN$rv+7?Lnfh|^;Pds{5IE#|IR6m#1?1K4(S<&YrEz_yC8ZCqNAn2IUmXBlt8lpcD4 zIGv}t1E;L+vx`0MY$Z^Ozd+ns_c=y**sLw&-amnr)_iz)buWOLNx>-3R@i6M;Q%4t z1jLhb+_ukmh1hllK!_`ol`fpgx@TH|Rz#4dFwy{jlE5!qMux=`UjTTub(8s)w02Iw z$3eKLbx$r8-An~UF{y~nojL1-Kx_ei%p$ffXZUZIr??6r~ zk+bQG#F|yBOv{hSo;BRJLg*+dcd+0$*lqa=L_>!7_9A_QhCM_>CuqQ0V#(JGOI{NV zQ3EJk7Q3&0RWM0K6E~^ikar;PC=s}NIWcM5+DpVFHoU?+D)ayxD7)*v4hDIl%wf5s zkmjJ^0#R@j6kwLW=9`9sZhM>{VUhUYq}g4v4)|DXbcdyZckwqx&sqAVg2bpC_t=vR z?;Tn99G|xeLNAPz@CxmoTrVmsL$Ip|>_EDXkahqmD!XGNLz>wa1MjX4(!T|vlPhw# zo_1F~1%#Q`$fpP-Shv!TCd}2?2JDxS}$aFzm@Q{uB6uM*v=T6x%EQ4h7d|I zrogqid*pk9ziMJ{QV~=914PCtkOBVgdWKay^Z3fWkPv=3y@Eq^cgGG?IeemjlCZ7& 
z3Sm3@16Jv<>6P$aqU#3t?C!apqHZ~bLUM%cs1(La>m8bO&XYoRPDpGkcCosJVbc~M zp<>_w-d+8i5EO3}==}xMWdwE2DiW0CyICE=CT&6c54_2{E1nnC$a)IWN(c`FA)4sG z9#)OOZX>NYmE}h&5IC%N54<2mP-N0hi8g*-Kx^nBE?a~N&0WE-k+Fy`+0F{%>WKJGK9VQN+FAjDs9 zM8$Rzp5!J$D!sGD_O)$ zaQC-+%b@vBi6-3*U|1wJ{~W+nlLnmCz=e)hEr_(>&Oa<#@_;99CRH5r4n(gaJSTw% zExGI$j0b_1^jz`~E@9_GBnNkW2iOp=#mx;|g~4yY+e+}(ex1a-{Rm@15T5jgqic_7 z5bi>hrzP?Mf^rB@Q2Q-MS?vQx)_|KI%?ZSlaJT-FlC*QfQW?Q zwj2k)dkLu|1?VLJa~Z)r3z(Qeb(~;a_wJ)ANfw8mHOmoD!(EKR#PU`GvEduU@)ai; zh=4hexi}(7Lf0W2hr8t!Aq>O94~UAOcUV`-R6B+XO=^l+E`rdtZ>C}DaP zn9z9JPcuxO22>7zLZ@?x8shHwtw3l`-6E!Q7YO0Db%gNj86Z@LB{RBgqB_bE4dF@L zv%eD!8gh1E@&5=Rxd8BJ(0PAg;Jb44#4sS}i94@TU=SBO(oK!HHYO7gnRSF=(>Dpj z@;@?;Wp)pxTM1!Q+!bfL)x~xa&eOn&R$A~U;PlL+-qAkQNYdLBVG?Fh1Zgp5(RPBd zem%+Q%JT+>H+(V}(k+z+gZM50ljDf_O0tu{?2}-&{@H-BNrC?=4Fhpu42=1$qLI!> z7_EN+3?%~=5aH>HfJkFGLdv+yE}&&H9U5Cj;1@qhoBvz>%D{WmB~?}BCyNk>Aqr7y z+-ENWe12VH!=PIo`3JS$N+1sdB&-are`6p$-J?MIbq^xlxUH`WK@$0-d%Of-9w3+t zH;^E0_-L--f~WBrOmQllsFYm*QFGi4vvGjfgFD1g3BWx`aCb|%+dszOdOA(RRm4gY z3&QWXt#bghcM~#h5i4uQBmsENw?wned5X?B?D;qY?1>QF48abh@Y6<@$cbdREX*M6V z!C5-u47uBybGtK3-$MvD0wJn!@>8q|p4j;iD&C8=1_BwmXXc{@_Nl9*1oSk3Vo`eH z(+p^|mop|P2#e&NSOCajy7B_SUj08LfD0Be*q%@m!PdDdgjaIUE(FX>ho2X360*_( z*f@Z5d@+OV2{*wGJxPU-P43bs0Ka=@sn!AG4av2wbe3xM=NLv$sSw7nvr`BQ<*rx) zgyE;Bo~5d^e2d!k)aMQ0F`P}APD>%yl)J742)aJ1ewb=;5Xc_Fp7pXUklE*>5Y5V6 z_JuAQ=p5B*-6m?FC11({QSd|*0%f^pz6dl?2htaQTgbp!pcsZjSYI|MDx(;e=?oNN zak(4BrHOq18T2)TW%IY`6x94x21|7FX!RkDdx-4io>~dW;m6Lm6N2MFfPUS&Itv7W zb54jB=C1rI;M*t74-xFuo2h%RTw`Eo&UI z^LxmISuE-hKFvM#ja)g$UO_Oo116R=%bqlBD)vrTShX>lr9m%hbCbto_~#-To4e_o zU|07P%w`aAL-GiSsKq+xDMLi0Z$p0XnJOlfJ;J}a=QjvxKsH$*C4ywvaTO z{~v}S%A=mSFHP{paEOp{?tFYZDK5@}I`kW`PY~?6-=*Pj&L+TC0^x0*S}fFethF>C zLY+JJTS6LUKY7!KXvLyanC@HefOhtGgfz4QEjrKQ@31OGq189H39UR_i*R`Ev)>ji zc0aj*FDfaAlUhV=fzO_Fy%YKt$d>~74aqY=juxA{)gUj<>}ZimjJ&Re2z>65Ex_Mf zj32j%#eidyz|>0B?AS`GZrwJ{@o-$M;~M01Bfpq58vErAGw`k9^CA}W`Nw&o_cLYq93>u%lw zL~dE_`_yUWo6}A26C7%|xxDOs-jynm6t}9fEC=!~P;;-{R*={n!vVeLK%Y`QQT@kU 
zsiy`IiU+|H-8uM{7WYfG&@|?Iql-VJN^0QA zq^#8OKLYQwg!h2NyXi&X?ITa!7DxG0WO%hh0Nr)s$+a>3a}j6KU9eZk^ZuVabZXGA zhP~e@oN&=;czM|)JBmZzfs(^S$?ETuJkQ?N!#RSjxcmlJXQC~t);e{&m#1y zd*Bzq+3(TP+LUt7fb+QQ33!(i-ladFJ%Uxg>H%Ioj~4R|1bKBg9R*hZGJF$ZISwo^ zW$yT2U{UjqDDe;0F1R#D1X*|IF`-d}K}ya-R4U>O&t4*8$+M(UmY!f$?aG~|VliK? zBW$g^;@7CDT&@qnQ44WdY6y6GOtvKuVY$BjBtz6ahp!|-($<5(xbF5>fX!RN!`371 zo&w)R!q@y9E#c??mf`El7pt|bN6=lj^EbegX<5JIX(6jSfe$l))n^#KsKH6KrkRja z-Q-Lh!F^$L22O{|=KH-F09~q%%t7tfgPI$X3w9MGK7y6m9~d=JT0&9dHv`CSgW$sM zl1>oQZyY*G(cPuB@V8j+_@01t7qMXe^VDrx&l#j+x?*`I69J+byJyY<`PClYhN98+ z>83g-@C*VvsMc*D049Phf9@dxw%GtNl-=g@T?oK=s{MxDQUEUY5VpPD##r5~9Ef%>(WK_j5H+YBHygFZu`I{+H z!3ep02}2S!UsXtS7ZS4#1Y37Ed=?n|vyIu?MeDD7k!Bm~S^!!v>b*ey2=-N1Fvdo$nZoZmAn3i@{3XHG z*)zZWpK|i1QZR2=?|}Mj1RqYy8<9>q;upX!`o56N4f|=)IrnP} zEcc|X^^e>%Yh9g(*Zf3oe=L3e#8Xps!Hg(pP5);`{@o zuTHFI5VyL4`gd$%z&O=hmq>BC_^mv5$F~47^99fo1b)duDNf&E;Qij+Nl>NLY{TX} z_sq8e`KkwD9xN*He04egM|7{*&xocw3fQokt@tiuxX(X4ffgGZd$;7dE4K(%=hG5W z941w%Vx2PYfMO}3*z^-(^`WO3`OM!u>ttuQ=DAz83a*S7*P@C>!vAw)gSt&9p8$3v zf$ap?dve@E-(!>;fAyN|x!*(MZ4+dF>dlgFlPV5*2l%@Q{*FUL_KEK^_|pHqhTZc0 zJon`GZb{z}g8iz5-T4fIU8wx&Yw#rcogB`3KXpM!?S z2Q-1CVPP<;rh=_b_ z6B4Nn4)4u#*X{)pTn9vK21M=?*8yb;pgRfl{B~;8b^9}dX1840V@VwIT>28m?|p!M zozIGXbCEFbhP(s5`9Bam+YNlva1!C5!KY&?5be!*Nh~l<9Dq9i5#ZlO`bO2b;SPvphhP&*cx+NBfS&iPVAGsm5Sv#1l7Y?;+Jd+xrhG?_ zK-V7uaDEhi1%ccFkl1JFJPMGWeko?0SJma))I!B^K4217Mi-%zlLdGl2*oOB4Zt3EHv~dG6s~0~)y(ouV9aI{rt% zf0f{$2Yd+Hp5HL|Ca!~kAF>6|b`rvT5;!b_f9MuK%X2~+_WY6*ZToK-CKDe*UmOz}6lmIoS0(08^7eA21apgg7JSC}&USxw}t`Aua3EwYvz_0ieQ) zVE6BVN{O6_+yJ^o*bycvLf#hq9y6^op1gGsm_@%Ld0YDjMzQH<;p@9Yoq6uM&Ti3s zj*zti8E9U8j`7+c^942`2FdYr)gSZRLubM7>xT>;a@#F~Z^gd{1`ocA{!Mm5-$IZU z?xKSMKv|pP9zM_NXEc^~^4klPq8nxYd5jQ$>ef7CEwJG%+%c-)@xQPNMh9LYd~(b? 
zd?C+WZ~=8pA}Y&WgG%r6%;R@~LUA43iFl8C?x1=u|KEbdbX**Im0`{t%!RPaQQ*{H zVQBd)uzS90N6DBk%2%!T2wd${%f-j3bI$!}Tu*}>I}(Zt9OKu}t+V6qtA7KkLgafI zTBU%XlMoyO0?5gnk1+&YhLNHA2tEDmoVdGe4qV~#{yG17(LSqwP5txaTn5;v6_3{g zMaUU~CMS;l%JHFs&()mM6M!OdjU(FyZS^%Sb@3Vs(Equ(8mGodf!^7Xgu{- zC-f~aZUx30lAXW^S>8N9BS!76KuXs7PsZKD&A^x(G`+Nb5EKJkA|U*^*1!?(f%PC^ zJ#vC1YtE+`R-@At&r~bRW5(+j#NBhB0@B_h-#ccklK_31Sa|3aI!kl#GYs@wbyyk= zT8G}DM%f)p?vA;K7RKEL3xVOym5q&c4R;M1#5a_}UIOd9-9iYKo-9Z_ik-W~467}^ zERYYOm3}=BJ`s19JOQ*B8tsKKiQ`2rvh!}a$sG046!M+8z%6%Q_t zyDOIiWMOK$o+^4N0Bm_dh|0F#5~*{)%mA7}HrQ&rR>a-qD*~;yfdE|qAhg<=uNXjM zcrYbz0jjlyT*|Fo2^Ir)m*|p55 z4W@EoQlpKPa&6xBWZYf-Br2p=?D2%?zZ&DjCYejo7ih75*la{K~}*?UFPtoS3T*_A(FF#J*12+G{tByK8Qcn0eF z8NhiP*=dV3bwv$LX#c9y%p2y^RSGO8+4}o6#Cjvcp4+9+xJg2d=z7Tiky&$lh|C{_V zsp61#;LuURa!6v?wwJYz31mm`ZQrV2q z7i!EiVemA`$6k!PTV50-zvB7yF{$E^cL2ZmMIlff0FN%TVL!mD;}SZo9)TA(d{4a; zcXz)8di^(i*Aa;2f2JX1;Q>}_f1o`*>dTqQwjW`|@gqPBzeTr`pzZ-w5O(p$kx=!h zAdER%e;jugqHJIbtDRsqUmyyP|Ag@{G}xc!=aQeq-4h49CBvPBYBNxQ?D=hsY%6#m zp%FTC$IEed(aWG(9=_wA%IEJB&2tvuu#I)`rwm+JxIuy_kJ@ecY23XC^y;Xc&nx*V zg1YW6G!b5Mm_g-13JIE&)XhHww01ztbf9i4K|Kbj<1lgWU{GbyoWQX;Y4terbF4Ie z4#?fRz;Xb%Zb)vpNGru9zht-qArq+*Qs8zTfp8oFs_-4?Q$+sqzf#NX|CIqbh6h_z zTPVucrVQV*?JnZ6@Fs034&(g5Mb6l{TBgj;X0AEbC9k-P5lCk#|f@ z#bMb;@VEVq?!ayTt$`ob47&5nDdE9WSnQkv%<$W9#|iW)fJWbJ|6NAVfdgmfPeb*c z24wr*+p7e1-RxeXi*Eb9ftoqyB?+dmyv+H1+-*Mt(B^zW%YM;-M*tF*mrZ{FNVQP4 zBYlNBGdS8AcQZGQw#H4xZ1LvOh)_+uQ$KI78Lzl)$f z3uv(NFFtRWQf!A7GkSrq=a199Bds{c#&QsM6&Y|{hyU1YMVJ<`Nw6!3B)ycmAvj0xoq92JSpZ~F5V!z?g ztAMJS+ztq8-)5WpD&~rR742=`T*FbMu-j~F3E>tX6rJItCLot%BMiI8);2reT`)Tz zEz_-gY&(GVhU7V*Ma%4%YtR-)#WZEceQz`GWBKm#j{&o}w&uUV)=pJBHn*2hQSI}9 zL-EoME*Euot$AL)d-&t|f}`2qUF#&YYd%gK-SkOQwdhEyY=}M7j9N9LR{Ww`@YdS= z142rU0R@KG=1+Hx!gpV7`=|2Vee;1L%X?_uxUaSfgke0M*Ng6}wSNYbDfMCZijbRX z>pqk3F2q-~MYv7Y@)M*yPCmhEX-5!LyYT~qchsK9cXus9UHzBR>^o`)3E8~nUScC| z+Y*M%4%ujsh1^a%^x1rO>1PGTE^eotB8+VkRwH*hO(cr(4w(1M{?)jytF~5-R!95JP7`iTe znN`3Z2pM30|7`h}^WCE>1pUff9&-Qe7~y$U(!Y2W!;?V_!fu}J{Yt*O;w!)wym@w! 
zFzo(RFL4O^$ZCecjvK3M0`oxd&e`d&=DX{@3Iy40I4?OUWa|RZK7!fH*BROn^&5HH ztbI+syJ`)PvKwZB+h*$tQQLxE;&|)%Z!knQ2i5UpbqPu@M&-=0K4Wg0W(B6oLdzT46YJn9-5zfZQBFfIH{FX2Ax(6>)(8nwj)cedKKSz<2W9S2qJ&3nzhR*;eTddg|4_M#`KGqi6v=*C1d zIMcncw(ns8{T|Q;?umum8=H4X)U*Srv4}qSOt(?n3+s*@`R?i+T{QGcpmma)7E?oS zdbZnW&0ojpH*{Qdw)^$juKU9l~M?p2_}6n(|>23=)#3=Ug2vXYBm$agz-i%JU5qxH3=)xJomCkWjcphG2h?CmzX zz(T#_hxzV?9|D_wGi>(DqV+Z`A=R^KA26vYYP5D^8jt#^xDz&aA7&>ndUMsK1oRky zVz#hv}e;#8GL*G!5PIzu#;{1?$$N{w{KP~YNP25z+(j4^fLzDo*ydk zx=V<$zq1`IK?Ll;*uR$GZu~rr{hNOdxN7W=CObIhA3L1yZaLhoF@Fc4?EqTzzs_H< z>e!YVRUOW$wZDKobqG#bcf8sN^zx;|sn(+mbaagXI&iyd$1n5Ui${RKy2}-MyXy=g zJpiPSAUf_b#zuSn5q|D(`LTTW%&%zaZ{6X7F~xd^k+=D$LMAqTfta}c*BNUXeWUBx z@q8RdMNQc)uE341m4xUt5Mj!@_Z5c7v1VuuO;EO81ZT0KxbT&H_t*)5=Xbfb5Wr2# zXt}ogHw>T*TCX8U8~VAE`R>k>fDvv(-%rpw01d))=(h|S9e^DeqL0p=g2mPbj1-uvF1zEygSb`G7G83yte26gh}L| zL~X6RS?3ANF@QmBcV1v%B&A#j$T`H3KVx?GX8_B5D{IluMC&eFA%rB^ax6EQ>lTW? z*XQK)AK>&Wx$nMvKX_L|StTal&hp>H28o|pGaoJ~DVd1>;^zY;B{NEfSCotsukg2| zWEj22Bc4l2#)>DrQh)JqHy%fnJT#-EBsHoG5QaU7mkkf0+`Xd&Sn)h! 
zYp~#CJvdo18Ul)@6VKCzi>j4O$FIl6kgS3$qO?VzU9^Zd>I8cq6(TJjVi|6UX z@#*LiFrj23gaXeRQn&kf^HbjWbD|JWJTsMOeTz&A=f-!lVD99{t-E15hTFNcfg5ktq~ z`=;Tj#n_3DqWsVc^ej@jT+O(fIzu!@!EsGfGi(hIlR>hN^sE#$-XyXuumGp6{Lk zrVM{@GzvXD426bQ;JKu16q4@|s$l#KsD|Mqg=%;}JP$9y^N1Out4|+>mt!a5<*tgE44;awG-2Wd ze4iFwVR8xhGob>aJAAMZC5krNjH3?B0QvswUgT?cE zgy@VR(PGXp9e*q<3Pr9eN ztm^h#OFwwuw1+=96U@TT-CcZNGQ1JrgHZ5We-GmD^KTz`e9$2DZu|%tkw29pZ$!F& z!k|I2lz5GL;fLrO^U&jyCyi|?A5%SJ@D4*G>u@4@8bIj z^gXe{y| zY1|`cHD%=A*x@3d+SjAMVe;rvGbY_Oth%iBp6OGoZhyRd(zvFFKX@zjCVs|NWrjDN z@R1Nlz?(j~W^&!bLmrwob@ZK&K0N8Zx~W4*+)Ez+zI0Zh%_Jzg{|plo0q^I2kv~g3 z47;^#$V0Qn*UWtE;Yq`$m5qLAR@sm{o5t7NS_!_^l6*tHCJh(EWq`!|bK1n0l!r{>!~B_~a` zWa;C=Y4zWBXJ_>nEOKXz38VF+;j8sirbd_Rsdy0vlE^3cq(UnAHyirTG(T9rwfRr@ zmT%c&550otC-S_ECv%EpB1qgH{b{tmF{Z|ck1`OjoDu1GD6uz$e(>db+BYr>(AaUohUB@IAdq@q8Jthnq>Wez0w4 zO8)ZwlPml)=0AbnrO2mQe;s=_d#mRlXfo)-zAXX%Oo0^o(^V+@mrt;oPp^GPICGv8 z=$%hj!^Qaiy!3eA+&ol=h|%nKGk#|(_(^o}`tmxe_}??&@2rWNA7{(=#R$cy)Gvjf zD+ltZ%P-_h<_H7zQ{>Z}k1F-@WPP2CHyfWue`wVRXAby#{2bReyKBbpSbu~+jQ5;7 zGk&*CxN-fAVyiFcd;NG{{}TE7Z)Kx>TKfv%ZwC2qCKdk`F%@IOE#_(k`Nnbz|Iq48 zjQ-({@I75s-hADCk19>rC1S0${XMPTykgGICzTtCJ;w$3R|2Q2Jpun}8OS1WbxVE| z{&N(rN0$FaxXB)Md3;RE_3z2D4!I0JADK^ydv&*;Tz^CX@(cc?``ZPQoHJuQtLby> z4TBNTbUQEtgFhYy;JYT|x zSe?$?D9@3=8D*SeU;f9e#rndY@`>BmwGT@z{NQ-oJ(9|VyskBQb%kDeQ@$j0%+>Gf zXf@nSw{Dl?8|Jh1h50U}oSgOYaaDhNsNQ_cydCF4o6l#ikA2ENwLU(Q)*Su5KR#S8 ziCbz1js4FQ|GK@j9l}law?@3VgilkkQ~S+~uOs7`^2O!k!QM=&%Oz}D;%roog#RLa zS{(?f@^+EpN7tt<`lfi)hlRXc`x+t_TyBuZFUGA))VcBLI2ri0`Rd)$o=p59w%RRc z-f$7>07djK_|r`NdJgcV^lQS;_zml?j^C*ff4)7s8^TTX2gFgq3~MdpLew`z6hA2M zqWsLIync+nF(3XsKeHF#hz|!H)*EFh3D;jeA9^8N%g?3-&wt4C#AiqO*`?Tz__O@{ z%)KT(y$)0pr^nXm`AhJNsN^d%KkMz&_N320$Em}f#5AJ(%(|mI^Yv-B2~Xx{{SKDK zIK8p_c1pM*KV!}O7!QxDm*2AoJFr@N(wD#9bcB8h4G#WjHM`$oP916!R|W6)n|pczQ9$!uj+mN9`!=R0yiJ1pR4+>yC?p9 z{#!D>80}&FjQq#meq$=-%zxld&3_p$jgR@q@R_wLel`XCoeP|!9@n!(zC<*=TQh(5 z8$8Da_k54*O~hZAuUI3nm$X+qnqPL8aH;3ChN#Upx8Ot7=Nq@gFAOE)1s~;@RJAvM^1jTs=zaftjJoey=ocz8{db9QZa-RffbmK*)~~vPFH`@Y 
zd_Ea3N@+me-($T}F){W7w|Vu2-W>d<=9i+sGOS>~0CDs z(R8&eJ;~$tXlwM>PM2_H|Cg_`avl2$H?I`8)gIW;M`Aq+-lbM3xH+D4!S^q_U~9K$l7MAJ z`fGwOlin%eDSDMY5&!I?{Yt0A@$=VT_nmO=30p0Hj#~ecq*RIDU_TA&PuWkbZh}|a zTg-1^C0QTq&mo_b{a$gr(W)7M=0Io%Eh_%FTuxg<`UJJF)(9|(4C`0hC0vFMeIk*E zAMB}H_V;LwTE=>e{AY(e9QF))4f3%)ABM-Bi6S7GHjH{LuVi>ZCFzPkTS9$XnAQ4?Dic8s#;< zrmf5GacelAIp^i+YWIw_XOEh|+G-8V_^zVy^6(w)>6h@6FTa|=#XsiA&jzjHZx=iG z+x+=qjdt`enfkmbkE+*S;as!>&nT~^OE`LT;19FqwZZ=En($%T-eU3a8{vCC8ME(5 zpR4gwVvW_^*KEZ-anyjxF7~s8AO0BmYc2kAyM#;rnX+HS@0dAlYq%e4^Se?&uiJ%? zrOl<7-bkKvELsMC*a!%hZHpXv&KZM;_?iPgFGk}D|NK(*t{c*q@*lE3ChcdA{jwnH zRdDWhX8+n2IAyQP6Z_eZ_p=YshJBqwT-grvECeKgQ-#^AH)N8_c3tdI< zUy9$*L3NY$x0^2NsXv3ul)Ux&r{}f-r_j`g(M)`N)N5zh>pawFyg8rG= zWBe$5T3-n4_nrLY&sTRE!ejE@eUHm^#*jg{ztR(a^7BP|KzXF*D{GwSx!F&u=vhI( z38mn5QNJ{-j{||H)+6#4*=Hj|{(AkP?UEk!=*9hq&{IJj3-wOO$J)b`i}d|PdiE}Y zpv3&r>vO*F&*2Uq$*1)B0DpD4oM8XABK*G+8@@x@x9?917Mw7zwE8gs%W z9@6E_m=$%*jfzuI+duZ}H8bo-$JdteWGMl@U|K;x*0nAAPugcwk^>2CB|q2*KXV`S zNPZO7C$6guaUffzfmu7WP)k?F73#FzBfs=l*C+^FsMxG$tvG?~ngd>8oZM-o(ehy|FxK)kpQ z^C0}Y*=2oH9u<3(pQNAFY6S3aLZtjsMpE|RseMuY`X>MVQr7!oMV=2E_k*xj)e`&5 zx1Xzk_Nnr_$`1Qqe(1|Ta>sY>vc?zt_PAF+Tq8$44{1RE51-Gs59>OBsf+3B?;mTr z@W+Jbzi(TFv*+9Ln)8`gM{nSvFIelFyzZvz>#=xrM)+3tTVF?2Q;RK61!|-*X1nMtL{qgs(u9m5_I`uQa=_ z*$eo7rvG~&y-EKkP9v$0R39?xt;^Npy}k#CehcA0U*8vm@3Zus!k^jaZ2L%c4Dmvb zaMh2Oux~Sd=(}BlKg#s)?))ahzn`LysLxmWk`MbPm&9k7U)_Lk=^rW3cLM*NRV|QD zgBu#ZDSw$i2Y+|T_YLyD7yR5-DYTzZziNJ>Pg(i^@oLM(hKNBvR|CTTK4CsY@`?Ja zkN)JMWL!VoE#cD7m{>myeeKHssWTUilF?sTHNvI8^K|@*_U`;HB_BPXZ3QUW{jPlC z^8@kc9qCKPv*ScO8~9iXg252uN&Fhcv!x4`$yKPdMOewxRF?J0ucqYd@+JEbID3Sl z-V5Y4En_Gt?X;w)v&(;*)_=m2@vQH&9xJ4T>rpD7^8(UyS5Czz4XvK!w1pn>qdpQZ zp+@*ITP-(Zo}&PVZ!%uKKl~GF#9-4E-*M)(1a)PAw^Li{300jqq5XK?>)JiYH=4ka1phZ_*i zGrL9clD0l1`x5LsG$|YW3+6xIJQMs!{2XGxcOOP;u!l0?C#~07AMG0UaHxy_EWnSg zL*S=UitJ6tAFmN&{*R3M@aBY{q7S_jDGw9d)ulqtjd~BgT>GWszVK;qqJ@uAwb-t@0e%17`iv0OQ0se*Hm-_#2;E(#U zKLkJRMXQIZMOZB@gkT#1`o6}IYeow_oB}^I+Phi}KRrG63Sd%2BZTHbQA36iV 
zIY^Oz((P&f_;7R1cdW*In!>NgfBk^?rMIJCy+xd&^>qWa>%(aq{L!_*Psnc%`R>@m zvyA|Yp21(YUBaKpS|PpCH_kq9r(1#l&CJ(Y9IsAv>Z2B+Q}Q*|$x06u?5R|iU*Z0h zFZ4@&CyZ~cQk ztDXqo6L*n6|M(s)(Yy3;vyq+w+&@72v*k&9OUYB5K!LvEec+&~TtL4=`Kj|F1^#J< zID7aN_ISc{s#q!w`9PQOQ`U#^eR+$$r}Ods;rx9wn87{^^zYme|CyhvC&u)@A%B|w zd1psa`~Z5;ONw>y{$?>JxW`e%epE|Bw77bG4zY8ex!JPKkOR^ zi&trR#PstJ!jt|onSa_Zw3mGToI8P2bqRkSo4+*8%lQlB$0SnSSHd4+@(l==e&>XL z4g1RRX4gy)&Z0w0ymKc>Pj0JKW>)%J<{;9n>JDZ)$(DlE;x`zO}ftemO_MERS3p6IHFdgLy)|E0-qSetsw!+!QT`G4h|G|2xKNBu?o zYv&uiIpLD;W$>SI7XTTwOXqpDu#pkKJe#*J{+(s6@xP5E% z9sP?QSAxiO4@AZNL+rkoyB_PWbd8}t*;^{Tj~(`xD}PG(-MP{Kfq%kd{y3r!Jwab% z@ACTzn5=d{eP-I*GwDg$8|QWwefHse&HUYHAAK1wKHnmH+m3KH7xD5l`3YoMC`OvO{N{grEuNAVp#dHkS8g0r*e zrR05EIQJ*}E~pPI_`Zri!u285A6g~7rNKv9o|^ya&p|JJ;^D(P3A6OG+OYk`KehtGA2?u!f6(wPtd|~^ zruck8|57L~>r>#ddQUW8aEIE&yZd_LIV$XXjn+e{u~}W$OkaOM_+t)z=qcDOW9I<+ z!cTrY;#NyqQeh_E=9ACRzGkxG6{w%(KmZA@F)QtCFpm*gC{%wh# zXgRa-I%y4M|FGXt{2vZ_>=2}IEj3DWRHiQ#xZ&~QM-Ddg!el-BjV4OzuP5T zuIBnr#v=p0`QOk_zCGFjgb?3<4}I7BFmvC`<8U8X$Ux*hj5mWOHN$e}!;(p5e%fH8vJ#~Qkzj?gQfbh!i z=qouM{w?RjCu`gvfpajZ2aG7MeEnJ7zu=#wwfGO^iJS*~Vk~F=3HnE*KZ^GQwcg7F z=lXBIaJ+pF^)XO~&oLgb-A8#yUX?{%>u-MRRZ+xpi9dgST@45qR-^uAXT|tD)Yxbv?tiyInSHGmoIUz7)iCQ zzrJ($b6wDr;*X2=pN_wLYS|xC?3wXQNw^OJd>_ew4lXO?hDJ&rmg{D+=D`-3gu;=gj|=c-;s zEU!G5AMp8ne`LEmz#kx<{P}k1_gMB*{gW|$+={-~N|&#X@Lpluk#i@{bL3>aWm^~U zhoUI~i)U1a67uDlbI&g6Zq4xPtU`>9mm|o8I+9kt2rk;wjX*DepuXNe_+(#THqIuOujv!hvswY zHNQZw+V8j$dNS>KMSPLDDSO7B8ZhEd)<65MSsu;+t#|SL?X*0&-@`o?IrsB{bHm6{ zuPwj-V3fzBzzgJo{Vwh)$hjBh7%ibEQyydDOUi?P!^0$R9e;Q>$hGQef2q~y+!Emh z>m~a)S>xn6rszI0Yfv%TpF1Z!)=yxRw|183w$FO2h$b_BdM3Oee!`p$<()h$uqeR4 z6Z~fXl!^av&a6^^-|a)_@qWFOKTYG0&O5gGzCk`i!4Gpe(O!;qSY&34A7+0$s>6TA z&o`v%J-WTbdoNy`4c}Mm*>U}}y2`G}kw^CVfP(c$^S9dBfZIOnt@->t6CUrU zH_o5<9qRadP6haPf}f$jVSUs5OR`s^Qh?v>qZAiEZ)T=HJg;F*e;}TW+fU3suL+O$ z=Nso|=055p=`+ZGE%cx6AL+~VUXP977Xzn|)kp1DzmR^>y!=+>AMyTOBR|?%gQ)l4 z?gOcTpB~}yes-fiG=8G>u<4@6VaRvd1HxnHS{ox&IV-i2@S(aYr0Ksh_;~JEIn}IZLfCG5dWHIH}IaH%FB+{&o%b%izYm 
z0YYtqyf5d33#mu`Q6H;JDxd5re0vgzGcwbIGy0%cohLu!ldI)odhA)k{l5k8U&#A9 zKkEI%xh=OwxH#RgpU~?5Eg84izJzAoKI)t2bBJE`LxlBH{s}zd=6{VX(^PqW$mfFq zOKsx52&;t6J9stn-sj&d;U9wI-vh%(tEay5{ffMwzg}Fq#4o9Kbf=PYca~b;bp1kJ zfJf^s?hrRWzad<$FH!tcBYk^`AHw+1z2kX7o&&&9P}ULq{E2_)@5mp2Qu68aF;#X0 z$}^w8hR9n)ExlH*{5$`7FCab{FREAAFK2KqLX@UoX`)iKPMKdTp$8=fxdozzzgnk& zP^egG+~4c*0`6=Be&I}gWyT9T!7r#ndFlE155kl2LQnX~=hs0EFcmLYclf1geQFb) zj2FZnJ#{vaY}{f_nEdrK;i>*kiqhUr;2%a+)GAs?w@v!x-!wY>{W#>;I42R^@25m5 z-@^aVe~cc6sH<=f@k8}Uv9B5*-tm!)|KzWY3KUdHVO!)cS4|Ng{}vAK?+krA9#Z;; z)h6^W_QTn&K8{Q}Ok@}*>}{j!Q(}4YfQXmBKg2JL9glT`|NF;(|If$cufM;ZKL7P= f^Uv?6Uz@l0^*?L%f0zDU`iK9&|Mic)byNO-i%wSV literal 0 HcmV?d00001 diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf new file mode 100644 index 000000000000..6a02d701f1b7 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf @@ -0,0 +1,35 @@ +variable "TEST_RUN_ID" { + default = "detached" +} + +provider "aws" { + default_tags { + tags = { + environment = var.ENVIRONMENT + repo = var.REPO + branch = var.BRANCH + build = var.BUILD_ID + created_date = var.CREATED_DATE + } + } +} + +resource "aws_s3_bucket" "security_lake_logs" { + bucket = "elastic-package-security-lake-logs-bucket-${var.TEST_RUN_ID}" +} + +resource "aws_s3_object" "object" { + bucket = aws_s3_bucket.security_lake_logs.id + key = "aws_test_log" + source = "./files/test.parquet" + + # The filemd5() function is available in Terraform 0.11.12 and later + # For Terraform 0.11.11 and earlier, use the md5() function and the file() function: + # etag = "${md5(file("path/to/file"))}" + etag = filemd5("./files/test.parquet") +} + +output "bucket_arn" { + value = aws_s3_bucket.security_lake_logs.arn + description = "The ARN of the S3 bucket" +} 
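Review bot: The bucket name prefix is hard-coded in `resource "aws_s3_bucket" "security_lake_logs"` although variables.tf in the same commit declares `bucket_name` with exactly that default, so the variable is never read and the two values can drift apart; `bucket = "${var.bucket_name}-${var.TEST_RUN_ID}"` keeps one source of truth. The three-line comment above `etag` is lifted from the Terraform docs and talks about 0.11-era `md5(file(...))` workarounds that do not apply to this module; replace it with the caveat that actually matters to a reader, `# etag only detects changes for single-part, non-KMS objects (S3 ETag == MD5 there)`. `variable "TEST_RUN_ID"` would also sit more naturally in variables.tf next to the other CI-tagging variables.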
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf
new file mode 100644
index 000000000000..156637001321
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf
@@ -0,0 +1,27 @@
+variable "BRANCH" {
+ description = "Branch name or pull request for tagging purposes"
+ default = "unknown-branch"
+}
+
+variable "BUILD_ID" {
+ description = "Build ID in the CI for tagging purposes"
+ default = "unknown-build"
+}
+
+variable "CREATED_DATE" {
+ description = "Creation date in epoch time for tagging purposes"
+ default = "unknown-date"
+}
+
+variable "ENVIRONMENT" {
+ default = "unknown-environment"
+}
+
+variable "REPO" {
+ default = "unknown-repo-name"
+}
+
+variable "bucket_name" {
+ default = "elastic-package-security-lake-logs-bucket"
+}
+
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml
new file mode 100644
index 000000000000..8f46f25c3777
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml
@@ -0,0 +1,10 @@
+input: aws-s3
+data_stream:
+ vars:
+ collect_s3_logs: true
+ access_key_id: '{{AWS_ACCESS_KEY_ID}}'
+ secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
+ session_token: '{{AWS_SESSION_TOKEN}}'
+ bucket_arn: '{{TF_OUTPUT_bucket_arn}}'
+assert:
+ hit_count: 1
diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml
index cfdaa053df25..8a86601a141d 100644
--- a/packages/amazon_security_lake/data_stream/event/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/event/manifest.yml
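Review bot: `ENVIRONMENT`, `REPO` and `bucket_name` are declared without a `description`, while `BRANCH`, `BUILD_ID` and `CREATED_DATE` just above each document their purpose; a reader of the provider's `default_tags` cannot tell what the first two are expected to hold. Add `description = "Environment name for tagging purposes"`, `description = "Repository name for tagging purposes"` and `description = "Prefix of the S3 bucket that receives the test objects"`. Keeping the three tagging variables in the same order and shape as the documented ones also makes the file easier to scan.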
@@ -7,6 +7,10 @@ streams:
 description: Collect Amazon Security Lake Events via AWS S3 input.
 template_path: aws-s3.yml.hbs
 vars:
+ - name: data_stream.dataset
+ type: text
+ required: true
+ default: amazon_security_lake.event
 - name: collect_s3_logs
 required: true
 show_user: true
From 6bec44b485b16539d72b250f263679466eaff327 Mon Sep 17 00:00:00 2001
From: Shourie Ganguly
Date: Fri, 21 Jun 2024 14:24:09 +0530
Subject: [PATCH 03/30] initial working system tests added pending elastic-package changes to detect rerouted datastreams
---
 .../discovery/fields/actor-fields.yml | 79 ++--
 .../event/_dev/deploy/tf/files/test.parquet | Bin 15694 -> 138794 bytes
 .../event/_dev/deploy/tf/files/test1.parquet | Bin 138794 -> 0 bytes
 .../_dev/test/system/test-default-config.yml | 3 +-
 .../elasticsearch/ingest_pipeline/default.yml | 1 +
 .../data_stream/event/fields/actor-fields.yml | 77 +--
 .../data_stream/event/manifest.yml | 4 -
 .../data_stream/event/sample_event.json | 437 ++++++++++++++++++
 packages/amazon_security_lake/docs/README.md | 76 +--
 9 files changed, 558 insertions(+), 119 deletions(-)
 delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test1.parquet
 create mode 100644 packages/amazon_security_lake/data_stream/event/sample_event.json
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
index 09dd99e71376..ccda117be004 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
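Review bot: The new `data_stream.dataset` variable carries only `type`, `required` and `default`, with no `title` or `description`, whereas the sibling `collect_s3_logs` entry below it is documented and marked `show_user: true`; an operator seeing a bare text box in the policy editor cannot tell what the value controls (presumably the target dataset, given its default). Add `title: Dataset name` and a description such as `Dataset the events are written to. Change only when routing events to a custom dataset.`, and decide explicitly whether it is user-facing (`show_user: false` hides it as an advanced setting). The `vars:` list this entry belongs to starts before the hunk.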
@@ -74,7 +74,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -155,7 +155,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -215,7 +215,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -233,7 +233,7 @@
 type: keyword
 description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
 - name: confidentiality_id
- type: keyword
+ type: integer
 description: The normalized identifier of the file content confidentiality indicator.
 - name: created_time
 type: date
@@ -254,7 +254,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -314,7 +314,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
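Review bot: Re-typing the `*_id` enum fields from `keyword` to `integer` (this hunk and every hunk through @@ -1706) makes Elasticsearch reject any document in which one of these values is not numeric, and the rejection drops the whole event rather than the one field, which for a security feed is a silent telemetry gap. Nothing in this diff shows the ingest pipeline normalising these values, so either confirm that it converts or removes non-numeric `*_id` values before indexing, or enable `index.mapping.ignore_malformed` in the package's index template settings so such events still land and remain discoverable through `_ignored`. The `integer` type itself is the right choice for OCSF enum identifiers; the point is the failure mode, not the mapping.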
@@ -332,7 +332,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -362,7 +362,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -422,7 +422,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -446,7 +446,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -506,7 +506,7 @@
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -563,7 +563,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
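Review bot: The caption description in the @@ -506 hunk reads `The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.` — two unrelated sentences fused by a copy-paste — and the same text recurs at @@ -1133; trim both to `The type of the user. For example, System, AWS IAM User, etc.`. Several `type` captions in this file (@@ -362 and @@ -446 here, and more below) refer to an `account_type_id` field, and the `integrity` caption at @@ -668 refers to `direction_id`, although the identifier field actually defined next to each is `type_id` or `integrity_id`; these descriptions are copied into the generated README, so they are worth aligning with the real field names. These are context lines the commit did not touch.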
@@ -590,7 +590,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -623,7 +623,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -635,7 +635,7 @@
 type: keyword
 description: The file type.
 - name: type_id
- type: keyword
+ type: integer
 description: The file type ID.
 - name: uid
 type: keyword
@@ -668,7 +668,7 @@
 type: keyword
 description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
 - name: integrity_id
- type: keyword
+ type: integer
 description: The normalized identifier of the process integrity level (Windows only).
 - name: lineage
 type: keyword
@@ -701,7 +701,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -782,7 +782,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -842,7 +842,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -860,7 +860,7 @@
 type: keyword
 description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
 - name: confidentiality_id
- type: keyword
+ type: integer
 description: The normalized identifier of the file content confidentiality indicator.
 - name: created_time
 type: date
@@ -881,7 +881,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -941,7 +941,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -959,7 +959,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -989,7 +989,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1049,7 +1049,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1073,7 +1073,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1133,7 +1133,7 @@
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1190,7 +1190,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1217,7 +1217,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1250,7 +1250,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1262,7 +1262,7 @@
 type: keyword
 description: The file type.
 - name: type_id
- type: keyword
+ type: integer
 description: The file type ID.
 - name: uid
 type: keyword
@@ -1295,7 +1295,7 @@
 type: keyword
 description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
 - name: integrity_id
- type: keyword
+ type: integer
 description: The normalized identifier of the process integrity level (Windows only).
 - name: lineage
 type: keyword
@@ -1378,7 +1378,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1438,7 +1438,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1512,7 +1512,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1572,7 +1572,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1646,7 +1646,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1706,7 +1706,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1714,3 +1714,6 @@
 - name: uid_alt
 type: keyword
 description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
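Review bot: `ldap_person` is added as `flattened`, which indexes every leaf inside the object as a keyword and collapses the nested structure; any date- or numeric-valued LDAP attribute therefore loses range queries and numeric aggregations, and objects nested deeper than the type's `depth_limit` (default 20) make the document fail indexing. If that is the intended trade-off for an open-ended attribute bag, say so on the definition, e.g. extend the description to `The LDAP attributes of the user. Mapped as flattened, so attribute values are searchable only as exact keywords.`; otherwise a `group` with explicit subfields keeps the types. The enclosing user object definition starts before the hunk.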
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test.parquet index c253c77751db834c40aa082055f971960c06a866..f91a099bdc6712ef9104e9cd199f883f12ef2232 100644 GIT binary patch literal 138794 zcmeFa4}4WewLhAZoP_YFf2=*nO-0T1)_uLbEl^5pTCevR{)4oI{*&^2<%Z;tq)l>S z{_v;2`@D#V5fLe3L_|bHM5L4(5s@NNY$-)b5s}7-5s`}&5iuenVtwCPvu9@QJ$s*= zq?F?Om=7eg_sm{v&6+i9X4cHCHKF9bTNClbwTWxTCvp=x*X88Ia^z1U2k+xI#Yk)#Ig&Rq5J>cy(1nV@_dts;sI3&qU#ZSaLzk9VjRafCfcxPrO}G)E9V4 z1Vu&Ff?pP0eOac%A0la-l!3;Ax^#6_*{pbZs-cX?+!#x4jJbCSGCA-7CXjq%;zmXC z)j&P6rmi|YE0ro5U7v2Mv#7q>pYH^oBWbVfn)dt(fzi}pXDqoh=DuIlAb`cjYO_8y zvlKN+4J=F7Se59@G9CW#+Q}~{PuG-+)<$3BO%RO{q~DOZK{Y{dkbrJQP0(Nw-dkrm zCi&Wljt9Em9fIcufe#nRC3O%d%@han`c!GT=zcTms~XXX6Ge%ln^DSBQTg=RiHlMw zlqdcdQYVbZV|lv&HD@ayed_9=(5h1vDX({e)$!zt82(AM;YSEUoP?veTL|n`wT-Fz z+R|!^xrHjn(J2%UR~OlfbK|T!so5lnLj`L!e2xi}UZ1#LQCa}h74>zu4!+f*vp~Lg zyuYuV#=ItPa9A8mE{?f_1&J0CkcWm<jvs}TN+C)RpU}L6uZ>`M7Elrk^=eO@&5Ypi}?k{bb()q_~XgPJpm7X2$ac0Qng1f zK$?-7I;FHujDdcfy}S%ZCHz>g^|01XPd}C_pE7k84F;0!Lj>E^XY6}m2#mvnni}c{ zO|7aOq-GC(8m{)|JAr3EMM+6fU46PN)zC1otfqWQbyclYOY36Eb!wFD3MQyzv(nlB z=czJ*$Kp?+%5ii`(xYajHw5Ux*w6@0HCB0(Kr>0TAr)(w9J-&foEJAnP^NO6LY4AU zR^+E_8U~tyrDcL^;q)me241m-Y~Il%Ixq}9ny#!JSe~}~R-wvqbV|~wX3g)8q*2UY z%gWMCwT-5~&5I@H#aub;ghBRmPK@VG4XJvoP2=LNL%(}KjUEJRleM(`nB;@!r$Mc0 zEE+!x+QzEV>M4pOuFP!6AS*DIu-UKGs(k((oQ$)v;`l75PR9znb{K=x-JT? zW}z=Ir5rDQ!SsngSS8)8OrB~zo|DM+Y={|$((3Zkx+!&7{CKvz@yYS-04UZwu&Te5 z>N0xTh$&fjG-Y6kJyII6iiW4_?PW+mp6mFY{L1{sOv*f6UtuVevLhGOnV^Gr{Sy7u z@F`3rV;?|E`IjiUV;^wv-%m@%<`T4|o6OKMH96INw-^UCD4+-!ebY^0^PPNp?Z`iV z3NjAG9tCQi)0k}ZEWLhsAR{mf#D`&Y6v+3E_t#I!KX=tGiVU-84T1w9Y(>`n*?UI8 z)hgxnowa9V!=;|BV^tm6PV&7|ApiQ?=^dHc$!?<{D6~QE3qu7jGT< zEjg!__F>bLvUKgVDsKUXjXYwX>5v?fAG^@X;>W^XsB#>g66H+$g-!kgRM-n>8)&fx z&k^~FRQ4U4NR`8_JeZ?Nb zQ9Y}+%vDxx`6Qc53C&wVx|`kx79Es=T)ImWsg1-hIHGTfAB(&~mE-6XiUkPt z43T5HBCww(PziiXEZGwCcF=81#TqBa4$1=y^U|qh<+l#GZKzGX%5e%+%BEgzS$9Q! 
z{`Au7CVTTq0p=(`NNyrmOtW+3$%0tSi3vkoERoayT{#8)odF?jS=BJ5VO9f<0Z{V| zO~T6f?~}YQQR#Ol-mRvH*8&tw>DZ#CjrBn@Z)vdA;1Ea3X{=xk#_FxsHeAvG@3_7 zsD28FDQ!Ir3~8xCmE-7?zh%O7Qs_D;3=o*zok}_(l}yj56-I0*m4F5g)KKks*e$Gb zoI;iI*D$Pw>q_fkD4jAbU0v>B=f*JwheJeFZ%W*xddZuBLY0#HK4Hv%lU2mAU-^j* zYmU0oMsz`NXj=^b+)<*B*lqhn{X9Fu0b_M+%@6dCGUOj zDExo#u#$hZTI!lW0Vnvv&x)|+Uqh;_3B%B=DPq_ZgRwVy%L5$41ZRRkL$H7=FjXkh z#q9aM`%5fx^YGFUzp@~!s-m{Ev8f(gP`+`pGFj>E-x^pz&K80_-$MDIlt`th+u@prb3m2T{N$ZWSH7RygehKWvTi`C|is+H~|zrD^#Ej z5^Udj=*&Bi=i~0|wx8976RmQf#=SCrqKmU8IyJMds-DKm&}~rvSm^gUt;2nV%qP zGzExL8m$j#(TiVOvGp-|4ol-BHe(xdje`scdP!?PUp)!3I0~B>E_+6yuIiX#Q4?-Ri`| z5iTZr*>j7ZmikcgL#`_%&w~g&Z1_^sb_;)(3xv$$Y=$9Ap@i!9&fh@wdnxlSOyQKL zriZm&fqd_HfBj4gI~ZW51NbskoyPu(J{Vv+K@ch!7Z4|*_N9Tr-*(Ebzzqzn9dF4f zPUTfN7}^+^FmZYEurlEOCRK}iyGd0JU)u9EUuFRd5@ye!Z1_DeC-_;ZjR<_L&pSnC zG4yCQW(2;R!C*l)3=Z1Q${car7C$yCRSxD@UKvr&SRljJD-BhTOIwDSbE=OG7);+h zfaYCTUx=`|6?oP*@2?~(lbuZ)8jRovLHK#1rpY!>RF0WI`*{+!ih9kvBY`d{?3ZCW zqL-K9sDz(0f%AoA1r5{XHWV-?ux65nVEtmu&Z%^mlJRE&W9J)pZzt1D)WmV;l{Nv|w zpi79e>J?(mN-JoyPw58$@NBeF5@w<8@?c$n(;B(0#1sxA#gWUv_b1*z9t4VAelfKi z)F4i~R@GKDifbr-8wV)Hi86MpAaLB(>0`de$71=Cmn(k9bJ-n(;)K5e#TnSrij=(M z13t!+Z87|FKP1{OBLlA)cN$XQueyb!< zLC;p^okkUu?EF~qPC16K~HU39HGX0 z-h<=ftwX>4+zrTHLuqaK)bvcMx7p3(A9s_zLHIbbtZu9YOrWe9>iDu%jnG5PLRb`E z1ADxV7n>nk&iX0 z8XatTQ#oeb@Hgq3Wj}6^VvSpUIOI;9$IJ$85RpR&{$pWn|k*e6N)|&w`NcE|jw77DKPOgB-kHDS4c5V=uP1f`}d22NQ$vVr=E^S$jz^{U3 zxEE$2*QP#xdY>T*z=B8wCOdVF4TEeeP(HnOBm^&>Rdh0C5B>i-F)CB8uUCoD^73Dv3PY|< z3T9f!?_QzqOdYB*&*Fc!OFCb@U$Z$OV1n<-)hMrH`sh-UVT>%V+f68Ml0)dl;QPj3 zeDah9QFO)MbMkZx5qkw*Yw`vjBJWDQ#l+kD@8Hr>6uDQ_9i=EDuY@Z}QM6qlH;|&p zi|cVpZYW+x#};FvXv+3}Q4jB~c&D>Td$5~DSd2C_PAS7k;q3&6URz;n5(@1glxA4!TG0&!dy8HQ)Elx z;^M7Czx^cqleD*3l2%bQJymNiMwmG&2joXS`^lR=B!FAU3snv*EM6H&gfcREXDlru zDy!;o#y7-Uga^gIgPp~CM|Q@59NtgIn2SovVa0^YFPyv*M*vX|Zri;+tdtY_*3ZnS zdOVt*ifS}g%OyO&_uU;#pfa#56H}X8B!2>@i+bxU$0R{)_<^rt&t_sZKy~TVR5kA} 
z(rueuvxTDw$V88Qhj`~VLr8)WrVWZv$*@jHL|WizV@LYk6E57u%98GCmD#st+~mqxo(}7i+M-eQrL}MrSeCXl$5p;;$N%VOo_AT-7M8TUIx(Lxf!s7)hty(nL}Jcq&Wr>k(V;oH#k&6|51ktH zt6}e-aM5XadD$a7K(c>BxKNdF3RM{p8r*E{BQK2?dyZlJY;G5jN+ zV@?RZ;*fVV)&x#CJQ#K=950O>xPt)(E(Y}382I5Ux_27R zM%$a0eOac%AN*8xDWdxJ8P{sju+f+SYjyDQ5iE1UkykVyU{+7pPN{=IybAV2pG924 zvKgVyK90SAg4F@~vP_3R_!$v3PpejawWAOn6>X5dh1|uMA+Xw^XauC z|M)5DQn2f=R>8T|vUItebQoK=A1F`;u5T&2C)B5><36fAJ-Rkn!m-}?iS-;=MYk%p zL_JjCA-~F%4JOneaCmt*4%bXe*Vk6r8n2JZb6DC>Z{*ZNHFtfgLhZTpGs{u1L1Exr z@S~-*sev`6wK$bx^S2+*#l>(|)=y`Y5O{!XGdDjH%)thcfMB+a6^jbdc9wkle0zy4 zIJFC&En(WUV3rpGk#axgC!^;k@F=YkW$Lp+aRflV9lAgyraZox% zcSk8Gp6m4EPyT8|DSlNAziFOpCk``+0n`Q@jd_GNMESDz=Q~&XpFwl@vUp5aGS#)& z-jB(~+*Mcb8^|(sg-cL{9+~n38?-f2W-v7iSR@Knj-ykTi1GRWBR5coVFR=8NZc_V z7vIHMR57fjB|Tzq-(`0YcR@{I$6! zi(2F=LWNJRKwo}6J(P9TmV%tu-AP$j1HDItn(diY-0R_|ENb1u8%R-Nj%ZwJS7lwv zvsOQ^@1mhAW?bsU0(ld&=jPH;88nv6hiYW&tf;*%)nImGNhk&y^j~24|0rgDQ#=5n ze#@>6mT;^$ek!}-B&gH})A-^)8$6(&tyE{v{Puqe+|cR%HAJDx!H$tvM$)KuprTA& z8GX5UkPJ-hHCXS+G8iyW3~Q>YhSjm6DCBmv$#eRcw4_$8ucJ7cCUYNlN2Cdvh9GXB zF!21a!L5MpGR&E99$q@)m!FuZU5|z)MBnfny&IFIfdQm}xs2N2u$xciaDT(RBV5Dm zh8iiq#25wu1iUWeoOgtsR-%`AOyh^@F3b4E&w*XmvC2DCs+nx7x=TGSaT&WzV-T<8 z>oVThN2xu>nBfjGuV&rMX87guhsn9Z#|~~kcvS7?!t-X(wc?cW{fIsJ}lNC%sU#)StIq_CY^ujZZ=&j?$P4MYL!Bj zj|vwEP{z7Np!89@95fi%s#$8X?f~YH+-~v{7E!nUtKw{f7sp z$fHx~u@j0$>d#SOzdhsHU1LnLXkxHHWVy7ZJr9vzZy4zt051`4P;`PKb8-jkp3 zt9;px|FJtH7y7pJq~|#q>@hP25FD5kn#pW{$?!-hr@6v6p-gp$!tisg3KEA2nr=?q ztTqB*In42$!nnCeZuI*(d7WLx33=BYikUN~_E@q#=8h32!VsY0h)|8%M6IgEZNN;! 
zk(wD7!NCCz7vfB3QK^h%Sv0LaT~p+%$3UxZ-_`>lPES4pz0h209O+eq8(G*rCB@a8 zmu${+=f?y)dIGwK^w_dmmaY%KB~_?$9G&vl$Eis*mJ0QQL&o*>scPvFP7PChB@+e- zlmxoDJRs*asnuv#`LZ4Vqo1%hYr^0I2tF_MfdW3S$qWwE1zbIPBmKW!0h`Wga1 zzTX}Aes!akF&53C3mh&=X0$^mx+D=RhbD%qX`yh%QdXC`Yf$N3-kF@cfJJ(6Mg{mF zoeVGMM7;MixW5)h5BxwtGiCufznvf^bP?d9(SXc=qLst`C`4<3k7bMDUif)0TZNzZ z9{p6m&7yjm1Zt)mTM;YI;85D2ha% zg?*sjl71@9=&EEvi9Po*5e^5W3``7E`cD`ZD;pc@8txi2$Wwq=kss?n^1$JFW5ZRTjiaqdFIj=Eh*f!M zZ6mzBSW@3xXE`S67Z$T5lx6i5R^AiC!GJY^0Wmc_a_#NqV9o5M{ABdg9ZhKhZbMPu z@ULH!T$V^(00jY zp*{FS?rML&6L=PFWp*73MPa>3$Y(uWK>^mlQRtdfc~z4=u`H199q(@de*Xc@B(G9s`8ci9tApQYTRE{xz$*L;@S|40ztZy_{7(p znRnF1-kx~7l0o5B1LldUTB(06s`|1_hd=nGsW%O6+J3^XnnwfhOUWx<^d^ghLY3p_ zl%Fw$gj}s5Oas~96>A6_7U<})ALhcQ+8RX4OqG+4i3~UpnDK~{Z$0yn`6gjUvM&wu zg_8pA6si<8I+MZfUl#VG)$=N|izdjr)K`M9_tlk8o=h8eLlFeV_MZ5|yw*pNk~lNQ zziyr|-%NqwY>j^eUF9=Oqoa4)K#ZvrBYGX zY5n;y9{S2dfr`nYci@ig)sK;_+x4YcKRg?LSEA=%EN2qEtO@PW)!2YtE#Ek5euQSLuU2VLP%!9B8%NQXPtEm#O0Zbh&VEZ!Z|xVS3|n&{?hAvJM4&VsH~ z+N~RQy)~Yc3uZbD=m!nL0v$nJDg{mcHZ4>+*<5b52@5~_7X}kF1#~-IQMDs$%B!ol zdRJIQNV=?LEBc};0|!C^8)ai3u=GRj*asZ^2XdyY29Qo*H&ZX8AIrDdxFJS9zmaCV zwY^nd5)YO(4Ogu1O1r7d7{j+1j=!N^D{Y1^ zSNT>;qAsha${Q^7e{Vi2?HXM1-YMT=G2J@r$A`Vw*DqyJ2r*ZzM@q*g_W!58C?jfm z<$0mB71$f&fAa0NXejq)SC;3=f6hSYmFRQwU76^;BD_uhQzi=E06&u%MDdb)n0$A1 z-QO7BlJ;y$?II4m>|P}^i0+l-Px777ZHV2DE6I~&$Yen&*(=0{q}}Aoc?b-SBKV#; z+RE?h3f~;cf#s$49@#ZXm&r(M>xv+6UKhi0h!dDh9wTqGdP9)P2xIc=;VbfAB8kb$ z!2G&tl8lMw`)l?(Z>rY-RRzQnZ)D)1$pqP)bv8|8zrNzAnD6 z?4_k5@iKeDif*~f;ukA=fWE9=vh4K-Zw`B2c&UA6MN8~un!-mj;8IWBd*Z**-tSS( zV>itk;khxId!X+P_t|KhjWS*}wmdW9n5gxRj$>f2S)F0)gRNBKHPPCpVjdd(9u@fp ztj)zY#80DbA-|j+8hg{iOOI1o97=gz#wT*4Fz_;uMe=CZWf^zm$)w9V#`L3>6)0_` zg}1c(EC0Usvw~8JF4Nc{EB3mK6W#Q?SV%0k*?YM>E=o>tozLf)k7n?-*#Awr{mnsY zmQ3XIhpz$3_AcO;NdHs))kS&lnH9`0t*%bb=mNK< z#)|SIV}R#7*r>@iC$;*sQ(FuQotOf(GjL-A*V*)k`tTCiq0St!Z0{sde|40IWqEEE zC#0*Z%4YRfJ`&|4D^^gKu12>51esu2d2l1t-x0sr%f4erOenfvx`ab@*%K>NP*pBY zasa4Iu&iD)Qd6hkq;h{prC8?GxSn1=XlhlhxT;=N3%2`Tu%i0f1{kAG>&KGXvQw 
z$+LwVij&XCR!Npk!HW9JbHwbmz9)dM)PY}?T_BI$qSi9Ovbzo%%LL2np(IIV4S+Ji0QM8&O0h@btrq0-M^>z`w|9*J zOi)Rd?W=V(6X=d7`hmPyYLt??&;{Ts$$;zri0ok33~Mk?Q#F*;SJjCsjVJH1@{xh< zb^n->TZY_z2l|kgVwr{FY^wMHPL<@@rBlnwaZ7zDvQ?60#{^k1_TpM-DCkYPXFO=; zEe)0Z9qSbTRF^tCI>`7>5d#8bo=OROK;dzDd24YLnpF@6-oj2(B4% z*MxVMy!XAM@c+HTO8&LK6MUn-2D-fa?k|zQ*-NbuL1Kt*)ZxXEt1V+f4mta|0_Mcv5 zsrp752vv%~h@nC;Ozup#Qk?~rQAw6vP@bAD2UVG1S*k<44qc-#r;z%U;IK+E%mu2~ zdI^@L#QKw^hD3L6Lt|Mp)M>JmBdgP@$5lJUUan7B}gXA7BKoUp z{IGu5!#RI}JV%dlOC}Twp>4z(!282q7tVh2rVn}ALnT@E_4m(efWPOWlJXj8OL(9v zMc`$uJ;GkI&wA^_)sS|bW(BmG06#)BMqfR*Ed$N`iNVM+P<;PvBgHGwVeR4fuLI+Q z&m)fd5^VMdM-M);f;uiaIG}=+vuqLk8$%EI4A)A4$KVEASO{(QrKJ>kz-oM@W+MtA`<;nbk@>GHPo7=&-4*M!pcJs5n2V!iojrj$(##x9>m*E1DJ6`X~h?&D%J_ zc?;cQUeri5eUB_qg4HTsql6jOe|&X~u6mY}>ktKdxmW0-+O$IFLS#iaLthcn?GKcu zIj=XCgc9`jm{`NGT_bcQzP+R&h%j5w68O!&`-c@o=-~(94nPO%2|jafsaQ8?1eIjj zo=Jkdo-}9+g?wbibPyOoQ88k8wps-tTP1n6ill;UmE_qOX2D^d&59xdF_g~DcrX$z zM1Id^U{$~onl7jVXn;(0`kav&5@Mo%Sd0nwNl(Hs^zTs|28L9}RzNjWm;{!66|L{4 zctH`s4&O5?7>qUm%gK1MUyW2=?pa~&{2xe_Cx4c0uX@88Ry(=}5ap_#0U_t}nBqzQ z^t##nKH*Uzu}#E0%IkvGxSn~aw`mqDHZ_}LNkw94l`@nExKJnD5w8^*K}CihgX{=r z(UBPpvfm9fm?@ill=2#_nW!xo=5e-vsLNRfHQ+i{Y^%*Ig{Om5k@7vO;fJzDd0WNg zO?zh5Uuc~QUWcex)(aTF$PG>U__H-R(aZG7QR*j0Sl`+IXI<+ z4>wjwJDCCu<%5c4M_Kul-3ec*B>zf`8yH^1ANIP7+Wuo}lx_P%9F-FUz687UM*u=r zNZRg%*8PVG3QWk{4Y|?jA0{ZRn7PsEA10{K>4s-{`iBY1%wo0O3El1=CMY&|_Rz>F zEl>Y2K^Y0V!VcmLNDfWhC-!Cg4@e%)O-%EW7vqUXyyW^`iRoT)X`jTLn3rC4m43bC z+C;7Q_QG|E|MZgk5{XB>jGh?o3_spskv4XtCi zd3|z}u71Z@UHx6-b@i9utI0e)QCD=?1Bt;NL319`fHzFi1x`;++~pNG{-MMuFL~|} zP4V1PU8RdtHH2L$UEpwq2Dai+UEoBue!D8IA*}eYDbS#kEz>oTr)KESmOrkgqy4{h z-46Y?PM-K^EHTt0c>l*@iFz-+dR|O}KG+=7uvgDF?^i4^?@xT1yx|rOZ=Bd=j@kF9hd&plt0yO_`LbB`L?aYz+ZR7lsW!O zQ)cBcliq#Y(7EA+DS!AC183K7O!-s4HR&~H%(q)QO?uB+Q>N{lk+)NSGU<7LHtB;G zOj~zeG<7`os)2cAcCK#66LWI4COSViSIh03PvmOeo@h4jSAHs2%f_-#8#o(2ldEOy z*b})%ZyZ=+K0evPG7f$rS4;Yu<+)nAPp!z+I%VZoa<#PX|7xz5*5hBx)mr1g*A0T^ zb-B8?&0e3ISf-Ts+NTWJoBzjDZR5Ah$BQ;I>RP^QC~AA!6l&dW>bd5b+{7M*Va0O> 
z_1x#pz;g5jlis~IH&N{gG@nT1?wM zm#4*d?NU=_@3K72txaDtWtvy!Y0hn5m8V;yb+sw8ZH=L)eJ!JBouOyNdV_2J21C!0 zrwp9tR#WEUw+ze;oAdM_vv-Rre|D=WGxvMuearVvdgU`Fz3~Su{ajw+-#sZ?{Cr+w zzG}(2d-4(=@iGqYH4U@$r99KzCl2H#UR7Ugdf9+I@KZzT;=_5mzaH)|WsV*(Y}|a* zkg@QX!M6UmVbQV^24>qy(@e{MYv7zcZQw8Xy@7eC)4X5x$2_BP=ASnihcB@DpZcr8 z);c?`h2_~faozYE=f<_rt(q4%P}hGlZaBGqL0oIiLkr`Ys|TNmYjJN`VxV69TwFJE z%Tj}R=Q0E5;BxbR*9!CP+LZ?WnN7%W2*5cnb z8O>Ybx^Er%t|92$(yh*pdVA35wG?VUQFPitK zUP34gPfoY}$h_bBWAlE=Pt5xrFB_sa{4}n|w#`2?@Q?hQwdKwu=Hq=wS;qSRjq5R~ z^Ve}L5VPja|76M>`LhQTq2VunDsN1`()#-J z3IhnmD2byer4)tAd>)oKQ}pAKqN0--w&R@5&iJ04wX;bDZn(K8;uuO^uZZ z!2CGf*=R`QCJM&?yC@KM;?+2_n8?k!J=Xzj39PU@RaVtdm98~##05B9l}q%ICE~)J zpvlcAk3ETgb|w+$xxw+u(<|~cV*oH8E@8ys6OiZoUfd?-FND(){>%{&#$bV7UVuUV z(bbY$xR*!H+IW^=Fc>Ma0+_D#a%!iiA45Fysk8WJNtr3mmE&CWz_Ob1Db-cAnsU*Y zHw20>zuvO7i~I$|g#Zy;1n|7@=aTL3jw~hwfcc=~^kwxC=e3~t-?G8vUH6r={Yy4q z1o(PWrf>XC(0GmBndvj>n~WECGZi;J!1yQc%Jhl$y5)U=KA4dr>FX*?=&46uDP1ZT z9WY}fGB-Ze+n`#g&qYfvM3N~gDtu!mw&L!f^+85@#0Tjnimc1qE@N|h-vs3FpSz+f zP(EX&gIy^ja9|dZwrInh+xW7n;KIMvMs~#BcO9#Y3(eF z%V82#ZRuy<%PPi+5rH$q9j!o>7}(V8UpsE3JoQOqrIhE>G1f zW{7!BSR0AJ>8earV~bN+O=XRyvBNsPIv_Yjw7R%ooA%)j{iLd*7SRgpF#?A*@V|ys zzrp@QOY`j+%Zm$=Rnx>x+tfgkUOnE6o=}|ix2c(RRk)Ud2_1!f6!XID5l=%z^;CTw z0;@N^UQ#a_dQjH2scL9w@(alwS$~UjIZ!`SYMW}N`aulN9z@gBM^j~5eG1xd&idnk zp3WX?V6rOOKeMd)U15By#{E!C1d5vt140rjp3akbM1m(YK@q= zUfyT8&f4UgMTaShhN{O?QelSW26biFnBg0N19N#AR07NjgAr)DTr|boLwGt9$Em#m z*J!N(-NMO9g$P@#)Sr-p08U*-FcdvK;m0LbAEgzkunDJcm4z<@qfB+Wv>XZu<3bZ+ zp?3*@=5*Kjkq1YM00wUq@D@vw3!;W^@18r-iVADCBIO)o0_W?5-*PZlI2)D&EZ zOM<)x*Ezn~kLc+hTUh~b-WBZI-egJ@Wa9*2Ht6*~*&IApg_IT7lW|oOh&^kADuY=| z&9qXPRLWixdkmr6@FlRSaC|c+s zO48R3IP2 zSI=6P=^GtPCzQ*5Aia)rfd;oo@%(`e!_d!fK7{G&**RP8KdnD9@c=u>`eqYS#)eis~jqL?1U=Npf_ zC56R|;75Tm%3D%Ieil7$d6uHcFYU1`s>di2jaud0k7{N0Rmhmv6={Dbx@uN7 zHX2c|chNAVNpa&c>^F9?dhI-DEdC_aw2oRJTZ(T$xAWTNQ<$%r) z*#zM8+wivcCj1&mfVZ5!V4Lz!eeHKOt5g6U|0d8bg4tII3n0wNenY!xv3@!SpUHu+ 
zPg!+oLxayGFG}{7uc?@L&SwkC!ty3*9+d0L!c=X!HWcDDe&GNeoZ%?%+%{8k@KZy7BLS13bi5}Bh`1J`KK*-nE6 z!>%)5r7NaX3)3Fw-J5*b!48)2<%Tuc^}Z7Rnv$)+SD->!t-*wA`Ij&&cf|pMW?CRb z5t&SEx4>^Cth>S2MDrn zKxD~))D%S)3~*H7H;tmGtS+ssP_+y%5v0t9!FN&w4AX83OMvFLS~NG+S5JY{D{K;Q zVr(Yh`fYi--r}q2#tNgq@{k!LttcXluHi!CJ0c>Q-F(-O`fyXKw#>5yn~o?ix(C<6 z{d64zl{dm`(bzXV6~>?GrBfrQQ(96mnX5%quTOoduBnmKSE5iV;6CuGn8KN#biGG% zsN&400*dRR#)b4o8`6E6Rpj^bjYqbgEfn|Ag-%sK1-Wpef$Fk#sDRX0z0^BdeHt1| z>l@{;LH()#FB+Q~IHt#B*HQ8b$INk$fEfA*W!@ z(U5{|R8ZTSs>mf@lr5yUXihm!6*kq@z=v(B+>BLkqM<%&QRUASz&MfD`@Z$@SOzRm zU<2~>X8JCAvD26G?Iq1M^gevyay8|JEKek`zmr9XXh}PyOIaF5oH9&A%+{S~Tst(5 zfA34IXzVg!rZ*d9e4$E z%*H9wvx4lBqVjfN6j~{kY5Q1)LVhEf&73gvnH{%ATYG|rGdqlwDQcU{?7*q4bk@c) zJA@a5VwuS@R3>O3v%{%sz+t8_TP9g?pHVDBy(7$FcKAsR8>6*l2n!LUXcL%Cjaup| zh0683kgcx22J|<#UOP;xSi3PY?{adICsy=IT%X+i7u=D^ zad+koNc8i7`>!Mr_|>uG>X>^t*Iki2V3Ow-&Wlc@+{Ag00DKXElgW7(aZw`2ZO_+$ z$AsQ#pnD8C`sMHHpY@0WA6H1ZfC)ONjzMVFLn~JttD*p|B9O)IqtH)8e3)8*yQC3gL7vrxijW2 z?c=uf9xy2oqb3-N37EG7vy(gs%n#+bORw%eW;=-Ss;k@+{ZQYO^iKy1T#YZb6R;kl z`mTGG>O1F6-N#C+WF|CAu5~-E88FE>hhl!BfbSIHI}3cnAS`dz_?oljFS~&vMG3g$ zNg18%!gcPp>mWho{nsH^R6sdrr4XRaf5T;^9Cu4nqs+cZg$AW6N;LZt?y|&yNjj93 z32FswO9|U?U_&>X-M{rF})+L7{F5QLSdjlCxv(`FFVc-Z5a3aCu1azkuKjA?N^tn{wPa z|Ev)>p3PrfC?Y6JW67m4clA5nlmCQ1#A1Z`0)_$VysroWYo1debjF-_8L0ldNCfop ztKvjWE* z`C6awh#~CAP41?fFo-GtWhPY|@($QK2;0)R1)_Hyzr|n+JFJe?hq-&DaW1*VJ#jN| zD!-~GRUGmTIL{K!LlWnP!G?=j-O18jO$GoxJjh);2)aW#B{c2{foc9KAxKL;PPN-J zq??$uma0wGy3Iq}!?zBYL{6EcpF_Z3N$?K<{y?aVp@w_jVFauM>Gm7DxyG)fdGkok z$VEflW4Co@2C|vZ&z?us+w>k&y^I%x)EW}gPC_ku(8)X8t#_aYArB!;RH!=Ca4(_Q z4ixA?2k$f}!VXnS`9KZ*rai(URmi+M-GjyGTcUtKq!Pe%lrWtICiJak|86ja-Ko)- zJs@x1b>LPUx?PH2F^S z_~zZvWZi7eL+-u@qqzl7ogc)cQ8~XJj!2aLK$NJ@ zX~H)D(==&Z`+pm38JWZ^Erf7ta;kfJvb$^YfJyKMD*{>q^xUrr!D<6&H^*K7{}|92 z)uLJ76XeEZqkH^A?v@WhZYdz97Z(%oml6C|0Uztm9a9W^@9j`6z)?s34y7{9N~jPV)C4vy^? 
zr@H&6c4urqOlX&UMvB!mQ=PDTpn8ztoZ6LgTTK<_hJsU_1o{9#qoZxFG@vuq z$g@&0fjwN|uB?E-im8{1J?alV3S`Y|gj6*zB7r^gs9|5=28x^_>6<`=M$BkeJnD8< zfpIEasYw-wyaU1&gzyj$qCf7bF|`Y09KXlQYIdU9U0>Z*SKLI1mOMcu)~ zcR+lE5HDIxyxZDn5Qp-Po%Ywwb)v!D)&P`QFF?)_%6$^$uIWbW2bMb|AGGF4!^3zo zHz^c-%XIfblT`EzzAof!!DmU)@0)2_BXE<9;D~)C*4(FNxEp8a<+{8PtCs8X3A|ZF z2sQx0Jy?|fAB|v4;7$`Ekawl!EXv%7CX{lTx*T)vS(pfm5T=M;tAp19(H25<5r{Am ze)j*>jnE|`-z96p)e=j##N77(ayR@J+Qf@EiBkb8RjgCy9VpmG6l`8XVz6U2?53V+ zvr7`>(F(@eL;vlr`fm)KD!i@*uKbcg{65hXT`g#tE1-+Q5OPyWnH70h6qlzIK#fAY8nb z%!@$y2xjrzxEwa%_{{f&R46z2>2%M3Jl385vX0QUwou#5{UqwCrb(IZvJ*zpW8e+c z-O?QMCPxJ83}9h$bZ$Q5Sy-nDEWF`M)I9_IlMp*XhAlQxi@~0Dg1z|jMCZN*jLyiL z@|sAvCUxiF6Pm$w5}^G61R}RCWJHGX*>|6w0LqmTJe<0lJ}szK1{f1F8Pv}IhG@)A zN$rv+7?Lnfh|^;Pds{5IE#|IR6m#1?1K4(S<&YrEz_yC8ZCqNAn2IUmXBlt8lpcD4 zIGv}t1E;L+vx`0MY$Z^Ozd+ns_c=y**sLw&-amnr)_iz)buWOLNx>-3R@i6M;Q%4t z1jLhb+_ukmh1hllK!_`ol`fpgx@TH|Rz#4dFwy{jlE5!qMux=`UjTTub(8s)w02Iw z$3eKLbx$r8-An~UF{y~nojL1-Kx_ei%p$ffXZUZIr??6r~ zk+bQG#F|yBOv{hSo;BRJLg*+dcd+0$*lqa=L_>!7_9A_QhCM_>CuqQ0V#(JGOI{NV zQ3EJk7Q3&0RWM0K6E~^ikar;PC=s}NIWcM5+DpVFHoU?+D)ayxD7)*v4hDIl%wf5s zkmjJ^0#R@j6kwLW=9`9sZhM>{VUhUYq}g4v4)|DXbcdyZckwqx&sqAVg2bpC_t=vR z?;Tn99G|xeLNAPz@CxmoTrVmsL$Ip|>_EDXkahqmD!XGNLz>wa1MjX4(!T|vlPhw# zo_1F~1%#Q`$fpP-Shv!TCd}2?2JDxS}$aFzm@Q{uB6uM*v=T6x%EQ4h7d|I zrogqid*pk9ziMJ{QV~=914PCtkOBVgdWKay^Z3fWkPv=3y@Eq^cgGG?IeemjlCZ7& z3Sm3@16Jv<>6P$aqU#3t?C!apqHZ~bLUM%cs1(La>m8bO&XYoRPDpGkcCosJVbc~M zp<>_w-d+8i5EO3}==}xMWdwE2DiW0CyICE=CT&6c54_2{E1nnC$a)IWN(c`FA)4sG z9#)OOZX>NYmE}h&5IC%N54<2mP-N0hi8g*-Kx^nBE?a~N&0WE-k+Fy`+0F{%>WKJGK9VQN+FAjDs9 zM8$Rzp5!J$D!sGD_O)$ zaQC-+%b@vBi6-3*U|1wJ{~W+nlLnmCz=e)hEr_(>&Oa<#@_;99CRH5r4n(gaJSTw% zExGI$j0b_1^jz`~E@9_GBnNkW2iOp=#mx;|g~4yY+e+}(ex1a-{Rm@15T5jgqic_7 z5bi>hrzP?Mf^rB@Q2Q-MS?vQx)_|KI%?ZSlaJT-FlC*QfQW?Q zwj2k)dkLu|1?VLJa~Z)r3z(Qeb(~;a_wJ)ANfw8mHOmoD!(EKR#PU`GvEduU@)ai; zh=4hexi}(7Lf0W2hr8t!Aq>O94~UAOcUV`-R6B+XO=^l+E`rdtZ>C}DaP zn9z9JPcuxO22>7zLZ@?x8shHwtw3l`-6E!Q7YO0Db%gNj86Z@LB{RBgqB_bE4dF@L 
zv%eD!8gh1E@&5=Rxd8BJ(0PAg;Jb44#4sS}i94@TU=SBO(oK!HHYO7gnRSF=(>Dpj z@;@?;Wp)pxTM1!Q+!bfL)x~xa&eOn&R$A~U;PlL+-qAkQNYdLBVG?Fh1Zgp5(RPBd zem%+Q%JT+>H+(V}(k+z+gZM50ljDf_O0tu{?2}-&{@H-BNrC?=4Fhpu42=1$qLI!> z7_EN+3?%~=5aH>HfJkFGLdv+yE}&&H9U5Cj;1@qhoBvz>%D{WmB~?}BCyNk>Aqr7y z+-ENWe12VH!=PIo`3JS$N+1sdB&-are`6p$-J?MIbq^xlxUH`WK@$0-d%Of-9w3+t zH;^E0_-L--f~WBrOmQllsFYm*QFGi4vvGjfgFD1g3BWx`aCb|%+dszOdOA(RRm4gY z3&QWXt#bghcM~#h5i4uQBmsENw?wned5X?B?D;qY?1>QF48abh@Y6<@$cbdREX*M6V z!C5-u47uBybGtK3-$MvD0wJn!@>8q|p4j;iD&C8=1_BwmXXc{@_Nl9*1oSk3Vo`eH z(+p^|mop|P2#e&NSOCajy7B_SUj08LfD0Be*q%@m!PdDdgjaIUE(FX>ho2X360*_( z*f@Z5d@+OV2{*wGJxPU-P43bs0Ka=@sn!AG4av2wbe3xM=NLv$sSw7nvr`BQ<*rx) zgyE;Bo~5d^e2d!k)aMQ0F`P}APD>%yl)J742)aJ1ewb=;5Xc_Fp7pXUklE*>5Y5V6 z_JuAQ=p5B*-6m?FC11({QSd|*0%f^pz6dl?2htaQTgbp!pcsZjSYI|MDx(;e=?oNN zak(4BrHOq18T2)TW%IY`6x94x21|7FX!RkDdx-4io>~dW;m6Lm6N2MFfPUS&Itv7W zb54jB=C1rI;M*t74-xFuo2h%RTw`Eo&UI z^LxmISuE-hKFvM#ja)g$UO_Oo116R=%bqlBD)vrTShX>lr9m%hbCbto_~#-To4e_o zU|07P%w`aAL-GiSsKq+xDMLi0Z$p0XnJOlfJ;J}a=QjvxKsH$*C4ywvaTO z{~v}S%A=mSFHP{paEOp{?tFYZDK5@}I`kW`PY~?6-=*Pj&L+TC0^x0*S}fFethF>C zLY+JJTS6LUKY7!KXvLyanC@HefOhtGgfz4QEjrKQ@31OGq189H39UR_i*R`Ev)>ji zc0aj*FDfaAlUhV=fzO_Fy%YKt$d>~74aqY=juxA{)gUj<>}ZimjJ&Re2z>65Ex_Mf zj32j%#eidyz|>0B?AS`GZrwJ{@o-$M;~M01Bfpq58vErAGw`k9^CA}W`Nw&o_cLYq93>u%lw zL~dE_`_yUWo6}A26C7%|xxDOs-jynm6t}9fEC=!~P;;-{R*={n!vVeLK%Y`QQT@kU zsiy`IiU+|H-8uM{7WYfG&@|?Iql-VJN^0QA zq^#8OKLYQwg!h2NyXi&X?ITa!7DxG0WO%hh0Nr)s$+a>3a}j6KU9eZk^ZuVabZXGA zhP~e@oN&=;czM|)JBmZzfs(^S$?ETuJkQ?N!#RSjxcmlJXQC~t);e{&m#1y zd*Bzq+3(TP+LUt7fb+QQ33!(i-ladFJ%Uxg>H%Ioj~4R|1bKBg9R*hZGJF$ZISwo^ zW$yT2U{UjqDDe;0F1R#D1X*|IF`-d}K}ya-R4U>O&t4*8$+M(UmY!f$?aG~|VliK? 
zBW$g^;@7CDT&@qnQ44WdY6y6GOtvKuVY$BjBtz6ahp!|-($<5(xbF5>fX!RN!`371 zo&w)R!q@y9E#c??mf`El7pt|bN6=lj^EbegX<5JIX(6jSfe$l))n^#KsKH6KrkRja z-Q-Lh!F^$L22O{|=KH-F09~q%%t7tfgPI$X3w9MGK7y6m9~d=JT0&9dHv`CSgW$sM zl1>oQZyY*G(cPuB@V8j+_@01t7qMXe^VDrx&l#j+x?*`I69J+byJyY<`PClYhN98+ z>83g-@C*VvsMc*D049Phf9@dxw%GtNl-=g@T?oK=s{MxDQUEUY5VpPD##r5~9Ef%>(WK_j5H+YBHygFZu`I{+H z!3ep02}2S!UsXtS7ZS4#1Y37Ed=?n|vyIu?MeDD7k!Bm~S^!!v>b*ey2=-N1Fvdo$nZoZmAn3i@{3XHG z*)zZWpK|i1QZR2=?|}Mj1RqYy8<9>q;upX!`o56N4f|=)IrnP} zEcc|X^^e>%Yh9g(*Zf3oe=L3e#8Xps!Hg(pP5);`{@o zuTHFI5VyL4`gd$%z&O=hmq>BC_^mv5$F~47^99fo1b)duDNf&E;Qij+Nl>NLY{TX} z_sq8e`KkwD9xN*He04egM|7{*&xocw3fQokt@tiuxX(X4ffgGZd$;7dE4K(%=hG5W z941w%Vx2PYfMO}3*z^-(^`WO3`OM!u>ttuQ=DAz83a*S7*P@C>!vAw)gSt&9p8$3v zf$ap?dve@E-(!>;fAyN|x!*(MZ4+dF>dlgFlPV5*2l%@Q{*FUL_KEK^_|pHqhTZc0 zJon`GZb{z}g8iz5-T4fIU8wx&Yw#rcogB`3KXpM!?S z2Q-1CVPP<;rh=_b_ z6B4Nn4)4u#*X{)pTn9vK21M=?*8yb;pgRfl{B~;8b^9}dX1840V@VwIT>28m?|p!M zozIGXbCEFbhP(s5`9Bam+YNlva1!C5!KY&?5be!*Nh~l<9Dq9i5#ZlO`bO2b;SPvphhP&*cx+NBfS&iPVAGsm5Sv#1l7Y?;+Jd+xrhG?_ zK-V7uaDEhi1%ccFkl1JFJPMGWeko?0SJma))I!B^K4217Mi-%zlLdGl2*oOB4Zt3EHv~dG6s~0~)y(ouV9aI{rt% zf0f{$2Yd+Hp5HL|Ca!~kAF>6|b`rvT5;!b_f9MuK%X2~+_WY6*ZToK-CKDe*UmOz}6lmIoS0(08^7eA21apgg7JSC}&USxw}t`Aua3EwYvz_0ieQ) zVE6BVN{O6_+yJ^o*bycvLf#hq9y6^op1gGsm_@%Ld0YDjMzQH<;p@9Yoq6uM&Ti3s zj*zti8E9U8j`7+c^942`2FdYr)gSZRLubM7>xT>;a@#F~Z^gd{1`ocA{!Mm5-$IZU z?xKSMKv|pP9zM_NXEc^~^4klPq8nxYd5jQ$>ef7CEwJG%+%c-)@xQPNMh9LYd~(b? 
zd?C+WZ~=8pA}Y&WgG%r6%;R@~LUA43iFl8C?x1=u|KEbdbX**Im0`{t%!RPaQQ*{H zVQBd)uzS90N6DBk%2%!T2wd${%f-j3bI$!}Tu*}>I}(Zt9OKu}t+V6qtA7KkLgafI zTBU%XlMoyO0?5gnk1+&YhLNHA2tEDmoVdGe4qV~#{yG17(LSqwP5txaTn5;v6_3{g zMaUU~CMS;l%JHFs&()mM6M!OdjU(FyZS^%Sb@3Vs(Equ(8mGodf!^7Xgu{- zC-f~aZUx30lAXW^S>8N9BS!76KuXs7PsZKD&A^x(G`+Nb5EKJkA|U*^*1!?(f%PC^ zJ#vC1YtE+`R-@At&r~bRW5(+j#NBhB0@B_h-#ccklK_31Sa|3aI!kl#GYs@wbyyk= zT8G}DM%f)p?vA;K7RKEL3xVOym5q&c4R;M1#5a_}UIOd9-9iYKo-9Z_ik-W~467}^ zERYYOm3}=BJ`s19JOQ*B8tsKKiQ`2rvh!}a$sG046!M+8z%6%Q_t zyDOIiWMOK$o+^4N0Bm_dh|0F#5~*{)%mA7}HrQ&rR>a-qD*~;yfdE|qAhg<=uNXjM zcrYbz0jjlyT*|Fo2^Ir)m*|p55 z4W@EoQlpKPa&6xBWZYf-Br2p=?D2%?zZ&DjCYejo7ih75*la{K~}*?UFPtoS3T*_A(FF#J*12+G{tByK8Qcn0eF z8NhiP*=dV3bwv$LX#c9y%p2y^RSGO8+4}o6#Cjvcp4+9+xJg2d=z7Tiky&$lh|C{_V zsp61#;LuURa!6v?wwJYz31mm`ZQrV2q z7i!EiVemA`$6k!PTV50-zvB7yF{$E^cL2ZmMIlff0FN%TVL!mD;}SZo9)TA(d{4a; zcXz)8di^(i*Aa;2f2JX1;Q>}_f1o`*>dTqQwjW`|@gqPBzeTr`pzZ-w5O(p$kx=!h zAdER%e;jugqHJIbtDRsqUmyyP|Ag@{G}xc!=aQeq-4h49CBvPBYBNxQ?D=hsY%6#m zp%FTC$IEed(aWG(9=_wA%IEJB&2tvuu#I)`rwm+JxIuy_kJ@ecY23XC^y;Xc&nx*V zg1YW6G!b5Mm_g-13JIE&)XhHww01ztbf9i4K|Kbj<1lgWU{GbyoWQX;Y4terbF4Ie z4#?fRz;Xb%Zb)vpNGru9zht-qArq+*Qs8zTfp8oFs_-4?Q$+sqzf#NX|CIqbh6h_z zTPVucrVQV*?JnZ6@Fs034&(g5Mb6l{TBgj;X0AEbC9k-P5lCk#|f@ z#bMb;@VEVq?!ayTt$`ob47&5nDdE9WSnQkv%<$W9#|iW)fJWbJ|6NAVfdgmfPeb*c z24wr*+p7e1-RxeXi*Eb9ftoqyB?+dmyv+H1+-*Mt(B^zW%YM;-M*tF*mrZ{FNVQP4 zBYlNBGdS8AcQZGQw#H4xZ1LvOh)_+uQ$KI78Lzl)$f z3uv(NFFtRWQf!A7GkSrq=a199Bds{c#&QsM6&Y|{hyU1YMVJ<`Nw6!3B)ycmAvj0xoq92JSpZ~F5V!z?g ztAMJS+ztq8-)5WpD&~rR742=`T*FbMu-j~F3E>tX6rJItCLot%BMiI8);2reT`)Tz zEz_-gY&(GVhU7V*Ma%4%YtR-)#WZEceQz`GWBKm#j{&o}w&uUV)=pJBHn*2hQSI}9 zL-EoME*Euot$AL)d-&t|f}`2qUF#&YYd%gK-SkOQwdhEyY=}M7j9N9LR{Ww`@YdS= z142rU0R@KG=1+Hx!gpV7`=|2Vee;1L%X?_uxUaSfgke0M*Ng6}wSNYbDfMCZijbRX z>pqk3F2q-~MYv7Y@)M*yPCmhEX-5!LyYT~qchsK9cXus9UHzBR>^o`)3E8~nUScC| z+Y*M%4%ujsh1^a%^x1rO>1PGTE^eotB8+VkRwH*hO(cr(4w(1M{?)jytF~5-R!95JP7`iTe znN`3Z2pM30|7`h}^WCE>1pUff9&-Qe7~y$U(!Y2W!;?V_!fu}J{Yt*O;w!)wym@w! 
zFzo(RFL4O^$ZCecjvK3M0`oxd&e`d&=DX{@3Iy40I4?OUWa|RZK7!fH*BROn^&5HH ztbI+syJ`)PvKwZB+h*$tQQLxE;&|)%Z!knQ2i5UpbqPu@M&-=0K4Wg0W(B6oLdzT46YJn9-5zfZQBFfIH{FX2Ax(6>)(8nwj)cedKKSz<2W9S2qJ&3nzhR*;eTddg|4_M#`KGqi6v=*C1d zIMcncw(ns8{T|Q;?umum8=H4X)U*Srv4}qSOt(?n3+s*@`R?i+T{QGcpmma)7E?oS zdbZnW&0ojpH*{Qdw)^$juKU9l~M?p2_}6n(|>23=)#3=Ug2vXYBm$agz-i%JU5qxH3=)xJomCkWjcphG2h?CmzX zz(T#_hxzV?9|D_wGi>(DqV+Z`A=R^KA26vYYP5D^8jt#^xDz&aA7&>ndUMsK1oRky zVz#hv}e;#8GL*G!5PIzu#;{1?$$N{w{KP~YNP25z+(j4^fLzDo*ydk zx=V<$zq1`IK?Ll;*uR$GZu~rr{hNOdxN7W=CObIhA3L1yZaLhoF@Fc4?EqTzzs_H< z>e!YVRUOW$wZDKobqG#bcf8sN^zx;|sn(+mbaagXI&iyd$1n5Ui${RKy2}-MyXy=g zJpiPSAUf_b#zuSn5q|D(`LTTW%&%zaZ{6X7F~xd^k+=D$LMAqTfta}c*BNUXeWUBx z@q8RdMNQc)uE341m4xUt5Mj!@_Z5c7v1VuuO;EO81ZT0KxbT&H_t*)5=Xbfb5Wr2# zXt}ogHw>T*TCX8U8~VAE`R>k>fDvv(-%rpw01d))=(h|S9e^DeqL0p=g2mPbj1-uvF1zEygSb`G7G83yte26gh}L| zL~X6RS?3ANF@QmBcV1v%B&A#j$T`H3KVx?GX8_B5D{IluMC&eFA%rB^ax6EQ>lTW? z*XQK)AK>&Wx$nMvKX_L|StTal&hp>H28o|pGaoJ~DVd1>;^zY;B{NEfSCotsukg2| zWEj22Bc4l2#)>DrQh)JqHy%fnJT#-EBsHoG5QaU7mkkf0+`Xd&Sn)h! 
zYp~#CJvdo18Ul)@6VKCzi>j4O$FIl6kgS3$qO?VzU9^Zd>I8cq6(TJjVi|6UX z@#*LiFrj23gaXeRQn&kf^HbjWbD|JWJTsMOeTz&A=f-!lVD99{t-E15hTFNcfg5ktq~ z`=;Tj#n_3DqWsVc^ej@jT+O(fIzu!@!EsGfGi(hIlR>hN^sE#$-XyXuumGp6{Lk zrVM{@GzvXD426bQ;JKu16q4@|s$l#KsD|Mqg=%;}JP$9y^N1Out4|+>mt!a5<*tgE44;awG-2Wd ze4iFwVR8xhGob>aJAAMZC5krNjH3?B0QvswUgT?cE zgy@VR(PGXp9e*q<3Pr9eN ztm^h#OFwwuw1+=96U@TT-CcZNGQ1JrgHZ5We-GmD^KTz`e9$2DZu|%tkw29pZ$!F& z!k|I2lz5GL;fLrO^U&jyCyi|?A5%SJ@D4*G>u@4@8bIj z^gXe{y| zY1|`cHD%=A*x@3d+SjAMVe;rvGbY_Oth%iBp6OGoZhyRd(zvFFKX@zjCVs|NWrjDN z@R1Nlz?(j~W^&!bLmrwob@ZK&K0N8Zx~W4*+)Ez+zI0Zh%_Jzg{|plo0q^I2kv~g3 z47;^#$V0Qn*UWtE;Yq`$m5qLAR@sm{o5t7NS_!_^l6*tHCJh(EWq`!|bK1n0l!r{>!~B_~a` zWa;C=Y4zWBXJ_>nEOKXz38VF+;j8sirbd_Rsdy0vlE^3cq(UnAHyirTG(T9rwfRr@ zmT%c&550otC-S_ECv%EpB1qgH{b{tmF{Z|ck1`OjoDu1GD6uz$e(>db+BYr>(AaUohUB@IAdq@q8Jthnq>Wez0w4 zO8)ZwlPml)=0AbnrO2mQe;s=_d#mRlXfo)-zAXX%Oo0^o(^V+@mrt;oPp^GPICGv8 z=$%hj!^Qaiy!3eA+&ol=h|%nKGk#|(_(^o}`tmxe_}??&@2rWNA7{(=#R$cy)Gvjf zD+ltZ%P-_h<_H7zQ{>Z}k1F-@WPP2CHyfWue`wVRXAby#{2bReyKBbpSbu~+jQ5;7 zGk&*CxN-fAVyiFcd;NG{{}TE7Z)Kx>TKfv%ZwC2qCKdk`F%@IOE#_(k`Nnbz|Iq48 zjQ-({@I75s-hADCk19>rC1S0${XMPTykgGICzTtCJ;w$3R|2Q2Jpun}8OS1WbxVE| z{&N(rN0$FaxXB)Md3;RE_3z2D4!I0JADK^ydv&*;Tz^CX@(cc?``ZPQoHJuQtLby> z4TBNTbUQEtgFhYy;JYT|x zSe?$?D9@3=8D*SeU;f9e#rndY@`>BmwGT@z{NQ-oJ(9|VyskBQb%kDeQ@$j0%+>Gf zXf@nSw{Dl?8|Jh1h50U}oSgOYaaDhNsNQ_cydCF4o6l#ikA2ENwLU(Q)*Su5KR#S8 ziCbz1js4FQ|GK@j9l}law?@3VgilkkQ~S+~uOs7`^2O!k!QM=&%Oz}D;%roog#RLa zS{(?f@^+EpN7tt<`lfi)hlRXc`x+t_TyBuZFUGA))VcBLI2ri0`Rd)$o=p59w%RRc z-f$7>07djK_|r`NdJgcV^lQS;_zml?j^C*ff4)7s8^TTX2gFgq3~MdpLew`z6hA2M zqWsLIync+nF(3XsKeHF#hz|!H)*EFh3D;jeA9^8N%g?3-&wt4C#AiqO*`?Tz__O@{ z%)KT(y$)0pr^nXm`AhJNsN^d%KkMz&_N320$Em}f#5AJ(%(|mI^Yv-B2~Xx{{SKDK zIK8p_c1pM*KV!}O7!QxDm*2AoJFr@N(wD#9bcB8h4G#WjHM`$oP916!R|W6)n|pczQ9$!uj+mN9`!=R0yiJ1pR4+>yC?p9 z{#!D>80}&FjQq#meq$=-%zxld&3_p$jgR@q@R_wLel`XCoeP|!9@n!(zC<*=TQh(5 z8$8Da_k54*O~hZAuUI3nm$X+qnqPL8aH;3ChN#Upx8Ot7=Nq@gFAOE)1s~;@RJAvM^1jTs=zaftjJoey=ocz8{db9QZa-RffbmK*)~~vPFH`@Y 
zd_Ea3N@+me-($T}F){W7w|Vu2-W>d<=9i+sGOS>~0CDs z(R8&eJ;~$tXlwM>PM2_H|Cg_`avl2$H?I`8)gIW;M`Aq+-lbM3xH+D4!S^q_U~9K$l7MAJ z`fGwOlin%eDSDMY5&!I?{Yt0A@$=VT_nmO=30p0Hj#~ecq*RIDU_TA&PuWkbZh}|a zTg-1^C0QTq&mo_b{a$gr(W)7M=0Io%Eh_%FTuxg<`UJJF)(9|(4C`0hC0vFMeIk*E zAMB}H_V;LwTE=>e{AY(e9QF))4f3%)ABM-Bi6S7GHjH{LuVi>ZCFzPkTS9$XnAQ4?Dic8s#;< zrmf5GacelAIp^i+YWIw_XOEh|+G-8V_^zVy^6(w)>6h@6FTa|=#XsiA&jzjHZx=iG z+x+=qjdt`enfkmbkE+*S;as!>&nT~^OE`LT;19FqwZZ=En($%T-eU3a8{vCC8ME(5 zpR4gwVvW_^*KEZ-anyjxF7~s8AO0BmYc2kAyM#;rnX+HS@0dAlYq%e4^Se?&uiJ%? zrOl<7-bkKvELsMC*a!%hZHpXv&KZM;_?iPgFGk}D|NK(*t{c*q@*lE3ChcdA{jwnH zRdDWhX8+n2IAyQP6Z_eZ_p=YshJBqwT-grvECeKgQ-#^AH)N8_c3tdI< zUy9$*L3NY$x0^2NsXv3ul)Ux&r{}f-r_j`g(M)`N)N5zh>pawFyg8rG= zWBe$5T3-n4_nrLY&sTRE!ejE@eUHm^#*jg{ztR(a^7BP|KzXF*D{GwSx!F&u=vhI( z38mn5QNJ{-j{||H)+6#4*=Hj|{(AkP?UEk!=*9hq&{IJj3-wOO$J)b`i}d|PdiE}Y zpv3&r>vO*F&*2Uq$*1)B0DpD4oM8XABK*G+8@@x@x9?917Mw7zwE8gs%W z9@6E_m=$%*jfzuI+duZ}H8bo-$JdteWGMl@U|K;x*0nAAPugcwk^>2CB|q2*KXV`S zNPZO7C$6guaUffzfmu7WP)k?F73#FzBfs=l*C+^FsMxG$tvG?~ngd>8oZM-o(ehy|FxK)kpQ z^C0}Y*=2oH9u<3(pQNAFY6S3aLZtjsMpE|RseMuY`X>MVQr7!oMV=2E_k*xj)e`&5 zx1Xzk_Nnr_$`1Qqe(1|Ta>sY>vc?zt_PAF+Tq8$44{1RE51-Gs59>OBsf+3B?;mTr z@W+Jbzi(TFv*+9Ln)8`gM{nSvFIelFyzZvz>#=xrM)+3tTVF?2Q;RK61!|-*X1nMtL{qgs(u9m5_I`uQa=_ z*$eo7rvG~&y-EKkP9v$0R39?xt;^Npy}k#CehcA0U*8vm@3Zus!k^jaZ2L%c4Dmvb zaMh2Oux~Sd=(}BlKg#s)?))ahzn`LysLxmWk`MbPm&9k7U)_Lk=^rW3cLM*NRV|QD zgBu#ZDSw$i2Y+|T_YLyD7yR5-DYTzZziNJ>Pg(i^@oLM(hKNBvR|CTTK4CsY@`?Ja zkN)JMWL!VoE#cD7m{>myeeKHssWTUilF?sTHNvI8^K|@*_U`;HB_BPXZ3QUW{jPlC z^8@kc9qCKPv*ScO8~9iXg252uN&Fhcv!x4`$yKPdMOewxRF?J0ucqYd@+JEbID3Sl z-V5Y4En_Gt?X;w)v&(;*)_=m2@vQH&9xJ4T>rpD7^8(UyS5Czz4XvK!w1pn>qdpQZ zp+@*ITP-(Zo}&PVZ!%uKKl~GF#9-4E-*M)(1a)PAw^Li{300jqq5XK?>)JiYH=4ka1phZ_*i zGrL9clD0l1`x5LsG$|YW3+6xIJQMs!{2XGxcOOP;u!l0?C#~07AMG0UaHxy_EWnSg zL*S=UitJ6tAFmN&{*R3M@aBY{q7S_jDGw9d)ulqtjd~BgT>GWszVK;qqJ@uAwb-t@0e%17`iv0OQ0se*Hm-_#2;E(#U zKLkJRMXQIZMOZB@gkT#1`o6}IYeow_oB}^I+Phi}KRrG63Sd%2BZTHbQA36iV 
zIY^Oz((P&f_;7R1cdW*In!>NgfBk^?rMIJCy+xd&^>qWa>%(aq{L!_*Psnc%`R>@m zvyA|Yp21(YUBaKpS|PpCH_kq9r(1#l&CJ(Y9IsAv>Z2B+Q}Q*|$x06u?5R|iU*Z0h zFZ4@&CyZ~cQk ztDXqo6L*n6|M(s)(Yy3;vyq+w+&@72v*k&9OUYB5K!LvEec+&~TtL4=`Kj|F1^#J< zID7aN_ISc{s#q!w`9PQOQ`U#^eR+$$r}Ods;rx9wn87{^^zYme|CyhvC&u)@A%B|w zd1psa`~Z5;ONw>y{$?>JxW`e%epE|Bw77bG4zY8ex!JPKkOR^ zi&trR#PstJ!jt|onSa_Zw3mGToI8P2bqRkSo4+*8%lQlB$0SnSSHd4+@(l==e&>XL z4g1RRX4gy)&Z0w0ymKc>Pj0JKW>)%J<{;9n>JDZ)$(DlE;x`zO}ftemO_MERS3p6IHFdgLy)|E0-qSetsw!+!QT`G4h|G|2xKNBu?o zYv&uiIpLD;W$>SI7XTTwOXqpDu#pkKJe#*J{+(s6@xP5E% z9sP?QSAxiO4@AZNL+rkoyB_PWbd8}t*;^{Tj~(`xD}PG(-MP{Kfq%kd{y3r!Jwab% z@ACTzn5=d{eP-I*GwDg$8|QWwefHse&HUYHAAK1wKHnmH+m3KH7xD5l`3YoMC`OvO{N{grEuNAVp#dHkS8g0r*e zrR05EIQJ*}E~pPI_`Zri!u285A6g~7rNKv9o|^ya&p|JJ;^D(P3A6OG+OYk`KehtGA2?u!f6(wPtd|~^ zruck8|57L~>r>#ddQUW8aEIE&yZd_LIV$XXjn+e{u~}W$OkaOM_+t)z=qcDOW9I<+ z!cTrY;#NyqQeh_E=9ACRzGkxG6{w%(KmZA@F)QtCFpm*gC{%wh# zXgRa-I%y4M|FGXt{2vZ_>=2}IEj3DWRHiQ#xZ&~QM-Ddg!el-BjV4OzuP5T zuIBnr#v=p0`QOk_zCGFjgb?3<4}I7BFmvC`<8U8X$Ux*hj5mWOHN$e}!;(p5e%fH8vJ#~Qkzj?gQfbh!i z=qouM{w?RjCu`gvfpajZ2aG7MeEnJ7zu=#wwfGO^iJS*~Vk~F=3HnE*KZ^GQwcg7F z=lXBIaJ+pF^)XO~&oLgb-A8#yUX?{%>u-MRRZ+xpi9dgST@45qR-^uAXT|tD)Yxbv?tiyInSHGmoIUz7)iCQ zzrJ($b6wDr;*X2=pN_wLYS|xC?3wXQNw^OJd>_ew4lXO?hDJ&rmg{D+=D`-3gu;=gj|=c-;s zEU!G5AMp8ne`LEmz#kx<{P}k1_gMB*{gW|$+={-~N|&#X@Lpluk#i@{bL3>aWm^~U zhoUI~i)U1a67uDlbI&g6Zq4xPtU`>9mm|o8I+9kt2rk;wjX*DepuXNe_+(#THqIuOujv!hvswY zHNQZw+V8j$dNS>KMSPLDDSO7B8ZhEd)<65MSsu;+t#|SL?X*0&-@`o?IrsB{bHm6{ zuPwj-V3fzBzzgJo{Vwh)$hjBh7%ibEQyydDOUi?P!^0$R9e;Q>$hGQef2q~y+!Emh z>m~a)S>xn6rszI0Yfv%TpF1Z!)=yxRw|183w$FO2h$b_BdM3Oee!`p$<()h$uqeR4 z6Z~fXl!^av&a6^^-|a)_@qWFOKTYG0&O5gGzCk`i!4Gpe(O!;qSY&34A7+0$s>6TA z&o`v%J-WTbdoNy`4c}Mm*>U}}y2`G}kw^CVfP(c$^S9dBfZIOnt@->t6CUrU zH_o5<9qRadP6haPf}f$jVSUs5OR`s^Qh?v>qZAiEZ)T=HJg;F*e;}TW+fU3suL+O$ z=Nso|=055p=`+ZGE%cx6AL+~VUXP977Xzn|)kp1DzmR^>y!=+>AMyTOBR|?%gQ)l4 z?gOcTpB~}yes-fiG=8G>u<4@6VaRvd1HxnHS{ox&IV-i2@S(aYr0Ksh_;~JEIn}IZLfCG5dWHIH}IaH%FB+{&o%b%izYm 
z0YYtqyf5d33#mu`Q6H;JDxd5re0vgzGcwbIGy0%cohLu!ldI)odhA)k{l5k8U&#A9 zKkEI%xh=OwxH#RgpU~?5Eg84izJzAoKI)t2bBJE`LxlBH{s}zd=6{VX(^PqW$mfFq zOKsx52&;t6J9stn-sj&d;U9wI-vh%(tEay5{ffMwzg}Fq#4o9Kbf=PYca~b;bp1kJ zfJf^s?hrRWzad<$FH!tcBYk^`AHw+1z2kX7o&&&9P}ULq{E2_)@5mp2Qu68aF;#X0 z$}^w8hR9n)ExlH*{5$`7FCab{FREAAFK2KqLX@UoX`)iKPMKdTp$8=fxdozzzgnk& zP^egG+~4c*0`6=Be&I}gWyT9T!7r#ndFlE155kl2LQnX~=hs0EFcmLYclf1geQFb) zj2FZnJ#{vaY}{f_nEdrK;i>*kiqhUr;2%a+)GAs?w@v!x-!wY>{W#>;I42R^@25m5 z-@^aVe~cc6sH<=f@k8}Uv9B5*-tm!)|KzWY3KUdHVO!)cS4|Ng{}vAK?+krA9#Z;; z)h6^W_QTn&K8{Q}Ok@}*>}{j!Q(}4YfQXmBKg2JL9glT`|NF;(|If$cufM;ZKL7P= f^Uv?6Uz@l0^*?L%f0zDU`iK9&|Mic)byNO-i%wSV literal 15694 zcmdU04|G)3nSV2xOeP^HAa58n;_L`xqBE13{7)RgKnMvCh!6o+C3%^7i39V``2!6I z%kj|EpiOlODNqW?VlaZJv}_@@7F%EqAZS(Us_X6|Dtd55x5t)h?SA*Z_wKuI@-mrF zPPfa+N#4Eh`+nb_`+fJ{_h_tM;9?ne3|nDiweVnI4S6P=%i$~*ejAy5s>LwOO^+Jj zH~Qz{T3VcM7CZIKl1Ts8s2BM2*cu8bXNEr%_cld1pWj4111Qy^-vEd#;DgqdmhkC; z!iMaE*{4ovm}{Ij-+zrD<{Gw)5|dHAc%cdX0$}p2fbz5fRPMEUX5f>Wcd`VG8rDx? zOlshQTst4&gE5=AhKq4FGZ*xl>w{5W`vbA4X_)sQc^Hb}5ET0U(9_a#so~U|x$|Fb zc=fi|?+Vx3>fgMp?$n&SE}gpV^xQM~1$ywcztkd_av!@+BiN!x<2Sjit%PeWZS~rV zyc}mQ@j9LMR^C-&_f{71Z8MitH#E+jnI09`brsPRHhN%qTiTj5i8i0LtG>6spue`D ztE=Bypx5`;_jOwP3wmn%eEY|CzoePEpBX6m?jsJtS{plCGFG2w%JiTZ6aRp^iuPcE z`swC@qepUfC!$}@S;)+K-}a_aKuwBVNCAh_9`QJeOgZv1;8QL7jY1NNTu6=AieIzO zK3lA1M(_Q}lVap5GtIEGH~QO!8ip~EClEoN@JyPND%y_MCQi@n z>zdLx^>SCiyspZwj)A_J%%tUy=H&?%B&TO9L{`%zneeNTODe`jak@qS}h=kb1DXP>WAO3&jz z{aHdx&wO?+H2^t9PFJbjRb+R%Ow=5=rQIK!Kj*xvoplgA)ip8j6X-m!xIli2AL zc4oET=iyDlAHY?#)i5&?-IZGg`j{o#f8e=RK(w)q6k@KcsJNuGth}Pq=_)cQT7a); zE8nU}JFiJ})*iR^wtZym(RbD|;m5Zw6W5dEq~{{RDu}`=9~Y>qqE)DhgX;XG)7o#VSbpu9+Q+AQ~5K={me<5pCk4r(n4LB)Is(O04KYwBE{F-_5%B5*kwHG|7+HX?rRq@bxO``k#?cLkIeL488W9{0Hq-k*J2c4%T z2|+i)W$XVl`C4{6z5OhOFt>aBzCxG7<%Az|V@K?PP_VGbQSPWTFZKn!p_S3Xa&v1a z7V?B5JkXUmT&62ygQ2`K#w(Pk5)37o2}qUxfyym^>Ri>SzjODP#(NS^?AR09-M+uQ zZ_M^BKT0$&-51*b_{QeMj&02wbDG+BwHugEetO$4rd?62B+qA+6^>HmYj8HqSX2wo 
zXH;AHR>c%FpY<45^&&g;t2!CS?duxE`D}y%YG&(%+{7o!-0H@9bG0YtTj7g!m=rCf zz&jF;G`Z?Qd=SH131%#Z4CpqyJY>VE__%wP7s}> ze+KlLbm%wIUv5E%d_qRYT88;D{6(>-e-a2BEC2-kMj&!a3F1W{9f$t7MFg=(CkgC? z(e=T$P$a;`e6Wl1o0Ls}Rdyu3R|xumhePeDIVTHGG}s1CotXnidiKs;H;T)C(w1Uj z+~eV+QB#)q0FtCf(x*Td&MmN|c=@S;fxctM7(-xDp@=XTQ z$wlw2{LlX|30^;-VUNH9V}JqBv#<+h^2bE@XgCy%@-zMT$|h>c=2yVgO;bmhSK#BQ z_{gJwVy{WJuIa924_2>T`rtFm=Pe5^TU!5udC9)#OAa2IYOX zsHN&&@zGvUT;}8|`ErX*>S-1!H^!q}tm!4;*+bYf|i5zrWz+?l+uczP}=5 z_+s>?GYvP~^5gz5o(;EDUwmfV%(_QcZGQW7>p%&sXk#Ve8rXe9dQ7U(7pK_|TrrNA~rd)Sq11_3Rt}b?NNEcO4tX{AF{`TMaKi zGyU;WtyZ_&J?`}rb^m^N#hyEEUH*05JdgJF*YwK*kDq_?;4979b;=qNodscrqV{1m_&wHP3JFsox6Zb!`cOd(Y6JP&ef_{F%r$tpeTxA`> zt@#V*w`9~AR!;;A3+ZT`!@mcB5d@O{3x@bwd)|K_D5|I_;UgrBU>pvC4+f%XbM5{1cn3P7N?4#kkv z7zJ744Mm#8KE&Pz7bNir&uRyeYfTw(pBGq5wI%~dY4iE{C|nc6-DB<)ohg%xM7RzK znHH-dxHU}FiWw^wc$wwj~M22Cq z0t)vfuzE=qS$P3B`l4X2D}vkS+$(k)Tf|3}GlD444ib_}E;*5Q#=$kcUc%u8UK! zYND?3M0hVufIiMIY9N>vMUjB?)q(GGfe0?cyv=xMSO&T>0&Sc)FurIsj>iG3lH&`m z2rUQNRy4wBXnfxAARjTN+y`Q@aC4HkbC8A2Fg(GSz?>V6c$y*d!XcQg)ZC}_g@F=F z)_X$%&PT#G#{;)IQ7K?qEreFK&;>3*9E@qS2drujMLHBzxuh2pBF0fsSS8SW+bppf zq#hzY8iRC*qNW!7lPxp}{b(r_6{287gsm;6Ly`<==+Q_B8fN3Blys0y@nC=phj}jq zmX?9Q%77-T6Ji~Fy__d`mAQiR$59j+wG;Cue&e(n^4Q#oQw+?+3NjH$Q-G9%tj?%4 zE;A-HR)af5HD_WTtf*iotZ3G)nxSEFN?^=hjq$VwXx((thJJ>vz)+H(GK}wKSUa=a=~ZyjqXG-AW}Sz&=3EXQ6EH>&ShAW3YY4Wh zTVvd(v7XCu4^z^ivAc7n@s=H>NCF{XyK^C6n#?6GwYo(>15Wqu|(Gjv`QPK^;uY#FT<<3Gb0{ z$-LXIBfR-Ys=Ul&riZo0UafWeb#Aqqj#?i$E!{c~ZNgEgYl{hqjhA*8NjZ6xg`B*4 zCYDzjZ;IgY#yP++4aT2m*3Yx;?J)tmlkr1dcdaW-`N)F(iHx0>2Z{u(@BZQqd zB_pgi4~c;Hj)Zl+IhpkWX2t7Bg|Gp|TThv7qsDj$mR7TyRB6Zqcye$FhxW-%i#)nC zINIc3oz`iLyCIA$FrTNa;n1K*Z&n2*PCl+NeyXt^z1gii<0@OAda5c8EpPu6Re5;3 zjg1f%+x=4@vC}Edq(_Ak`|6=75_>~|szHNdO>pFff~)1o-`}b#H|bb{UD~5H_G_)b zztyc?ZBg$9m#Nlf)TtFN*>6WnH=PA=I{ zvF@t`E$RDQWeaIJ^jn3N-M8n#-4+%lpX9NmR^tZP@!k$+)*;I`^tfzx6P=Y;02u7F z#`u-Sy4mecuF530LG`4%O)`a2{i#HK#T5f(!Bnt7F4+J+)ly(>o<^|fy9pU;^E7~x z3pWT#ZYiL4-ASB5E;TUDQH}AU#=7fHcT#O8sR_`jOF6XXyQh;tGwFpZ5-dyDP;^g+ 
z4Mkc792)cZ4CD(uPgB<}7&eHmGLFwk*A;Kq5LYPgYcSYaW3R^gc8yyq+em-G0mM`ydshAH0AF26We z9aXpz!?^3NHJ-?}UYv_?|6U6)lu5?N<{9C1Y%^UK<|1%G9dmFiA|VH^<#496H?Fpz zi$W;sM0ofz!V6^{w4H`FoY6=X0D9Yeyx)uJMXMzOsU`p~1&AS`Bucon6=e)Y6H5x| zgNY2OFvVMUf@z7yBDh{t{^ zt2!e5UQ00U_d`=O7m9jbzKx6fW0orPhGGLXaEWCQFEIdDT;R1Y#s^^dCCoJ`K!H}eWz~}e-q83VX{0%nYC+d<26QdZDrE;%O z93ns?^Bt}u5nkCh^vFOS5sD$zM9D@}ADkT0%~x7L5^*X(T-hRMBQRPlf~C)@7;{oG zOP^m3ak1hY&w1B_7EL28Xe9SMTC zHYxi_KZ#W_&1k5>;X5K%%L7i;HwS4bzBp-GTEgOobMCy=s;~HzK z5kh6jG+}TBlQ?#;7e{7~Y|6-jMCQA~QA2fOV)3wUm&N^+qphq)r>}q_Bg9)8!kv2D zMe0<;PnW+5Dsc*4^dN%MU-jVfXE01_DCFn4Ao_S`sC8br`x(qS)DA)66}c{-K7c%~ za1}(@Qu`AqQ~7daag6hs+Aq)_4GgajO`S?7`KtqhNk%s<-_mzG1Y$@x(bOr`y0R4X z$s;wa74iTJA5ReFhvihnmi(y&0g$F>YVgR{7cvoi)uGr9(%)mqRD(DC^d}lJT@sq~ zi3WUJF)WQtFj$yyPeCY#b&c#)@)5{jW~6J1R3|qDihNOVDj`f^BwBOOHzh<1^z9$* zcT6yxB?Ncsw{F%-Li%;ja>;}-S81dAmru! z4y2(;hfcnX$tfO$?SY6{F6u>7i@ZakGu6~%k Mw=hg2{7>rt1-KSsS z{_v;2`@D#V5fLe3L_|bHM5L4(5s@NNY$-)b5s}7-5s`}&5iuenVtwCPvu9@QJ$s*= zq?F?Om=7eg_sm{v&6+i9X4cHCHKF9bTNClbwTWxTCvp=x*X88Ia^z1U2k+xI#Yk)#Ig&Rq5J>cy(1nV@_dts;sI3&qU#ZSaLzk9VjRafCfcxPrO}G)E9V4 z1Vu&Ff?pP0eOac%A0la-l!3;Ax^#6_*{pbZs-cX?+!#x4jJbCSGCA-7CXjq%;zmXC z)j&P6rmi|YE0ro5U7v2Mv#7q>pYH^oBWbVfn)dt(fzi}pXDqoh=DuIlAb`cjYO_8y zvlKN+4J=F7Se59@G9CW#+Q}~{PuG-+)<$3BO%RO{q~DOZK{Y{dkbrJQP0(Nw-dkrm zCi&Wljt9Em9fIcufe#nRC3O%d%@han`c!GT=zcTms~XXX6Ge%ln^DSBQTg=RiHlMw zlqdcdQYVbZV|lv&HD@ayed_9=(5h1vDX({e)$!zt82(AM;YSEUoP?veTL|n`wT-Fz z+R|!^xrHjn(J2%UR~OlfbK|T!so5lnLj`L!e2xi}UZ1#LQCa}h74>zu4!+f*vp~Lg zyuYuV#=ItPa9A8mE{?f_1&J0CkcWm<jvs}TN+C)RpU}L6uZ>`M7Elrk^=eO@&5Ypi}?k{bb()q_~XgPJpm7X2$ac0Qng1f zK$?-7I;FHujDdcfy}S%ZCHz>g^|01XPd}C_pE7k84F;0!Lj>E^XY6}m2#mvnni}c{ zO|7aOq-GC(8m{)|JAr3EMM+6fU46PN)zC1otfqWQbyclYOY36Eb!wFD3MQyzv(nlB z=czJ*$Kp?+%5ii`(xYajHw5Ux*w6@0HCB0(Kr>0TAr)(w9J-&foEJAnP^NO6LY4AU zR^+E_8U~tyrDcL^;q)me241m-Y~Il%Ixq}9ny#!JSe~}~R-wvqbV|~wX3g)8q*2UY z%gWMCwT-5~&5I@H#aub;ghBRmPK@VG4XJvoP2=LNL%(}KjUEJRleM(`nB;@!r$Mc0 zEE+!x+QzEV>M4pOuFP!6AS*DIu-UKGs(k((oQ$)v;`l75PR9znb{K=x-JT? 
zW}z=Ir5rDQ!SsngSS8)8OrB~zo|DM+Y={|$((3Zkx+!&7{CKvz@yYS-04UZwu&Te5 z>N0xTh$&fjG-Y6kJyII6iiW4_?PW+mp6mFY{L1{sOv*f6UtuVevLhGOnV^Gr{Sy7u z@F`3rV;?|E`IjiUV;^wv-%m@%<`T4|o6OKMH96INw-^UCD4+-!ebY^0^PPNp?Z`iV z3NjAG9tCQi)0k}ZEWLhsAR{mf#D`&Y6v+3E_t#I!KX=tGiVU-84T1w9Y(>`n*?UI8 z)hgxnowa9V!=;|BV^tm6PV&7|ApiQ?=^dHc$!?<{D6~QE3qu7jGT< zEjg!__F>bLvUKgVDsKUXjXYwX>5v?fAG^@X;>W^XsB#>g66H+$g-!kgRM-n>8)&fx z&k^~FRQ4U4NR`8_JeZ?Nb zQ9Y}+%vDxx`6Qc53C&wVx|`kx79Es=T)ImWsg1-hIHGTfAB(&~mE-6XiUkPt z43T5HBCww(PziiXEZGwCcF=81#TqBa4$1=y^U|qh<+l#GZKzGX%5e%+%BEgzS$9Q! z{`Au7CVTTq0p=(`NNyrmOtW+3$%0tSi3vkoERoayT{#8)odF?jS=BJ5VO9f<0Z{V| zO~T6f?~}YQQR#Ol-mRvH*8&tw>DZ#CjrBn@Z)vdA;1Ea3X{=xk#_FxsHeAvG@3_7 zsD28FDQ!Ir3~8xCmE-7?zh%O7Qs_D;3=o*zok}_(l}yj56-I0*m4F5g)KKks*e$Gb zoI;iI*D$Pw>q_fkD4jAbU0v>B=f*JwheJeFZ%W*xddZuBLY0#HK4Hv%lU2mAU-^j* zYmU0oMsz`NXj=^b+)<*B*lqhn{X9Fu0b_M+%@6dCGUOj zDExo#u#$hZTI!lW0Vnvv&x)|+Uqh;_3B%B=DPq_ZgRwVy%L5$41ZRRkL$H7=FjXkh z#q9aM`%5fx^YGFUzp@~!s-m{Ev8f(gP`+`pGFj>E-x^pz&K80_-$MDIlt`th+u@prb3m2T{N$ZWSH7RygehKWvTi`C|is+H~|zrD^#Ej z5^Udj=*&Bi=i~0|wx8976RmQf#=SCrqKmU8IyJMds-DKm&}~rvSm^gUt;2nV%qP zGzExL8m$j#(TiVOvGp-|4ol-BHe(xdje`scdP!?PUp)!3I0~B>E_+6yuIiX#Q4?-Ri`| z5iTZr*>j7ZmikcgL#`_%&w~g&Z1_^sb_;)(3xv$$Y=$9Ap@i!9&fh@wdnxlSOyQKL zriZm&fqd_HfBj4gI~ZW51NbskoyPu(J{Vv+K@ch!7Z4|*_N9Tr-*(Ebzzqzn9dF4f zPUTfN7}^+^FmZYEurlEOCRK}iyGd0JU)u9EUuFRd5@ye!Z1_DeC-_;ZjR<_L&pSnC zG4yCQW(2;R!C*l)3=Z1Q${car7C$yCRSxD@UKvr&SRljJD-BhTOIwDSbE=OG7);+h zfaYCTUx=`|6?oP*@2?~(lbuZ)8jRovLHK#1rpY!>RF0WI`*{+!ih9kvBY`d{?3ZCW zqL-K9sDz(0f%AoA1r5{XHWV-?ux65nVEtmu&Z%^mlJRE&W9J)pZzt1D)WmV;l{Nv|w zpi79e>J?(mN-JoyPw58$@NBeF5@w<8@?c$n(;B(0#1sxA#gWUv_b1*z9t4VAelfKi z)F4i~R@GKDifbr-8wV)Hi86MpAaLB(>0`de$71=Cmn(k9bJ-n(;)K5e#TnSrij=(M z13t!+Z87|FKP1{OBLlA)cN$XQueyb!< zLC;p^okkUu?EF~qPC16K~HU39HGX0 z-h<=ftwX>4+zrTHLuqaK)bvcMx7p3(A9s_zLHIbbtZu9YOrWe9>iDu%jnG5PLRb`E z1ADxV7n>nk&iX0 z8XatTQ#oeb@Hgq3Wj}6^VvSpUIOI;9$IJ$85RpR&{$pWn|k*e6N)|&w`NcE|jw77DKPOgB-kHDS4c5V=uP1f`}d22NQ$vVr=E^S$jz^{U3 
zxEE$2*QP#xdY>T*z=B8wCOdVF4TEeeP(HnOBm^&>Rdh0C5B>i-F)CB8uUCoD^73Dv3PY|< z3T9f!?_QzqOdYB*&*Fc!OFCb@U$Z$OV1n<-)hMrH`sh-UVT>%V+f68Ml0)dl;QPj3 zeDah9QFO)MbMkZx5qkw*Yw`vjBJWDQ#l+kD@8Hr>6uDQ_9i=EDuY@Z}QM6qlH;|&p zi|cVpZYW+x#};FvXv+3}Q4jB~c&D>Td$5~DSd2C_PAS7k;q3&6URz;n5(@1glxA4!TG0&!dy8HQ)Elx z;^M7Czx^cqleD*3l2%bQJymNiMwmG&2joXS`^lR=B!FAU3snv*EM6H&gfcREXDlru zDy!;o#y7-Uga^gIgPp~CM|Q@59NtgIn2SovVa0^YFPyv*M*vX|Zri;+tdtY_*3ZnS zdOVt*ifS}g%OyO&_uU;#pfa#56H}X8B!2>@i+bxU$0R{)_<^rt&t_sZKy~TVR5kA} z(rueuvxTDw$V88Qhj`~VLr8)WrVWZv$*@jHL|WizV@LYk6E57u%98GCmD#st+~mqxo(}7i+M-eQrL}MrSeCXl$5p;;$N%VOo_AT-7M8TUIx(Lxf!s7)hty(nL}Jcq&Wr>k(V;oH#k&6|51ktH zt6}e-aM5XadD$a7K(c>BxKNdF3RM{p8r*E{BQK2?dyZlJY;G5jN+ zV@?RZ;*fVV)&x#CJQ#K=950O>xPt)(E(Y}382I5Ux_27R zM%$a0eOac%AN*8xDWdxJ8P{sju+f+SYjyDQ5iE1UkykVyU{+7pPN{=IybAV2pG924 zvKgVyK90SAg4F@~vP_3R_!$v3PpejawWAOn6>X5dh1|uMA+Xw^XauC z|M)5DQn2f=R>8T|vUItebQoK=A1F`;u5T&2C)B5><36fAJ-Rkn!m-}?iS-;=MYk%p zL_JjCA-~F%4JOneaCmt*4%bXe*Vk6r8n2JZb6DC>Z{*ZNHFtfgLhZTpGs{u1L1Exr z@S~-*sev`6wK$bx^S2+*#l>(|)=y`Y5O{!XGdDjH%)thcfMB+a6^jbdc9wkle0zy4 zIJFC&En(WUV3rpGk#axgC!^;k@F=YkW$Lp+aRflV9lAgyraZox% zcSk8Gp6m4EPyT8|DSlNAziFOpCk``+0n`Q@jd_GNMESDz=Q~&XpFwl@vUp5aGS#)& z-jB(~+*Mcb8^|(sg-cL{9+~n38?-f2W-v7iSR@Knj-ykTi1GRWBR5coVFR=8NZc_V z7vIHMR57fjB|Tzq-(`0YcR@{I$6! 
zi(2F=LWNJRKwo}6J(P9TmV%tu-AP$j1HDItn(diY-0R_|ENb1u8%R-Nj%ZwJS7lwv zvsOQ^@1mhAW?bsU0(ld&=jPH;88nv6hiYW&tf;*%)nImGNhk&y^j~24|0rgDQ#=5n ze#@>6mT;^$ek!}-B&gH})A-^)8$6(&tyE{v{Puqe+|cR%HAJDx!H$tvM$)KuprTA& z8GX5UkPJ-hHCXS+G8iyW3~Q>YhSjm6DCBmv$#eRcw4_$8ucJ7cCUYNlN2Cdvh9GXB zF!21a!L5MpGR&E99$q@)m!FuZU5|z)MBnfny&IFIfdQm}xs2N2u$xciaDT(RBV5Dm zh8iiq#25wu1iUWeoOgtsR-%`AOyh^@F3b4E&w*XmvC2DCs+nx7x=TGSaT&WzV-T<8 z>oVThN2xu>nBfjGuV&rMX87guhsn9Z#|~~kcvS7?!t-X(wc?cW{fIsJ}lNC%sU#)StIq_CY^ujZZ=&j?$P4MYL!Bj zj|vwEP{z7Np!89@95fi%s#$8X?f~YH+-~v{7E!nUtKw{f7sp z$fHx~u@j0$>d#SOzdhsHU1LnLXkxHHWVy7ZJr9vzZy4zt051`4P;`PKb8-jkp3 zt9;px|FJtH7y7pJq~|#q>@hP25FD5kn#pW{$?!-hr@6v6p-gp$!tisg3KEA2nr=?q ztTqB*In42$!nnCeZuI*(d7WLx33=BYikUN~_E@q#=8h32!VsY0h)|8%M6IgEZNN;! zk(wD7!NCCz7vfB3QK^h%Sv0LaT~p+%$3UxZ-_`>lPES4pz0h209O+eq8(G*rCB@a8 zmu${+=f?y)dIGwK^w_dmmaY%KB~_?$9G&vl$Eis*mJ0QQL&o*>scPvFP7PChB@+e- zlmxoDJRs*asnuv#`LZ4Vqo1%hYr^0I2tF_MfdW3S$qWwE1zbIPBmKW!0h`Wga1 zzTX}Aes!akF&53C3mh&=X0$^mx+D=RhbD%qX`yh%QdXC`Yf$N3-kF@cfJJ(6Mg{mF zoeVGMM7;MixW5)h5BxwtGiCufznvf^bP?d9(SXc=qLst`C`4<3k7bMDUif)0TZNzZ z9{p6m&7yjm1Zt)mTM;YI;85D2ha% zg?*sjl71@9=&EEvi9Po*5e^5W3``7E`cD`ZD;pc@8txi2$Wwq=kss?n^1$JFW5ZRTjiaqdFIj=Eh*f!M zZ6mzBSW@3xXE`S67Z$T5lx6i5R^AiC!GJY^0Wmc_a_#NqV9o5M{ABdg9ZhKhZbMPu z@ULH!T$V^(00jY zp*{FS?rML&6L=PFWp*73MPa>3$Y(uWK>^mlQRtdfc~z4=u`H199q(@de*Xc@B(G9s`8ci9tApQYTRE{xz$*L;@S|40ztZy_{7(p znRnF1-kx~7l0o5B1LldUTB(06s`|1_hd=nGsW%O6+J3^XnnwfhOUWx<^d^ghLY3p_ zl%Fw$gj}s5Oas~96>A6_7U<})ALhcQ+8RX4OqG+4i3~UpnDK~{Z$0yn`6gjUvM&wu zg_8pA6si<8I+MZfUl#VG)$=N|izdjr)K`M9_tlk8o=h8eLlFeV_MZ5|yw*pNk~lNQ zziyr|-%NqwY>j^eUF9=Oqoa4)K#ZvrBYGX zY5n;y9{S2dfr`nYci@ig)sK;_+x4YcKRg?LSEA=%EN2qEtO@PW)!2YtE#Ek5euQSLuU2VLP%!9B8%NQXPtEm#O0Zbh&VEZ!Z|xVS3|n&{?hAvJM4&VsH~ z+N~RQy)~Yc3uZbD=m!nL0v$nJDg{mcHZ4>+*<5b52@5~_7X}kF1#~-IQMDs$%B!ol zdRJIQNV=?LEBc};0|!C^8)ai3u=GRj*asZ^2XdyY29Qo*H&ZX8AIrDdxFJS9zmaCV zwY^nd5)YO(4Ogu1O1r7d7{j+1j=!N^D{Y1^ zSNT>;qAsha${Q^7e{Vi2?HXM1-YMT=G2J@r$A`Vw*DqyJ2r*ZzM@q*g_W!58C?jfm 
z<$0mB71$f&fAa0NXejq)SC;3=f6hSYmFRQwU76^;BD_uhQzi=E06&u%MDdb)n0$A1 z-QO7BlJ;y$?II4m>|P}^i0+l-Px777ZHV2DE6I~&$Yen&*(=0{q}}Aoc?b-SBKV#; z+RE?h3f~;cf#s$49@#ZXm&r(M>xv+6UKhi0h!dDh9wTqGdP9)P2xIc=;VbfAB8kb$ z!2G&tl8lMw`)l?(Z>rY-RRzQnZ)D)1$pqP)bv8|8zrNzAnD6 z?4_k5@iKeDif*~f;ukA=fWE9=vh4K-Zw`B2c&UA6MN8~un!-mj;8IWBd*Z**-tSS( zV>itk;khxId!X+P_t|KhjWS*}wmdW9n5gxRj$>f2S)F0)gRNBKHPPCpVjdd(9u@fp ztj)zY#80DbA-|j+8hg{iOOI1o97=gz#wT*4Fz_;uMe=CZWf^zm$)w9V#`L3>6)0_` zg}1c(EC0Usvw~8JF4Nc{EB3mK6W#Q?SV%0k*?YM>E=o>tozLf)k7n?-*#Awr{mnsY zmQ3XIhpz$3_AcO;NdHs))kS&lnH9`0t*%bb=mNK< z#)|SIV}R#7*r>@iC$;*sQ(FuQotOf(GjL-A*V*)k`tTCiq0St!Z0{sde|40IWqEEE zC#0*Z%4YRfJ`&|4D^^gKu12>51esu2d2l1t-x0sr%f4erOenfvx`ab@*%K>NP*pBY zasa4Iu&iD)Qd6hkq;h{prC8?GxSn1=XlhlhxT;=N3%2`Tu%i0f1{kAG>&KGXvQw z$+LwVij&XCR!Npk!HW9JbHwbmz9)dM)PY}?T_BI$qSi9Ovbzo%%LL2np(IIV4S+Ji0QM8&O0h@btrq0-M^>z`w|9*J zOi)Rd?W=V(6X=d7`hmPyYLt??&;{Ts$$;zri0ok33~Mk?Q#F*;SJjCsjVJH1@{xh< zb^n->TZY_z2l|kgVwr{FY^wMHPL<@@rBlnwaZ7zDvQ?60#{^k1_TpM-DCkYPXFO=; zEe)0Z9qSbTRF^tCI>`7>5d#8bo=OROK;dzDd24YLnpF@6-oj2(B4% z*MxVMy!XAM@c+HTO8&LK6MUn-2D-fa?k|zQ*-NbuL1Kt*)ZxXEt1V+f4mta|0_Mcv5 zsrp752vv%~h@nC;Ozup#Qk?~rQAw6vP@bAD2UVG1S*k<44qc-#r;z%U;IK+E%mu2~ zdI^@L#QKw^hD3L6Lt|Mp)M>JmBdgP@$5lJUUan7B}gXA7BKoUp z{IGu5!#RI}JV%dlOC}Twp>4z(!282q7tVh2rVn}ALnT@E_4m(efWPOWlJXj8OL(9v zMc`$uJ;GkI&wA^_)sS|bW(BmG06#)BMqfR*Ed$N`iNVM+P<;PvBgHGwVeR4fuLI+Q z&m)fd5^VMdM-M);f;uiaIG}=+vuqLk8$%EI4A)A4$KVEASO{(QrKJ>kz-oM@W+MtA`<;nbk@>GHPo7=&-4*M!pcJs5n2V!iojrj$(##x9>m*E1DJ6`X~h?&D%J_ zc?;cQUeri5eUB_qg4HTsql6jOe|&X~u6mY}>ktKdxmW0-+O$IFLS#iaLthcn?GKcu zIj=XCgc9`jm{`NGT_bcQzP+R&h%j5w68O!&`-c@o=-~(94nPO%2|jafsaQ8?1eIjj zo=Jkdo-}9+g?wbibPyOoQ88k8wps-tTP1n6ill;UmE_qOX2D^d&59xdF_g~DcrX$z zM1Id^U{$~onl7jVXn;(0`kav&5@Mo%Sd0nwNl(Hs^zTs|28L9}RzNjWm;{!66|L{4 zctH`s4&O5?7>qUm%gK1MUyW2=?pa~&{2xe_Cx4c0uX@88Ry(=}5ap_#0U_t}nBqzQ z^t##nKH*Uzu}#E0%IkvGxSn~aw`mqDHZ_}LNkw94l`@nExKJnD5w8^*K}CihgX{=r z(UBPpvfm9fm?@ill=2#_nW!xo=5e-vsLNRfHQ+i{Y^%*Ig{Om5k@7vO;fJzDd0WNg 
zO?zh5Uuc~QUWcex)(aTF$PG>U__H-R(aZG7QR*j0Sl`+IXI<+ z4>wjwJDCCu<%5c4M_Kul-3ec*B>zf`8yH^1ANIP7+Wuo}lx_P%9F-FUz687UM*u=r zNZRg%*8PVG3QWk{4Y|?jA0{ZRn7PsEA10{K>4s-{`iBY1%wo0O3El1=CMY&|_Rz>F zEl>Y2K^Y0V!VcmLNDfWhC-!Cg4@e%)O-%EW7vqUXyyW^`iRoT)X`jTLn3rC4m43bC z+C;7Q_QG|E|MZgk5{XB>jGh?o3_spskv4XtCi zd3|z}u71Z@UHx6-b@i9utI0e)QCD=?1Bt;NL319`fHzFi1x`;++~pNG{-MMuFL~|} zP4V1PU8RdtHH2L$UEpwq2Dai+UEoBue!D8IA*}eYDbS#kEz>oTr)KESmOrkgqy4{h z-46Y?PM-K^EHTt0c>l*@iFz-+dR|O}KG+=7uvgDF?^i4^?@xT1yx|rOZ=Bd=j@kF9hd&plt0yO_`LbB`L?aYz+ZR7lsW!O zQ)cBcliq#Y(7EA+DS!AC183K7O!-s4HR&~H%(q)QO?uB+Q>N{lk+)NSGU<7LHtB;G zOj~zeG<7`os)2cAcCK#66LWI4COSViSIh03PvmOeo@h4jSAHs2%f_-#8#o(2ldEOy z*b})%ZyZ=+K0evPG7f$rS4;Yu<+)nAPp!z+I%VZoa<#PX|7xz5*5hBx)mr1g*A0T^ zb-B8?&0e3ISf-Ts+NTWJoBzjDZR5Ah$BQ;I>RP^QC~AA!6l&dW>bd5b+{7M*Va0O> z_1x#pz;g5jlis~IH&N{gG@nT1?wM zm#4*d?NU=_@3K72txaDtWtvy!Y0hn5m8V;yb+sw8ZH=L)eJ!JBouOyNdV_2J21C!0 zrwp9tR#WEUw+ze;oAdM_vv-Rre|D=WGxvMuearVvdgU`Fz3~Su{ajw+-#sZ?{Cr+w zzG}(2d-4(=@iGqYH4U@$r99KzCl2H#UR7Ugdf9+I@KZzT;=_5mzaH)|WsV*(Y}|a* zkg@QX!M6UmVbQV^24>qy(@e{MYv7zcZQw8Xy@7eC)4X5x$2_BP=ASnihcB@DpZcr8 z);c?`h2_~faozYE=f<_rt(q4%P}hGlZaBGqL0oIiLkr`Ys|TNmYjJN`VxV69TwFJE z%Tj}R=Q0E5;BxbR*9!CP+LZ?WnN7%W2*5cnb z8O>Ybx^Er%t|92$(yh*pdVA35wG?VUQFPitK zUP34gPfoY}$h_bBWAlE=Pt5xrFB_sa{4}n|w#`2?@Q?hQwdKwu=Hq=wS;qSRjq5R~ z^Ve}L5VPja|76M>`LhQTq2VunDsN1`()#-J z3IhnmD2byer4)tAd>)oKQ}pAKqN0--w&R@5&iJ04wX;bDZn(K8;uuO^uZZ z!2CGf*=R`QCJM&?yC@KM;?+2_n8?k!J=Xzj39PU@RaVtdm98~##05B9l}q%ICE~)J zpvlcAk3ETgb|w+$xxw+u(<|~cV*oH8E@8ys6OiZoUfd?-FND(){>%{&#$bV7UVuUV z(bbY$xR*!H+IW^=Fc>Ma0+_D#a%!iiA45Fysk8WJNtr3mmE&CWz_Ob1Db-cAnsU*Y zHw20>zuvO7i~I$|g#Zy;1n|7@=aTL3jw~hwfcc=~^kwxC=e3~t-?G8vUH6r={Yy4q z1o(PWrf>XC(0GmBndvj>n~WECGZi;J!1yQc%Jhl$y5)U=KA4dr>FX*?=&46uDP1ZT z9WY}fGB-Ze+n`#g&qYfvM3N~gDtu!mw&L!f^+85@#0Tjnimc1qE@N|h-vs3FpSz+f zP(EX&gIy^ja9|dZwrInh+xW7n;KIMvMs~#BcO9#Y3(eF z%V82#ZRuy<%PPi+5rH$q9j!o>7}(V8UpsE3JoQOqrIhE>G1f zW{7!BSR0AJ>8earV~bN+O=XRyvBNsPIv_Yjw7R%ooA%)j{iLd*7SRgpF#?A*@V|ys 
zzrp@QOY`j+%Zm$=Rnx>x+tfgkUOnE6o=}|ix2c(RRk)Ud2_1!f6!XID5l=%z^;CTw z0;@N^UQ#a_dQjH2scL9w@(alwS$~UjIZ!`SYMW}N`aulN9z@gBM^j~5eG1xd&idnk zp3WX?V6rOOKeMd)U15By#{E!C1d5vt140rjp3akbM1m(YK@q= zUfyT8&f4UgMTaShhN{O?QelSW26biFnBg0N19N#AR07NjgAr)DTr|boLwGt9$Em#m z*J!N(-NMO9g$P@#)Sr-p08U*-FcdvK;m0LbAEgzkunDJcm4z<@qfB+Wv>XZu<3bZ+ zp?3*@=5*Kjkq1YM00wUq@D@vw3!;W^@18r-iVADCBIO)o0_W?5-*PZlI2)D&EZ zOM<)x*Ezn~kLc+hTUh~b-WBZI-egJ@Wa9*2Ht6*~*&IApg_IT7lW|oOh&^kADuY=| z&9qXPRLWixdkmr6@FlRSaC|c+s zO48R3IP2 zSI=6P=^GtPCzQ*5Aia)rfd;oo@%(`e!_d!fK7{G&**RP8KdnD9@c=u>`eqYS#)eis~jqL?1U=Npf_ zC56R|;75Tm%3D%Ieil7$d6uHcFYU1`s>di2jaud0k7{N0Rmhmv6={Dbx@uN7 zHX2c|chNAVNpa&c>^F9?dhI-DEdC_aw2oRJTZ(T$xAWTNQ<$%r) z*#zM8+wivcCj1&mfVZ5!V4Lz!eeHKOt5g6U|0d8bg4tII3n0wNenY!xv3@!SpUHu+ zPg!+oLxayGFG}{7uc?@L&SwkC!ty3*9+d0L!c=X!HWcDDe&GNeoZ%?%+%{8k@KZy7BLS13bi5}Bh`1J`KK*-nE6 z!>%)5r7NaX3)3Fw-J5*b!48)2<%Tuc^}Z7Rnv$)+SD->!t-*wA`Ij&&cf|pMW?CRb z5t&SEx4>^Cth>S2MDrn zKxD~))D%S)3~*H7H;tmGtS+ssP_+y%5v0t9!FN&w4AX83OMvFLS~NG+S5JY{D{K;Q zVr(Yh`fYi--r}q2#tNgq@{k!LttcXluHi!CJ0c>Q-F(-O`fyXKw#>5yn~o?ix(C<6 z{d64zl{dm`(bzXV6~>?GrBfrQQ(96mnX5%quTOoduBnmKSE5iV;6CuGn8KN#biGG% zsN&400*dRR#)b4o8`6E6Rpj^bjYqbgEfn|Ag-%sK1-Wpef$Fk#sDRX0z0^BdeHt1| z>l@{;LH()#FB+Q~IHt#B*HQ8b$INk$fEfA*W!@ z(U5{|R8ZTSs>mf@lr5yUXihm!6*kq@z=v(B+>BLkqM<%&QRUASz&MfD`@Z$@SOzRm zU<2~>X8JCAvD26G?Iq1M^gevyay8|JEKek`zmr9XXh}PyOIaF5oH9&A%+{S~Tst(5 zfA34IXzVg!rZ*d9e4$E z%*H9wvx4lBqVjfN6j~{kY5Q1)LVhEf&73gvnH{%ATYG|rGdqlwDQcU{?7*q4bk@c) zJA@a5VwuS@R3>O3v%{%sz+t8_TP9g?pHVDBy(7$FcKAsR8>6*l2n!LUXcL%Cjaup| zh0683kgcx22J|<#UOP;xSi3PY?{adICsy=IT%X+i7u=D^ zad+koNc8i7`>!Mr_|>uG>X>^t*Iki2V3Ow-&Wlc@+{Ag00DKXElgW7(aZw`2ZO_+$ z$AsQ#pnD8C`sMHHpY@0WA6H1ZfC)ONjzMVFLn~JttD*p|B9O)IqtH)8e3)8*yQC3gL7vrxijW2 z?c=uf9xy2oqb3-N37EG7vy(gs%n#+bORw%eW;=-Ss;k@+{ZQYO^iKy1T#YZb6R;kl z`mTGG>O1F6-N#C+WF|CAu5~-E88FE>hhl!BfbSIHI}3cnAS`dz_?oljFS~&vMG3g$ zNg18%!gcPp>mWho{nsH^R6sdrr4XRaf5T;^9Cu4nqs+cZg$AW6N;LZt?y|&yNjj93 z32FswO9|U?U_&>X-M{rF})+L7{F5QLSdjlCxv(`FFVc-Z5a3aCu1azkuKjA?N^tn{wPa 
z|Ev)>p3PrfC?Y6JW67m4clA5nlmCQ1#A1Z`0)_$VysroWYo1debjF-_8L0ldNCfop ztKvjWE* z`C6awh#~CAP41?fFo-GtWhPY|@($QK2;0)R1)_Hyzr|n+JFJe?hq-&DaW1*VJ#jN| zD!-~GRUGmTIL{K!LlWnP!G?=j-O18jO$GoxJjh);2)aW#B{c2{foc9KAxKL;PPN-J zq??$uma0wGy3Iq}!?zBYL{6EcpF_Z3N$?K<{y?aVp@w_jVFauM>Gm7DxyG)fdGkok z$VEflW4Co@2C|vZ&z?us+w>k&y^I%x)EW}gPC_ku(8)X8t#_aYArB!;RH!=Ca4(_Q z4ixA?2k$f}!VXnS`9KZ*rai(URmi+M-GjyGTcUtKq!Pe%lrWtICiJak|86ja-Ko)- zJs@x1b>LPUx?PH2F^S z_~zZvWZi7eL+-u@qqzl7ogc)cQ8~XJj!2aLK$NJ@ zX~H)D(==&Z`+pm38JWZ^Erf7ta;kfJvb$^YfJyKMD*{>q^xUrr!D<6&H^*K7{}|92 z)uLJ76XeEZqkH^A?v@WhZYdz97Z(%oml6C|0Uztm9a9W^@9j`6z)?s34y7{9N~jPV)C4vy^? zr@H&6c4urqOlX&UMvB!mQ=PDTpn8ztoZ6LgTTK<_hJsU_1o{9#qoZxFG@vuq z$g@&0fjwN|uB?E-im8{1J?alV3S`Y|gj6*zB7r^gs9|5=28x^_>6<`=M$BkeJnD8< zfpIEasYw-wyaU1&gzyj$qCf7bF|`Y09KXlQYIdU9U0>Z*SKLI1mOMcu)~ zcR+lE5HDIxyxZDn5Qp-Po%Ywwb)v!D)&P`QFF?)_%6$^$uIWbW2bMb|AGGF4!^3zo zHz^c-%XIfblT`EzzAof!!DmU)@0)2_BXE<9;D~)C*4(FNxEp8a<+{8PtCs8X3A|ZF z2sQx0Jy?|fAB|v4;7$`Ekawl!EXv%7CX{lTx*T)vS(pfm5T=M;tAp19(H25<5r{Am ze)j*>jnE|`-z96p)e=j##N77(ayR@J+Qf@EiBkb8RjgCy9VpmG6l`8XVz6U2?53V+ zvr7`>(F(@eL;vlr`fm)KD!i@*uKbcg{65hXT`g#tE1-+Q5OPyWnH70h6qlzIK#fAY8nb z%!@$y2xjrzxEwa%_{{f&R46z2>2%M3Jl385vX0QUwou#5{UqwCrb(IZvJ*zpW8e+c z-O?QMCPxJ83}9h$bZ$Q5Sy-nDEWF`M)I9_IlMp*XhAlQxi@~0Dg1z|jMCZN*jLyiL z@|sAvCUxiF6Pm$w5}^G61R}RCWJHGX*>|6w0LqmTJe<0lJ}szK1{f1F8Pv}IhG@)A zN$rv+7?Lnfh|^;Pds{5IE#|IR6m#1?1K4(S<&YrEz_yC8ZCqNAn2IUmXBlt8lpcD4 zIGv}t1E;L+vx`0MY$Z^Ozd+ns_c=y**sLw&-amnr)_iz)buWOLNx>-3R@i6M;Q%4t z1jLhb+_ukmh1hllK!_`ol`fpgx@TH|Rz#4dFwy{jlE5!qMux=`UjTTub(8s)w02Iw z$3eKLbx$r8-An~UF{y~nojL1-Kx_ei%p$ffXZUZIr??6r~ zk+bQG#F|yBOv{hSo;BRJLg*+dcd+0$*lqa=L_>!7_9A_QhCM_>CuqQ0V#(JGOI{NV zQ3EJk7Q3&0RWM0K6E~^ikar;PC=s}NIWcM5+DpVFHoU?+D)ayxD7)*v4hDIl%wf5s zkmjJ^0#R@j6kwLW=9`9sZhM>{VUhUYq}g4v4)|DXbcdyZckwqx&sqAVg2bpC_t=vR z?;Tn99G|xeLNAPz@CxmoTrVmsL$Ip|>_EDXkahqmD!XGNLz>wa1MjX4(!T|vlPhw# zo_1F~1%#Q`$fpP-Shv!TCd}2?2JDxS}$aFzm@Q{uB6uM*v=T6x%EQ4h7d|I zrogqid*pk9ziMJ{QV~=914PCtkOBVgdWKay^Z3fWkPv=3y@Eq^cgGG?IeemjlCZ7& 
z3Sm3@16Jv<>6P$aqU#3t?C!apqHZ~bLUM%cs1(La>m8bO&XYoRPDpGkcCosJVbc~M zp<>_w-d+8i5EO3}==}xMWdwE2DiW0CyICE=CT&6c54_2{E1nnC$a)IWN(c`FA)4sG z9#)OOZX>NYmE}h&5IC%N54<2mP-N0hi8g*-Kx^nBE?a~N&0WE-k+Fy`+0F{%>WKJGK9VQN+FAjDs9 zM8$Rzp5!J$D!sGD_O)$ zaQC-+%b@vBi6-3*U|1wJ{~W+nlLnmCz=e)hEr_(>&Oa<#@_;99CRH5r4n(gaJSTw% zExGI$j0b_1^jz`~E@9_GBnNkW2iOp=#mx;|g~4yY+e+}(ex1a-{Rm@15T5jgqic_7 z5bi>hrzP?Mf^rB@Q2Q-MS?vQx)_|KI%?ZSlaJT-FlC*QfQW?Q zwj2k)dkLu|1?VLJa~Z)r3z(Qeb(~;a_wJ)ANfw8mHOmoD!(EKR#PU`GvEduU@)ai; zh=4hexi}(7Lf0W2hr8t!Aq>O94~UAOcUV`-R6B+XO=^l+E`rdtZ>C}DaP zn9z9JPcuxO22>7zLZ@?x8shHwtw3l`-6E!Q7YO0Db%gNj86Z@LB{RBgqB_bE4dF@L zv%eD!8gh1E@&5=Rxd8BJ(0PAg;Jb44#4sS}i94@TU=SBO(oK!HHYO7gnRSF=(>Dpj z@;@?;Wp)pxTM1!Q+!bfL)x~xa&eOn&R$A~U;PlL+-qAkQNYdLBVG?Fh1Zgp5(RPBd zem%+Q%JT+>H+(V}(k+z+gZM50ljDf_O0tu{?2}-&{@H-BNrC?=4Fhpu42=1$qLI!> z7_EN+3?%~=5aH>HfJkFGLdv+yE}&&H9U5Cj;1@qhoBvz>%D{WmB~?}BCyNk>Aqr7y z+-ENWe12VH!=PIo`3JS$N+1sdB&-are`6p$-J?MIbq^xlxUH`WK@$0-d%Of-9w3+t zH;^E0_-L--f~WBrOmQllsFYm*QFGi4vvGjfgFD1g3BWx`aCb|%+dszOdOA(RRm4gY z3&QWXt#bghcM~#h5i4uQBmsENw?wned5X?B?D;qY?1>QF48abh@Y6<@$cbdREX*M6V z!C5-u47uBybGtK3-$MvD0wJn!@>8q|p4j;iD&C8=1_BwmXXc{@_Nl9*1oSk3Vo`eH z(+p^|mop|P2#e&NSOCajy7B_SUj08LfD0Be*q%@m!PdDdgjaIUE(FX>ho2X360*_( z*f@Z5d@+OV2{*wGJxPU-P43bs0Ka=@sn!AG4av2wbe3xM=NLv$sSw7nvr`BQ<*rx) zgyE;Bo~5d^e2d!k)aMQ0F`P}APD>%yl)J742)aJ1ewb=;5Xc_Fp7pXUklE*>5Y5V6 z_JuAQ=p5B*-6m?FC11({QSd|*0%f^pz6dl?2htaQTgbp!pcsZjSYI|MDx(;e=?oNN zak(4BrHOq18T2)TW%IY`6x94x21|7FX!RkDdx-4io>~dW;m6Lm6N2MFfPUS&Itv7W zb54jB=C1rI;M*t74-xFuo2h%RTw`Eo&UI z^LxmISuE-hKFvM#ja)g$UO_Oo116R=%bqlBD)vrTShX>lr9m%hbCbto_~#-To4e_o zU|07P%w`aAL-GiSsKq+xDMLi0Z$p0XnJOlfJ;J}a=QjvxKsH$*C4ywvaTO z{~v}S%A=mSFHP{paEOp{?tFYZDK5@}I`kW`PY~?6-=*Pj&L+TC0^x0*S}fFethF>C zLY+JJTS6LUKY7!KXvLyanC@HefOhtGgfz4QEjrKQ@31OGq189H39UR_i*R`Ev)>ji zc0aj*FDfaAlUhV=fzO_Fy%YKt$d>~74aqY=juxA{)gUj<>}ZimjJ&Re2z>65Ex_Mf zj32j%#eidyz|>0B?AS`GZrwJ{@o-$M;~M01Bfpq58vErAGw`k9^CA}W`Nw&o_cLYq93>u%lw zL~dE_`_yUWo6}A26C7%|xxDOs-jynm6t}9fEC=!~P;;-{R*={n!vVeLK%Y`QQT@kU 
zsiy`IiU+|H-8uM{7WYfG&@|?Iql-VJN^0QA zq^#8OKLYQwg!h2NyXi&X?ITa!7DxG0WO%hh0Nr)s$+a>3a}j6KU9eZk^ZuVabZXGA zhP~e@oN&=;czM|)JBmZzfs(^S$?ETuJkQ?N!#RSjxcmlJXQC~t);e{&m#1y zd*Bzq+3(TP+LUt7fb+QQ33!(i-ladFJ%Uxg>H%Ioj~4R|1bKBg9R*hZGJF$ZISwo^ zW$yT2U{UjqDDe;0F1R#D1X*|IF`-d}K}ya-R4U>O&t4*8$+M(UmY!f$?aG~|VliK? zBW$g^;@7CDT&@qnQ44WdY6y6GOtvKuVY$BjBtz6ahp!|-($<5(xbF5>fX!RN!`371 zo&w)R!q@y9E#c??mf`El7pt|bN6=lj^EbegX<5JIX(6jSfe$l))n^#KsKH6KrkRja z-Q-Lh!F^$L22O{|=KH-F09~q%%t7tfgPI$X3w9MGK7y6m9~d=JT0&9dHv`CSgW$sM zl1>oQZyY*G(cPuB@V8j+_@01t7qMXe^VDrx&l#j+x?*`I69J+byJyY<`PClYhN98+ z>83g-@C*VvsMc*D049Phf9@dxw%GtNl-=g@T?oK=s{MxDQUEUY5VpPD##r5~9Ef%>(WK_j5H+YBHygFZu`I{+H z!3ep02}2S!UsXtS7ZS4#1Y37Ed=?n|vyIu?MeDD7k!Bm~S^!!v>b*ey2=-N1Fvdo$nZoZmAn3i@{3XHG z*)zZWpK|i1QZR2=?|}Mj1RqYy8<9>q;upX!`o56N4f|=)IrnP} zEcc|X^^e>%Yh9g(*Zf3oe=L3e#8Xps!Hg(pP5);`{@o zuTHFI5VyL4`gd$%z&O=hmq>BC_^mv5$F~47^99fo1b)duDNf&E;Qij+Nl>NLY{TX} z_sq8e`KkwD9xN*He04egM|7{*&xocw3fQokt@tiuxX(X4ffgGZd$;7dE4K(%=hG5W z941w%Vx2PYfMO}3*z^-(^`WO3`OM!u>ttuQ=DAz83a*S7*P@C>!vAw)gSt&9p8$3v zf$ap?dve@E-(!>;fAyN|x!*(MZ4+dF>dlgFlPV5*2l%@Q{*FUL_KEK^_|pHqhTZc0 zJon`GZb{z}g8iz5-T4fIU8wx&Yw#rcogB`3KXpM!?S z2Q-1CVPP<;rh=_b_ z6B4Nn4)4u#*X{)pTn9vK21M=?*8yb;pgRfl{B~;8b^9}dX1840V@VwIT>28m?|p!M zozIGXbCEFbhP(s5`9Bam+YNlva1!C5!KY&?5be!*Nh~l<9Dq9i5#ZlO`bO2b;SPvphhP&*cx+NBfS&iPVAGsm5Sv#1l7Y?;+Jd+xrhG?_ zK-V7uaDEhi1%ccFkl1JFJPMGWeko?0SJma))I!B^K4217Mi-%zlLdGl2*oOB4Zt3EHv~dG6s~0~)y(ouV9aI{rt% zf0f{$2Yd+Hp5HL|Ca!~kAF>6|b`rvT5;!b_f9MuK%X2~+_WY6*ZToK-CKDe*UmOz}6lmIoS0(08^7eA21apgg7JSC}&USxw}t`Aua3EwYvz_0ieQ) zVE6BVN{O6_+yJ^o*bycvLf#hq9y6^op1gGsm_@%Ld0YDjMzQH<;p@9Yoq6uM&Ti3s zj*zti8E9U8j`7+c^942`2FdYr)gSZRLubM7>xT>;a@#F~Z^gd{1`ocA{!Mm5-$IZU z?xKSMKv|pP9zM_NXEc^~^4klPq8nxYd5jQ$>ef7CEwJG%+%c-)@xQPNMh9LYd~(b? 
zd?C+WZ~=8pA}Y&WgG%r6%;R@~LUA43iFl8C?x1=u|KEbdbX**Im0`{t%!RPaQQ*{H zVQBd)uzS90N6DBk%2%!T2wd${%f-j3bI$!}Tu*}>I}(Zt9OKu}t+V6qtA7KkLgafI zTBU%XlMoyO0?5gnk1+&YhLNHA2tEDmoVdGe4qV~#{yG17(LSqwP5txaTn5;v6_3{g zMaUU~CMS;l%JHFs&()mM6M!OdjU(FyZS^%Sb@3Vs(Equ(8mGodf!^7Xgu{- zC-f~aZUx30lAXW^S>8N9BS!76KuXs7PsZKD&A^x(G`+Nb5EKJkA|U*^*1!?(f%PC^ zJ#vC1YtE+`R-@At&r~bRW5(+j#NBhB0@B_h-#ccklK_31Sa|3aI!kl#GYs@wbyyk= zT8G}DM%f)p?vA;K7RKEL3xVOym5q&c4R;M1#5a_}UIOd9-9iYKo-9Z_ik-W~467}^ zERYYOm3}=BJ`s19JOQ*B8tsKKiQ`2rvh!}a$sG046!M+8z%6%Q_t zyDOIiWMOK$o+^4N0Bm_dh|0F#5~*{)%mA7}HrQ&rR>a-qD*~;yfdE|qAhg<=uNXjM zcrYbz0jjlyT*|Fo2^Ir)m*|p55 z4W@EoQlpKPa&6xBWZYf-Br2p=?D2%?zZ&DjCYejo7ih75*la{K~}*?UFPtoS3T*_A(FF#J*12+G{tByK8Qcn0eF z8NhiP*=dV3bwv$LX#c9y%p2y^RSGO8+4}o6#Cjvcp4+9+xJg2d=z7Tiky&$lh|C{_V zsp61#;LuURa!6v?wwJYz31mm`ZQrV2q z7i!EiVemA`$6k!PTV50-zvB7yF{$E^cL2ZmMIlff0FN%TVL!mD;}SZo9)TA(d{4a; zcXz)8di^(i*Aa;2f2JX1;Q>}_f1o`*>dTqQwjW`|@gqPBzeTr`pzZ-w5O(p$kx=!h zAdER%e;jugqHJIbtDRsqUmyyP|Ag@{G}xc!=aQeq-4h49CBvPBYBNxQ?D=hsY%6#m zp%FTC$IEed(aWG(9=_wA%IEJB&2tvuu#I)`rwm+JxIuy_kJ@ecY23XC^y;Xc&nx*V zg1YW6G!b5Mm_g-13JIE&)XhHww01ztbf9i4K|Kbj<1lgWU{GbyoWQX;Y4terbF4Ie z4#?fRz;Xb%Zb)vpNGru9zht-qArq+*Qs8zTfp8oFs_-4?Q$+sqzf#NX|CIqbh6h_z zTPVucrVQV*?JnZ6@Fs034&(g5Mb6l{TBgj;X0AEbC9k-P5lCk#|f@ z#bMb;@VEVq?!ayTt$`ob47&5nDdE9WSnQkv%<$W9#|iW)fJWbJ|6NAVfdgmfPeb*c z24wr*+p7e1-RxeXi*Eb9ftoqyB?+dmyv+H1+-*Mt(B^zW%YM;-M*tF*mrZ{FNVQP4 zBYlNBGdS8AcQZGQw#H4xZ1LvOh)_+uQ$KI78Lzl)$f z3uv(NFFtRWQf!A7GkSrq=a199Bds{c#&QsM6&Y|{hyU1YMVJ<`Nw6!3B)ycmAvj0xoq92JSpZ~F5V!z?g ztAMJS+ztq8-)5WpD&~rR742=`T*FbMu-j~F3E>tX6rJItCLot%BMiI8);2reT`)Tz zEz_-gY&(GVhU7V*Ma%4%YtR-)#WZEceQz`GWBKm#j{&o}w&uUV)=pJBHn*2hQSI}9 zL-EoME*Euot$AL)d-&t|f}`2qUF#&YYd%gK-SkOQwdhEyY=}M7j9N9LR{Ww`@YdS= z142rU0R@KG=1+Hx!gpV7`=|2Vee;1L%X?_uxUaSfgke0M*Ng6}wSNYbDfMCZijbRX z>pqk3F2q-~MYv7Y@)M*yPCmhEX-5!LyYT~qchsK9cXus9UHzBR>^o`)3E8~nUScC| z+Y*M%4%ujsh1^a%^x1rO>1PGTE^eotB8+VkRwH*hO(cr(4w(1M{?)jytF~5-R!95JP7`iTe znN`3Z2pM30|7`h}^WCE>1pUff9&-Qe7~y$U(!Y2W!;?V_!fu}J{Yt*O;w!)wym@w! 
zFzo(RFL4O^$ZCecjvK3M0`oxd&e`d&=DX{@3Iy40I4?OUWa|RZK7!fH*BROn^&5HH ztbI+syJ`)PvKwZB+h*$tQQLxE;&|)%Z!knQ2i5UpbqPu@M&-=0K4Wg0W(B6oLdzT46YJn9-5zfZQBFfIH{FX2Ax(6>)(8nwj)cedKKSz<2W9S2qJ&3nzhR*;eTddg|4_M#`KGqi6v=*C1d zIMcncw(ns8{T|Q;?umum8=H4X)U*Srv4}qSOt(?n3+s*@`R?i+T{QGcpmma)7E?oS zdbZnW&0ojpH*{Qdw)^$juKU9l~M?p2_}6n(|>23=)#3=Ug2vXYBm$agz-i%JU5qxH3=)xJomCkWjcphG2h?CmzX zz(T#_hxzV?9|D_wGi>(DqV+Z`A=R^KA26vYYP5D^8jt#^xDz&aA7&>ndUMsK1oRky zVz#hv}e;#8GL*G!5PIzu#;{1?$$N{w{KP~YNP25z+(j4^fLzDo*ydk zx=V<$zq1`IK?Ll;*uR$GZu~rr{hNOdxN7W=CObIhA3L1yZaLhoF@Fc4?EqTzzs_H< z>e!YVRUOW$wZDKobqG#bcf8sN^zx;|sn(+mbaagXI&iyd$1n5Ui${RKy2}-MyXy=g zJpiPSAUf_b#zuSn5q|D(`LTTW%&%zaZ{6X7F~xd^k+=D$LMAqTfta}c*BNUXeWUBx z@q8RdMNQc)uE341m4xUt5Mj!@_Z5c7v1VuuO;EO81ZT0KxbT&H_t*)5=Xbfb5Wr2# zXt}ogHw>T*TCX8U8~VAE`R>k>fDvv(-%rpw01d))=(h|S9e^DeqL0p=g2mPbj1-uvF1zEygSb`G7G83yte26gh}L| zL~X6RS?3ANF@QmBcV1v%B&A#j$T`H3KVx?GX8_B5D{IluMC&eFA%rB^ax6EQ>lTW? z*XQK)AK>&Wx$nMvKX_L|StTal&hp>H28o|pGaoJ~DVd1>;^zY;B{NEfSCotsukg2| zWEj22Bc4l2#)>DrQh)JqHy%fnJT#-EBsHoG5QaU7mkkf0+`Xd&Sn)h! 
zYp~#CJvdo18Ul)@6VKCzi>j4O$FIl6kgS3$qO?VzU9^Zd>I8cq6(TJjVi|6UX z@#*LiFrj23gaXeRQn&kf^HbjWbD|JWJTsMOeTz&A=f-!lVD99{t-E15hTFNcfg5ktq~ z`=;Tj#n_3DqWsVc^ej@jT+O(fIzu!@!EsGfGi(hIlR>hN^sE#$-XyXuumGp6{Lk zrVM{@GzvXD426bQ;JKu16q4@|s$l#KsD|Mqg=%;}JP$9y^N1Out4|+>mt!a5<*tgE44;awG-2Wd ze4iFwVR8xhGob>aJAAMZC5krNjH3?B0QvswUgT?cE zgy@VR(PGXp9e*q<3Pr9eN ztm^h#OFwwuw1+=96U@TT-CcZNGQ1JrgHZ5We-GmD^KTz`e9$2DZu|%tkw29pZ$!F& z!k|I2lz5GL;fLrO^U&jyCyi|?A5%SJ@D4*G>u@4@8bIj z^gXe{y| zY1|`cHD%=A*x@3d+SjAMVe;rvGbY_Oth%iBp6OGoZhyRd(zvFFKX@zjCVs|NWrjDN z@R1Nlz?(j~W^&!bLmrwob@ZK&K0N8Zx~W4*+)Ez+zI0Zh%_Jzg{|plo0q^I2kv~g3 z47;^#$V0Qn*UWtE;Yq`$m5qLAR@sm{o5t7NS_!_^l6*tHCJh(EWq`!|bK1n0l!r{>!~B_~a` zWa;C=Y4zWBXJ_>nEOKXz38VF+;j8sirbd_Rsdy0vlE^3cq(UnAHyirTG(T9rwfRr@ zmT%c&550otC-S_ECv%EpB1qgH{b{tmF{Z|ck1`OjoDu1GD6uz$e(>db+BYr>(AaUohUB@IAdq@q8Jthnq>Wez0w4 zO8)ZwlPml)=0AbnrO2mQe;s=_d#mRlXfo)-zAXX%Oo0^o(^V+@mrt;oPp^GPICGv8 z=$%hj!^Qaiy!3eA+&ol=h|%nKGk#|(_(^o}`tmxe_}??&@2rWNA7{(=#R$cy)Gvjf zD+ltZ%P-_h<_H7zQ{>Z}k1F-@WPP2CHyfWue`wVRXAby#{2bReyKBbpSbu~+jQ5;7 zGk&*CxN-fAVyiFcd;NG{{}TE7Z)Kx>TKfv%ZwC2qCKdk`F%@IOE#_(k`Nnbz|Iq48 zjQ-({@I75s-hADCk19>rC1S0${XMPTykgGICzTtCJ;w$3R|2Q2Jpun}8OS1WbxVE| z{&N(rN0$FaxXB)Md3;RE_3z2D4!I0JADK^ydv&*;Tz^CX@(cc?``ZPQoHJuQtLby> z4TBNTbUQEtgFhYy;JYT|x zSe?$?D9@3=8D*SeU;f9e#rndY@`>BmwGT@z{NQ-oJ(9|VyskBQb%kDeQ@$j0%+>Gf zXf@nSw{Dl?8|Jh1h50U}oSgOYaaDhNsNQ_cydCF4o6l#ikA2ENwLU(Q)*Su5KR#S8 ziCbz1js4FQ|GK@j9l}law?@3VgilkkQ~S+~uOs7`^2O!k!QM=&%Oz}D;%roog#RLa zS{(?f@^+EpN7tt<`lfi)hlRXc`x+t_TyBuZFUGA))VcBLI2ri0`Rd)$o=p59w%RRc z-f$7>07djK_|r`NdJgcV^lQS;_zml?j^C*ff4)7s8^TTX2gFgq3~MdpLew`z6hA2M zqWsLIync+nF(3XsKeHF#hz|!H)*EFh3D;jeA9^8N%g?3-&wt4C#AiqO*`?Tz__O@{ z%)KT(y$)0pr^nXm`AhJNsN^d%KkMz&_N320$Em}f#5AJ(%(|mI^Yv-B2~Xx{{SKDK zIK8p_c1pM*KV!}O7!QxDm*2AoJFr@N(wD#9bcB8h4G#WjHM`$oP916!R|W6)n|pczQ9$!uj+mN9`!=R0yiJ1pR4+>yC?p9 z{#!D>80}&FjQq#meq$=-%zxld&3_p$jgR@q@R_wLel`XCoeP|!9@n!(zC<*=TQh(5 z8$8Da_k54*O~hZAuUI3nm$X+qnqPL8aH;3ChN#Upx8Ot7=Nq@gFAOE)1s~;@RJAvM^1jTs=zaftjJoey=ocz8{db9QZa-RffbmK*)~~vPFH`@Y 
zd_Ea3N@+me-($T}F){W7w|Vu2-W>d<=9i+sGOS>~0CDs z(R8&eJ;~$tXlwM>PM2_H|Cg_`avl2$H?I`8)gIW;M`Aq+-lbM3xH+D4!S^q_U~9K$l7MAJ z`fGwOlin%eDSDMY5&!I?{Yt0A@$=VT_nmO=30p0Hj#~ecq*RIDU_TA&PuWkbZh}|a zTg-1^C0QTq&mo_b{a$gr(W)7M=0Io%Eh_%FTuxg<`UJJF)(9|(4C`0hC0vFMeIk*E zAMB}H_V;LwTE=>e{AY(e9QF))4f3%)ABM-Bi6S7GHjH{LuVi>ZCFzPkTS9$XnAQ4?Dic8s#;< zrmf5GacelAIp^i+YWIw_XOEh|+G-8V_^zVy^6(w)>6h@6FTa|=#XsiA&jzjHZx=iG z+x+=qjdt`enfkmbkE+*S;as!>&nT~^OE`LT;19FqwZZ=En($%T-eU3a8{vCC8ME(5 zpR4gwVvW_^*KEZ-anyjxF7~s8AO0BmYc2kAyM#;rnX+HS@0dAlYq%e4^Se?&uiJ%? zrOl<7-bkKvELsMC*a!%hZHpXv&KZM;_?iPgFGk}D|NK(*t{c*q@*lE3ChcdA{jwnH zRdDWhX8+n2IAyQP6Z_eZ_p=YshJBqwT-grvECeKgQ-#^AH)N8_c3tdI< zUy9$*L3NY$x0^2NsXv3ul)Ux&r{}f-r_j`g(M)`N)N5zh>pawFyg8rG= zWBe$5T3-n4_nrLY&sTRE!ejE@eUHm^#*jg{ztR(a^7BP|KzXF*D{GwSx!F&u=vhI( z38mn5QNJ{-j{||H)+6#4*=Hj|{(AkP?UEk!=*9hq&{IJj3-wOO$J)b`i}d|PdiE}Y zpv3&r>vO*F&*2Uq$*1)B0DpD4oM8XABK*G+8@@x@x9?917Mw7zwE8gs%W z9@6E_m=$%*jfzuI+duZ}H8bo-$JdteWGMl@U|K;x*0nAAPugcwk^>2CB|q2*KXV`S zNPZO7C$6guaUffzfmu7WP)k?F73#FzBfs=l*C+^FsMxG$tvG?~ngd>8oZM-o(ehy|FxK)kpQ z^C0}Y*=2oH9u<3(pQNAFY6S3aLZtjsMpE|RseMuY`X>MVQr7!oMV=2E_k*xj)e`&5 zx1Xzk_Nnr_$`1Qqe(1|Ta>sY>vc?zt_PAF+Tq8$44{1RE51-Gs59>OBsf+3B?;mTr z@W+Jbzi(TFv*+9Ln)8`gM{nSvFIelFyzZvz>#=xrM)+3tTVF?2Q;RK61!|-*X1nMtL{qgs(u9m5_I`uQa=_ z*$eo7rvG~&y-EKkP9v$0R39?xt;^Npy}k#CehcA0U*8vm@3Zus!k^jaZ2L%c4Dmvb zaMh2Oux~Sd=(}BlKg#s)?))ahzn`LysLxmWk`MbPm&9k7U)_Lk=^rW3cLM*NRV|QD zgBu#ZDSw$i2Y+|T_YLyD7yR5-DYTzZziNJ>Pg(i^@oLM(hKNBvR|CTTK4CsY@`?Ja zkN)JMWL!VoE#cD7m{>myeeKHssWTUilF?sTHNvI8^K|@*_U`;HB_BPXZ3QUW{jPlC z^8@kc9qCKPv*ScO8~9iXg252uN&Fhcv!x4`$yKPdMOewxRF?J0ucqYd@+JEbID3Sl z-V5Y4En_Gt?X;w)v&(;*)_=m2@vQH&9xJ4T>rpD7^8(UyS5Czz4XvK!w1pn>qdpQZ zp+@*ITP-(Zo}&PVZ!%uKKl~GF#9-4E-*M)(1a)PAw^Li{300jqq5XK?>)JiYH=4ka1phZ_*i zGrL9clD0l1`x5LsG$|YW3+6xIJQMs!{2XGxcOOP;u!l0?C#~07AMG0UaHxy_EWnSg zL*S=UitJ6tAFmN&{*R3M@aBY{q7S_jDGw9d)ulqtjd~BgT>GWszVK;qqJ@uAwb-t@0e%17`iv0OQ0se*Hm-_#2;E(#U zKLkJRMXQIZMOZB@gkT#1`o6}IYeow_oB}^I+Phi}KRrG63Sd%2BZTHbQA36iV 
zIY^Oz((P&f_;7R1cdW*In!>NgfBk^?rMIJCy+xd&^>qWa>%(aq{L!_*Psnc%`R>@m zvyA|Yp21(YUBaKpS|PpCH_kq9r(1#l&CJ(Y9IsAv>Z2B+Q}Q*|$x06u?5R|iU*Z0h zFZ4@&CyZ~cQk ztDXqo6L*n6|M(s)(Yy3;vyq+w+&@72v*k&9OUYB5K!LvEec+&~TtL4=`Kj|F1^#J< zID7aN_ISc{s#q!w`9PQOQ`U#^eR+$$r}Ods;rx9wn87{^^zYme|CyhvC&u)@A%B|w zd1psa`~Z5;ONw>y{$?>JxW`e%epE|Bw77bG4zY8ex!JPKkOR^ zi&trR#PstJ!jt|onSa_Zw3mGToI8P2bqRkSo4+*8%lQlB$0SnSSHd4+@(l==e&>XL z4g1RRX4gy)&Z0w0ymKc>Pj0JKW>)%J<{;9n>JDZ)$(DlE;x`zO}ftemO_MERS3p6IHFdgLy)|E0-qSetsw!+!QT`G4h|G|2xKNBu?o zYv&uiIpLD;W$>SI7XTTwOXqpDu#pkKJe#*J{+(s6@xP5E% z9sP?QSAxiO4@AZNL+rkoyB_PWbd8}t*;^{Tj~(`xD}PG(-MP{Kfq%kd{y3r!Jwab% z@ACTzn5=d{eP-I*GwDg$8|QWwefHse&HUYHAAK1wKHnmH+m3KH7xD5l`3YoMC`OvO{N{grEuNAVp#dHkS8g0r*e zrR05EIQJ*}E~pPI_`Zri!u285A6g~7rNKv9o|^ya&p|JJ;^D(P3A6OG+OYk`KehtGA2?u!f6(wPtd|~^ zruck8|57L~>r>#ddQUW8aEIE&yZd_LIV$XXjn+e{u~}W$OkaOM_+t)z=qcDOW9I<+ z!cTrY;#NyqQeh_E=9ACRzGkxG6{w%(KmZA@F)QtCFpm*gC{%wh# zXgRa-I%y4M|FGXt{2vZ_>=2}IEj3DWRHiQ#xZ&~QM-Ddg!el-BjV4OzuP5T zuIBnr#v=p0`QOk_zCGFjgb?3<4}I7BFmvC`<8U8X$Ux*hj5mWOHN$e}!;(p5e%fH8vJ#~Qkzj?gQfbh!i z=qouM{w?RjCu`gvfpajZ2aG7MeEnJ7zu=#wwfGO^iJS*~Vk~F=3HnE*KZ^GQwcg7F z=lXBIaJ+pF^)XO~&oLgb-A8#yUX?{%>u-MRRZ+xpi9dgST@45qR-^uAXT|tD)Yxbv?tiyInSHGmoIUz7)iCQ zzrJ($b6wDr;*X2=pN_wLYS|xC?3wXQNw^OJd>_ew4lXO?hDJ&rmg{D+=D`-3gu;=gj|=c-;s zEU!G5AMp8ne`LEmz#kx<{P}k1_gMB*{gW|$+={-~N|&#X@Lpluk#i@{bL3>aWm^~U zhoUI~i)U1a67uDlbI&g6Zq4xPtU`>9mm|o8I+9kt2rk;wjX*DepuXNe_+(#THqIuOujv!hvswY zHNQZw+V8j$dNS>KMSPLDDSO7B8ZhEd)<65MSsu;+t#|SL?X*0&-@`o?IrsB{bHm6{ zuPwj-V3fzBzzgJo{Vwh)$hjBh7%ibEQyydDOUi?P!^0$R9e;Q>$hGQef2q~y+!Emh z>m~a)S>xn6rszI0Yfv%TpF1Z!)=yxRw|183w$FO2h$b_BdM3Oee!`p$<()h$uqeR4 z6Z~fXl!^av&a6^^-|a)_@qWFOKTYG0&O5gGzCk`i!4Gpe(O!;qSY&34A7+0$s>6TA z&o`v%J-WTbdoNy`4c}Mm*>U}}y2`G}kw^CVfP(c$^S9dBfZIOnt@->t6CUrU zH_o5<9qRadP6haPf}f$jVSUs5OR`s^Qh?v>qZAiEZ)T=HJg;F*e;}TW+fU3suL+O$ z=Nso|=055p=`+ZGE%cx6AL+~VUXP977Xzn|)kp1DzmR^>y!=+>AMyTOBR|?%gQ)l4 z?gOcTpB~}yes-fiG=8G>u<4@6VaRvd1HxnHS{ox&IV-i2@S(aYr0Ksh_;~JEIn}IZLfCG5dWHIH}IaH%FB+{&o%b%izYm 
z0YYtqyf5d33#mu`Q6H;JDxd5re0vgzGcwbIGy0%cohLu!ldI)odhA)k{l5k8U&#A9 zKkEI%xh=OwxH#RgpU~?5Eg84izJzAoKI)t2bBJE`LxlBH{s}zd=6{VX(^PqW$mfFq zOKsx52&;t6J9stn-sj&d;U9wI-vh%(tEay5{ffMwzg}Fq#4o9Kbf=PYca~b;bp1kJ zfJf^s?hrRWzad<$FH!tcBYk^`AHw+1z2kX7o&&&9P}ULq{E2_)@5mp2Qu68aF;#X0 z$}^w8hR9n)ExlH*{5$`7FCab{FREAAFK2KqLX@UoX`)iKPMKdTp$8=fxdozzzgnk& zP^egG+~4c*0`6=Be&I}gWyT9T!7r#ndFlE155kl2LQnX~=hs0EFcmLYclf1geQFb) zj2FZnJ#{vaY}{f_nEdrK;i>*kiqhUr;2%a+)GAs?w@v!x-!wY>{W#>;I42R^@25m5 z-@^aVe~cc6sH<=f@k8}Uv9B5*-tm!)|KzWY3KUdHVO!)cS4|Ng{}vAK?+krA9#Z;; z)h6^W_QTn&K8{Q}Ok@}*>}{j!Q(}4YfQXmBKg2JL9glT`|NF;(|If$cufM;ZKL7P= f^Uv?6Uz@l0^*?L%f0zDU`iK9&|Mic)byNO-i%wSV diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml index 8f46f25c3777..e52b295cc1dc 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml @@ -1,7 +1,8 @@ input: aws-s3 +vars: + data_stream.dataset: amazon_security_lake.discovery data_stream: vars: - collect_s3_logs: true access_key_id: '{{AWS_ACCESS_KEY_ID}}' secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' session_token: '{{AWS_SESSION_TOKEN}}' diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 19b7b5ccd19c..ebf3414e79ed 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -1323,6 +1323,7 @@ processors: - ocsf.url.scheme - ocsf.url.subdomain - ocsf.url.url_string + - aws tag: remove_duplicate_custom_fields ignore_missing: true if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) 
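Review bot: The new top-level `vars` block in the @@ -1,7 +1,8 @@ hunk pins `data_stream.dataset` to `amazon_security_lake.discovery`, yet the file header places this config under the event data stream's system test, and every other value in the hunk belongs to that stream. If that is deliberate because records ingested through the event stream are routed on to class-specific streams, a one-line comment such as `# test documents are expected to land in the discovery data stream` would stop the next reader from "fixing" it back; if it is a copy-paste slip, the value should be `amazon_security_lake.event`. The rest of the config continues past the hunk, so any later override is not visible here.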
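Review bot: Adding `aws` to this field list in the @@ -1323,6 +1323,7 @@ hunk drops the entire `aws` object from every event unless the `preserve_duplicate_custom_fields` tag is set, and nothing in the hunk shows what `aws` holds; if it carries the S3 bucket/object metadata the aws-s3 input attaches, that is the only link from a normalized event back to the raw object it came from, which an analyst needs when validating a detection or re-processing a batch. Unlike the neighbouring `ocsf.url.*` entries, `aws` is not an `ocsf.*` field duplicated into ECS, so the tag `remove_duplicate_custom_fields` no longer describes what the processor does for it. Either restrict the removal to the sub-fields that are actually duplicated, or add a comment above the entry stating where the provenance survives, e.g. `# aws.* is input metadata already copied to <ECS target>; safe to drop`. The processor that owns this list (presumably a `remove`) starts outside the hunk.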
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index e13a34bbe571..7027cd972e05 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -158,7 +158,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -218,7 +218,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -236,7 +236,7 @@
 type: keyword
 description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
 - name: confidentiality_id
- type: keyword
+ type: integer
 description: The normalized identifier of the file content confidentiality indicator.
 - name: created_time
 type: date
@@ -257,7 +257,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
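Review bot: Changing `algorithm_id` from `keyword` to `integer` in the @@ -77,7 +77,7 @@ hunk (and every other `*_id` field in this file, hunks @@ -158 through @@ -1715) means a document whose value cannot be coerced to a number is now rejected by the index with a mapping exception instead of being stored, so a source that ever emits a non-numeric id silently disappears from search and from any detection that runs on this stream. Nothing in these hunks shows the ingest pipeline converting or validating those values; worth confirming that the pipeline yields integers for them, ideally via a `convert` processor whose `on_failure` tags the event rather than dropping it, and that the pipeline tests include a sample with an `Other`-style id value. The new types also cannot coexist with backing indices created under the previous `keyword` mapping, which belongs in the package's breaking-change notes for operators who upgrade in place.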
@@ -317,7 +317,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -335,7 +335,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -365,7 +365,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -425,7 +425,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -449,7 +449,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -509,7 +509,7 @@
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
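Review bot: The description on the second context line of the @@ -509,7 +509,7 @@ hunk reads `The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.`, which is two field descriptions glued together: the first sentence describes a personal-device flag, not the `type` field it sits under (whose `name` line is outside the hunk). The identical text recurs in the @@ -1139,7 +1139,7 @@ hunk. Since the commit already edits the line right below it, the description should be trimmed to match the sibling definitions, `description: The type of the user. For example, System, AWS IAM User, etc.`.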
@@ -569,7 +569,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -596,7 +596,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -629,7 +629,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -641,7 +641,7 @@
 type: keyword
 description: The file type.
 - name: type_id
- type: keyword
+ type: integer
 description: The file type ID.
 - name: uid
 type: keyword
@@ -674,7 +674,7 @@
 type: keyword
 description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
 - name: integrity_id
- type: keyword
+ type: integer
 description: The normalized identifier of the process integrity level (Windows only).
 - name: lineage
 type: keyword
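Review bot: The description on the second context line of the @@ -674,7 +674,7 @@ hunk says the integrity level is `normalized to the caption of the direction_id value`, but the id field defined directly below it is `integrity_id`, and no `direction_id` appears anywhere in this hunk; the same wording recurs in the @@ -1304,7 +1304,7 @@ hunk. This looks inherited from the upstream schema text rather than introduced here, but it is the only reference a reader of this mapping gets, so it should read `normalized to the caption of the integrity_id value`.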
@@ -707,7 +707,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -788,7 +788,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -848,7 +848,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -866,7 +866,7 @@
 type: keyword
 description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
 - name: confidentiality_id
- type: keyword
+ type: integer
 description: The normalized identifier of the file content confidentiality indicator.
 - name: created_time
 type: date
@@ -887,7 +887,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -947,7 +947,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -965,7 +965,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -995,7 +995,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1055,7 +1055,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1079,7 +1079,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1139,7 +1139,7 @@
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1199,7 +1199,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1226,7 +1226,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1259,7 +1259,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: keyword
+ type: integer
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1271,7 +1271,7 @@
 type: keyword
 description: The file type.
 - name: type_id
- type: keyword
+ type: integer
 description: The file type ID.
 - name: uid
 type: keyword
@@ -1304,7 +1304,7 @@
 type: keyword
 description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
 - name: integrity_id
- type: keyword
+ type: integer
 description: The normalized identifier of the process integrity level (Windows only).
 - name: lineage
 type: keyword
@@ -1387,7 +1387,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -1447,7 +1447,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -1521,7 +1521,7 @@
type: keyword
description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- name: type_id
- type: keyword
+ type: integer
description: The normalized account type identifier.
- name: uid
type: keyword
@@ -1581,7 +1581,7 @@
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
- name: type_id
- type: keyword
+ type: integer
description: The account type identifier.
- name: uid
type: keyword
@@ -1655,7 +1655,7 @@
type: keyword
description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- name: type_id
- type: keyword
+ type: integer
description: The normalized account type identifier.
- name: uid
type: keyword
@@ -1715,7 +1715,7 @@
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
- name: type_id
- type: keyword
+ type: integer
description: The account type identifier.
- name: uid
type: keyword
@@ -1725,6 +1725,7 @@
description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- name: ldap_person
type: group
+ description: The LDAP person object.
fields:
- name: cost_center
type: keyword
diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml
index eeddd30a6702..4c27180a984a 100644
--- a/packages/amazon_security_lake/data_stream/event/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/event/manifest.yml
@@ -7,10 +7,6 @@ streams:
description: Collect Amazon Security Lake Events via AWS S3 input.
template_path: aws-s3.yml.hbs
vars:
- - name: data_stream.dataset
- type: text
- required: true
- default: amazon_security_lake.event
- name: access_key_id
type: password
title: Access Key ID
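Review bot: Dropping the `data_stream.dataset` variable from the `event` stream leaves nothing in this manifest that sets the dataset, so it now has to come from the value Fleet injects for the stream; if `aws-s3.yml.hbs` (not part of this excerpt) still renders `{{data_stream.dataset}}` from the policy vars, that expansion becomes empty and events would land without a dataset, so please confirm the template was updated in the same change. The variable was also `required: true` with a fixed default, meaning users could previously point this input at a different dataset, and removing that knob is a user-visible change that belongs in the 2.0.0 changelog entry alongside the OCSF update. The `streams` list this hunk edits continues past the end of the hunk.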
diff --git a/packages/amazon_security_lake/data_stream/event/sample_event.json b/packages/amazon_security_lake/data_stream/event/sample_event.json new file mode 100644 index 000000000000..7002a2938254 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/sample_event.json 
@@ -0,0 +1,437 @@ +{ + "@timestamp": "1970-01-20T08:34:04.800Z", + "agent": { + "ephemeral_id": "18969fad-c76a-4106-b318-473dfca4dbf0", + "id": "7cf29b78-13e7-49c9-8f7d-129e499b0a81", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.13.2" + }, + "cloud": { + "provider": "aws", + "region": "us-east-1" + }, + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "73259", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "7cf29b78-13e7-49c9-8f7d-129e499b0a81", + "snapshot": false, + "version": "8.13.2" + }, + "event": { + "action": "login-attempt", + "agent_id_status": "verified", + "dataset": "amazon_security_lake.discovery", + "duration": 3600000000, + "end": "1970-01-20T08:35:31.200Z", + "ingested": "2024-06-17T15:16:13Z", + "kind": "event", + "outcome": "success", + "severity": 2, + "start": "1970-01-20T08:34:04.800Z" + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://elastic-package-security-lake-logs-bucket-86893.s3.us-east-1.amazonaws.com/aws_test_log" + }, + "offset": 0 + }, + "message": "User John Doe attempted a login from San Francisco.", + "ocsf": { + "activity_id": "1", + "activity_name": "Login Attempt", + "actor.authorizations": [ + { + "decision": "allow", + "policy": { + "desc": "Allow login", + "group": { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + }, + "name": "Login Policy", + "uid": "pol101", + "version": "1.0" + } + } + ], + "actor.idp.name": "IDP Service", + "actor.idp.uid": "idp101", + "actor.invoked_by": "web_app", + "actor.process.cmd_line": "/usr/bin/login", + "actor.process.created_time": 1672444800, + "actor.process.file.accessed_time": 1672531200, + "actor.process.file.accessor.account.name": "john.doe", + "actor.process.file.accessor.account.type": "user", + "actor.process.file.accessor.account.type_id": 
1, + "actor.process.file.accessor.account.uid": "acc101", + "actor.process.file.accessor.credential_uid": "cred101", + "actor.process.file.accessor.domain": "example.com", + "actor.process.file.accessor.email_addr": "john.doe@example.com", + "actor.process.file.accessor.full_name": "John Doe", + "actor.process.file.accessor.groups": [ + { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "actor.process.file.accessor.name": "John Doe", + "actor.process.file.accessor.org.name": "Example Corp", + "actor.process.file.accessor.org.ou_name": "IT", + "actor.process.file.accessor.org.ou_uid": "ou101", + "actor.process.file.accessor.org.uid": "org101", + "actor.process.file.accessor.type": "user", + "actor.process.file.accessor.type_id": 1, + "actor.process.file.accessor.uid": "usr101", + "actor.process.file.accessor.uid_alt": "john_doe_alt", + "actor.process.file.attributes": 777, + "actor.process.file.company_name": "Example Corp", + "actor.process.file.confidentiality": "high", + "actor.process.file.confidentiality_id": 2, + "actor.process.file.created_time": 1672444800, + "actor.process.file.desc": "Login script", + "actor.process.file.hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": 4, + "value": "abcd1234" + } + ], + "actor.process.file.is_system": true, + "actor.process.file.mime_type": "application/x-sh", + "actor.process.file.modified_time": 1672444800, + "actor.process.file.name": "login.sh", + "actor.process.file.parent_folder": "/usr/bin", + "actor.process.file.path": "/usr/bin/login.sh", + "actor.process.file.security_descriptor": "D:P(A;;FA;;;BA)", + "actor.process.file.signature.algorithm": "RSA", + "actor.process.file.signature.algorithm_id": 1, + "actor.process.file.signature.certificate.created_time": 1577836800, + "actor.process.file.signature.certificate.expiration_time": 1893456000, + 
"actor.process.file.signature.certificate.fingerprints": [ + { + "algorithm": "SHA-1", + "algorithm_id": 3, + "value": "abc123" + } + ], + "actor.process.file.signature.certificate.issuer": "Example CA", + "actor.process.file.signature.certificate.serial_number": "123456", + "actor.process.file.signature.certificate.subject": "Example Corp", + "actor.process.file.signature.certificate.uid": "cert101", + "actor.process.file.signature.certificate.version": "1", + "actor.process.file.signature.created_time": 1672444800, + "actor.process.file.signature.developer_uid": "dev101", + "actor.process.file.signature.digest.algorithm": "SHA-256", + "actor.process.file.signature.digest.algorithm_id": 4, + "actor.process.file.signature.digest.value": "abcd1234", + "actor.process.file.size": 2048, + "actor.process.file.type": "script", + "actor.process.file.type_id": 1, + "actor.process.file.uid": "file101", + "actor.process.file.version": "1.0", + "actor.process.integrity": "valid", + "actor.process.integrity_id": 1, + "actor.process.lineage": [ + "/sbin/init", + "/usr/bin/login" + ], + "actor.process.loaded_modules": [ + "pam", + "bash" + ], + "actor.process.name": "login", + "actor.process.pid": 1234, + "actor.process.sandbox": "none", + "actor.process.terminated_time": 1672531200, + "actor.process.tid": 5678, + "actor.process.uid": "proc101", + "actor.session.count": 1, + "actor.session.created_time": 1672444800, + "actor.session.credential_uid": "cred101", + "actor.session.expiration_reason": "timeout", + "actor.session.expiration_time": 1672531200, + "actor.session.is_mfa": true, + "actor.session.is_remote": false, + "actor.session.is_vpn": false, + "actor.session.issuer": "IDP Service", + "actor.session.terminal": "pts/1", + "actor.session.uid": "sess101", + "actor.session.uid_alt": "sess102", + "actor.session.uuid": "uuid-1234", + "actor.user.account.name": "john.doe", + "actor.user.account.type": "user", + "actor.user.account.type_id": 1, + "actor.user.account.uid": 
"acc101", + "actor.user.credential_uid": "cred101", + "actor.user.domain": "example.com", + "actor.user.email_addr": "john.doe@example.com", + "actor.user.full_name": "John Doe", + "actor.user.groups": [ + { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "actor.user.ldap_person.cost_center": "IT", + "actor.user.ldap_person.created_time": 1577836800, + "actor.user.ldap_person.email_addrs": [ + "john.doe@example.com" + ], + "actor.user.ldap_person.employee_uid": "emp101", + "actor.user.ldap_person.given_name": "John", + "actor.user.ldap_person.hire_time": 1546300800, + "actor.user.ldap_person.job_title": "System Administrator", + "actor.user.ldap_person.labels": [ + "full-time" + ], + "actor.user.ldap_person.last_login_time": 1672444800, + "actor.user.ldap_person.ldap_cn": "john_doe_cn", + "actor.user.ldap_person.ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", + "actor.user.ldap_person.location.city": "San Francisco", + "actor.user.ldap_person.location.continent": "North America", + "actor.user.ldap_person.location.coordinates": [ + 37.7749, + -122.4194 + ], + "actor.user.ldap_person.location.country": "USA", + "actor.user.ldap_person.location.desc": "Head Office", + "actor.user.ldap_person.location.is_on_premises": true, + "actor.user.ldap_person.location.isp": "Example ISP", + "actor.user.ldap_person.location.postal_code": "94103", + "actor.user.ldap_person.location.provider": "Example Provider", + "actor.user.ldap_person.location.region": "California", + "actor.user.ldap_person.manager.account.name": "jane.manager", + "actor.user.ldap_person.manager.account.type": "user", + "actor.user.ldap_person.manager.account.type_id": 1, + "actor.user.ldap_person.manager.account.uid": "acc102", + "actor.user.ldap_person.manager.credential_uid": "cred102", + "actor.user.ldap_person.manager.domain": "example.com", + 
"actor.user.ldap_person.manager.email_addr": "jane.manager@example.com", + "actor.user.ldap_person.manager.full_name": "Jane Manager", + "actor.user.ldap_person.manager.groups": [ + { + "desc": "Managers Group", + "domain": "example.com", + "name": "managers", + "privileges": [ + "read", + "write", + "manage" + ], + "type": "internal", + "uid": "grp102" + } + ], + "actor.user.ldap_person.manager.name": "Jane Manager", + "actor.user.ldap_person.manager.org.name": "Example Corp", + "actor.user.ldap_person.manager.org.ou_name": "IT", + "actor.user.ldap_person.manager.org.ou_uid": "ou101", + "actor.user.ldap_person.manager.org.uid": "org101", + "actor.user.ldap_person.manager.type": "user", + "actor.user.ldap_person.manager.type_id": 1, + "actor.user.ldap_person.manager.uid": "usr102", + "actor.user.ldap_person.manager.uid_alt": "jane_manager_alt", + "actor.user.ldap_person.modified_time": 1622505600, + "actor.user.ldap_person.office_location": "Building A", + "actor.user.ldap_person.surname": "Doe", + "actor.user.name": "John Doe", + "actor.user.org.name": "Example Corp", + "actor.user.org.ou_name": "IT", + "actor.user.org.ou_uid": "ou101", + "actor.user.org.uid": "org101", + "actor.user.type": "user", + "actor.user.type_id": 1, + "actor.user.uid": "usr101", + "actor.user.uid_alt": "john_doe_alt", + "category_name": "User Activity", + "category_uid": "5", + "class_name": "Login Events", + "class_uid": "5003", + "count": 1, + "duration": 3600, + "metadata.correlation_uid": "cor-1234", + "metadata.event_code": "login_attempt", + "metadata.extension.name": "Login Extension", + "metadata.extension.uid": "ext-1234", + "metadata.extension.version": "1.0", + "metadata.labels": [ + "security" + ], + "metadata.log_level": "info", + "metadata.log_name": "user_activity", + "metadata.log_provider": "Example Provider", + "metadata.log_version": "1.0", + "metadata.logged_time": 1672444800, + "metadata.modified_time": 1672444800, + "metadata.original_time": "2023-01-01T00:00:00Z", + 
"metadata.processed_time": 1672531200, + "metadata.product.cpe_name": "cpe:/a:example:product", + "metadata.product.feature.name": "Login Feature", + "metadata.product.feature.uid": "fea-1234", + "metadata.product.feature.version": "1.0", + "metadata.product.lang": "en", + "metadata.product.name": "User Activity Logger", + "metadata.product.path": "/var/log/user_activity", + "metadata.product.uid": "prod-1234", + "metadata.product.url_string": "https://example.com", + "metadata.product.vendor_name": "Example Vendor", + "metadata.product.version": "1.0", + "metadata.profiles": [ + "default" + ], + "metadata.sequence": 1, + "metadata.tenant_uid": "tenant123", + "metadata.uid": "evt-1234", + "metadata.version": "1.0", + "observables": [ + { + "name": "San Francisco", + "reputation": { + "base_score": 90, + "provider": "GeoIP Service", + "score": "high", + "score_id": "1" + }, + "type": "location", + "type_id": "2", + "value": "San Francisco, USA" + } + ], + "raw_data_keyword": "raw_event_data", + "severity": "medium", + "status": "processed", + "status_code": "200", + "status_detail": "Event processed successfully.", + "status_id": "1", + "timezone_offset": -8, + "type_name": "login_event", + "type_uid": "1001", + "user.account.name": "john.doe", + "user.account.type": "user", + "user.account.type_id": 1, + "user.account.uid": "acc101", + "user.credential_uid": "cred101", + "user.domain": "example.com", + "user.email_addr": "john.doe@example.com", + "user.full_name": "John Doe", + "user.groups": [ + { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "user.ldap_person.cost_center": "IT", + "user.ldap_person.created_time": 1577836800, + "user.ldap_person.email_addrs": [ + "john.doe@example.com" + ], + "user.ldap_person.employee_uid": "emp101", + "user.ldap_person.given_name": "John", + "user.ldap_person.hire_time": 1546300800, + 
"user.ldap_person.job_title": "System Administrator", + "user.ldap_person.labels": [ + "full-time" + ], + "user.ldap_person.last_login_time": 1672444800, + "user.ldap_person.ldap_cn": "john_doe_cn", + "user.ldap_person.ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", + "user.ldap_person.location.city": "San Francisco", + "user.ldap_person.location.continent": "North America", + "user.ldap_person.location.coordinates": [ + 37.7749, + -122.4194 + ], + "user.ldap_person.location.country": "USA", + "user.ldap_person.location.desc": "Head Office", + "user.ldap_person.location.is_on_premises": true, + "user.ldap_person.location.isp": "Example ISP", + "user.ldap_person.location.postal_code": "94103", + "user.ldap_person.location.provider": "Example Provider", + "user.ldap_person.location.region": "California", + "user.ldap_person.manager.account.name": "jane.manager", + "user.ldap_person.manager.account.type": "user", + "user.ldap_person.manager.account.type_id": 1, + "user.ldap_person.manager.account.uid": "acc102", + "user.ldap_person.manager.credential_uid": "cred102", + "user.ldap_person.manager.domain": "example.com", + "user.ldap_person.manager.email_addr": "jane.manager@example.com", + "user.ldap_person.manager.full_name": "Jane Manager", + "user.ldap_person.manager.groups": [ + { + "desc": "Managers Group", + "domain": "example.com", + "name": "managers", + "privileges": [ + "read", + "write", + "manage" + ], + "type": "internal", + "uid": "grp102" + } + ], + "user.ldap_person.manager.name": "Jane Manager", + "user.ldap_person.manager.org.name": "Example Corp", + "user.ldap_person.manager.org.ou_name": "IT", + "user.ldap_person.manager.org.ou_uid": "ou101", + "user.ldap_person.manager.org.uid": "org101", + "user.ldap_person.manager.type": "user", + "user.ldap_person.manager.type_id": 1, + "user.ldap_person.manager.uid": "usr102", + "user.ldap_person.manager.uid_alt": "jane_manager_alt", + "user.ldap_person.modified_time": 1622505600, + 
"user.ldap_person.office_location": "Building A", + "user.ldap_person.surname": "Doe", + "user.name": "John Doe", + "user.org.name": "Example Corp", + "user.org.ou_name": "IT", + "user.org.ou_uid": "ou101", + "user.org.uid": "org101", + "user.type": "user", + "user.type_id": 1, + "user.uid": "usr101", + "user.uid_alt": "john_doe_alt" + }, + "tags": [ + "forwarded", + "amazon_security_lake-event" + ] +} \ No newline at end of file diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index cbb73b86d9de..e19169493226 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md @@ -103,7 +103,7 @@ This is the `Event` dataset. | ocsf.actor.process.auid | The audit user assigned at login by the audit subsystem. | keyword | | ocsf.actor.process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword | | ocsf.actor.process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword | +| ocsf.actor.process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer | | ocsf.actor.process.container.hash.value | The digital fingerprint value. | keyword | | ocsf.actor.process.container.image.labels | The image labels. | keyword | | ocsf.actor.process.container.image.name | The image name. | keyword | 
@@ -126,7 +126,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessed_time_dt | The time when the file was last accessed. | date | | ocsf.actor.process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.accessor.account.type_id | The normalized account type identifier. | keyword | +| ocsf.actor.process.file.accessor.account.type_id | The normalized account type identifier. | integer | | ocsf.actor.process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -144,18 +144,18 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | | ocsf.actor.process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | | ocsf.actor.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.accessor.type_id | The account type identifier. | keyword | +| ocsf.actor.process.file.accessor.type_id | The account type identifier. | integer | | ocsf.actor.process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.attributes | The Bitmask value that represents the file attributes. | long | | ocsf.actor.process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword | | ocsf.actor.process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword | +| ocsf.actor.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | integer | | ocsf.actor.process.file.created_time | The time when the file was created. | date | | ocsf.actor.process.file.created_time_dt | The time when the file was created. | date | | ocsf.actor.process.file.creator.account.name | The name of the account (e.g. GCP Account Name). 
| keyword | | ocsf.actor.process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.creator.account.type_id | The normalized account type identifier. | keyword | +| ocsf.actor.process.file.creator.account.type_id | The normalized account type identifier. | integer | | ocsf.actor.process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -173,12 +173,12 @@ This is the `Event` dataset. | ocsf.actor.process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | | ocsf.actor.process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | | ocsf.actor.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.creator.type_id | The account type identifier. | keyword | +| ocsf.actor.process.file.creator.type_id | The account type identifier. | integer | | ocsf.actor.process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword | | ocsf.actor.process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword | +| ocsf.actor.process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer | | ocsf.actor.process.file.hashes.value | The digital fingerprint value. | keyword | | ocsf.actor.process.file.is_system | The indication of whether the object is part of the operating system. 
| boolean | | ocsf.actor.process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword | @@ -186,7 +186,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.modified_time_dt | The time when the file was last modified. | date | | ocsf.actor.process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.modifier.account.type_id | The normalized account type identifier. | keyword | +| ocsf.actor.process.file.modifier.account.type_id | The normalized account type identifier. | integer | | ocsf.actor.process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -204,13 +204,13 @@ This is the `Event` dataset. | ocsf.actor.process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | | ocsf.actor.process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | | ocsf.actor.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.modifier.type_id | The account type identifier. | keyword | +| ocsf.actor.process.file.modifier.type_id | The account type identifier. | integer | | ocsf.actor.process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.name | The name of the file. For example: svchost.exe. | keyword | | ocsf.actor.process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.owner.account.type_id | The normalized account type identifier. | keyword | +| ocsf.actor.process.file.owner.account.type_id | The normalized account type identifier. | integer | | ocsf.actor.process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -228,7 +228,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | | ocsf.actor.process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | | ocsf.actor.process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.owner.type_id | The account type identifier. | keyword | +| ocsf.actor.process.file.owner.type_id | The account type identifier. | integer | | ocsf.actor.process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | 
@@ -245,13 +245,13 @@ This is the `Event` dataset. | ocsf.actor.process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword | | ocsf.actor.process.file.security_descriptor | The object security descriptor. | keyword | | ocsf.actor.process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword | +| ocsf.actor.process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | integer | | ocsf.actor.process.file.signature.certificate.created_time | The time when the certificate was created. | date | | ocsf.actor.process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date | | ocsf.actor.process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date | | ocsf.actor.process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date | | ocsf.actor.process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword | +| ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer | | ocsf.actor.process.file.signature.certificate.fingerprints.value | The digital fingerprint value. 
| keyword | | ocsf.actor.process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword | | ocsf.actor.process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword | @@ -262,11 +262,11 @@ This is the `Event` dataset. | ocsf.actor.process.file.signature.created_time_dt | The time when the digital signature was created. | date | | ocsf.actor.process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword | | ocsf.actor.process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword | +| ocsf.actor.process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer | | ocsf.actor.process.file.signature.digest.value | The digital fingerprint value. | keyword | | ocsf.actor.process.file.size | The size of data, in bytes. | long | | ocsf.actor.process.file.type | The file type. | keyword | -| ocsf.actor.process.file.type_id | The file type ID. | keyword | +| ocsf.actor.process.file.type_id | The file type ID. | integer | | ocsf.actor.process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword | | ocsf.actor.process.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.actor.process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | 
@@ -276,7 +276,7 @@ This is the `Event` dataset. | ocsf.actor.process.group.type | The type of the group or account. | keyword | | ocsf.actor.process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword | -| ocsf.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword | +| ocsf.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | integer | | ocsf.actor.process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword | | ocsf.actor.process.loaded_modules | The list of loaded module names. | keyword | | ocsf.actor.process.name | The friendly name of the process, for example: Notepad++. | keyword | 
@@ -284,7 +284,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.auid | The audit user assigned at login by the audit subsystem. | keyword |
 | ocsf.actor.process.parent_process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword |
 | ocsf.actor.process.parent_process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.parent_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
 | ocsf.actor.process.parent_process.container.hash.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.parent_process.container.image.labels | The image labels. | keyword |
 | ocsf.actor.process.parent_process.container.image.name | The image name. | keyword |
@@ -307,7 +307,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.accessed_time_dt | The time when the file was last accessed. | date |
 | ocsf.actor.process.parent_process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.process.parent_process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.accessor.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.account.type_id | The normalized account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.actor.process.parent_process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -325,18 +325,18 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.parent_process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.file.attributes | The Bitmask value that represents the file attributes. | long |
 | ocsf.actor.process.parent_process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword |
 | ocsf.actor.process.parent_process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword |
+| ocsf.actor.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | integer |
 | ocsf.actor.process.parent_process.file.created_time | The time when the file was created.
| date |
 | ocsf.actor.process.parent_process.file.created_time_dt | The time when the file was created. | date |
 | ocsf.actor.process.parent_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.process.parent_process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.creator.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.creator.account.type_id | The normalized account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.actor.process.parent_process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.actor.process.parent_process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -354,12 +354,12 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.actor.process.parent_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.actor.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.parent_process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
 | ocsf.actor.process.parent_process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.parent_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
 | ocsf.actor.process.parent_process.file.hashes.value | The digital fingerprint value.
| keyword |
 | ocsf.actor.process.parent_process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
 | ocsf.actor.process.parent_process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
@@ -367,7 +367,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.modified_time_dt | The time when the file was last modified. | date |
 | ocsf.actor.process.parent_process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.process.parent_process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.modifier.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.account.type_id | The normalized account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.actor.process.parent_process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -385,13 +385,13 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.parent_process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.file.name | The name of the file. For example: svchost.exe. | keyword |
 | ocsf.actor.process.parent_process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.process.parent_process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.owner.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.owner.account.type_id | The normalized account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.actor.process.parent_process.file.owner.credential_uid | The unique identifier of the user's credential.
For example, AWS Access Key ID. | keyword |
 | ocsf.actor.process.parent_process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -409,7 +409,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.actor.process.parent_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.actor.process.parent_process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | integer |
 | ocsf.actor.process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
@@ -426,13 +426,13 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
 | ocsf.actor.process.parent_process.file.security_descriptor | The object security descriptor. | keyword |
 | ocsf.actor.process.parent_process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
+| ocsf.actor.process.parent_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | integer |
 | ocsf.actor.process.parent_process.file.signature.certificate.created_time | The time when the certificate was created. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
| keyword |
+| ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
 | ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
@@ -443,11 +443,11 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
 | ocsf.actor.process.parent_process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
 | ocsf.actor.process.parent_process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
+| ocsf.actor.process.parent_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
 | ocsf.actor.process.parent_process.file.signature.digest.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.parent_process.file.size | The size of data, in bytes. | long |
 | ocsf.actor.process.parent_process.file.type | The file type. | keyword |
-| ocsf.actor.process.parent_process.file.type_id | The file type ID. | keyword |
+| ocsf.actor.process.parent_process.file.type_id | The file type ID. | integer |
 | ocsf.actor.process.parent_process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword |
 | ocsf.actor.process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
 | ocsf.actor.process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
@@ -457,7 +457,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.group.type | The type of the group or account. | keyword |
 | ocsf.actor.process.parent_process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.actor.process.parent_process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword |
-| ocsf.actor.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword |
+| ocsf.actor.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | integer |
 | ocsf.actor.process.parent_process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword |
 | ocsf.actor.process.parent_process.loaded_modules | The list of loaded module names. | keyword |
 | ocsf.actor.process.parent_process.name | The friendly name of the process, for example: Notepad++. | keyword |
@@ -482,7 +482,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
 | ocsf.actor.process.parent_process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.process.parent_process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.parent_process.user.account.type_id | The normalized account type identifier. | integer |
 | ocsf.actor.process.parent_process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.actor.process.parent_process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.actor.process.parent_process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -500,7 +500,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.actor.process.parent_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.actor.process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.actor.process.parent_process.user.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.parent_process.user.type_id | The account type identifier. | integer |
 | ocsf.actor.process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.parent_process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
@@ -522,7 +522,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword |
 | ocsf.actor.process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.process.user.account.type_id | The normalized account type identifier. | integer |
 | ocsf.actor.process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.actor.process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.actor.process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -540,7 +540,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.actor.process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.actor.process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.actor.process.user.type_id | The account type identifier. | keyword |
+| ocsf.actor.process.user.type_id | The account type identifier. | integer |
 | ocsf.actor.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened |
@@ -562,7 +562,7 @@ This is the `Event` dataset.
 | ocsf.actor.session.uuid | The universally unique identifier of the session. | keyword |
 | ocsf.actor.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.actor.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.user.account.type_id | The normalized account type identifier. | keyword |
+| ocsf.actor.user.account.type_id | The normalized account type identifier. | integer |
 | ocsf.actor.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.actor.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.actor.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -629,7 +629,7 @@ This is the `Event` dataset.
 | ocsf.actor.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.actor.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.actor.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.actor.user.type_id | The account type identifier. | keyword |
+| ocsf.actor.user.type_id | The account type identifier. | integer |
 | ocsf.actor.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.actor.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actual_permissions | The permissions that were granted to the in a platform-native format. | long |
From 118b2d2e7781686e3f11a1a4c5b8ea3d49f6b32e Mon Sep 17 00:00:00 2001
From: Shourie Ganguly
Date: Wed, 10 Jul 2024 14:08:25 +0530
Subject: [PATCH 04/30] test commit to be reverted
---
 .../discovery/fields/user-fields.yml | 48 +++++++++--------
 .../data_stream/discovery/manifest.yml | 12 +++++
 .../data_stream/event/fields/actor-fields.yml | 4 ++
 .../data_stream/event/fields/user-fields.yml | 53 +++++++++++--------
 .../data_stream/event/manifest.yml | 10 ++++
 packages/amazon_security_lake/docs/README.md | 7 +--
 6 files changed, 84 insertions(+), 50 deletions(-)
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml
index ac4e1b543f6f..a90aecad8dfd 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml
@@ -85,14 +85,18 @@
 - name: cost_center
 type: keyword
 description: The cost center associated with the user.
- - name: created_time
+ - name: '*_time'
 type: date
 format: epoch_second
- description: The timestamp when the user was created.
- - name: deleted_time
- type: date
- format: epoch_second
- description: The timestamp when the user was deleted.
+ description: path_match for timestamp fields in ldap_person
+ # - name: created_time
+ # type: date
+ # format: epoch_second
+ # description: The timestamp when the user was created.
+ # - name: deleted_time
+ # type: date
+ # format: epoch_second
+ # description: The timestamp when the user was deleted.
 - name: email_addrs
 type: keyword
 description: A list of additional email addresses for the user.
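Review bot: The description on the new `'*_time'` entry, `path_match for timestamp fields in ldap_person`, is an implementation note rather than a field description, and it stands in for six documented timestamps (created, deleted, hire, last_login, leave, modified) that readers of the generated field table will no longer find by name; if the wildcard name is rendered as a dynamic template it only applies once a matching field first appears, so the explicit epoch-second date mapping these account-lifecycle fields had is no longer guaranteed. Suggest a user-facing description such as `Epoch-second timestamps of the LDAP person entry, e.g. created_time, deleted_time, hire_time, last_login_time, leave_time and modified_time.` and deleting the commented-out definitions rather than keeping them, since git already holds the history. The same pattern recurs in the next hunk of this file and in both hunks of event/fields/user-fields.yml, and a commented copy is added in event/fields/actor-fields.yml; the subject says this is a test commit to be reverted, so the intended final mapping for these timestamps should be stated explicitly before merge.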
@@ -102,34 +106,34 @@
 - name: given_name
 type: keyword
 description: The given or first name of the user.
- - name: hire_time
- type: date
- format: epoch_second
- description: The timestamp when the user was or will be hired by the organization.
+ # - name: hire_time
+ # type: date
+ # format: epoch_second
+ # description: The timestamp when the user was or will be hired by the organization.
 - name: job_title
 type: keyword
 description: The user's job title.
 - name: labels
 type: keyword
 description: The labels associated with the user. For example in AD this could be the userType, employeeType.
- - name: last_login_time
- type: date
- format: epoch_second
- description: The last time when the user logged in.
+ # - name: last_login_time
+ # type: date
+ # format: epoch_second
+ # description: The last time when the user logged in.
 - name: ldap_cn
 type: keyword
 description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
 - name: ldap_dn
 type: keyword
 description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
- - name: leave_time
- type: date
- format: epoch_second
- description: The timestamp when the user left or will be leaving the organization.
- - name: modified_time
- type: date
- format: epoch_second
- description: The timestamp when the user entry was last modified.
+ # - name: leave_time
+ # type: date
+ # format: epoch_second
+ # description: The timestamp when the user left or will be leaving the organization.
+ # - name: modified_time
+ # type: date
+ # format: epoch_second
+ # description: The timestamp when the user entry was last modified.
 - name: office_location
 type: keyword
 description: The primary office location associated with the user. This could be any string and isn't a specific address.
diff --git a/packages/amazon_security_lake/data_stream/discovery/manifest.yml b/packages/amazon_security_lake/data_stream/discovery/manifest.yml
index 378ed301c0b3..d7880a02e3f8 100644
--- a/packages/amazon_security_lake/data_stream/discovery/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/manifest.yml
@@ -1,3 +1,15 @@
 title: Amazon Security Lake Discovery Events
 dataset: amazon_security_lake.discovery
 type: logs
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
+ # index_template:
+ # mappings:
+ # dynamic: true
+ # dynamic_templates:
+ # - strings_as_date:
+ # match_mapping_type: string
+ # mapping:
+ # type: date
+ # date_detection: true
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index 7027cd972e05..e356d4c2b3cf 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
@@ -1730,6 +1730,10 @@
 - name: cost_center
 type: keyword
 description: The cost center associated with the user.
+ # - name: '*_time'
+ # type: date
+ # format: epoch_second
+ # description: path_match for timestamp fields in ldap_person
 - name: created_time
 type: date
 format: epoch_second
diff --git a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml
index 92e575f05d9b..6937a97ecd80 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml
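Review bot: The new `elasticsearch:` block in discovery/manifest.yml carries nine commented-out `index_template` lines, which is dead configuration in a shipped manifest; drop them, and if the two live keys need explanation, replace the block with a one-line comment such as `# routing by data_stream.dataset/namespace, matching the event stream manifest`. Were that template ever enabled, `match_mapping_type: string` mapped to `type: date` together with `date_detection: true` would presumably make every not-yet-mapped string field a date, so the first non-date string value in a new OCSF field would fail to parse and the whole document would be rejected at index time, while the explicitly defined `*_time` fields gain nothing from it. The same commented block, with an extra `format: epoch_second`, is appended to event/manifest.yml in the last hunk in view and should be removed there as well.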
@@ -82,20 +82,29 @@
 - name: uid_alt
 type: keyword
 description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ # - name: 'ldap_person.*_time'
+ # type: date
+ # dynamic: true
+ # format: epoch_second
+ # description: path_match for timestamp fields in ldap_person
 - name: ldap_person
 type: group
 fields:
 - name: cost_center
 type: keyword
 description: The cost center associated with the user.
- - name: created_time
+ - name: '*_time'
 type: date
 format: epoch_second
- description: The timestamp when the user was created.
- - name: deleted_time
- type: date
- format: epoch_second
- description: The timestamp when the user was deleted.
+ description: path_match for timestamp fields in ldap_person
+ # - name: created_time
+ # type: date
+ # format: epoch_second
+ # description: The timestamp when the user was created.
+ # - name: deleted_time
+ # type: date
+ # format: epoch_second
+ # description: The timestamp when the user was deleted.
 - name: email_addrs
 type: keyword
 description: A list of additional email addresses for the user.
@@ -105,34 +114,34 @@ - name: given_name type: keyword description: The given or first name of the user. - - name: hire_time - type: date - format: epoch_second - description: The timestamp when the user was or will be hired by the organization. + # - name: hire_time + # type: date + # format: epoch_second + # description: The timestamp when the user was or will be hired by the organization. - name: job_title type: keyword description: The user's job title. - name: labels type: keyword description: The labels associated with the user. For example in AD this could be the userType, employeeType. - - name: last_login_time - type: date - format: epoch_second - description: The last time when the user logged in. + # - name: last_login_time + # type: date + # format: epoch_second + # description: The last time when the user logged in. - name: ldap_cn type: keyword description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. - name: ldap_dn type: keyword description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. - - name: leave_time - type: date - format: epoch_second - description: The timestamp when the user left or will be leaving the organization. - - name: modified_time - type: date - format: epoch_second - description: The timestamp when the user entry was last modified. + # - name: leave_time + # type: date + # format: epoch_second + # description: The timestamp when the user left or will be leaving the organization. + # - name: modified_time + # type: date + # format: epoch_second + # description: The timestamp when the user entry was last modified. - name: office_location type: keyword description: The primary office location associated with the user. This could be any string and isn't a specific address. 
diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index 4c27180a984a..0ffffee46e47 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml +++ b/packages/amazon_security_lake/data_stream/event/manifest.yml @@ -200,3 +200,13 @@ streams: elasticsearch: dynamic_dataset: true dynamic_namespace: true + # index_template: + # mappings: + # dynamic: true + # dynamic_templates: + # - strings_as_date: + # match_mapping_type: string + # mapping: + # type: date + # format: epoch_second + # date_detection: true diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index ea4c2c7a6772..f79d3ef0f00c 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
@@ -1936,19 +1936,15 @@ This is the `Event` dataset. | ocsf.user.groups.privileges | The group privileges. | keyword | | ocsf.user.groups.type | The type of the group or account. | keyword | | ocsf.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.user.ldap_person.\*_time | path_match for timestamp fields in ldap_person | date | | ocsf.user.ldap_person.cost_center | The cost center associated with the user. | keyword | -| ocsf.user.ldap_person.created_time | The timestamp when the user was created. | date | -| ocsf.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date | | ocsf.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword | | ocsf.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword | | ocsf.user.ldap_person.given_name | The given or first name of the user. | keyword | -| ocsf.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date | | ocsf.user.ldap_person.job_title | The user's job title. | keyword | | ocsf.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. | keyword | -| ocsf.user.ldap_person.last_login_time | The last time when the user logged in. | date | | ocsf.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword | | ocsf.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. | keyword | -| ocsf.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date | | ocsf.user.ldap_person.location.city | The name of the city. 
| keyword | | ocsf.user.ldap_person.location.continent | The name of the continent. | keyword | | ocsf.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | @@ -1982,7 +1978,6 @@ This is the `Event` dataset. | ocsf.user.ldap_person.manager.type_id | The account type identifier. | integer | | ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | -| ocsf.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date | | ocsf.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword | | ocsf.user.ldap_person.surname | The last or family name for the user. | keyword | | ocsf.user.name | The username. For example, janedoe1. | keyword | From 185e2f99490941eb2fa4fab1431571a046d1a3f9 Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Fri, 12 Jul 2024 17:34:24 +0530 Subject: [PATCH 05/30] initial working test for dynamic template --- .../discovery/fields/actor-fields.yml | 170 +++++++++++++++++- .../discovery/fields/user-fields.yml | 88 ++++----- .../data_stream/discovery/manifest.yml | 12 +- .../data_stream/event/fields/actor-fields.yml | 4 - .../data_stream/event/fields/base-fields.yml | 1 - .../data_stream/event/fields/user-fields.yml | 93 ++++------ .../data_stream/event/manifest.yml | 13 +- packages/amazon_security_lake/docs/README.md | 17 +- 8 files changed, 246 insertions(+), 152 deletions(-) diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml index ccda117be004..d32ca9a55a04 100644 
--- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml 
@@ -1715,5 +1715,171 @@ type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: ldap_person - type: flattened - description: The LDAP attributes of the user. + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. 
+ - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. 
+ - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml index a90aecad8dfd..9b4a121dd36d 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml @@ -52,21 +52,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
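Review bot: The new `ldap_person` date fields in this discovery actor-fields.yml hunk use `format: epoch_second`, while the discovery user-fields.yml hunks of the same commit further down this page use `date_format: epoch_second` for the same attributes, and the event user-fields.yml hunks return to `format:`. As far as I know, `date_format` is the fields.yml key that Fleet copies into the Elasticsearch date mapping's `format`, whereas `format` is a Kibana display hint, so the `format:` variants leave these fields on the default date parser, under which a bare integer is read as epoch milliseconds and a seconds-precision value lands in January 1970 — unless the ingest pipeline, which is outside this hunk, already converts them. One key should be used everywhere; here that means changing the `format: epoch_second` line under each of created_time, deleted_time, hire_time, last_login_time, leave_time and modified_time to `date_format: epoch_second`. The pipeline test expected output for a document carrying one of these fields would confirm which spelling actually takes effect.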
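Review bot: The `org.*` definition's description, `Organization and org unit related to the user.`, loses the four OCSF attributes that the removed `org` group documented, and the regenerated README rows for `ocsf.user.org.\*` and `ocsf.user.ldap_person.manager.org.\*` later on this page come out with an empty description cell. The same replacement is made in the event user-fields.yml hunks and in the application_activity hunks of the following commit, and within this file the `@@ -226` hunk writes `- name: org` without the `.*` suffix, so the two spellings should be reconciled. Suggest `description: 'Organization and organizational unit of the user (OCSF org object: name, ou_name, ou_uid, uid; any other key under org is indexed as keyword).'` so the attribute list survives the move to a dynamic object.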
@@ -85,18 +75,14 @@ - name: cost_center type: keyword description: The cost center associated with the user. - - name: '*_time' + - name: created_time + type: date + date_format: epoch_second + description: The timestamp when the user was created. + - name: deleted_time type: date - format: epoch_second - description: path_match for timestamp fields in ldap_person - # - name: created_time - # type: date - # format: epoch_second - # description: The timestamp when the user was created. - # - name: deleted_time - # type: date - # format: epoch_second - # description: The timestamp when the user was deleted. + date_format: epoch_second + description: The timestamp when the user was deleted. - name: email_addrs type: keyword description: A list of additional email addresses for the user. 
@@ -106,34 +92,34 @@ - name: given_name type: keyword description: The given or first name of the user. - # - name: hire_time - # type: date - # format: epoch_second - # description: The timestamp when the user was or will be hired by the organization. + - name: hire_time + type: date + date_format: epoch_second + description: The timestamp when the user was or will be hired by the organization. - name: job_title type: keyword description: The user's job title. - name: labels type: keyword description: The labels associated with the user. For example in AD this could be the userType, employeeType. - # - name: last_login_time - # type: date - # format: epoch_second - # description: The last time when the user logged in. + - name: last_login_time + type: date + date_format: epoch_second + description: The last time when the user logged in. - name: ldap_cn type: keyword description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. - name: ldap_dn type: keyword description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. - # - name: leave_time - # type: date - # format: epoch_second - # description: The timestamp when the user left or will be leaving the organization. - # - name: modified_time - # type: date - # format: epoch_second - # description: The timestamp when the user entry was last modified. + - name: leave_time + type: date + date_format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: modified_time + type: date + date_format: epoch_second + description: The timestamp when the user entry was last modified. - name: office_location type: keyword description: The primary office location associated with the user. This could be any string and isn't a specific address. 
@@ -226,20 +212,10 @@ type: keyword description: The username. For example, janedoe1. - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/discovery/manifest.yml b/packages/amazon_security_lake/data_stream/discovery/manifest.yml index d7880a02e3f8..39d52c9c0dac 100644 --- a/packages/amazon_security_lake/data_stream/discovery/manifest.yml +++ b/packages/amazon_security_lake/data_stream/discovery/manifest.yml @@ -4,12 +4,6 @@ type: logs elasticsearch: dynamic_dataset: true dynamic_namespace: true - # index_template: - # mappings: - # dynamic: true - # dynamic_templates: - # - strings_as_date: - # match_mapping_type: string - # mapping: - # type: date - # date_detection: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml index e356d4c2b3cf..7027cd972e05 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml 
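Review bot: `index_template.mappings.dynamic: true` in the discovery manifest hunk turns on dynamic mapping for every path in the data stream, not only for the `org.*` objects that the new `object_type_mapping_type: "*"` definitions rely on; the event manifest hunk further down this page makes the identical change. Any unexpected key in an incoming OCSF document then becomes a mapped field, so a producer emitting many distinct keys grows the mapping until `index.mapping.total_fields.limit` starts rejecting documents, and date detection can pin a guessed type on a string field that later conflicts with real data. If whole-index dynamic mapping is the intent, a comment should say so, e.g. `# Whole-index dynamic mapping: unmapped OCSF attributes are indexed with inferred types, bounded only by index.mapping.total_fields.limit.`; if not, the wildcard object definitions — which, as I understand Fleet's handling of them, already produce their own dynamic templates — may be sufficient without this setting.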
@@ -1730,10 +1730,6 @@ - name: cost_center type: keyword description: The cost center associated with the user. - # - name: '*_time' - # type: date - # format: epoch_second - # description: path_match for timestamp fields in ldap_person - name: created_time type: date format: epoch_second diff --git a/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml index c034c1b6dbbd..ce287c5392ef 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml @@ -14,7 +14,6 @@ - name: event.dataset type: constant_keyword description: Event dataset. - value: amazon_security_lake.event - name: '@timestamp' type: date description: Event timestamp. diff --git a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml index 6937a97ecd80..0f4fc84ae3fe 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml 
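Review bot: Removing `value: amazon_security_lake.event` from the `event.dataset` constant_keyword in the base-fields.yml hunk leaves the constant to be fixed by the first document written to each backing index, and nothing in the hunk says why. Presumably this is because dynamic dataset routing can send documents to data streams whose dataset is not `amazon_security_lake.event`, in which case a fixed value would be wrong for them; a one-line comment would spare the next reader a bisect, e.g. `# value deliberately unset: with dynamic_dataset routing the dataset differs per target data stream.`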
@@ -55,21 +55,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -82,29 +72,20 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - # - name: 'ldap_person.*_time' - # type: date - # dynamic: true - # format: epoch_second - # description: path_match for timestamp fields in ldap_person - name: ldap_person type: group fields: - name: cost_center type: keyword description: The cost center associated with the user. - - name: '*_time' + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: deleted_time type: date format: epoch_second - description: path_match for timestamp fields in ldap_person - # - name: created_time - # type: date - # format: epoch_second - # description: The timestamp when the user was created. - # - name: deleted_time - # type: date - # format: epoch_second - # description: The timestamp when the user was deleted. + description: The timestamp when the user was deleted. - name: email_addrs type: keyword description: A list of additional email addresses for the user. 
@@ -114,34 +95,34 @@ - name: given_name type: keyword description: The given or first name of the user. - # - name: hire_time - # type: date - # format: epoch_second - # description: The timestamp when the user was or will be hired by the organization. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. - name: job_title type: keyword description: The user's job title. - name: labels type: keyword description: The labels associated with the user. For example in AD this could be the userType, employeeType. - # - name: last_login_time - # type: date - # format: epoch_second - # description: The last time when the user logged in. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. - name: ldap_cn type: keyword description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. - name: ldap_dn type: keyword description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. - # - name: leave_time - # type: date - # format: epoch_second - # description: The timestamp when the user left or will be leaving the organization. - # - name: modified_time - # type: date - # format: epoch_second - # description: The timestamp when the user entry was last modified. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. - name: office_location type: keyword description: The primary office location associated with the user. This could be any string and isn't a specific address. 
@@ -236,21 +217,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index 0ffffee46e47..f2dd3aab62c2 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml +++ b/packages/amazon_security_lake/data_stream/event/manifest.yml @@ -200,13 +200,6 @@ streams: elasticsearch: dynamic_dataset: true dynamic_namespace: true - # index_template: - # mappings: - # dynamic: true - # dynamic_templates: - # - strings_as_date: - # match_mapping_type: string - # mapping: - # type: date - # format: epoch_second - # date_detection: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index f79d3ef0f00c..6179ca16aee6 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
@@ -1936,15 +1936,19 @@ This is the `Event` dataset. | ocsf.user.groups.privileges | The group privileges. | keyword | | ocsf.user.groups.type | The type of the group or account. | keyword | | ocsf.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.user.ldap_person.\*_time | path_match for timestamp fields in ldap_person | date | | ocsf.user.ldap_person.cost_center | The cost center associated with the user. | keyword | +| ocsf.user.ldap_person.created_time | The timestamp when the user was created. | date | +| ocsf.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date | | ocsf.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword | | ocsf.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword | | ocsf.user.ldap_person.given_name | The given or first name of the user. | keyword | +| ocsf.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date | | ocsf.user.ldap_person.job_title | The user's job title. | keyword | | ocsf.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. | keyword | +| ocsf.user.ldap_person.last_login_time | The last time when the user logged in. | date | | ocsf.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword | | ocsf.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. | keyword | +| ocsf.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date | | ocsf.user.ldap_person.location.city | The name of the city. 
| keyword | | ocsf.user.ldap_person.location.continent | The name of the continent. | keyword | | ocsf.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | 
@@ -1970,21 +1974,16 @@ This is the `Event` dataset. | ocsf.user.ldap_person.manager.groups.type | The type of the group or account. | keyword | | ocsf.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.user.ldap_person.manager.name | The username. For example, janedoe1. | keyword | -| ocsf.user.ldap_person.manager.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.user.ldap_person.manager.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.user.ldap_person.manager.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.user.ldap_person.manager.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.user.ldap_person.manager.org.\* | | object | | ocsf.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.user.ldap_person.manager.type_id | The account type identifier. | integer | | ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | +| ocsf.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date | | ocsf.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword | | ocsf.user.ldap_person.surname | The last or family name for the user. | keyword | | ocsf.user.name | The username. For example, janedoe1. 
| keyword | -| ocsf.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.user.org.\* | | object | | ocsf.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.user.type_id | The account type identifier. | integer | | ocsf.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | From f784e757cfbcd01a858542584c9e5a048064a149 Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Fri, 12 Jul 2024 17:46:03 +0530 Subject: [PATCH 06/30] updated root org templates --- .../application_activity/fields/fields.yml | 100 +++------- .../discovery/fields/actor-fields.yml | 120 +++--------- .../data_stream/event/fields/actor-fields.yml | 139 ++++---------- .../data_stream/findings/fields/fields.yml | 80 ++------ .../data_stream/iam/fields/fields.yml | 180 +++++------------- .../network_activity/fields/fields.yml | 100 +++------- .../system_activity/fields/fields.yml | 180 +++++------------- packages/amazon_security_lake/docs/README.md | 34 +--- 8 files changed, 232 insertions(+), 701 deletions(-) diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 57f77aaf0afd..416cc1a2dc8e 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml 
@@ -199,21 +199,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -295,21 +285,11 @@
 - name: name
 type: keyword
 description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
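Review bot: Replacing the four explicitly mapped `org` sub-fields with a wildcard `org.*` object template drops the per-field documentation that made `org.uid` (AWS Org ID / AD identifier) and `org.ou_uid` (OU DN / AWS OU ID) self-explanatory to anyone building detections or lookups on them, and the single `description: Organization and org unit related to the user.` no longer says which keys exist. Because `object_type_mapping_type: "*"` should map any key under `org` as keyword, the previously named sub-fields presumably stay keyword and existing queries on `ocsf.user.org.uid` keep working, but that is worth confirming against the generated mapping; it also means any unexpected key a source emits under `org` is now indexed, and if a source ever nests an object there a keyword template matching `*` would presumably reject it. Consider naming the expected keys in the description, e.g. `description: Organization and org unit related to the user (name, ou_name, ou_uid, uid).` The same replacement, with the same gap, is made in the remaining hunks of this file and in the discovery, event, findings, iam and network_activity sections.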
@@ -400,21 +380,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -481,21 +451,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
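Review bot: The context line closing the `@@ -481,21 +451,11 @@` hunk, `description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.`, carries a fragment pasted in from another field's description; the commit does not touch it, but it sits directly under the edited block, so this is the natural place to reduce it to `description: The type of the user. For example, System, AWS IAM User, etc.`. The same line appears after the matching hunks in the discovery (-487), event (-490), iam (-481) and network_activity (-481) sections.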
@@ -1392,21 +1352,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
index d32ca9a55a04..8d73ed32d77f 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
@@ -196,21 +196,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -295,21 +285,11 @@
 - name: name
 type: keyword
 description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -403,21 +383,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -487,21 +457,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
@@ -1419,21 +1379,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -1856,21 +1806,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index 7027cd972e05..6c9315d47726 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
@@ -199,21 +199,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -298,21 +288,11 @@
 - name: name
 type: keyword
 description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -406,21 +386,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -490,21 +460,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
@@ -829,21 +789,10 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
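Review bot: The `org.*` entry added in the `@@ -829,21 +789,10 @@` hunk is the only one in this commit with no `description`, so the generated field reference will list this org object with an empty description while every sibling gets one. Add `description: Organization and org unit related to the user.` after `object_type_mapping_type: "*"` so the entry matches the other hunks.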
@@ -1428,21 +1377,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -1869,21 +1808,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index 2b6a3f72f7a0..cfc9efc20c4f 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -1350,21 +1350,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -1446,21 +1436,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -1551,21 +1531,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -1632,21 +1602,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
index ab245e5d92b0..569473d70208 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
@@ -199,21 +199,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -295,21 +285,11 @@
 - name: name
 type: keyword
 description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -400,21 +380,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -481,21 +451,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
@@ -1392,21 +1352,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -3142,21 +3092,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -3238,21 +3178,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -3343,21 +3273,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -3424,21 +3344,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index 7dafaf441ca0..4545e3f154c8 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
@@ -199,21 +199,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -295,21 +285,11 @@
 - name: name
 type: keyword
 description: The name of the city.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -400,21 +380,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -481,21 +451,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
@@ -1398,21 +1358,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index e45b7ecdf2e0..9110b863775c 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml 
@@ -202,21 +202,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -298,21 +288,11 @@ - name: name type: keyword description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -403,21 +383,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -484,21 +454,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
@@ -1401,21 +1361,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -5854,21 +5804,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -5950,21 +5890,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -6055,21 +5985,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -6136,21 +6056,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index 6179ca16aee6..60a43ebb8913 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
@@ -139,10 +139,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.accessor.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.accessor.type_id | The account type identifier. | integer | | ocsf.actor.process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -168,10 +165,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.file.creator.name | The name of the city. | keyword | -| ocsf.actor.process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.creator.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.creator.type_id | The account type identifier. | integer | | ocsf.actor.process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -199,10 +193,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.modifier.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.modifier.type_id | The account type identifier. | integer | | ocsf.actor.process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -223,10 +214,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.owner.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.owner.type_id | The account type identifier. | integer | | ocsf.actor.process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -495,10 +483,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.user.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.parent_process.user.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.parent_process.user.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.user.type_id | The account type identifier. | integer | | ocsf.actor.process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -612,10 +597,7 @@ This is the `Event` dataset. | ocsf.actor.user.ldap_person.manager.groups.type | The type of the group or account. | keyword | | ocsf.actor.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.user.ldap_person.manager.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.user.ldap_person.manager.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.user.ldap_person.manager.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.user.ldap_person.manager.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.user.ldap_person.manager.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.user.ldap_person.manager.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.user.ldap_person.manager.type_id | The account type identifier. | integer | | ocsf.actor.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1974,7 +1956,7 @@ This is the `Event` dataset. | ocsf.user.ldap_person.manager.groups.type | The type of the group or account. | keyword | | ocsf.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.user.ldap_person.manager.name | The username. For example, janedoe1. | keyword | -| ocsf.user.ldap_person.manager.org.\* | | object | +| ocsf.user.ldap_person.manager.org.\* | Organization and org unit related to the user. | object | | ocsf.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.user.ldap_person.manager.type_id | The account type identifier. | integer | | ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | @@ -1983,7 +1965,7 @@ This is the `Event` dataset. | ocsf.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword | | ocsf.user.ldap_person.surname | The last or family name for the user. | keyword | | ocsf.user.name | The username. For example, janedoe1. | keyword | -| ocsf.user.org.\* | | object | +| ocsf.user.org.\* | Organization and org unit related to the user. | object | | ocsf.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.user.type_id | The account type identifier. | integer | | ocsf.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | From 42822257dbfe8da222cd33b5c1db029aa6f8df9d Mon Sep 17 00:00:00 2001 
From: Shourie Ganguly Date: Fri, 12 Jul 2024 17:59:02 +0530 Subject: [PATCH 07/30] reworked 'org' object mapping as tynamic template for all data streams --- .../application_activity/fields/fields.yml | 95 +--- .../discovery/fields/actor-fields.yml | 95 +--- .../data_stream/event/fields/actor-fields.yml | 76 +--- .../data_stream/event/fields/fields.yml | 152 ++----- .../data_stream/findings/fields/fields.yml | 95 +--- .../data_stream/iam/fields/fields.yml | 190 ++------ .../network_activity/fields/fields.yml | 95 +--- .../system_activity/fields/fields.yml | 418 ++++-------------- packages/amazon_security_lake/docs/README.md | 65 +-- 9 files changed, 269 insertions(+), 1012 deletions(-) diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 416cc1a2dc8e..9adcbdf087ba 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml @@ -771,21 +771,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
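Review bot: The new `org.*` entry in the `@@ -771,21 +771,10 @@` hunk omits the `description` that PATCH 01 supplied for the same entry (`Organization and org unit related to the user.`), so the README generator will presumably fall back to an empty description cell, the state the `ocsf.user.org.\*` rows were in before PATCH 01's README hunk corrected them. Add `description: Organization and org unit related to the user.` after `object_type_mapping_type: "*"` here and in the remaining hunks of `application_activity/fields/fields.yml`, `discovery/fields/actor-fields.yml` and `event/fields/actor-fields.yml` on the following lines, which all drop it the same way. The commit subject reads `tynamic template`; `dynamic` is presumably meant.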
@@ -867,21 +856,10 @@ - name: name type: keyword description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -972,21 +950,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -1053,21 +1020,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. @@ -1473,21 +1429,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml index 8d73ed32d77f..bc934388d178 100644 
--- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml @@ -783,21 +783,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -882,21 +871,10 @@ - name: name type: keyword description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -990,21 +968,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1074,21 +1041,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
@@ -1503,21 +1459,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml index 6c9315d47726..d7de1e51a6e5 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml 
@@ -877,21 +877,10 @@ - name: name type: keyword description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -985,21 +974,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
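Review bot: Swapping the documented `org` group for `org.*` with `object_type_mapping_type: "*"` makes every subfield under `org` dynamically created and keyword-typed, so `uid` and `ou_uid` (the AWS Org / OU identifiers analysts key tenancy filters on) are no longer declared or described, and any unexpected key a source emits under `org` becomes a new index field. Since the OCSF Organization object is a small closed set, keeping `- name: org` with its four keyword children and adding the wildcard only beneath them would preserve documentation and strict typing while still absorbing new attributes, if the package tooling allows both. In the first hunk's leading context the `name` field of this user object is described as `The name of the city.`, which looks copied from a location object; the sibling hunk's `The username. For example, janedoe1.` fits. The fused `The event occurred on a personal device.The type of the user.` description recurs in a later hunk of this file. The enclosing user groups start above both hunks.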
@@ -1069,21 +1047,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. @@ -1501,21 +1468,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml index ae11efc5b145..6fec7dd6cb00 100644 
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml @@ -909,21 +909,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1005,21 +994,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
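Review bot: Both hunks replace an explicit, documented Organization mapping with `org.*` / `object_type: keyword` / `object_type_mapping_type: "*"`, which drops `name`, `ou_name`, `ou_uid` and `uid` from the generated field docs and lets any producer-supplied key under `org` materialize as a field at index time. For a security data stream that is a mapping-growth risk worth stating in the changelog or a comment, for example `# org.* is dynamic: any key under org becomes a keyword field` above the wildcard, so operators know why unexpected fields appear. If only the four OCSF attributes are expected, the former `type: group` block is the tighter mapping and the wildcard could be limited to the streams that genuinely carry open-ended `org` content. The enclosing user groups begin above each hunk.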
@@ -1110,21 +1088,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1191,21 +1158,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -3120,21 +3076,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -3216,21 +3161,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -3321,21 +3255,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -3402,21 +3325,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml index cfc9efc20c4f..8181694c88db 100644 
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml @@ -735,21 +735,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -831,21 +820,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
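Review bot: The new `org.*` wildcard removes the declared `uid` and `ou_uid` keyword fields that findings consumers would use to scope results by AWS Organization or OU, replacing them with dynamically created fields whose names and count are decided by whatever the producer emits. The forced keyword type from `object_type_mapping_type: "*"` keeps string identifiers searchable, but it also means a non-scalar value under `org` would presumably fail to index rather than be mapped, so a sample finding with the full Organization object should be part of the pipeline tests. Retaining `- name: org` with the four documented children alongside the wildcard would keep the field reference accurate for the known attributes. The enclosing user groups start above both hunks.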
@@ -936,21 +914,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1017,21 +984,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -1892,21 +1848,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml index 569473d70208..91b1f6bdf841 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml 
@@ -771,21 +771,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -867,21 +856,10 @@ - name: name type: keyword description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
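Review bot: In an IAM stream the `org.uid` and `org.ou_uid` values are the identifiers that tie an account-management event to its AWS Organization and OU, and the new `org.*` dynamic object stops declaring or documenting them, leaving their presence and type to whatever the producer sends. The wildcard also accepts arbitrary additional keys under `org`, so unexpected producer content grows the mapping instead of being dropped or flagged; if that is intended, a short comment such as `# accept any Organization attribute as keyword` above `org.*` would make the choice visible. The second hunk's leading context describes the user object's `name` as `The name of the city.`, which looks like a copy from a location object; `The username. For example, janedoe1.` as in the first hunk fits. Both enclosing user groups start above their hunks.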
@@ -972,21 +950,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1053,21 +1020,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
@@ -1473,21 +1429,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -2480,21 +2425,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -2576,21 +2510,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -2681,21 +2604,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -2762,21 +2674,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -3633,21 +3534,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml index 4545e3f154c8..5b37508acd27 100644 
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml @@ -774,21 +774,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -870,21 +859,10 @@ - name: name type: keyword description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
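Review bot: Replacing the `org` group with `org.*` here removes the only place the four Organization attributes were documented for this stream and converts them into dynamically mapped keywords, so an analyst reading the field reference can no longer see that `org.uid` carries the AWS Org ID. Because `object_type_mapping_type: "*"` matches every detected type, the mapping will accept any scalar a source puts under `org` as keyword and would presumably reject a nested object, which is worth a test case given network producers vary widely. Keeping the explicit `uid`, `ou_uid`, `ou_name` and `name` definitions and adding the wildcard after them would retain the documentation for the known keys. The second hunk's `name` field is described as `The name of the city.` inside a user object, which looks misplaced; `The username. For example, janedoe1.` fits. The enclosing user groups start above both hunks.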
@@ -975,21 +953,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1056,21 +1023,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
@@ -1479,21 +1435,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index 9110b863775c..65f6d2813a2f 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml 
@@ -777,21 +777,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -873,21 +862,10 @@ - name: name type: keyword description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
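Review bot: The `org.*` wildcard introduced in both hunks makes the Organization subfields undeclared and undocumented, so the exported field list for this stream no longer tells readers that `org.uid` and `org.ou_uid` hold the AWS Organization and OU identifiers used to scope host events by tenant. Dynamic creation of every key under `org` also means field count is driven by producer output rather than by the schema, which in a lake fed by multiple sources is a mapping-growth and ingestion-rejection risk worth noting in the changelog. If the four OCSF attributes are all that is expected, the removed `type: group` block is the tighter mapping and could be kept with the wildcard only as a fallback. The second hunk's leading context gives the user object's `name` the description `The name of the city.`, which looks copied from a location object; `The username. For example, janedoe1.` fits. Both enclosing user groups start above their hunks.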
@@ -978,21 +956,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1059,21 +1026,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
@@ -1482,21 +1438,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -2174,21 +2119,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -2270,21 +2204,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -2375,21 +2298,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -2456,21 +2368,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -3725,21 +3626,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -3821,21 +3711,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -3926,21 +3805,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4007,21 +3875,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4568,21 +4425,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4664,21 +4510,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4769,21 +4604,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4850,21 +4674,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -5189,21 +5002,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -5285,21 +5087,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -5390,21 +5181,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -5471,21 +5251,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -6346,21 +6115,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index 60a43ebb8913..af166ad4c4b8 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
@@ -308,10 +308,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.parent_process.file.accessor.org.\* | | object | | ocsf.actor.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | integer | | ocsf.actor.process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -337,10 +334,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.parent_process.file.creator.name | The name of the city. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.parent_process.file.creator.org.\* | | object | | ocsf.actor.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | integer | | ocsf.actor.process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -368,10 +362,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.parent_process.file.modifier.org.\* | | object | | ocsf.actor.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | integer | | ocsf.actor.process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -392,10 +383,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.parent_process.file.owner.org.\* | | object | | ocsf.actor.process.parent_process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | integer | | ocsf.actor.process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -520,10 +508,7 @@ This is the `Event` dataset. | ocsf.actor.process.user.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.user.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.user.org.\* | | object | | ocsf.actor.process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.user.type_id | The account type identifier. | integer | | ocsf.actor.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -872,10 +857,7 @@ This is the `Event` dataset. | ocsf.driver.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.accessor.org.\* | | object | | ocsf.driver.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.accessor.type_id | The account type identifier. | keyword | | ocsf.driver.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -900,10 +882,7 @@ This is the `Event` dataset. | ocsf.driver.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.creator.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.creator.org.\* | | object | | ocsf.driver.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.creator.type_id | The account type identifier. | keyword | | ocsf.driver.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -930,10 +909,7 @@ This is the `Event` dataset. | ocsf.driver.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.modifier.org.\* | | object | | ocsf.driver.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.modifier.type_id | The account type identifier. | keyword | | ocsf.driver.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -953,10 +929,7 @@ This is the `Event` dataset. | ocsf.driver.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.owner.org.\* | | object | | ocsf.driver.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.owner.type_id | The account type identifier. | keyword | | ocsf.driver.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1509,10 +1482,7 @@ This is the `Event` dataset. | ocsf.module.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.module.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.module.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.module.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.module.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.module.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.module.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.module.file.accessor.org.\* | | object | | ocsf.module.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.module.file.accessor.type_id | The account type identifier. | keyword | | ocsf.module.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1537,10 +1507,7 @@ This is the `Event` dataset. | ocsf.module.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.module.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.module.file.creator.name | The username. For example, janedoe1. | keyword | -| ocsf.module.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.module.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.module.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.module.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.module.file.creator.org.\* | | object | | ocsf.module.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.module.file.creator.type_id | The account type identifier. | keyword | | ocsf.module.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1567,10 +1534,7 @@ This is the `Event` dataset. | ocsf.module.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.module.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.module.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.module.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.module.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.module.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.module.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.module.file.modifier.org.\* | | object | | ocsf.module.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.module.file.modifier.type_id | The account type identifier. | keyword | | ocsf.module.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1590,10 +1554,7 @@ This is the `Event` dataset.
 | ocsf.module.file.owner.groups.type | The type of the group or account. | keyword |
 | ocsf.module.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.module.file.owner.name | The username. For example, janedoe1. | keyword |
-| ocsf.module.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
-| ocsf.module.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
-| ocsf.module.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
-| ocsf.module.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
+| ocsf.module.file.owner.org.\* | | object |
 | ocsf.module.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
 | ocsf.module.file.owner.type_id | The account type identifier. | keyword |
 | ocsf.module.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
From 32ed1027968d41eda13e9dbb2604a085002ecee1 Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Tue, 30 Jul 2024 17:47:46 +0530 Subject: [PATCH 08/30] segregated process fields in 'findings', added 'actor' fields for new class support, ignore _dev folder --- .../findings/fields/_dev/fields.yml | 2327 +++++++++++++++++ .../data_stream/findings/fields/fields.yml | 1399 ---------- .../findings/fields/process-fields.yml | 1402 ++++++++++ 3 files changed, 3729 insertions(+), 1399 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml 
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml
new file mode 100644
index 000000000000..8181694c88db
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml
@@ -0,0 +1,2327 @@ +- name: ocsf + type: group + fields: + - name: activity_id + type: keyword + description: The normalized identifier of the activity that triggered the event. + - name: activity_name + type: keyword + description: The event activity name, as defined by the activity_id. + - name: analytic + type: group + fields: + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics + type: group + fields: + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics + type: flattened + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: 'The analytic version. For example: 1.1.' + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: 'The analytic version. For example: 1.1.' + - name: api + type: group + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: request + type: group + fields: + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. 
In the case of 'Other', they are defined by the event source. + - name: uid + type: keyword + description: The unique request identifier. + - name: response + type: group + fields: + - name: code + type: long + description: The numeric response sent to a request. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: keyword + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. + - name: message + type: keyword + description: The description of the event, as defined by the event source. + - name: service + type: group + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. + - name: attacks + type: group + fields: + - name: tactics + type: group + fields: + - name: name + type: keyword + description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: uid + type: keyword + description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: technique + type: group + fields: + - name: name + type: keyword + description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' + - name: uid + type: keyword + description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' + - name: version + type: keyword + description: The ATT&CK Matrix version. 
+ - name: category_name + type: keyword + description: 'The event category name, as defined by category_uid value: Identity & Access Management.' + - name: category_uid + type: keyword + description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: cis_csc + type: group + fields: + - name: control + type: keyword + description: The CIS critical security control. + - name: version + type: keyword + description: The CIS critical security control version. + - name: class_name + type: keyword + description: 'The event class name, as defined by class_uid value: Security Finding.' + - name: class_uid + type: keyword + description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. + - name: cloud + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
+ - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: project_uid + type: keyword + description: The unique identifier of a Cloud project. + - name: provider + type: keyword + description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. + - name: region + type: keyword + description: The name of the cloud region, as defined by the cloud provider. + - name: zone + type: keyword + description: The availability zone in the cloud region, as defined by the cloud provider. + - name: compliance + type: group + fields: + - name: status_detail + type: keyword + description: The status details contains additional information about the event outcome. + - name: requirements + type: keyword + description: A list of applicable compliance requirements for which this finding is related to. + - name: status + type: keyword + description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. + - name: confidence + type: keyword + description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. + - name: confidence_id + type: keyword + description: The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. + - name: confidence_score + type: long + description: The confidence score as reported by the event source. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. 
+ - name: data_sources + type: keyword + description: The data sources for the finding. + - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: end_time + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: end_time_dt + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: enrichments + type: group + fields: + - name: data + type: flattened + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. + - name: type + type: keyword + description: The enrichment type. For example, location. + - name: value + type: keyword + description: The value of the attribute to which the enriched data pertains. + - name: evidence + type: flattened + description: The data the finding exposes to the analyst. + - name: finding + type: group + fields: + - name: created_time + type: date + description: The time when the finding was created. + - name: created_time_dt + type: date + description: The time when the finding was created. + - name: desc + type: keyword + description: The description of the reported finding. + - name: first_seen_time + type: date + description: The time when the finding was first observed. + - name: first_seen_time_dt + type: date + description: The time when the finding was first observed. + - name: last_seen_time + type: date + description: The time when the finding was most recently observed. + - name: last_seen_time_dt + type: date + description: The time when the finding was most recently observed. 
+ - name: modified_time + type: date + description: The time when the finding was last modified. + - name: modified_time_dt + type: date + description: The time when the finding was last modified. + - name: product_uid + type: keyword + description: The unique identifier of the product that reported the finding. + - name: related_events + type: group + fields: + - name: product_uid + type: keyword + description: The unique identifier of the product that reported the related event. + - name: type + type: keyword + description: 'The type of the related event. For example: Process Activity: Launch.' + - name: type_uid + type: keyword + description: 'The unique identifier of the related event type. For example: 100701.' + - name: uid + type: keyword + description: The unique identifier of the related event. + - name: remediation + type: group + fields: + - name: desc + type: keyword + description: The description of the remediation strategy. + - name: kb_articles + type: keyword + description: The KB article/s related to the entity. + - name: src_url + type: keyword + description: The URL pointing to the source of the finding. + - name: supporting_data + type: flattened + description: Additional data supporting a finding as provided by security tool. + - name: title + type: keyword + description: The title of the reported finding. + - name: types + type: keyword + description: One or more types of the reported finding. + - name: uid + type: keyword + description: The unique identifier of the reported finding. + - name: impact + type: keyword + description: The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source. + - name: impact_id + type: keyword + description: The normalized impact of the finding. + - name: impact_score + type: long + description: The impact of the finding, valid range 0-100. 
+ - name: kill_chain + type: group + fields: + - name: phase + type: keyword + description: The cyber kill chain phase. + - name: phase_id + type: keyword + description: The cyber kill chain phase identifier. + - name: malware + type: group + fields: + - name: classification_ids + type: keyword + description: The list of normalized identifiers of the malware classifications. + - name: classifications + type: keyword + description: The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source. + - name: cves + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: The CVSS base score. + - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The name of the metric. + - name: value + type: keyword + description: The value of the metric. + - name: overall_score + type: double + description: The CVSS overall score, impacted by base, temporal, and environmental metrics. 
+ - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. + - name: vector_string + type: keyword + description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' + - name: version + type: keyword + description: The CVSS version. + - name: cwe_uid + type: keyword + description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' + - name: cwe_url + type: keyword + description: Common Weakness Enumeration (CWE) definition URL. + - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' 
+ - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' + - name: name + type: keyword + description: The malware name, as reported by the detection engine. + - name: path + type: keyword + description: The filesystem path of the malware that was observed. + - name: provider + type: keyword + description: The provider of the malware information. + - name: uid + type: keyword + description: The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id. + - name: message + type: keyword + description: The description of the event, as defined by the event source. + - name: metadata + type: group + fields: + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' 
+ - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. + - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. 
+ - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' + - name: nist + type: keyword + description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. + - name: observables + type: group + fields: + - name: name + type: keyword + description: 'The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.' + - name: reputation + type: group + fields: + - name: base_score + type: double + description: The reputation score as reported by the event source. 
+ - name: provider + type: keyword + description: The provider of the reputation information. + - name: score + type: keyword + description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source. + - name: score_id + type: keyword + description: The normalized reputation score identifier. + - name: type + type: keyword + description: The observable value type name. + - name: type_id + type: keyword + description: The observable value type identifier. + - name: value + type: keyword + description: The value associated with the observable attribute. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. 
For example: 77af4d6b9913.' + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. 
+ - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. 
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The short name of the endpoint.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The name of the network interface (e.g. eth2).
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The short name of the endpoint.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The name of the network interface (e.g. eth2).
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: raw_data
+ type: flattened
+ description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: keyword
+ - name: resources
+ type: group
+ fields:
+ - name: cloud_partition
+ type: keyword
+ description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).'
+ - name: criticality
+ type: keyword
+ description: The criticality of the resource as defined by the event source.
+ - name: data
+ type: flattened
+ description: Additional data describing the resource.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: labels
+ type: keyword
+ description: The list of labels/tags associated to a resource.
+ - name: name
+ type: keyword
+ description: The name of the resource.
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: region
+ type: keyword
+ description: The cloud region of the resource.
+ - name: type
+ type: keyword
+ description: The resource type as defined by the event source.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the resource.
+ - name: version
+ type: keyword
+ description: The version of the resource. For example 1.2.3.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: severity
+ type: keyword
+ description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
+ - name: severity_id
+ type: long
+ description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
+ - name: start_time
+ type: date
+ description: The start time of a time period, or the time of the least recent event included in the aggregate event.
+ - name: start_time_dt
+ type: date
+ description: The start time of a time period, or the time of the least recent event included in the aggregate event.
+ - name: state
+ type: keyword
+ description: The normalized state of a security finding.
+ - name: state_id
+ type: keyword
+ description: The normalized state identifier of a security finding.
+ - name: status
+ type: keyword
+ description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ - name: status_code
+ type: keyword
+ description: The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
+ - name: status_detail
+ type: keyword
+ description: The status details contains additional information about the event outcome.
+ - name: status_id
+ type: keyword
+ description: The normalized identifier of the event status.
+ - name: time
+ type: date
+ description: The normalized event occurrence time.
+ - name: time_dt
+ type: date
+ description: The normalized event occurrence time.
+ - name: timezone_offset
+ type: long
+ description: The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
+ - name: type_name
+ type: keyword
+ description: The event type name, as defined by the type_uid.
+ - name: type_uid
+ type: keyword
+ description: 'The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.'
+ - name: unmapped
+ type: flattened
+ description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
+ - name: vulnerabilities
+ type: group
+ fields:
+ - name: cve
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: created_time_dt
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: cvss
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: 'The CVSS base score. For example: 9.1.'
+ - name: depth
+ type: keyword
+ description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
+ - name: metrics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the metric.
+ - name: value
+ type: keyword
+ description: The value of the metric.
+ - name: overall_score
+ type: double
+ description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.'
+ - name: severity
+ type: keyword
+ description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
+ - name: vector_string
+ type: keyword
+ description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.'
+ - name: version
+ type: keyword
+ description: 'The CVSS version. For example: 3.1.'
+ - name: cwe_uid
+ type: keyword
+ description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
+ - name: cwe_url
+ type: keyword
+ description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.'
+ - name: modified_time
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: modified_time_dt
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: type
+ type: keyword
+ description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
+ - name: uid
+ type: keyword
+ description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.'
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
+ - name: kb_articles
+ type: keyword
+ description: The KB article/s related to the entity.
+ - name: packages
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.
+ - name: epoch
+ type: long
+ description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.
+ - name: license
+ type: keyword
+ description: The software license applied to this package.
+ - name: name
+ type: keyword
+ description: The software package name.
+ - name: release
+ type: keyword
+ description: Release is the number of times a version of the software has been packaged.
+ - name: version
+ type: keyword
+ description: The software package version.
+ - name: references
+ type: keyword
+ description: Supporting reference URLs.
+ - name: related_vulnerabilities
+ type: keyword
+ description: List of vulnerabilities that are related to this vulnerability.
+ - name: severity
+ type: keyword
+ description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
+ - name: title
+ type: keyword
+ description: The title of the vulnerability.
+ - name: vendor_name
+ type: keyword
+ description: The vendor who identified the vulnerability.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index 8181694c88db..5c97d187a98c
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -597,1405 +597,6 @@
 - name: value
 type: keyword
 description: The value associated with the observable attribute.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: 'The image tag. For example: 1.11-alpine.'
- - name: uid
- type: keyword
- description: 'The unique image ID. For example: 77af4d6b9913.'
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. 
- - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. 
- - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' 
- - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
- - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. 
- - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. 
For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. 
- - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. 
- - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
- - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. 
- - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. 
- - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). 
- - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
 - name: raw_data
 type: flattened
 description: The event data as received from the event source.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml
new file mode 100644
index 000000000000..732e91359f37
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml
@@ -0,0 +1,1402 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: keyword
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
+ - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The short name of the endpoint. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The name of the network interface (e.g. eth2). + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The short name of the endpoint. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The name of the network interface (e.g. eth2). 
+ - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. From 78c1ea2ab6450bbab7a46da77e9b00b41ecf8876 Mon Sep 17 00:00:00 2001 
From: Shourie Ganguly Date: Tue, 30 Jul 2024 20:01:24 +0530 Subject: [PATCH 09/30] added fulnerability findings support and segregated 'resource' group into it's own file --- .../_dev/test/pipeline/test-findings.log | 1 + .../pipeline/test-findings.log-expected.json | 241 ++ .../elasticsearch/ingest_pipeline/default.yml | 15 +- .../data_stream/event/fields/fields.yml | 270 +- .../event/fields/resource-fields.yml | 132 + .../event/fields/vulnerability-fields.yml | 153 ++ .../findings/fields/_dev/fields.yml | 2327 ----------------- .../findings/fields/actor-fields.yml | 1770 +++++++++++++ .../data_stream/findings/fields/fields.yml | 144 +- .../findings/fields/vulnerability-fields.yml | 153 ++ .../data_stream/findings/manifest.yml | 6 + .../data_stream/iam/fields/fields.yml | 126 - .../iam/fields/resource-fields.yml | 132 + packages/amazon_security_lake/docs/README.md | 1 + 14 files changed, 2605 insertions(+), 2866 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml delete mode 100644 packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log index 9505d2a6cc7e..e33d8625112f 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log 
@@ -1 +1,2 @@ {"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Security Finding","class_uid":2001,"cloud":{"account":{"uid":"522536594833"},"provider":"AWS","region":"us-east-1"},"compliance":{"requirements":["PCI1.2"],"status":"PASSED","status_detail":"CloudWatch alarms do not exist in the account"},"finding":{"created_time":1635449619417,"desc":"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.","first_seen_time":1635449619417,"last_seen_time":1659636565316,"modified_time":1659636559100,"related_events":[{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"123e4567-e89b-12d3-a456-426655440000"},{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"AcmeNerfHerder-111111111111-x189dx7824"}],"remediation":{"desc":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","kb_articles":["https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"]},"title":"EC2.19 Security groups should not allow unrestricted access to ports with high risk","types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"uid":"test"},"malware":[{"classification_ids":[1],"classifications":["Adware"],"name":"Stringler","path":"/usr/sbin/stringler"}],"metadata":{"product":{"feature":{"name":"Security Hub","uid":"aws-foundational-security-best-practices/v/1.0.0/EC2.19"},"name":"Security 
Hub","uid":"arn:aws:securityhub:us-east-1::product/aws/securityhub","vendor_name":"AWS","version":"2018-10-08"},"profiles":["cloud"],"version":"1.0.0-rc.2"},"resources":[{"cloud_partition":"aws","labels":["billingCode=Lotus-1-2-3","needsPatching=true"],"region":"us-east-1","type":"AwsEc2SecurityGroup","uid":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499"}],"severity":"Informational","severity_id":1,"state":"Resolved","state_id":4,"time":1659636559100,"type_name":"Security Finding: Update","type_uid":200102,"unmapped":{"CompanyName":"AWS","Compliance.StatusReasons[].ReasonCode":"CW_ALARMS_NOT_PRESENT","FindingProviderFields.Severity.Label":"INFORMATIONAL","FindingProviderFields.Severity.Original":"INFORMATIONAL","FindingProviderFields.Types[]":"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices","Malware[].State":"OBSERVED","ProductFields.ControlId":"EC2.19","ProductFields.RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation","ProductFields.RelatedAWSResources:0/name":"securityhub-vpc-sg-restricted-common-ports-2af29baf","ProductFields.RelatedAWSResources:0/type":"AWS::Config::ConfigRule","ProductFields.Resources:0/Id":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499","ProductFields.StandardsArn":"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0","ProductFields.StandardsControlArn":"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19","ProductFields.StandardsSubscriptionArn":"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0","ProductFields.aws/securityhub/CompanyName":"AWS","ProductFields.aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/b
f428107-eee0-4d19-a013-92748ed69eef","ProductFields.aws/securityhub/ProductName":"Security Hub","RecordState":"ACTIVE","Severity.Normalized":"0","Severity.Original":"INFORMATIONAL","Severity.Product":"0","Vulnerabilities[].Cvss[].BaseScore":"4.7,1.0","Vulnerabilities[].Cvss[].BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N","Vulnerabilities[].Cvss[].Version":"V3,V2","Vulnerabilities[].Vendor.VendorSeverity":"Medium","WorkflowState":"NEW"},"vulnerabilities":[{"cve":{"created_time":1579132903000,"cvss":{"base_score":4.7,"vector_string":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"V3"},"modified_time":1579132903000,"uid":"CVE-2020-12345"},"kb_articles":["https://alas.aws.amazon.com/ALAS-2020-1337.html"],"packages":[{"architecture":"x86_64","epoch":1,"name":"openssl","release":"16.amzn2.0.3","version":"1.0.2k"},{"architecture":"x86_64","epoch":3,"name":"yaml","release":"16.amzn2.0.3","version":"4.3.2"}],"references":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"],"related_vulnerabilities":["CVE-2020-12345"],"vendor_name":"Alas"}]} +{"status":"In Progress","time":1722327712967320,"metadata":{"version":"1.1.0","product":{"name":"bouquet forget occupied","version":"1.1.0","uid":"c6afd262-4e4c-11ef-a63c-0242ac110005","feature":{"name":"updating lawyers string","uid":"c6afdb4a-4e4c-11ef-a8c4-0242ac110005"},"cpe_name":"words geographical gets","vendor_name":"trim massive setting"},"sequence":2,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"shall none shipped","log_provider":"outlined produced examining","original_time":"scope institutions int","tenant_uid":"c6afe64e-4e4c-11ef-bcf9-0242ac110005","logged_time_dt":"2024-07-30T08:21:52.967232Z"},"resource":{"owner":{"name":"Dude","type":"Admin","uid":"c6b0192a-4e4c-11ef-90f9-0242ac110005","type_id":2,"uid_alt":"recommendation highs equipped"},"type":"carb le multimedia","group":{"name":"resorts 
looking issues"},"namespace":"explain les collections"},"severity":"Fatal","type_name":"Vulnerability Finding: Create","activity_id":1,"type_uid":200201,"category_name":"Findings","class_uid":2002,"category_uid":2,"class_name":"Vulnerability Finding","start_time_dt":"2024-07-30T08:21:52.968170Z","end_time_dt":"2024-07-30T08:21:52.967308Z","timezone_offset":17,"activity_name":"Create","actor":{"user":{"name":"Without","type":"Admin","uid":"c6af496e-4e4c-11ef-b35b-0242ac110005","type_id":2,"account":{"name":"susan amy ventures","type":"Windows Account","uid":"c6af57e2-4e4c-11ef-b613-0242ac110005","type_id":2},"credential_uid":"c6af5ecc-4e4c-11ef-bda8-0242ac110005"}},"cloud":{"org":{"name":"africa za springer","uid":"c6b002c8-4e4c-11ef-b707-0242ac110005","ou_name":"opponent const outlet"},"project_uid":"c6b00a0c-4e4c-11ef-a1c9-0242ac110005","provider":"loving fabulous seating","region":"needed costumes main"},"confidence":"characteristic benz automotive","confidence_id":3,"finding_info":{"title":"vinyl lease crown","uid":"c6af0030-4e4c-11ef-963a-0242ac110005","analytic":{"name":"incentives module joyce","type":"Rule","uid":"c6af34ec-4e4c-11ef-a5db-0242ac110005","category":"sanyo asus escorts","type_id":1},"data_sources":["reliable honey flexibility"],"created_time_dt":"2024-07-30T08:21:52.962788Z","modified_time_dt":"2024-07-30T08:21:52.962804Z"},"severity_id":6,"status_id":2,"vulnerabilities":[{"title":"trek ae danger","references":["suite featured smart","sanyo vbulletin contain"],"cve":{"type":"republicans offset expense","title":"smilies since terminal","uid":"c6af9176-4e4c-11ef-8fde-0242ac110005","references":["brass duty expected"],"created_time":1722327712965081,"cvss":[{"version":"1.1.0","depth":"Base","base_score":97.7035,"overall_score":29.3613}]},"cwe":{"uid":"c6af9f0e-4e4c-11ef-b234-0242ac110005","caption":"blanket toshiba olympics"},"kb_articles":["mounts el significantly","newer length frost"],"packages":[{"name":"nuts nine 
horn","version":"1.1.0","architecture":"diana zen collector"},{"name":"answered absence oxygen","version":"1.1.0","release":"classroom virtually satisfactory","architecture":"railway offering vietnamese"}]},{"references":["workshop surprising ceramic","grow annually mom"],"severity":"villas haiti links","cve":{"type":"coaching workflow sony","title":"jim patients rick","uid":"c6afb07a-4e4c-11ef-9138-0242ac110005","references":["propecia rebecca savage"],"created_time":1722327712965872,"created_time_dt":"2024-07-30T08:21:52.965881Z","modified_time_dt":"2024-07-30T08:21:52.965891Z"},"cwe":{"uid":"c6afba70-4e4c-11ef-8ac3-0242ac110005"},"kb_articles":["resistant verified wiring","redhead informal frankfurt"]}]} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json index 65098cbe31f8..283b33361440 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json 
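Review bot: The added fixture's `"time":1722327712967320` is an epoch value in microseconds, whereas the existing line in this file and OCSF `time` use epoch milliseconds (`1659636559100`), and the expected document committed alongside it records `"@timestamp": "+56548-05-23T12:42:47.320Z"`, i.e. the pipeline evidently treats the value as milliseconds. The event's own `logged_time_dt` of `2024-07-30T08:21:52.967232Z` shows the intended instant, so either the fixture should carry `"time":1722327712967` (and likewise `cve.created_time`, which is `1722327712965081`), or, if Security Lake really emits microsecond `time` values, the ingest pipeline should scale them before the date conversion instead of baking a year-56548 timestamp into the expected output. The fixture also has `end_time_dt` (`...52.967308Z`) earlier than `start_time_dt` (`...52.968170Z`), which parses but is not a plausible event window for a golden file. The ingest pipeline is outside this hunk, so which side needs the change is inferred.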
@@ -222,6 +222,247 @@ ] } } + }, + { + "@timestamp": "+56548-05-23T12:42:47.320Z", + "cloud": { + "project": { + "id": "c6b00a0c-4e4c-11ef-a1c9-0242ac110005" + }, + "provider": "loving fabulous seating", + "region": "needed costumes main" + }, + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "create", + "category": [ + "vulnerability" + ], + "end": "2024-07-30T08:21:52.967Z", + "kind": "alert", + "original": "{\"status\":\"In Progress\",\"time\":1722327712967320,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"bouquet forget occupied\",\"version\":\"1.1.0\",\"uid\":\"c6afd262-4e4c-11ef-a63c-0242ac110005\",\"feature\":{\"name\":\"updating lawyers string\",\"uid\":\"c6afdb4a-4e4c-11ef-a8c4-0242ac110005\"},\"cpe_name\":\"words geographical gets\",\"vendor_name\":\"trim massive setting\"},\"sequence\":2,\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"shall none shipped\",\"log_provider\":\"outlined produced examining\",\"original_time\":\"scope institutions int\",\"tenant_uid\":\"c6afe64e-4e4c-11ef-bcf9-0242ac110005\",\"logged_time_dt\":\"2024-07-30T08:21:52.967232Z\"},\"resource\":{\"owner\":{\"name\":\"Dude\",\"type\":\"Admin\",\"uid\":\"c6b0192a-4e4c-11ef-90f9-0242ac110005\",\"type_id\":2,\"uid_alt\":\"recommendation highs equipped\"},\"type\":\"carb le multimedia\",\"group\":{\"name\":\"resorts looking issues\"},\"namespace\":\"explain les collections\"},\"severity\":\"Fatal\",\"type_name\":\"Vulnerability Finding: Create\",\"activity_id\":1,\"type_uid\":200201,\"category_name\":\"Findings\",\"class_uid\":2002,\"category_uid\":2,\"class_name\":\"Vulnerability 
Finding\",\"start_time_dt\":\"2024-07-30T08:21:52.968170Z\",\"end_time_dt\":\"2024-07-30T08:21:52.967308Z\",\"timezone_offset\":17,\"activity_name\":\"Create\",\"actor\":{\"user\":{\"name\":\"Without\",\"type\":\"Admin\",\"uid\":\"c6af496e-4e4c-11ef-b35b-0242ac110005\",\"type_id\":2,\"account\":{\"name\":\"susan amy ventures\",\"type\":\"Windows Account\",\"uid\":\"c6af57e2-4e4c-11ef-b613-0242ac110005\",\"type_id\":2},\"credential_uid\":\"c6af5ecc-4e4c-11ef-bda8-0242ac110005\"}},\"cloud\":{\"org\":{\"name\":\"africa za springer\",\"uid\":\"c6b002c8-4e4c-11ef-b707-0242ac110005\",\"ou_name\":\"opponent const outlet\"},\"project_uid\":\"c6b00a0c-4e4c-11ef-a1c9-0242ac110005\",\"provider\":\"loving fabulous seating\",\"region\":\"needed costumes main\"},\"confidence\":\"characteristic benz automotive\",\"confidence_id\":3,\"finding_info\":{\"title\":\"vinyl lease crown\",\"uid\":\"c6af0030-4e4c-11ef-963a-0242ac110005\",\"analytic\":{\"name\":\"incentives module joyce\",\"type\":\"Rule\",\"uid\":\"c6af34ec-4e4c-11ef-a5db-0242ac110005\",\"category\":\"sanyo asus escorts\",\"type_id\":1},\"data_sources\":[\"reliable honey flexibility\"],\"created_time_dt\":\"2024-07-30T08:21:52.962788Z\",\"modified_time_dt\":\"2024-07-30T08:21:52.962804Z\"},\"severity_id\":6,\"status_id\":2,\"vulnerabilities\":[{\"title\":\"trek ae danger\",\"references\":[\"suite featured smart\",\"sanyo vbulletin contain\"],\"cve\":{\"type\":\"republicans offset expense\",\"title\":\"smilies since terminal\",\"uid\":\"c6af9176-4e4c-11ef-8fde-0242ac110005\",\"references\":[\"brass duty expected\"],\"created_time\":1722327712965081,\"cvss\":[{\"version\":\"1.1.0\",\"depth\":\"Base\",\"base_score\":97.7035,\"overall_score\":29.3613}]},\"cwe\":{\"uid\":\"c6af9f0e-4e4c-11ef-b234-0242ac110005\",\"caption\":\"blanket toshiba olympics\"},\"kb_articles\":[\"mounts el significantly\",\"newer length frost\"],\"packages\":[{\"name\":\"nuts nine horn\",\"version\":\"1.1.0\",\"architecture\":\"diana zen 
collector\"},{\"name\":\"answered absence oxygen\",\"version\":\"1.1.0\",\"release\":\"classroom virtually satisfactory\",\"architecture\":\"railway offering vietnamese\"}]},{\"references\":[\"workshop surprising ceramic\",\"grow annually mom\"],\"severity\":\"villas haiti links\",\"cve\":{\"type\":\"coaching workflow sony\",\"title\":\"jim patients rick\",\"uid\":\"c6afb07a-4e4c-11ef-9138-0242ac110005\",\"references\":[\"propecia rebecca savage\"],\"created_time\":1722327712965872,\"created_time_dt\":\"2024-07-30T08:21:52.965881Z\",\"modified_time_dt\":\"2024-07-30T08:21:52.965891Z\"},\"cwe\":{\"uid\":\"c6afba70-4e4c-11ef-8ac3-0242ac110005\"},\"kb_articles\":[\"resistant verified wiring\",\"redhead informal frankfurt\"]}]}", + "outcome": "failure", + "provider": "outlined produced examining", + "sequence": 2, + "severity": 6, + "start": "2024-07-30T08:21:52.968Z", + "type": [ + "info" + ] + }, + "ocsf": { + "activity_id": "1", + "activity_name": "Create", + "actor": { + "user": { + "account": { + "name": "susan amy ventures", + "type": "Windows Account", + "type_id": "2", + "uid": "c6af57e2-4e4c-11ef-b613-0242ac110005" + }, + "credential_uid": "c6af5ecc-4e4c-11ef-bda8-0242ac110005", + "name": "Without", + "type": "Admin", + "type_id": "2", + "uid": "c6af496e-4e4c-11ef-b35b-0242ac110005" + } + }, + "category_name": "Findings", + "category_uid": "2", + "class_name": "Vulnerability Finding", + "class_uid": "2002", + "cloud": { + "org": { + "name": "africa za springer", + "ou_name": "opponent const outlet", + "uid": "c6b002c8-4e4c-11ef-b707-0242ac110005" + }, + "project_uid": "c6b00a0c-4e4c-11ef-a1c9-0242ac110005", + "provider": "loving fabulous seating", + "region": "needed costumes main" + }, + "confidence": "characteristic benz automotive", + "confidence_id": "3", + "end_time_dt": "2024-07-30T08:21:52.967Z", + "finding_info": { + "analytic": { + "category": "sanyo asus escorts", + "name": "incentives module joyce", + "type": "Rule", + "type_id": 1, + "uid": 
"c6af34ec-4e4c-11ef-a5db-0242ac110005" + }, + "created_time_dt": "2024-07-30T08:21:52.962788Z", + "data_sources": [ + "reliable honey flexibility" + ], + "modified_time_dt": "2024-07-30T08:21:52.962804Z", + "title": "vinyl lease crown", + "uid": "c6af0030-4e4c-11ef-963a-0242ac110005" + }, + "metadata": { + "log_name": "shall none shipped", + "log_provider": "outlined produced examining", + "logged_time_dt": "2024-07-30T08:21:52.967Z", + "original_time": "scope institutions int", + "product": { + "cpe_name": "words geographical gets", + "feature": { + "name": "updating lawyers string", + "uid": "c6afdb4a-4e4c-11ef-a8c4-0242ac110005" + }, + "name": "bouquet forget occupied", + "uid": "c6afd262-4e4c-11ef-a63c-0242ac110005", + "vendor_name": "trim massive setting", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "sequence": 2, + "tenant_uid": "c6afe64e-4e4c-11ef-bcf9-0242ac110005", + "version": "1.1.0" + }, + "resource": { + "group": { + "name": "resorts looking issues" + }, + "namespace": "explain les collections", + "owner": { + "name": "Dude", + "type": "Admin", + "type_id": "2", + "uid": "c6b0192a-4e4c-11ef-90f9-0242ac110005", + "uid_alt": "recommendation highs equipped" + }, + "type": "carb le multimedia" + }, + "severity": "Fatal", + "severity_id": 6, + "start_time_dt": "2024-07-30T08:21:52.968Z", + "status": "In Progress", + "status_id": "2", + "time": "+56548-05-23T12:42:47.320Z", + "timezone_offset": 17, + "type_name": "Vulnerability Finding: Create", + "type_uid": "200201", + "vulnerabilities": [ + { + "cve": { + "created_time": 1722327712965081, + "cvss": [ + { + "base_score": 97.7035, + "depth": "Base", + "overall_score": 29.3613, + "version": "1.1.0" + } + ], + "references": [ + "brass duty expected" + ], + "title": "smilies since terminal", + "type": "republicans offset expense", + "uid": 
"c6af9176-4e4c-11ef-8fde-0242ac110005" + }, + "cwe": { + "caption": "blanket toshiba olympics", + "uid": "c6af9f0e-4e4c-11ef-b234-0242ac110005" + }, + "kb_articles": [ + "mounts el significantly", + "newer length frost" + ], + "packages": [ + { + "architecture": "diana zen collector", + "name": "nuts nine horn", + "version": "1.1.0" + }, + { + "architecture": "railway offering vietnamese", + "name": "answered absence oxygen", + "release": "classroom virtually satisfactory", + "version": "1.1.0" + } + ], + "references": [ + "suite featured smart", + "sanyo vbulletin contain" + ], + "title": "trek ae danger" + }, + { + "cve": { + "created_time": 1722327712965872, + "created_time_dt": "2024-07-30T08:21:52.965881Z", + "modified_time_dt": "2024-07-30T08:21:52.965891Z", + "references": [ + "propecia rebecca savage" + ], + "title": "jim patients rick", + "type": "coaching workflow sony", + "uid": "c6afb07a-4e4c-11ef-9138-0242ac110005" + }, + "cwe": { + "uid": "c6afba70-4e4c-11ef-8ac3-0242ac110005" + }, + "kb_articles": [ + "resistant verified wiring", + "redhead informal frankfurt" + ], + "references": [ + "workshop surprising ceramic", + "grow annually mom" + ], + "severity": "villas haiti links" + } + ] + }, + "related": { + "user": [ + "c6af496e-4e4c-11ef-b35b-0242ac110005", + "Without" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "c6af496e-4e4c-11ef-b35b-0242ac110005", + "name": "Without" + }, + "vulnerability": { + "id": [ + "c6af9176-4e4c-11ef-8fde-0242ac110005", + "c6afb07a-4e4c-11ef-9138-0242ac110005" + ], + "reference": [ + "suite featured smart", + "sanyo vbulletin contain", + "workshop surprising ceramic", + "grow annually mom" + ], + "severity": [ + "villas haiti links" + ] + } } ] } \ No newline at end of file 
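Review bot: The expected `@timestamp` and `ocsf.time` of `+56548-05-23T12:42:47.320Z` pin a wrong conversion: the source `time` is `1722327712967320`, which the sibling `*_time_dt` values in the same event place at 2024-07-30, so it is a microsecond epoch that is being parsed as milliseconds (the date processor that does this is outside this diff). The same raw value shape appears in `ocsf.vulnerabilities[].cve.created_time` (`1722327712965081`), which this commit maps as `type: date` in vulnerability-fields.yml, so Elasticsearch will read it as epoch_millis at index time and place it in the same far future. `event.outcome` is `failure` while the same document carries `ocsf.status: In Progress` / `status_id: 2`; for the finding classes status_id 2 is not a failure, so the outcome mapping presumably needs a class-aware branch for 2002 — worth confirming in the processor that sets it. Committing the fixture with these values turns the defects into a passing test rather than catching them.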
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index ebf3414e79ed..0e596917c320 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -33,7 +33,7 @@ processors:
   - set:
       field: event.kind
       tag: set_event_kind
-      if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid)
+      if: ctx.ocsf?.class_uid != null && ['2001', '2002'].contains(ctx.ocsf.class_uid)
       value: alert
   - append:
       field: event.category
@@ -46,7 +46,7 @@ processors:
       tag: append_vulnerability_into_event_category
       value: vulnerability
       allow_duplicates: false
-      if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null
+      if: ctx.ocsf?.class_uid != null && ['2001', '2002'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null
   - append:
       field: event.category
       tag: append_iam_into_event_category
@@ -124,7 +124,7 @@ processors:
       tag: append_info_into_event_type
       value: info
       allow_duplicates: false
-      if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6002','6003','6004'].contains(ctx.ocsf.class_uid)
+      if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6002','6003','6004'].contains(ctx.ocsf.class_uid)
   - append:
       field: event.type
       tag: append_user_into_event_type
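Review bot: The class_uid allow-list in the `append_info_into_event_type` condition now reads `'2001', '2002','3001'` while every other list in this file is written without spaces after the commas; `['1001','1002','1003','1007','2001','2002','3001',…]` keeps the style consistent, and the two conditions above it (`set_event_kind`, `append_vulnerability_into_event_category`) use `'2001', '2002'` for the same reason. Separately, the same literal list is repeated across several processors and every new class has to be added to each of them by hand, which is easy to miss; a single leading processor that sets a boolean marker (for example `_tmp.is_vulnerability_finding`, a constructed name) and conditions that test it would remove that duplication, though that is a larger refactor than this change.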
@@ -363,6 +363,11 @@ processors:
       tag: convert_cloud_account_type_id_to_string
       type: string
       ignore_missing: true
+  - convert:
+      field: ocsf.resource.owner.type_id
+      tag: convert_resource_owner_type_id_to_string
+      type: string
+      ignore_missing: true
   - convert:
       field: ocsf.count
       tag: convert_count_to_long
@@ -688,7 +693,7 @@ processors:
       ignore_missing: true
   - pipeline:
       name: '{{ IngestPipeline "pipeline_object_actor" }}'
-      if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
+      if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
       tag: pipeline_object_actor
       ignore_missing_pipeline: true
   - pipeline:
@@ -703,7 +708,7 @@ processors:
       ignore_missing_pipeline: true
   - pipeline:
       name: '{{ IngestPipeline "pipeline_object_device" }}'
-      if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','5001','5002','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
+      if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','5001','5002','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
       tag: pipeline_object_device
       ignore_missing_pipeline: true
   - pipeline:
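Review bot: The new `convert` for `ocsf.resource.owner.type_id` brings it in line with the other `type_id` fields, but the fixture added in this commit still emits `ocsf.finding_info.analytic.type_id` as the number `1` while `actor.user.type_id` and `resource.owner.type_id` become `"2"`, so the same conversion appears to be missing for that path. Because `finding_info` is mapped as `flattened` in this commit it indexes as a keyword either way, but `_source` stays mixed-typed across events, which any script or transform reading the field has to special-case. A parallel processor next to the new one keeps the shape uniform.
```yaml
  - convert:
      field: ocsf.finding_info.analytic.type_id
      tag: convert_finding_info_analytic_type_id_to_string
      type: string
      ignore_missing: true
```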
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml index 6fec7dd6cb00..9fdf0577d2e6 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml @@ -2602,6 +2602,9 @@ - name: uid type: keyword description: The unique identifier of the reported finding. + - name: finding_info + type: flattened + description: Describes the supporting information about a generated finding. - name: group type: group fields: 
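Review bot: Mapping `ocsf.finding_info` as `flattened` stores every leaf as a keyword, so the `created_time_dt` and `modified_time_dt` values the fixture in this commit places under it cannot be range-queried or sorted as dates, and `analytic.type_id` is indexed as a string rather than a number. If those timestamps matter for triage, a `group` with explicit `date` subfields for the `_dt` keys (and `keyword` for the rest) is the safer mapping; otherwise the trade-off should at least be stated in the description, e.g. `description: Describes the supporting information about a generated finding. Mapped as flattened, so all subfields are indexed as keywords.`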
@@ -3712,132 +3715,6 @@ - name: requested_permissions type: long description: The permissions mask that were requested by the process. - - name: resource - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. 
- - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version - type: keyword - description: The version of the resource. For example 1.2.3. - name: resources type: group fields: 
@@ -4461,147 +4338,6 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vulnerabilities - type: group - fields: - - name: cve - type: group - fields: - - name: created_time - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: created_time_dt - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: cvss - type: group - fields: - - name: base_score - type: double - description: 'The CVSS base score. For example: 9.1.' - - name: depth - type: keyword - description: The CVSS depth represents a depth of the equation used to calculate CVSS score. - - name: metrics - type: group - fields: - - name: name - type: keyword - description: The name of the metric. - - name: value - type: keyword - description: The value of the metric. - - name: overall_score - type: double - description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' - - name: severity - type: keyword - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. - - name: vector_string - type: keyword - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. 
For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - - name: version - type: keyword - description: 'The CVSS version. For example: 3.1.' - - name: cwe_uid - type: keyword - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' - - name: cwe_url - type: keyword - description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' - - name: modified_time - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: modified_time_dt - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: type - type: keyword - description: The vulnerability type as selected from a large dropdown menu during CVE refinement. 
- - name: uid - type: keyword - description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' - - name: desc - type: keyword - description: The description of the vulnerability. - - name: fix_available - type: boolean - description: Indicates if a fix is available for the reported vulnerability. - - name: kb_articles - type: keyword - description: The KB article/s related to the entity. - - name: packages - type: group - fields: - - name: architecture - type: keyword - description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. - - name: epoch - type: long - description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. - - name: license - type: keyword - description: The software license applied to this package. - - name: name - type: keyword - description: The software package name. - - name: release - type: keyword - description: Release is the number of times a version of the software has been packaged. - - name: version - type: keyword - description: The software package version. - - name: references - type: keyword - description: Supporting reference URLs. - - name: related_vulnerabilities - type: keyword - description: List of vulnerabilities that are related to this vulnerability. - - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: title - type: keyword - description: The title of the vulnerability. - - name: vendor_name - type: keyword - description: The vendor who identified the vulnerability. - name: web_resources type: group fields: 
diff --git a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml new file mode 100644 index 000000000000..ca03fa06dc14 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml 
@@ -0,0 +1,132 @@ +- name: ocsf + type: group + fields: + - name: resource + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: namespace + type: keyword + description: The resource namespace. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. 
+ - name: type + type: keyword + description: The resource type as defined by the event source. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml new file mode 100644 index 000000000000..0efbd018dab7 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml 
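Review bot: The new resource-fields.yml ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next edit to the file produce a noisy diff on the last line. The added `namespace` field is also inserted between `data` and `group`, breaking the otherwise alphabetical ordering the rest of the block keeps; placing it after `name` restores it. Otherwise the definitions are a faithful move of the block deleted from fields.yml, and `owner.type_id` as `keyword` matches the new string convert in default.yml.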
@@ -0,0 +1,153 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: vulnerabilities
+ type: group
+ fields:
+ - name: cve
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: created_time_dt
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: cvss
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: 'The CVSS base score. For example: 9.1.'
+ - name: depth
+ type: keyword
+ description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
+ - name: metrics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the metric.
+ - name: value
+ type: keyword
+ description: The value of the metric.
+ - name: overall_score
+ type: double
+ description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.'
+ - name: severity
+ type: keyword
+ description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
+ - name: vector_string
+ type: keyword
+ description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.'
+ - name: version
+ type: keyword
+ description: 'The CVSS version. For example: 3.1.'
+ - name: cwe_uid
+ type: keyword
+ description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
+ - name: cwe_url
+ type: keyword
+ description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.'
+ - name: modified_time
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: modified_time_dt
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: type
+ type: keyword
+ description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
+ - name: uid
+ type: keyword
+ description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability.
A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.'
+ - name: references
+ type: keyword
+ description: Supporting reference URLs.
+ - name: title
+ type: keyword
+ description: The title of the cve.
+ - name: cwe
+ type: flattened
+ description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
+ - name: kb_articles
+ type: keyword
+ description: The KB article/s related to the entity.
+ - name: packages
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.
+ - name: epoch
+ type: long
+ description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.
+ - name: license
+ type: keyword
+ description: The software license applied to this package.
+ - name: name
+ type: keyword
+ description: The software package name.
+ - name: release
+ type: keyword
+ description: Release is the number of times a version of the software has been packaged.
+ - name: version
+ type: keyword
+ description: The software package version.
+ - name: references
+ type: keyword
+ description: Supporting reference URLs.
+ - name: related_vulnerabilities
+ type: keyword
+ description: List of vulnerabilities that are related to this vulnerability.
+ - name: severity
+ type: keyword
+ description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
+ - name: title
+ type: keyword
+ description: The title of the vulnerability.
+ - name: vendor_name
+ type: keyword
+ description: The vendor who identified the vulnerability.
\ No newline at end of file
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml
deleted file mode 100644
index 8181694c88db..000000000000
--- a/packages/amazon_security_lake/data_stream/findings/fields/_dev/fields.yml
+++ /dev/null
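Review bot: At `ocsf.vulnerabilities.cwe` the new file maps the field as `type: flattened` but reuses the `cwe_uid` wording (`The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.`), so the description documents a single identifier while the mapping accepts a whole object whose keys are indexed as keywords. I would describe what is actually stored, e.g. `description: The Common Weakness Enumeration (CWE) object associated with the vulnerability, stored flattened; its uid is the CWE identifier (for example CWE-787).` — if I recall the OCSF 1.1 schema correctly the cwe object also carries a caption and a source URL, which is worth confirming before settling the wording. Relatedly, `cve.cwe_uid` and `cve.cwe_url` are kept alongside the new `cwe` object; if they are retained for compatibility with older OCSF data, a one-line comment above them saying so would keep the next editor from pruning them as duplicates. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule will flag.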
@@ -1,2327 +0,0 @@
-- name: ocsf
- type: group
- fields:
- - name: activity_id
- type: keyword
- description: The normalized identifier of the activity that triggered the event.
- - name: activity_name
- type: keyword
- description: The event activity name, as defined by the activity_id.
- - name: analytic
- type: group
- fields:
- - name: category
- type: keyword
- description: The analytic category.
- - name: desc
- type: keyword
- description: The description of the analytic that generated the finding.
- - name: name
- type: keyword
- description: The name of the analytic that generated the finding.
- - name: related_analytics
- type: group
- fields:
- - name: category
- type: keyword
- description: The analytic category.
- - name: desc
- type: keyword
- description: The description of the analytic that generated the finding.
- - name: name
- type: keyword
- description: The name of the analytic that generated the finding.
- - name: related_analytics
- type: flattened
- - name: type
- type: keyword
- description: The analytic type.
- - name: type_id
- type: keyword
- description: The analytic type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the analytic that generated the finding.
- - name: version
- type: keyword
- description: 'The analytic version. For example: 1.1.'
- - name: type
- type: keyword
- description: The analytic type.
- - name: type_id
- type: keyword
- description: The analytic type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the analytic that generated the finding.
- - name: version
- type: keyword
- description: 'The analytic version. For example: 1.1.'
- - name: api
- type: group
- fields:
- - name: operation
- type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values.
In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
- type: keyword
- description: The version of the API service.
- - name: attacks
- type: group
- fields:
- - name: tactics
- type: group
- fields:
- - name: name
- type: keyword
- description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: uid
- type: keyword
- description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM.
- - name: technique
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.'
- - name: uid
- type: keyword
- description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.'
- - name: version
- type: keyword
- description: The ATT&CK Matrix version.
- - name: category_name
- type: keyword
- description: 'The event category name, as defined by category_uid value: Identity & Access Management.'
- - name: category_uid
- type: keyword
- description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
- - name: cis_csc
- type: group
- fields:
- - name: control
- type: keyword
- description: The CIS critical security control.
- - name: version
- type: keyword
- description: The CIS critical security control version.
- - name: class_name
- type: keyword
- description: 'The event class name, as defined by class_uid value: Security Finding.'
- - name: class_uid
- type: keyword
- description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
- - name: cloud
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: project_uid
- type: keyword
- description: The unique identifier of a Cloud project.
- - name: provider
- type: keyword
- description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc.
- - name: region
- type: keyword
- description: The name of the cloud region, as defined by the cloud provider.
- - name: zone
- type: keyword
- description: The availability zone in the cloud region, as defined by the cloud provider.
- - name: compliance
- type: group
- fields:
- - name: status_detail
- type: keyword
- description: The status details contains additional information about the event outcome.
- - name: requirements
- type: keyword
- description: A list of applicable compliance requirements for which this finding is related to.
- - name: status
- type: keyword
- description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
- - name: confidence
- type: keyword
- description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
- - name: confidence_id
- type: keyword
- description: The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.
- - name: confidence_score
- type: long
- description: The confidence score as reported by the event source.
- - name: count
- type: long
- description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
- - name: data_sources
- type: keyword
- description: The data sources for the finding.
- - name: duration
- type: long
- description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
- - name: end_time
- type: date
- description: The end time of a time period, or the time of the most recent event included in the aggregate event.
- - name: end_time_dt
- type: date
- description: The end time of a time period, or the time of the most recent event included in the aggregate event.
- - name: enrichments
- type: group
- fields:
- - name: data
- type: flattened
- description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
- - name: name
- type: keyword
- description: The name of the attribute to which the enriched data pertains.
- - name: provider
- type: keyword
- description: The enrichment data provider name.
- - name: type
- type: keyword
- description: The enrichment type. For example, location.
- - name: value
- type: keyword
- description: The value of the attribute to which the enriched data pertains.
- - name: evidence
- type: flattened
- description: The data the finding exposes to the analyst.
- - name: finding
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the finding was created.
- - name: created_time_dt
- type: date
- description: The time when the finding was created.
- - name: desc
- type: keyword
- description: The description of the reported finding.
- - name: first_seen_time
- type: date
- description: The time when the finding was first observed.
- - name: first_seen_time_dt
- type: date
- description: The time when the finding was first observed.
- - name: last_seen_time
- type: date
- description: The time when the finding was most recently observed.
- - name: last_seen_time_dt
- type: date
- description: The time when the finding was most recently observed.
- - name: modified_time
- type: date
- description: The time when the finding was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the finding was last modified.
- - name: product_uid
- type: keyword
- description: The unique identifier of the product that reported the finding.
- - name: related_events
- type: group
- fields:
- - name: product_uid
- type: keyword
- description: The unique identifier of the product that reported the related event.
- - name: type
- type: keyword
- description: 'The type of the related event. For example: Process Activity: Launch.'
- - name: type_uid
- type: keyword
- description: 'The unique identifier of the related event type. For example: 100701.'
- - name: uid
- type: keyword
- description: The unique identifier of the related event.
- - name: remediation
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the remediation strategy.
- - name: kb_articles
- type: keyword
- description: The KB article/s related to the entity.
- - name: src_url
- type: keyword
- description: The URL pointing to the source of the finding.
- - name: supporting_data
- type: flattened
- description: Additional data supporting a finding as provided by security tool.
- - name: title
- type: keyword
- description: The title of the reported finding.
- - name: types
- type: keyword
- description: One or more types of the reported finding.
- - name: uid
- type: keyword
- description: The unique identifier of the reported finding.
- - name: impact
- type: keyword
- description: The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
- - name: impact_id
- type: keyword
- description: The normalized impact of the finding.
- - name: impact_score
- type: long
- description: The impact of the finding, valid range 0-100.
- - name: kill_chain
- type: group
- fields:
- - name: phase
- type: keyword
- description: The cyber kill chain phase.
- - name: phase_id
- type: keyword
- description: The cyber kill chain phase identifier.
- - name: malware
- type: group
- fields:
- - name: classification_ids
- type: keyword
- description: The list of normalized identifiers of the malware classifications.
- - name: classifications
- type: keyword
- description: The list of malware classifications, normalized to the captions of the classification_id values. In the case of 'Other', they are defined by the event source.
- - name: cves
- type: group
- fields:
- - name: created_time
- type: date
- description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
- - name: created_time_dt
- type: date
- description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
- - name: cvss
- type: group
- fields:
- - name: base_score
- type: double
- description: The CVSS base score.
- - name: depth
- type: keyword
- description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
- - name: metrics
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the metric.
- - name: value
- type: keyword
- description: The value of the metric.
- - name: overall_score
- type: double
- description: The CVSS overall score, impacted by base, temporal, and environmental metrics.
- - name: severity
- type: keyword
- description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
- - name: vector_string
- type: keyword
- description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.'
- - name: version
- type: keyword
- description: The CVSS version.
- - name: cwe_uid
- type: keyword
- description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
- - name: cwe_url
- type: keyword
- description: Common Weakness Enumeration (CWE) definition URL.
- - name: modified_time
- type: date
- description: The Record Modified Date identifies when the CVE record was last updated.
- - name: modified_time_dt
- type: date
- description: The Record Modified Date identifies when the CVE record was last updated.
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: The two letter lower case language codes, as defined by ISO 639-1.
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: type
- type: keyword
- description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
- - name: uid
- type: keyword
- description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.'
- - name: name
- type: keyword
- description: The malware name, as reported by the detection engine.
- - name: path
- type: keyword
- description: The filesystem path of the malware that was observed.
- - name: provider
- type: keyword
- description: The provider of the malware information.
- - name: uid
- type: keyword
- description: The malware unique identifier, as reported by the detection engine. For example a virus id or an IPS signature id.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: metadata
- type: group
- fields:
- - name: correlation_uid
- type: keyword
- description: The unique identifier used to correlate events.
- - name: event_code
- type: keyword
- description: The Event ID or Code that the product uses to describe the event.
- - name: extension
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The schema extension name. For example: dev.'
- - name: uid
- type: keyword
- description: 'The schema extension unique identifier. For example: 999.'
- - name: version
- type: keyword
- description: 'The schema extension version. For example: 1.0.0-alpha.2.'
- - name: labels
- type: keyword
- description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
- - name: log_name
- type: keyword
- description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
- - name: log_provider
- type: keyword
- description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
- - name: log_version
- type: keyword
- description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
- - name: logged_time
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: logged_time_dt
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: modified_time
- type: date
- description: The time when the event was last modified or enriched.
- - name: modified_time_dt
- type: date
- description: The time when the event was last modified or enriched.
- - name: original_time
- type: keyword
- description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
- - name: processed_time
- type: date
- description: The event processed time, such as an ETL operation.
- - name: processed_time_dt
- type: date
- description: The event processed time, such as an ETL operation.
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: profiles
- type: keyword
- description: The list of profiles used to create the event.
- - name: sequence
- type: long
- description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- - name: uid
- type: keyword
- description: The logging system-assigned unique identifier of an event instance.
- - name: version
- type: keyword
- description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
- - name: nist
- type: keyword
- description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.
- - name: observables
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.'
- - name: reputation
- type: group
- fields:
- - name: base_score
- type: double
- description: The reputation score as reported by the event source.
- - name: provider
- type: keyword
- description: The provider of the reputation information.
- - name: score
- type: keyword
- description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.
- - name: score_id
- type: keyword
- description: The normalized reputation score identifier.
- - name: type
- type: keyword
- description: The observable value type name.
- - name: type_id
- type: keyword
- description: The observable value type identifier.
- - name: value
- type: keyword
- description: The value associated with the observable attribute.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.'
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: 'The image tag. For example: 1.11-alpine.'
- - name: uid
- type: keyword
- description: 'The unique image ID.
For example: 77af4d6b9913.'
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.'
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. 
- - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. 
- - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. 
- - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
- - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' 
- - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. 
- - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. 
- - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. 
- - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. 
- - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. 
- - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. 
- - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: raw_data - type: flattened - description: The event data as received from the event source. - - name: raw_data_keyword - type: keyword - - name: resources - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). 
- - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
- - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version - type: keyword - description: The version of the resource. For example 1.2.3. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: severity_id - type: long - description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - - name: start_time - type: date - description: The start time of a time period, or the time of the least recent event included in the aggregate event. - - name: start_time_dt - type: date - description: The start time of a time period, or the time of the least recent event included in the aggregate event. - - name: state - type: keyword - description: The normalized state of a security finding. - - name: state_id - type: keyword - description: The normalized state identifier of a security finding. 
- - name: status - type: keyword - description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. - - name: status_code - type: keyword - description: The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. - - name: status_detail - type: keyword - description: The status details contains additional information about the event outcome. - - name: status_id - type: keyword - description: The normalized identifier of the event status. - - name: time - type: date - description: The normalized event occurrence time. - - name: time_dt - type: date - description: The normalized event occurrence time. - - name: timezone_offset - type: long - description: The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. - - name: type_name - type: keyword - description: The event type name, as defined by the type_uid. - - name: type_uid - type: keyword - description: 'The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.' - - name: unmapped - type: flattened - description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. - - name: vulnerabilities - type: group - fields: - - name: cve - type: group - fields: - - name: created_time - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. 
- - name: created_time_dt - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: cvss - type: group - fields: - - name: base_score - type: double - description: 'The CVSS base score. For example: 9.1.' - - name: depth - type: keyword - description: The CVSS depth represents a depth of the equation used to calculate CVSS score. - - name: metrics - type: group - fields: - - name: name - type: keyword - description: The name of the metric. - - name: value - type: keyword - description: The value of the metric. - - name: overall_score - type: double - description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' - - name: severity - type: keyword - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. - - name: vector_string - type: keyword - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - - name: version - type: keyword - description: 'The CVSS version. For example: 3.1.' - - name: cwe_uid - type: keyword - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' - - name: cwe_url - type: keyword - description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' - - name: modified_time - type: date - description: The Record Modified Date identifies when the CVE record was last updated. 
- - name: modified_time_dt - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: type - type: keyword - description: The vulnerability type as selected from a large dropdown menu during CVE refinement. - - name: uid - type: keyword - description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' - - name: desc - type: keyword - description: The description of the vulnerability. - - name: fix_available - type: boolean - description: Indicates if a fix is available for the reported vulnerability. - - name: kb_articles - type: keyword - description: The KB article/s related to the entity. 
- - name: packages - type: group - fields: - - name: architecture - type: keyword - description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. - - name: epoch - type: long - description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. - - name: license - type: keyword - description: The software license applied to this package. - - name: name - type: keyword - description: The software package name. - - name: release - type: keyword - description: Release is the number of times a version of the software has been packaged. - - name: version - type: keyword - description: The software package version. - - name: references - type: keyword - description: Supporting reference URLs. - - name: related_vulnerabilities - type: keyword - description: List of vulnerabilities that are related to this vulnerability. - - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: title - type: keyword - description: The title of the vulnerability. - - name: vendor_name - type: keyword - description: The vendor who identified the vulnerability. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml new file mode 100644 index 000000000000..bc934388d178 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml 
@@ -0,0 +1,1770 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. 
+ - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
+ - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. 
AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. 
For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' 
+ - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. 
+ - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. 
+ - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: integer + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' 
+ - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. 
+ - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. 
+ - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. 
+ - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. 
+ - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
+ - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: integer + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. 
+ - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: integer + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). 
+ - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. + - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. 
+ - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. 
+ - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index 5c97d187a98c..f3f1a298515c 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -785,144 +785,6 @@
 - name: unmapped
 type: flattened
 description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
- - name: vulnerabilities
- type: group
- fields:
- - name: cve
- type: group
- fields:
- - name: created_time
- type: date
- description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
- - name: created_time_dt
- type: date
- description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
- - name: cvss
- type: group
- fields:
- - name: base_score
- type: double
- description: 'The CVSS base score. For example: 9.1.'
- - name: depth
- type: keyword
- description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
- - name: metrics
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the metric.
- - name: value
- type: keyword
- description: The value of the metric.
- - name: overall_score
- type: double
- description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.'
- - name: severity
- type: keyword
- description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
- - name: vector_string
- type: keyword
- description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.'
- - name: version
- type: keyword
- description: 'The CVSS version. For example: 3.1.'
- - name: cwe_uid
- type: keyword
- description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
- - name: cwe_url
- type: keyword
- description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.'
- - name: modified_time
- type: date
- description: The Record Modified Date identifies when the CVE record was last updated.
- - name: modified_time_dt
- type: date
- description: The Record Modified Date identifies when the CVE record was last updated.
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: type
- type: keyword
- description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
- - name: uid
- type: keyword
- description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.'
- - name: desc
- type: keyword
- description: The description of the vulnerability.
- - name: fix_available
- type: boolean
- description: Indicates if a fix is available for the reported vulnerability.
- - name: kb_articles
- type: keyword
- description: The KB article/s related to the entity.
- - name: packages
- type: group
- fields:
- - name: architecture
- type: keyword
- description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.
- - name: epoch
- type: long
- description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.
- - name: license
- type: keyword
- description: The software license applied to this package.
- - name: name
- type: keyword
- description: The software package name.
- - name: release
- type: keyword
- description: Release is the number of times a version of the software has been packaged.
- - name: version
- type: keyword
- description: The software package version.
- - name: references
- type: keyword
- description: Supporting reference URLs.
- - name: related_vulnerabilities
- type: keyword
- description: List of vulnerabilities that are related to this vulnerability.
- - name: severity
- type: keyword
- description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
- - name: title
- type: keyword
- description: The title of the vulnerability.
- - name: vendor_name
- type: keyword
- description: The vendor who identified the vulnerability.
+ - name: finding_info
+ type: flattened
+ description: Describes the supporting information about a generated finding.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
new file mode 100644
index 000000000000..0efbd018dab7
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
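Review bot: `finding_info` is added as `flattened`, which indexes every leaf as a keyword, so the sub-objects OCSF places under finding_info (if I recall the 1.1 schema correctly: timestamps such as `created_time`/`first_seen_time`, the `analytic` object and the `attacks` list carrying MITRE ATT&CK technique and tactic ids) cannot be range-queried or aggregated by type and are not usable as typed pivot fields in detection rules. The `vulnerabilities` group removed in this hunk reappears with fully typed mappings in the new vulnerability-fields.yml, so giving finding_info the same treatment would be the consistent choice. If flattened is a deliberate stop-gap, say so next to the field, e.g. `# TODO: finding_info is flattened for now; OCSF sub-objects (analytic, attacks, related_events) need typed mappings for detection pivots.`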
@@ -0,0 +1,153 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: vulnerabilities
+ type: group
+ fields:
+ - name: cve
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: created_time_dt
+ type: date
+ description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
+ - name: cvss
+ type: group
+ fields:
+ - name: base_score
+ type: double
+ description: 'The CVSS base score. For example: 9.1.'
+ - name: depth
+ type: keyword
+ description: The CVSS depth represents a depth of the equation used to calculate CVSS score.
+ - name: metrics
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the metric.
+ - name: value
+ type: keyword
+ description: The value of the metric.
+ - name: overall_score
+ type: double
+ description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.'
+ - name: severity
+ type: keyword
+ description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.
+ - name: vector_string
+ type: keyword
+ description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.'
+ - name: version
+ type: keyword
+ description: 'The CVSS version. For example: 3.1.'
+ - name: cwe_uid
+ type: keyword
+ description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
+ - name: cwe_url
+ type: keyword
+ description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.'
+ - name: modified_time
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: modified_time_dt
+ type: date
+ description: The Record Modified Date identifies when the CVE record was last updated.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: type
+ type: keyword
+ description: The vulnerability type as selected from a large dropdown menu during CVE refinement.
+ - name: uid
+ type: keyword
+ description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.'
+ - name: references
+ type: keyword
+ description: Supporting reference URLs.
+ - name: title
+ type: keyword
+ description: The title of the cve.
+ - name: cwe
+ type: flattened
+ description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
+ - name: kb_articles
+ type: keyword
+ description: The KB article/s related to the entity.
+ - name: packages
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.
+ - name: epoch
+ type: long
+ description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers.
+ - name: license
+ type: keyword
+ description: The software license applied to this package.
+ - name: name
+ type: keyword
+ description: The software package name.
+ - name: release
+ type: keyword
+ description: Release is the number of times a version of the software has been packaged.
+ - name: version
+ type: keyword
+ description: The software package version.
+ - name: references
+ type: keyword
+ description: Supporting reference URLs.
+ - name: related_vulnerabilities
+ type: keyword
+ description: List of vulnerabilities that are related to this vulnerability.
+ - name: severity
+ type: keyword
+ description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
+ - name: title
+ type: keyword
+ description: The title of the vulnerability.
+ - name: vendor_name
+ type: keyword
+ description: The vendor who identified the vulnerability.
\ No newline at end of file
diff --git a/packages/amazon_security_lake/data_stream/findings/manifest.yml b/packages/amazon_security_lake/data_stream/findings/manifest.yml
index 38c95d073a94..6cc244e9afe4 100644
--- a/packages/amazon_security_lake/data_stream/findings/manifest.yml
+++ b/packages/amazon_security_lake/data_stream/findings/manifest.yml
@@ -1,3 +1,9 @@
 title: Amazon Security Lake Findings Events
 dataset: amazon_security_lake.findings
 type: logs
+elasticsearch:
+ dynamic_dataset: true
+ dynamic_namespace: true
+ index_template:
+ mappings:
+ dynamic: true
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
index 91b1f6bdf841..9f86fa8da790 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
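Review bot: The new `cwe` field under `cve` is mapped as `flattened`, i.e. an object, but its description is copied verbatim from the scalar `cwe_uid` three entries above ("The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787."), so the docs generated from this file will describe an object as if it were an identifier; `description: The Common Weakness Enumeration (CWE) object associated with the CVE, indexed as a flattened object.` reads correctly. The `created_time` and `modified_time` date fields in `cve` carry no `format`, while the `ldap_person` date fields added to actor-fields.yml in this same commit use `format: epoch_second`; unless the pipeline normalizes these values before indexing, the two will parse the same kind of OCSF timestamp differently, so the difference should be either intentional and documented or reconciled. Minor: `title` under `cve` says "the cve" where the rest of the file writes "CVE", and the file ends without a trailing newline.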
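Review bot: `dynamic: true` in the index template mappings lets any unmapped key in an incoming finding create a new field, so a source emitting varied or externally influenced key names can push the index toward `index.mapping.total_fields.limit` and cause rejected writes, and the first value seen fixes each new field's type, so later documents with a different shape fail with mapping conflicts. Since this commit defines the findings schema explicitly in fields.yml and maps the open-ended `finding_info` as `flattened`, consider `dynamic: false` (or `dynamic: runtime`) unless dynamic mapping is deliberately relied on, and record the reason next to it, e.g. `# dynamic: true — OCSF findings carry source-specific top-level keys not covered by fields.yml`. Separately, as I understand Fleet's permission model, `dynamic_dataset: true` combined with `dynamic_namespace: true` widens the agent API key's write grant from this data stream to every `logs-*-*` stream; if the ingest pipeline does not reroute documents, dropping these two keys keeps the credential least-privileged.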
@@ -3831,132 +3831,6 @@ - name: raw_data type: flattened description: The event data as received from the event source. - - name: resource - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. 
- - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version - type: keyword - description: The version of the resource. For example 1.2.3. - name: service type: group fields: diff --git a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml new file mode 100644 index 000000000000..ca03fa06dc14 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml 
@@ -0,0 +1,132 @@ +- name: ocsf + type: group + fields: + - name: resource + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: namespace + type: keyword + description: The resource namespace. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. 
+ - name: type
+ type: keyword
+ description: The resource type as defined by the event source.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the resource.
+ - name: version
+ type: keyword
+ description: The version of the resource. For example 1.2.3.
\ No newline at end of file
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index af166ad4c4b8..0a7e9a325447 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -1346,6 +1346,7 @@ This is the `Event` dataset.
 | ocsf.finding.title | The title of the reported finding. | keyword |
 | ocsf.finding.types | One or more types of the reported finding. | keyword |
 | ocsf.finding.uid | The unique identifier of the reported finding. | keyword |
+| ocsf.finding_info | Describes the supporting information about a generated finding. | flattened |
 | ocsf.group.desc | The group description. | keyword |
 | ocsf.group.name | The group name. | keyword |
 | ocsf.group.privileges | The group privileges. | keyword |
From 8f7122dbfbc62f2f532563c8b559d17337401512 Mon Sep 17 00:00:00 2001
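Review bot: The new resource-fields.yml ends without a trailing newline (`\ No newline at end of file` after the `version` description), which yamllint flags and which makes every later append to the file show up as a two-line diff; the same marker appears at the end of the preceding new file. Separately, `owner.account.type_id` and `owner.type_id` are mapped as `keyword`, while `type_id` on the endpoint objects in network-endpoint-fields.yml later in this series is `integer`; OCSF `*_id` values are numeric enumerations, so the keyword mapping prevents numeric range queries and makes the same attribute behave differently across data streams. If the ingest pipeline writes these as numbers, `type: integer` would be the consistent choice.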
From: Shourie Ganguly Date: Thu, 1 Aug 2024 20:08:46 +0530 Subject: [PATCH 10/30] added ntp activity event class, deprecated proxy event class, added proxy_endpoint field, updated network activity class and segregated endpoint event mappings into separate files across all data streams. updated ocsf object as necessary across respective data streams --- .../application_activity/fields/fields.yml | 168 +- .../fields/network-endpoint-fields.yml | 213 ++ .../data_stream/discovery/fields/fields.yml | 6 + .../test/pipeline/test-network-activity.log | 1 + .../test-network-activity.log-expected.json | 1029 +++++++++ .../elasticsearch/ingest_pipeline/default.yml | 28 +- .../data_stream/event/fields/fields.yml | 330 +-- .../event/fields/network-endpoint-fields.yml | 213 ++ .../event/fields/proxy-endpoint-fields.yml | 108 + .../event/fields/proxy-fields-deprecated.yml | 84 + .../event/fields/resource-fields.yml | 4 +- .../event/fields/vulnerability-fields.yml | 4 +- .../findings/fields/vulnerability-fields.yml | 4 +- .../data_stream/iam/fields/fields.yml | 168 +- .../iam/fields/network-endpoint-fields.yml | 213 ++ .../iam/fields/resource-fields.yml | 4 +- .../network_activity/fields/actor-fields.yml | 1560 ++++++++++++++ .../network_activity/fields/fields.yml | 1887 +---------------- .../fields/network-endpoint-fields.yml | 213 ++ .../fields/proxy-endpoint-fields.yml | 108 + .../fields/proxy-fields-deprecated.yml | 84 + .../system_activity/fields/fields.yml | 6 + packages/amazon_security_lake/docs/README.md | 79 + 23 files changed, 4125 insertions(+), 2389 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml create mode 100644 
packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 9adcbdf087ba..3592f2114ad7 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml @@ -1711,6 +1711,9 @@ - name: autoscale_uid type: keyword description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. - name: created_time type: date description: The time when the device was known to have been created. @@ -1921,6 +1924,9 @@ - name: name type: keyword description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - name: network_interfaces type: group fields: 
@@ -2035,87 +2041,6 @@ - name: vpc_uid type: keyword description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dst_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. 
@@ -2455,87 +2380,6 @@ - name: severity_id type: long description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..fdb8f2040fcd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml 
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: integer + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: integer + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index e8dd58eadca4..929074598149 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
@@ -163,6 +163,9 @@
 - name: autoscale_uid
 type: keyword
 description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
 - name: created_time
 type: date
 description: The time when the device was known to have been created.
@@ -373,6 +376,9 @@
 - name: name
 type: keyword
 description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
 - name: network_interfaces
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log
index 609b4b0c5ea3..ef0a463fad02 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log
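Review bot: `intermediate_ips` in the new network-endpoint-fields.yml is mapped as `ip`, yet its own description says the values come from the HTTP `X-Forwarded-For` header, which is supplied by the client; a single non-address string there makes Elasticsearch reject the whole document with a mapper parsing error, so a malformed header would silently drop the event from the index. Consider `ignore_malformed: true` on `intermediate_ips` (and arguably `ip`) or normalising the value in the ingest pipeline before it is indexed; the definition is repeated verbatim under `src_endpoint`, so both copies need the same treatment. As a point of style, `proxy_endpoint` sits between `os` and `port` in both endpoint objects, breaking the alphabetical order the rest of the object follows; move it after `port`.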
@@ -10,3 +10,4 @@ {"message":"kelkoo interactions constitute","status":"patch emma midi","time":1695676041549,"file":{"name":"amend.sh","type":"Unknown","desc":"arabic suits fun","type_id":0,"accessor":{"name":"Uruguay","type":"User","uid":"849f49fa-5be7-11ee-bfe2-0242ac110005","org":{"name":"lottery political own","uid":"849f501c-5be7-11ee-ab6f-0242ac110005","ou_name":"confirmed towards declined","ou_uid":"849f540e-5be7-11ee-841c-0242ac110005"},"type_id":1},"hashes":[{"value":"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B","algorithm":"SHA-256","algorithm_id":3},{"value":"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B","algorithm":"quickXorHash","algorithm_id":7}],"modified_time_dt":"2023-09-25T21:07:21.567190Z"},"metadata":{"version":"1.0.0","product":{"name":"describes static geological","version":"1.0.0","uid":"849714ce-5be7-11ee-981b-0242ac110005","url_string":"avatar","vendor_name":"highly got hook"},"sequence":99,"profiles":["cloud","container","datetime"],"correlation_uid":"84971e10-5be7-11ee-b5e7-0242ac110005","log_name":"proud iso ticket","log_provider":"cb indexes boxing","original_time":"tournaments leisure comedy","modified_time_dt":"2023-09-25T21:07:21.513376Z","processed_time_dt":"2023-09-25T21:07:21.513394Z"},"start_time":1695676041445,"severity":"Low","type_name":"Network File Activity: Rename","activity_id":5,"type_uid":401005,"observables":[{"name":"except visitor vbulletin","type":"Uniform Resource Locator","type_id":23},{"name":"hong rhode para","type":"Process Name","type_id":9}],"category_name":"Network Activity","class_uid":4010,"category_uid":4,"class_name":"Network File Activity","timezone_offset":42,"activity_name":"Rename","actor":{"process":{"name":"Qualification","pid":42,"file":{"attributes":9,"name":"citations.gpx","type":"Character Device","path":"telling saved challenge/wrapped.tga/citations.gpx","type_id":3,"parent_folder":"telling 
saved challenge/wrapped.tga"},"user":{"name":"Aquatic","type":"System","uid":"84975f7e-5be7-11ee-bfad-0242ac110005","type_id":3,"account":{"name":"suspended cg sisters","uid":"8497655a-5be7-11ee-ab52-0242ac110005"}},"tid":17,"uid":"849768e8-5be7-11ee-a428-0242ac110005","cmd_line":"goals happen dad","container":{"name":"ambien cloud eur","size":2164055839,"uid":"84977158-5be7-11ee-b042-0242ac110005","image":{"name":"produced field obituaries","path":"adaptive granny knew","uid":"849779dc-5be7-11ee-8f66-0242ac110005"},"network_driver":"cute desktops arrest"},"created_time":1695676041514,"namespace_pid":41,"parent_process":{"file":{"name":"finance.3g2","type":"wrap","path":"attention matching forest/met.mpa/finance.3g2","signature":{"certificate":{"version":"1.0.0","subject":"mt minutes bids","issuer":"shall systematic vatican","fingerprints":[{"value":"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805","algorithm":"TLSH","algorithm_id":6}],"expiration_time":1695676041516,"serial_number":"requirement sodium situated","expiration_time_dt":"2023-09-25T21:07:21.516239Z","created_time_dt":"2023-09-25T21:07:21.516247Z"},"algorithm":"RSA","algorithm_id":2},"desc":"surgeons settled advocacy","type_id":99,"creator":{"name":"Additionally","type":"beat","uid":"84979804-5be7-11ee-848b-0242ac110005","type_id":99,"full_name":"Kirstin Thersa","credential_uid":"8497ab3c-5be7-11ee-8df1-0242ac110005"},"parent_folder":"attention matching 
forest/met.mpa","hashes":[{"value":"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9","algorithm":"CTPH","algorithm_id":5},{"value":"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7","algorithm":"magic","algorithm_id":99}],"modified_time_dt":"2023-09-25T21:07:21.517084Z"},"uid":"8497ba64-5be7-11ee-b3a6-0242ac110005","session":{"uid":"8497c27a-5be7-11ee-8a34-0242ac110005","issuer":"discussing capital ottawa","created_time":1695676041516,"credential_uid":"8497c716-5be7-11ee-bd7a-0242ac110005"},"loaded_modules":["/super/disclose/barnes/pg/california.png","/ourselves/lynn/gpl/helped/narrow.tga"],"cmd_line":"bless addresses backgrounds","container":{"name":"citizenship caribbean twisted","size":2686118868,"uid":"8497d15c-5be7-11ee-aa8b-0242ac110005","image":{"name":"assistance grande an","uid":"8497dec2-5be7-11ee-9c88-0242ac110005"},"hash":{"value":"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77","algorithm":"Unknown","algorithm_id":0}},"created_time":1695676041518,"lineage":["vhs mechanism dates"],"namespace_pid":97,"parent_process":{"name":"Bid","pid":26,"file":{"name":"dame.svg","type":"Regular File","path":"wives pamela karl/articles.c/dame.svg","modifier":{"name":"Complete","type":"Unknown","uid":"8497f38a-5be7-11ee-97c6-0242ac110005","groups":[{"name":"winds seeking reply","uid":"8497fde4-5be7-11ee-9733-0242ac110005"},{"name":"hamburg roommate environment","uid":"8498099c-5be7-11ee-ac6f-0242ac110005"}],"type_id":0},"type_id":1,"parent_folder":"wives pamela 
karl/articles.c","hashes":[{"value":"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC","algorithm":"magic","algorithm_id":99},{"value":"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36","algorithm":"quickXorHash","algorithm_id":7}],"security_descriptor":"robinson queens graduate","created_time_dt":"2023-09-25T21:07:21.519646Z"},"user":{"name":"Shipment","type":"Unknown","uid":"84981f68-5be7-11ee-b652-0242ac110005","type_id":0,"uid_alt":"singh dim static"},"uid":"849823d2-5be7-11ee-92d1-0242ac110005","cmd_line":"harder interventions pb","container":{"name":"kg sources houses","runtime":"kate through furniture","size":2387392206,"uid":"849829cc-5be7-11ee-bb7a-0242ac110005","hash":{"value":"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6","algorithm":"SHA-256","algorithm_id":3},"pod_uuid":"kiss"},"created_time":1695676041517,"integrity":"they thermal eau","lineage":["attraction cord adjustment","announcements summer introduce"],"namespace_pid":49,"parent_process":{"name":"Jamie","pid":28,"file":{"name":"seq.wpd","type":"Character Device","path":"conflicts disability citysearch/ieee.dtd/seq.wpd","modifier":{"name":"Officer","type":"Admin","uid":"84984362-5be7-11ee-af2c-0242ac110005","type_id":2},"type_id":3,"parent_folder":"conflicts disability citysearch/ieee.dtd","confidentiality":"Unknown","confidentiality_id":0,"created_time":1695676041520845,"hashes":[{"value":"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1","algorithm":"CTPH","algorithm_id":5},{"value":"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Knows","type":"User","domain":"sao uri 
flesh","uid":"84984db2-5be7-11ee-ba4e-0242ac110005","type_id":1},"uid":"8498530c-5be7-11ee-86f3-0242ac110005","cmd_line":"creation defense carolina","container":{"name":"hunt indicating radiation","size":3179758248,"tag":"reader prevention as","uid":"84985df2-5be7-11ee-be06-0242ac110005","hash":{"value":"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041527,"namespace_pid":46,"parent_process":{"name":"Arbor","pid":20,"file":{"name":"startup.3dm","size":3504413585,"type":"Named Pipe","version":"1.0.0","signature":{"certificate":{"subject":"shades bad tradition","issuer":"previous price thing","fingerprints":[{"value":"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75","algorithm":"SHA-512","algorithm_id":4},{"value":"205D64FF9B580AADBF4829EC41DD4EF0","algorithm":"MD5","algorithm_id":1}],"created_time":1695676041522,"expiration_time":1695676041526,"serial_number":"files the parish","created_time_dt":"2023-09-25T21:07:21.521904Z"},"algorithm":"RSA","algorithm_id":2},"uid":"84987ae4-5be7-11ee-b247-0242ac110005","type_id":6,"created_time":1695676042262,"hashes":[{"value":"60F202A3BE4EF214E24EA9D3555D194C","algorithm":"MD5","algorithm_id":1},{"value":"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A","algorithm":"TLSH","algorithm_id":6}],"modified_time_dt":"2023-09-25T21:07:21.522441Z"},"user":{"name":"Provided","type":"Admin","uid":"84988e80-5be7-11ee-bf3c-0242ac110005","type_id":2,"full_name":"Karoline Meggan","email_addr":"Elza@girls.mil"},"uid":"84989376-5be7-11ee-9216-0242ac110005","cmd_line":"plan agents converter","container":{"name":"thongs routine an","size":2099983603,"uid":"84989948-5be7-11ee-b4fb-0242ac110005","image":{"name":"extending construction 
inkjet","path":"empirical precipitation builder","uid":"84989f42-5be7-11ee-8820-0242ac110005","labels":["golf","nov"]},"hash":{"value":"E7EFDA40B1C94805070CD9BF9638AE27","algorithm":"MD5","algorithm_id":1}},"created_time":1695676041523226,"integrity":"conspiracy unions allocated","parent_process":{"name":"Processes","pid":49,"file":{"name":"considerations.jar","type":"Local Socket","path":"roger economy macro/mesh.gadget/considerations.jar","type_id":5,"accessor":{"name":"Wildlife","type":"Admin","uid":"8498c030-5be7-11ee-80d9-0242ac110005","type_id":2,"full_name":"Twyla Cherise","email_addr":"Shin@cause.mobi","uid_alt":"excellent far varied"},"mime_type":"star/flyer","parent_folder":"roger economy macro/mesh.gadget","created_time":1695676041524,"hashes":[{"value":"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D","algorithm":"CTPH","algorithm_id":5},{"value":"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2","algorithm":"CTPH","algorithm_id":5}]},"user":{"name":"Hour","type":"insert","uid":"8498cd14-5be7-11ee-94d7-0242ac110005","type_id":99,"uid_alt":"organizations guild beds"},"uid":"8498d430-5be7-11ee-b1bf-0242ac110005","cmd_line":"sixth pc peoples","container":{"name":"warrior document workflow","size":2697694450,"uid":"8498da2a-5be7-11ee-9d00-0242ac110005","image":{"name":"version treating tall","uid":"8498df20-5be7-11ee-8257-0242ac110005"},"hash":{"value":"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E","algorithm":"TLSH","algorithm_id":6},"pod_uuid":"sas"},"created_time":1695676041523,"integrity":"aviation blame 
tion","namespace_pid":76,"parent_process":{"name":"Job","pid":86,"file":{"name":"pic.vcd","owner":{"name":"Enquiry","type":"minneapolis","uid":"849901e4-5be7-11ee-bfe1-0242ac110005","type_id":99,"full_name":"Blythe Jamie"},"type":"charged","path":"const foreign pressed/among.ged/pic.vcd","signature":{"certificate":{"version":"1.0.0","subject":"strap liz boulder","issuer":"everybody brunei disciplinary","fingerprints":[{"value":"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2","algorithm":"CTPH","algorithm_id":5},{"value":"3DE877DDFB06DB510E63893D98DDAC9524696C14","algorithm":"SHA-1","algorithm_id":2}],"created_time":1695676041526,"expiration_time":1695676045872,"serial_number":"approaches symbol assembly"},"algorithm":"ECDSA","algorithm_id":3,"developer_uid":"84991526-5be7-11ee-a2ca-0242ac110005","created_time_dt":"2023-09-25T21:07:21.526203Z"},"uid":"84992264-5be7-11ee-8071-0242ac110005","type_id":99,"parent_folder":"const foreign pressed/among.ged","accessed_time":1695676041556,"confidentiality":"suburban ati mostly","hashes":[{"value":"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802","algorithm":"Unknown","algorithm_id":0}],"is_system":false,"modified_time_dt":"2023-09-25T21:07:21.526727Z","created_time_dt":"2023-09-25T21:07:21.526737Z"},"user":{"name":"Rice","type":"Unknown","uid":"84993312-5be7-11ee-b956-0242ac110005","type_id":0,"email_addr":"Renita@pete.cat"},"uid":"8499377c-5be7-11ee-9164-0242ac110005","container":{"name":"acquired minority slip","size":2257875576,"uid":"84993ce0-5be7-11ee-8a18-0242ac110005","image":{"tag":"vocal trim jon","uid":"849944f6-5be7-11ee-bc62-0242ac110005"}},"namespace_pid":29,"parent_process":{"pid":67,"file":{"name":"tuner.pdb","type":"Named Pipe","version":"1.0.0","path":"architectural pink phil/overview.dtd/tuner.pdb","type_id":6,"parent_folder":"architectural pink 
phil/overview.dtd","hashes":[{"value":"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19","algorithm":"quickXorHash","algorithm_id":7},{"value":"C25DDA249CDECE9D908CC33ADCD16AA05E20290F","algorithm":"SHA-1","algorithm_id":2}],"xattributes":{}},"user":{"name":"Fantastic","type":"Admin","uid":"84995d06-5be7-11ee-8223-0242ac110005","org":{"name":"dryer asn trying","uid":"849963aa-5be7-11ee-b57a-0242ac110005","ou_name":"wr r gibraltar"},"type_id":2},"uid":"84996800-5be7-11ee-8754-0242ac110005","cmd_line":"brush bouquet alto","container":{"name":"deutschland pic newcastle","size":797071549,"uid":"84996db4-5be7-11ee-bada-0242ac110005","image":{"name":"adipex into polo","uid":"849984fc-5be7-11ee-af4c-0242ac110005"},"hash":{"value":"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF","algorithm":"SHA-256","algorithm_id":3}},"created_time":1695676041528,"lineage":["familiar privilege canvas"],"namespace_pid":23,"parent_process":{"name":"Cialis","pid":21,"file":{"attributes":83,"name":"spirit.max","owner":{"name":"Friend","type":"User","uid":"84999e10-5be7-11ee-914b-0242ac110005","type_id":1,"email_addr":"Pamelia@directed.com"},"type":"Regular File","version":"1.0.0","path":"fish largest alberta/solutions.deskthemepack/spirit.max","desc":"escape steady bow","type_id":1,"parent_folder":"fish largest alberta/solutions.deskthemepack","hashes":[{"value":"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549","algorithm":"CTPH","algorithm_id":5},{"value":"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88","algorithm":"Unknown","algorithm_id":0}]},"user":{"name":"Apartments","type":"ad","uid":"8499b5da-5be7-11ee-b276-0242ac110005","type_id":99,"uid_alt":"serving turbo 
spy"},"uid":"8499bc88-5be7-11ee-b028-0242ac110005","session":{"uid":"8499ca0c-5be7-11ee-aae9-0242ac110005","created_time":1695676041534,"expiration_time":1695676041542,"is_remote":true},"cmd_line":"in blowing memorial","container":{"name":"france sg charger","size":1048383191,"tag":"deserve focused select","uid":"8499d164-5be7-11ee-a7e8-0242ac110005","image":{"name":"robert through mailing","tag":"struggle gerald weather","uid":"8499d704-5be7-11ee-b617-0242ac110005"},"hash":{"value":"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC","algorithm":"TLSH","algorithm_id":6},"network_driver":"catch sun general","orchestrator":"sf varieties queries"},"created_time":1695676041539,"integrity":"faculty hardcover generated","namespace_pid":79,"parent_process":{"name":"Devices","pid":90,"file":{"name":"premises.sln","owner":{"name":"Welcome","type":"User","type_id":1,"account":{"name":"discs outlets general","type":"Mac OS Account","uid":"8499eb2c-5be7-11ee-86b7-0242ac110005","type_id":7}},"type":"ships","path":"ralph tales librarian/simpsons.psd/premises.sln","type_id":99,"creator":{"name":"Booking","type":"System","domain":"coupons dropped pantyhose","uid":"8499f1ee-5be7-11ee-a02c-0242ac110005","type_id":3},"parent_folder":"ralph tales librarian/simpsons.psd","hashes":[{"value":"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188","algorithm":"TLSH","algorithm_id":6}],"modified_time_dt":"2023-09-25T21:07:21.531893Z"},"user":{"name":"Immediate","type":"Unknown","uid":"849a06c0-5be7-11ee-acfe-0242ac110005","org":{"name":"velvet days pubs","ou_name":"brake craps campaign"},"groups":[{"uid":"849a1124-5be7-11ee-9a8e-0242ac110005","privileges":["independent vegetables assisted","refinance lee seating"]},{"name":"div violence 
strange","uid":"849a1674-5be7-11ee-aa3b-0242ac110005"}],"type_id":0},"uid":"849a1af2-5be7-11ee-82a9-0242ac110005","cmd_line":"text ana range","container":{"name":"own drawing acute","size":1512724327,"uid":"849a2420-5be7-11ee-94c5-0242ac110005","image":{"name":"layers branch lucas","tag":"nations chances trips","uid":"849a32bc-5be7-11ee-86bb-0242ac110005"},"hash":{"value":"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041533,"lineage":["guru hosted bradley"],"namespace_pid":39,"parent_process":{"name":"Bags","file":{"attributes":22,"name":"hunt.ppt","type":"Local Socket","type_id":5,"confidentiality":"Confidential","confidentiality_id":2,"hashes":[{"value":"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4","algorithm":"quickXorHash","algorithm_id":7},{"value":"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false,"modified_time_dt":"2023-09-25T21:07:21.533963Z"},"user":{"name":"Sisters","type":"rebound","uid":"849a52ce-5be7-11ee-a468-0242ac110005","type_id":99,"full_name":"Elisa Cleora"},"uid":"849a5d78-5be7-11ee-ac24-0242ac110005","cmd_line":"merchandise initiatives accessibility","container":{"name":"apartment drunk amateur","size":3702557326,"uid":"849a646c-5be7-11ee-90ce-0242ac110005","image":{"name":"evaluating apartments 
disaster","uid":"849a6a66-5be7-11ee-95e4-0242ac110005"},"hash":{"value":"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509","algorithm":"Unknown","algorithm_id":0}},"created_time":1695676041535,"namespace_pid":29,"parent_process":{"name":"Sen","pid":13,"file":{"attributes":35,"name":"hardware.wma","owner":{"name":"Asia","type":"meetup","uid":"849a7ac4-5be7-11ee-a06d-0242ac110005","type_id":99},"type":"Unknown","path":"interactions malta thoughts/laden.pdf/hardware.wma","signature":{"digest":{"value":"3188206324B062751CE36D4251C19C94","algorithm":"MD5","algorithm_id":1},"algorithm":"Authenticode","algorithm_id":4},"type_id":0,"parent_folder":"interactions malta thoughts/laden.pdf","hashes":[{"value":"6BD48B1E57856137037BFEE4DEC8D57F","algorithm":"MD5","algorithm_id":1}]},"user":{"name":"Round","type":"System","uid":"849a900e-5be7-11ee-9894-0242ac110005","type_id":3,"full_name":"Marisela Towanda","account":{"name":"fragrances bulk specialty","type":"LDAP Account","uid":"849a9702-5be7-11ee-9f5d-0242ac110005","type_id":1},"credential_uid":"849a9afe-5be7-11ee-b27a-0242ac110005","email_addr":"Wava@promises.info"},"uid":"849a9ed2-5be7-11ee-ae61-0242ac110005","cmd_line":"recordings countries slides","container":{"name":"distant modeling monaco","runtime":"peace up sailing","uid":"849aa490-5be7-11ee-bb98-0242ac110005","image":{"name":"evanescence plans courts","tag":"buy archives predict","uid":"849aaa9e-5be7-11ee-a47a-0242ac110005"},"hash":{"value":"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F","algorithm":"SHA-256","algorithm_id":3}},"created_time":1695676041539,"integrity":"bookings qc dictionaries","lineage":["lanka manufacture bra","gibson implementation pope"],"namespace_pid":6,"parent_process":{"name":"Impacts","pid":86,"file":{"name":"removal.obj","type":"Named Pipe","path":"jeff puts assignments/thing.msi/removal.obj","type_id":6,"parent_folder":"jeff puts 
assignments/thing.msi","accessed_time":1695676041534,"hashes":[{"value":"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77","algorithm":"magic","algorithm_id":99}],"security_descriptor":"bureau myspace barrel"},"user":{"name":"Alliance","type":"Admin","domain":"statistical poland gregory","uid":"849abe76-5be7-11ee-a5a1-0242ac110005","org":{"name":"nyc kidney drawings","uid":"849accae-5be7-11ee-af7b-0242ac110005"},"groups":[{"name":"accessed thanks instructions","desc":"luggage species belkin","uid":"849ad5fa-5be7-11ee-a0e9-0242ac110005","privileges":["flashing aol autumn"]},{"name":"cognitive times agent","uid":"849ada50-5be7-11ee-824e-0242ac110005","privileges":["sodium believed housing","incorporated jungle asian"]}],"type_id":2,"full_name":"Paul Julian"},"uid":"849adea6-5be7-11ee-aa53-0242ac110005","cmd_line":"amount anywhere suffered","container":{"name":"author channel disappointed","size":191473515,"uid":"849aff08-5be7-11ee-80bd-0242ac110005","image":{"name":"cross tray influenced","tag":"afternoon counseling governance","uid":"849b1f7e-5be7-11ee-bb9d-0242ac110005"},"hash":{"value":"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581","algorithm":"quickXorHash","algorithm_id":7},"network_driver":"slovakia friend username"},"created_time":1695676041539630,"namespace_pid":49,"parent_process":{"name":"Sampling","pid":71,"file":{"attributes":78,"name":"human.pdb","type":"Symbolic Link","path":"let dawn representing/surrounding.dwg/human.pdb","product":{"name":"heavy payroll timothy","version":"1.0.0","uid":"849b3fd6-5be7-11ee-83d2-0242ac110005","feature":{"name":"metric th alt","version":"1.0.0","uid":"849b46a2-5be7-11ee-824d-0242ac110005"},"vendor_name":"rv brother vaccine"},"type_id":7,"accessor":{"name":"Dragon","type":"System","uid":"849b52b4-5be7-11ee-863c-0242ac110005","type_id":3,"credential_uid":"849b5b88-5be7-11ee-af7a-0242ac110005"},"parent_folder":"let dawn 
representing/surrounding.dwg","hashes":[{"value":"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C","algorithm":"quickXorHash","algorithm_id":7}],"modified_time":1695676041541,"modified_time_dt":"2023-09-25T21:07:21.541163Z","created_time_dt":"2023-09-25T21:07:21.541195Z"},"user":{"name":"Particles","type":"User","domain":"lexmark refers dylan","uid":"849b6916-5be7-11ee-a01e-0242ac110005","type_id":1,"email_addr":"Yelena@communities.nato"},"uid":"849b6dee-5be7-11ee-84f0-0242ac110005","cmd_line":"techno now vid","created_time":1695676041593,"lineage":["qualify insight reproduce","placing download tomato"],"namespace_pid":91,"parent_process":{"name":"Foundation","pid":41,"file":{"name":"sunday.crdownload","size":1384349588,"type":"Unknown","path":"designing designed kim/butts.crx/sunday.crdownload","signature":{"certificate":{"version":"1.0.0","subject":"annually ic quest","issuer":"cooperation worldcat southwest","fingerprints":[{"value":"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9","algorithm":"Unknown","algorithm_id":0}],"created_time":1695676041542,"expiration_time":1695676041577,"serial_number":"distributed characters bin"},"algorithm":"Unknown","algorithm_id":0,"created_time_dt":"2023-09-25T21:07:21.542032Z"},"product":{"name":"nights validity updated","version":"1.0.0","uid":"849b866c-5be7-11ee-a7ff-0242ac110005","feature":{"name":"seminar automatic gui","version":"1.0.0","uid":"849b9742-5be7-11ee-9904-0242ac110005"},"lang":"en","url_string":"however","vendor_name":"favorite album ncaa"},"type_id":0,"accessor":{"name":"Xhtml","type":"disabilities","uid":"849ba016-5be7-11ee-8738-0242ac110005","type_id":99,"email_addr":"Stormy@postcard.mobi"},"creator":{"name":"Tap","type":"User","domain":"neural fig colin","org":{"name":"timing process 
palestinian","uid":"849bad9a-5be7-11ee-9fa0-0242ac110005","ou_name":"step mouth drunk"},"type_id":1,"full_name":"Otelia Kori"},"mime_type":"talked/wishlist","parent_folder":"designing designed kim/butts.crx","hashes":[{"value":"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9","algorithm":"TLSH","algorithm_id":6}],"is_system":true,"modified_time":1695676041546},"user":{"name":"Certain","type":"Unknown","uid":"849bb81c-5be7-11ee-bbec-0242ac110005","groups":[{"name":"penn laundry woods","type":"powerpoint jump hospitality","desc":"twenty protection innovative","uid":"849bbdee-5be7-11ee-95a2-0242ac110005"},{"uid":"849bc780-5be7-11ee-9955-0242ac110005"}],"type_id":0,"email_addr":"Reba@contemporary.mobi","uid_alt":"technical critics nationally"},"tid":86,"uid":"849bcfb4-5be7-11ee-b896-0242ac110005","session":{"uid":"849bd89c-5be7-11ee-bbae-0242ac110005","issuer":"mind file superior","created_time":1695676041544,"is_remote":true},"loaded_modules":["/aims/hammer/duke/implementation/roland.jar","/illustration/reads/adaptation/ppc/footage.cab"],"cmd_line":"treatments proceeding assumed","created_time":1695676041548,"integrity":"written","integrity_id":99,"lineage":["tenant surveillance nature","securities joining bite"],"parent_process":{"name":"Restore","pid":74,"file":{"name":"moral.kmz","type":"Local Socket","path":"suit who pics/arrange.torrent/moral.kmz","type_id":5,"accessor":{"name":"Qualities","type":"Unknown","domain":"operates collectables presentations","uid":"849bf00c-5be7-11ee-a0de-0242ac110005","type_id":0,"uid_alt":"welsh constraints elimination"},"parent_folder":"suit who 
pics/arrange.torrent","accessed_time":1695676044937,"created_time":1695676041545,"hashes":[{"value":"BADBDA50632954800C02D40EB49D1BEF8E5A883D","algorithm":"SHA-1","algorithm_id":2},{"value":"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false},"cmd_line":"remain weird municipal","container":{"name":"anthony serial medline","size":2006500672,"uid":"849c059c-5be7-11ee-b620-0242ac110005","image":{"name":"titten live cvs","uid":"849c105a-5be7-11ee-8337-0242ac110005"},"hash":{"value":"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041542,"integrity":"High","integrity_id":4,"namespace_pid":8,"parent_process":{"pid":20,"file":{"attributes":79,"name":"revolution.vcf","owner":{"name":"Sunny","type":"Unknown","uid":"849c24fa-5be7-11ee-93d2-0242ac110005","type_id":0,"email_addr":"Suzan@communicate.coop"},"type":"Folder","version":"1.0.0","path":"nintendo smilies thank/ought.vb/revolution.vcf","signature":{"certificate":{"version":"1.0.0","subject":"microwave marriott okay","issuer":"foundation review shaft","fingerprints":[{"value":"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7","algorithm":"TLSH","algorithm_id":6}],"created_time":1695676041548,"expiration_time":1695676041514,"serial_number":"windsor sponsor google"},"algorithm":"ECDSA","algorithm_id":3},"product":{"name":"pci invasion producers","version":"1.0.0","uid":"849c3e4a-5be7-11ee-80be-0242ac110005","lang":"en","vendor_name":"australian payments crm"},"type_id":2,"accessor":{"name":"Class","type":"pie","type_id":99,"full_name":"Crysta Damaris","account":{"name":"cards gratis necklace","type":"Apple Account","type_id":8},"uid_alt":"linux has 
luis"},"company_name":"Mckenzie Ardith","creator":{"type":"selected","domain":"glass outlet lopez","uid":"849c4b2e-5be7-11ee-9c0b-0242ac110005","org":{"name":"reproductive balloon stanley","uid":"849c5060-5be7-11ee-b740-0242ac110005","ou_name":"pick rear governance","ou_uid":"849c5470-5be7-11ee-b89d-0242ac110005"},"groups":[{"name":"suspected contributor counting","type":"vacations wines biological","uid":"849c5ae2-5be7-11ee-97a7-0242ac110005"}],"type_id":99},"parent_folder":"nintendo smilies thank/ought.vb","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E","algorithm":"quickXorHash","algorithm_id":7},{"value":"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4","algorithm":"TLSH","algorithm_id":6}],"is_system":false,"security_descriptor":"recommended approve environment"},"uid":"849c61f4-5be7-11ee-8006-0242ac110005","cmd_line":"arrangements makes handy","container":{"name":"yahoo plains basically","uid":"849c6776-5be7-11ee-94b5-0242ac110005","image":{"name":"capabilities huge hometown","uid":"849c6d2a-5be7-11ee-a411-0242ac110005","labels":["mumbai"]},"hash":{"value":"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041544,"namespace_pid":13,"parent_process":{"name":"Tell","file":{"name":"world.jpg","type":"Block Device","path":"blend roommates closed/died.docx/world.jpg","modifier":{"name":"Heritage","type":"System","domain":"ln resolved couple","uid":"849c8878-5be7-11ee-98bd-0242ac110005","type_id":3,"email_addr":"Deloise@agreed.arpa"},"type_id":4,"mime_type":"engineer/habitat","parent_folder":"blend roommates 
closed/died.docx","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB","algorithm":"SHA-256","algorithm_id":3},{"value":"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975","algorithm":"TLSH","algorithm_id":6}],"is_system":true},"user":{"name":"Weather","type":"Admin","domain":"our installing clinical","uid":"849ca4ca-5be7-11ee-b39c-0242ac110005","org":{"name":"top riverside asthma","uid":"849cb208-5be7-11ee-a4a6-0242ac110005","ou_name":"stats dans soviet"},"type_id":2,"credential_uid":"849cc0f4-5be7-11ee-9c36-0242ac110005"},"uid":"849cc522-5be7-11ee-aa87-0242ac110005","session":{"uid":"849ccebe-5be7-11ee-a1ca-0242ac110005","issuer":"volunteer meetings medline","created_time":1695676041550,"is_remote":false,"expiration_time_dt":"2023-09-25T21:07:21.550638Z"},"loaded_modules":["/rev/amazon/casino/june/fails.bin","/credit/potential/lawsuit/clause/nine.bmp"],"cmd_line":"well absent shoe","container":{"name":"hospitality walker vs","size":1224758347,"uid":"849cdd28-5be7-11ee-9250-0242ac110005","image":{"name":"audio miracle leader","uid":"849ce32c-5be7-11ee-b7a9-0242ac110005"},"hash":{"value":"A813ED16B0B3E58FA959C0BA26A47058","algorithm":"MD5","algorithm_id":1}},"created_time":1695676041555,"lineage":["achievement courage send","expansion instructional agreements"],"namespace_pid":62,"parent_process":{"name":"Airfare","file":{"name":"flexible.vcxproj","type":"Folder","product":{"name":"external polar galaxy","version":"1.0.0","lang":"en","vendor_name":"hack infection generator"},"type_id":2,"mime_type":"silicon/limousines","confidentiality":"venue rl 
epa","hashes":[{"value":"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC","algorithm":"SHA-512","algorithm_id":4},{"value":"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C","algorithm":"magic","algorithm_id":99}],"modified_time":1695676041500,"xattributes":{},"created_time_dt":"2023-09-25T21:07:21.551631Z"},"user":{"name":"Track","type":"Unknown","uid":"849cfe70-5be7-11ee-b38b-0242ac110005","type_id":0,"account":{"name":"strict manufactured invest","type":"AWS IAM User","uid":"849d0500-5be7-11ee-97bd-0242ac110005","type_id":3},"credential_uid":"849d08ca-5be7-11ee-bfe2-0242ac110005"},"cmd_line":"challenges prompt cumulative","container":{"name":"develop affiliates required","size":2138922450,"uid":"849d0e7e-5be7-11ee-a8e4-0242ac110005","image":{"name":"charges fragrances complex","uid":"849d1342-5be7-11ee-a4ca-0242ac110005"},"hash":{"value":"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0","algorithm":"SHA-512","algorithm_id":4},"network_driver":"familiar movies legitimate","pod_uuid":"legally"},"integrity":"Unknown","integrity_id":0,"namespace_pid":2,"parent_process":{"name":"Eternal","pid":76,"file":{"attributes":44,"name":"uzbekistan.jar","type":"Block Device","uid":"849d2170-5be7-11ee-a637-0242ac110005","type_id":4,"mime_type":"will/executed","hashes":[{"value":"8A25185F3C5523EF3B08C1ECDD83016224863C95","algorithm":"SHA-1","algorithm_id":2},{"value":"6B9ED75DAE7A1E692073FC400B558EA4","algorithm":"MD5","algorithm_id":1}],"xattributes":{}},"user":{"name":"Manager","type":"legs","uid":"849d2c24-5be7-11ee-953d-0242ac110005","type_id":99,"email_addr":"Josefina@holders.museum"},"uid":"849d308e-5be7-11ee-a5ad-0242ac110005","cmd_line":"reporter techno regarded","container":{"name":"cpu mission hacker","runtime":"cables vanilla 
amendments","size":1820268463,"uid":"849d3caa-5be7-11ee-9fe6-0242ac110005","image":{"uid":"849d468c-5be7-11ee-85e3-0242ac110005","labels":["responsibility"]},"hash":{"value":"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D","algorithm":"magic","algorithm_id":99},"orchestrator":"helpful pasta matthew"},"namespace_pid":84,"parent_process":{"name":"Music","pid":28,"file":{"name":"titanium.avi","type":"Unknown","path":"slideshow configurations lens/nations.flv/titanium.avi","desc":"closed hydraulic connecting","type_id":0,"company_name":"Frederica Hertha","parent_folder":"slideshow configurations lens/nations.flv","confidentiality":"Top Secret","confidentiality_id":4,"created_time":1695676041554,"hashes":[{"value":"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F","algorithm":"magic","algorithm_id":99}],"xattributes":{},"created_time_dt":"2023-09-25T21:07:21.554150Z"},"user":{"name":"Be","type":"types","uid":"849d60a4-5be7-11ee-98cb-0242ac110005","type_id":99},"uid":"849d64dc-5be7-11ee-b02a-0242ac110005","container":{"size":1668291787,"uid":"849d7cce-5be7-11ee-80f3-0242ac110005","image":{"name":"curtis burns park","uid":"849d83f4-5be7-11ee-8f40-0242ac110005","labels":["fix"]},"hash":{"value":"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C","algorithm":"Unknown","algorithm_id":0},"network_driver":"surely assistance actively","pod_uuid":"gardening"},"created_time":1695676041553,"integrity":"System","integrity_id":5,"parent_process":{"name":"Surprise","pid":50,"file":{"name":"opening.vob","type":"Local Socket","path":"venezuela flyer seller/os.kml/opening.vob","modifier":{"name":"Infected","type":"User","uid":"849d94de-5be7-11ee-b30d-0242ac110005","type_id":1,"full_name":"Katheryn Kena"},"type_id":5,"accessor":{"name":"Mine","type":"fcc","uid":"849da17c-5be7-11ee-9d3a-0242ac110005","type_id":99,"account":{"name":"hourly toll 
disappointed","uid":"849dabd6-5be7-11ee-ba6a-0242ac110005"},"credential_uid":"849db838-5be7-11ee-8a18-0242ac110005"},"parent_folder":"venezuela flyer seller/os.kml","hashes":[{"value":"599DCCE2998A6B40B1E38E8C6006CB0A","algorithm":"MD5","algorithm_id":1},{"value":"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4","algorithm":"TLSH","algorithm_id":6}],"modified_time":1695676041557,"security_descriptor":"graham occupations become"},"user":{"name":"Simulations","type":"User","uid":"849debb4-5be7-11ee-bfac-0242ac110005","type_id":1,"account":{"type":"Windows Account","uid":"849df820-5be7-11ee-82f1-0242ac110005","type_id":2},"credential_uid":"849dfc62-5be7-11ee-a9bc-0242ac110005"},"cmd_line":"pursuant proceed discussed","container":{"name":"insight style ca","runtime":"williams ng xhtml","size":220440282,"uid":"849e031a-5be7-11ee-b55b-0242ac110005","image":{"name":"bubble architects vancouver","path":"hairy pixel time","uid":"849e0ebe-5be7-11ee-8341-0242ac110005"},"hash":{"value":"8876489CE00D6D9FDF61ED1C773F047E","algorithm":"MD5","algorithm_id":1}},"created_time":1695676041558,"lineage":["bk destinations est","whose playback congressional"],"namespace_pid":54,"parent_process":{"name":"Courage","pid":5,"file":{"name":"filled.mdb","size":2881440001,"type":"Character Device","path":"disc dividend incentives/crucial.wps/filled.mdb","signature":{"certificate":{"version":"1.0.0","subject":"infectious replication lock","issuer":"worker attended mel","fingerprints":[{"value":"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F","algorithm":"magic","algorithm_id":99}],"created_time":1695676041558,"expiration_time":1695676041554,"serial_number":"durham graham course"},"algorithm":"Unknown","algorithm_id":0},"modifier":{"name":"Constraints","type":"Unknown","domain":"informational advisory mg","uid":"849e2a2a-5be7-11ee-82b2-0242ac110005","type_id":0},"product":{"name":"michigan slight 
torture","version":"1.0.0","path":"costumes somewhat qui","uid":"849e3088-5be7-11ee-8510-0242ac110005","lang":"en","vendor_name":"franchise portland experiment"},"type_id":3,"accessor":{"name":"Intl","type":"Unknown","uid":"849e39a2-5be7-11ee-b3b8-0242ac110005","type_id":0,"full_name":"Lorna Francisco"},"parent_folder":"disc dividend incentives/crucial.wps","hashes":[{"value":"9471ED19416B8099E51855CB0EF61AE3","algorithm":"MD5","algorithm_id":1}],"modified_time":1695676041563},"user":{"name":"Motorcycle","type":"Admin","uid":"849e4a46-5be7-11ee-bc81-0242ac110005","type_id":2},"cmd_line":"peer rail specialist","container":{"name":"priority mirrors although","runtime":"rock relation block","size":2559819198,"uid":"849e509a-5be7-11ee-ad75-0242ac110005","image":{"name":"committed plastic does","uid":"849e6972-5be7-11ee-b803-0242ac110005"},"network_driver":"conduct linking lb"},"created_time":1695676041434,"lineage":["desktop lakes moscow","barrel touch increasing"],"namespace_pid":13,"parent_process":{"name":"Harley","pid":38,"file":{"name":"metabolism.gadget","owner":{"type":"System","uid":"849e86dc-5be7-11ee-9b00-0242ac110005","org":{"name":"syndication joseph realized","uid":"849e8ff6-5be7-11ee-be3f-0242ac110005","ou_name":"advertise scored usr","ou_uid":"849e9852-5be7-11ee-9c6a-0242ac110005"},"type_id":3},"type":"Character Device","path":"patch attempting mf/nashville.dxf/metabolism.gadget","signature":{"certificate":{"version":"1.0.0","subject":"signals book follow","issuer":"database verse prince","fingerprints":[{"value":"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98","algorithm":"quickXorHash","algorithm_id":7},{"value":"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93","algorithm":"Unknown","algorithm_id":0}],"created_time":1695676041504,"expiration_time":1695676041569,"serial_number":"termination vi 
limitation"},"algorithm":"ECDSA","algorithm_id":3},"type_id":3,"creator":{"type":"Unknown","uid":"849edfe2-5be7-11ee-97f0-0242ac110005","type_id":0,"account":{"name":"workers observer lonely","type":"GCP Account","uid":"849ef310-5be7-11ee-b8e1-0242ac110005","type_id":5},"email_addr":"Myrta@of.cat"},"parent_folder":"patch attempting mf/nashville.dxf","hashes":[{"value":"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10","algorithm":"TLSH","algorithm_id":6},{"value":"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B","algorithm":"CTPH","algorithm_id":5}],"accessed_time_dt":"2023-09-25T21:07:21.564734Z"},"user":{"name":"Referenced","type":"Admin","type_id":2,"full_name":"Lyndsay Ricky"},"uid":"849f00ee-5be7-11ee-954b-0242ac110005","cmd_line":"institutes yes inputs","container":{"name":"missed foreign palmer","size":903476370,"uid":"849f0878-5be7-11ee-b335-0242ac110005","image":{"name":"belfast interests activation","uid":"849f1dc2-5be7-11ee-b432-0242ac110005"},"hash":{"value":"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1","algorithm":"SHA-1","algorithm_id":2}},"created_time":1695676041565,"namespace_pid":44,"terminated_time":1695676041566,"xattributes":{},"created_time_dt":"2023-09-25T21:07:21.565824Z"}},"sandbox":"final corporations performances"}},"xattributes":{}}},"sandbox":"distributor workshops maldives"}},"sandbox":"upload stages deutsch","xattributes":{},"created_time_dt":"2023-09-25T21:07:21.565886Z","terminated_time_dt":"2023-09-25T21:07:21.565891Z"},"sandbox":"facial gossip lopez","terminated_time":1695676041561,"created_time_dt":"2023-09-25T21:07:21.565904Z","terminated_time_dt":"2023-09-25T21:07:21.565908Z"},"sandbox":"compounds s time","terminated_time":1695676041567},"sandbox":"romance volunteer entrepreneurs"}},"xattributes":{}},"sandbox":"moon exercise 
starring","terminated_time":1695676041562}},"terminated_time":1695676041561},"xattributes":{}}},"sandbox":"keeps pour rent","terminated_time":1695676041566},"xattributes":{}},"sandbox":"species tourism system","terminated_time":1695676041564,"xattributes":{}},"terminated_time":1695676041564}},"user":{"name":"Turkish","type":"metres","domain":"jones cnet biz","uid":"849f330c-5be7-11ee-aa02-0242ac110005","org":{"name":"performed assignments undefined","uid":"849f3870-5be7-11ee-8857-0242ac110005","ou_name":"headquarters informal nigeria"},"type_id":99}},"cloud":{"provider":"diego ins ext","region":"kissing wi confidence"},"enrichments":[{"data":{"wallpaper":"feded"},"name":"hc saskatchewan quickly","type":"thu loves strong","value":"sword somebody equilibrium","provider":"outlet toolkit person"},{"data":{"drug":"drugg7899"},"name":"tree cities corner","type":"knife super bat","value":"thy qualification booth"}],"expiration_time":1695676041527,"severity_id":2,"src_endpoint":{"name":"replaced wa unlock","port":25780,"ip":"175.16.199.1","uid":"84972e82-5be7-11ee-8eac-0242ac110005","hostname":"menu.travel","instance_uid":"849732a6-5be7-11ee-bdb0-0242ac110005","interface_name":"grown reflect expressed","interface_uid":"84973670-5be7-11ee-8000-0242ac110005","svc_name":"stanford leisure analyzed"}} {"message":"distances authorization packed","status":"annually","time":1695676084572,"file":{"name":"revenge.ged","size":123,"type":"Block Device","path":"pensions lightning push/congress.icns/revenge.ged","type_id":4,"parent_folder":"pensions lightning push/congress.icns","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF","algorithm":"magic","algorithm_id":99}],"modified_time":1695676084549,"security_descriptor":"procedure amsterdam belarus","accessed_time_dt":"2023-09-25T21:08:04.549340Z"},"device":{"name":"walter qt 
hitting","type":"Tablet","ip":"67.43.156.0","uid":"9e3dbfa4-5be7-11ee-8f05-0242ac110005","hostname":"rule.edu","groups":[{"name":"scanned consisting expense","type":"odds traditions trick","uid":"9e3db702-5be7-11ee-a715-0242ac110005","privileges":["photography derived log","dna ec believed"]},{"name":"tires modifications calendars","uid":"9e3dbc02-5be7-11ee-9470-0242ac110005"}],"type_id":4,"autoscale_uid":"9e3d9b1e-5be7-11ee-ab96-0242ac110005","instance_uid":"9e3d9f74-5be7-11ee-a549-0242ac110005","interface_name":"accurately shadows node","interface_uid":"9e3da38e-5be7-11ee-bda3-0242ac110005","is_personal":false,"modified_time":1695676084549,"region":"cosmetics preston msgstr","uid_alt":"technology alex metallica"},"metadata":{"version":"1.0.0","extension":{"name":"editor nerve offset","version":"1.0.0","uid":"9e3d7ff8-5be7-11ee-8454-0242ac110005"},"product":{"name":"harm dash walter","version":"1.0.0","path":"contributors rest worried","uid":"9e3d893a-5be7-11ee-9bf6-0242ac110005","lang":"en","vendor_name":"acre shut suzuki"},"profiles":["cloud","container","datetime","host","security_control"],"log_version":"flow tribunal aging","original_time":"consistently sauce duke","processed_time_dt":"2023-09-25T21:08:04.547033Z"},"severity":"Critical","disposition":"Blocked","type_name":"Email File Activity: Send","activity_id":1,"disposition_id":2,"type_uid":401101,"category_name":"Network Activity","class_uid":4011,"category_uid":4,"class_name":"Email File Activity","timezone_offset":0,"attacks":[{"version":"12.1","tactics":[{"name":"Privilege Escalation | The adversary is trying to gain higher-level permissions.","uid":"TA0004"}],"technique":{"name":"CMSTP","uid":"T1191"}}],"activity_name":"Send","cloud":{"account":{"type":"AWS Account","uid":"9e3d6a4a-5be7-11ee-9095-0242ac110005","type_id":10},"provider":"antique camp pin"},"email_uid":"9e3d9088-5be7-11ee-b651-0242ac110005","enrichments":[{"data":{"meat":"meattt"},"name":"another polyester collectors","type":"gen cap 
beauty","value":"recipes generating stored","provider":"companion fy mat"},{"data":{"meatd":"meattt"},"name":"brandon fraser seed","type":"grove bradley ddr","value":"written thumbnail looksmart","provider":"hearings gossip shadows"}],"severity_id":5,"status_id":99} {"count":43,"message":"carb fujitsu spots","status":"Success","time":1695676101376,"device":{"name":"experiments old guides","type":"Virtual","ip":"67.43.156.0","desc":"beta culture receiving","uid":"a845433c-5be7-11ee-8e93-0242ac110005","hostname":"australia.aero","image":{"name":"bank ftp newman","uid":"a84532d4-5be7-11ee-af3a-0242ac110005"},"groups":[{"name":"karaoke finnish coordination","desc":"blessed drive took","uid":"a8453b30-5be7-11ee-90d5-0242ac110005"},{"name":"briefs iii andy","type":"ireland arch trademark","uid":"a8453fc2-5be7-11ee-bd52-0242ac110005"}],"type_id":6,"instance_uid":"a84525fa-5be7-11ee-987a-0242ac110005","interface_name":"subsection get techno","interface_uid":"a8452b90-5be7-11ee-9db2-0242ac110005","network_interfaces":[{"name":"animals economy signals","type":"proven","ip":"175.16.199.1","hostname":"personalized.nato","mac":"30:29:E4:EE:B6:98:14:3A","type_id":99},{"name":"announces restaurants deposits","type":"Wired","ip":"224.61.168.94","hostname":"mitchell.nato","mac":"69:8D:D4:20:55:3A:43:D0","type_id":1}],"region":"propecia commonwealth equipment","last_seen_time_dt":"2023-09-25T21:08:21.374251Z"},"metadata":{"version":"1.0.0","product":{"name":"erotica ladies hero","version":"1.0.0","uid":"a844f346-5be7-11ee-a2c8-0242ac110005","feature":{"name":"mess const microwave","version":"1.0.0","uid":"a8450084-5be7-11ee-93f7-0242ac110005"},"lang":"en","url_string":"washer","vendor_name":"feelings tide perry"},"profiles":["cloud","container","datetime","host","security_control"],"log_name":"cleaners villa historic","log_provider":"immediately accused charlie","logged_time":1695676101375,"original_time":"medline prospect 
ict"},"severity":"electrical","url":{"port":23624,"scheme":"yoga thesaurus regardless","path":"flows affiliation global","hostname":"sage.mil","query_string":"mattress betting covers","category_ids":[49,54],"url_string":"vocal"},"duration":2,"disposition":"Delayed","type_name":"Email URL Activity: Receive","activity_id":2,"disposition_id":14,"type_uid":401202,"category_name":"Network Activity","class_uid":4012,"category_uid":4,"class_name":"Email URL Activity","timezone_offset":34,"activity_name":"Receive","cloud":{"account":{"name":"bubble prototype interstate","type":"Azure AD Account","uid":"a844c1f0-5be7-11ee-83dc-0242ac110005","type_id":6},"provider":"indicated electro washer","region":"crucial mysimon exit"},"email_uid":"a8450be2-5be7-11ee-bf7c-0242ac110005","severity_id":99,"status_detail":"released oxygen reasonable","status_id":1} +{"actor":{"process":{"pid":55,"file":{"name":"demonstrates.xlsx","size":1700247011,"type":"Character Device","path":"simpson alice serum/loud.key/demonstrates.xlsx","desc":"suits peru therapist","type_id":3,"accessor":{"name":"Dinner","type":"User","uid":"8241051e-4ff6-11ef-8c1c-0242ac110005","type_id":1,"uid_alt":"tiny democrats map"},"creator":{"name":"Clock","type":"System","uid":"824111ee-4ff6-11ef-80d5-0242ac110005","type_id":3,"email_addr":"Clelia@servers.arpa"},"parent_folder":"simpson alice serum/loud.key","confidentiality":"Not Confidential","confidentiality_id":1,"hashes":[{"value":"866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9","algorithm":"SHA-512","algorithm_id":4},{"value":"9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C","algorithm":"CTPH","algorithm_id":5}]},"uid":"82411bb2-4ff6-11ef-a29d-0242ac110005","cmd_line":"composer oriented salt","container":{"name":"essential service 
beverage","size":3850921168,"uid":"8241251c-4ff6-11ef-bfb4-0242ac110005","image":{"name":"ports ide john","uid":"82412df0-4ff6-11ef-bb20-0242ac110005"},"hash":{"value":"FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16","algorithm":"magic","algorithm_id":99}},"created_time":1722510563763413,"namespace_pid":26,"parent_process":{"name":"Peripheral","file":{"name":"ebook.xls","type":"Named Pipe","path":"sheffield specs folks/ab.dll/ebook.xls","uid":"824151a4-4ff6-11ef-baa0-0242ac110005","type_id":6,"accessor":{"name":"Mp","type":"Admin","uid":"82415dc0-4ff6-11ef-8589-0242ac110005","type_id":2},"creator":{"name":"Contemporary","type":"User","uid":"82416b62-4ff6-11ef-bb14-0242ac110005","groups":[{"name":"differences rachel activity","uid":"824174ea-4ff6-11ef-858b-0242ac110005"},{"name":"philips facility sure","desc":"richardson silly malpractice"}],"type_id":1,"credential_uid":"82417bf2-4ff6-11ef-9b27-0242ac110005"},"parent_folder":"sheffield specs folks/ab.dll","confidentiality":"ws rage bedford","hashes":[{"value":"8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6","algorithm":"TLSH","algorithm_id":6},{"value":"8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B","algorithm":"magic","algorithm_id":99}],"xattributes":{},"accessed_time_dt":"2024-08-01T11:09:23.765455Z"},"user":{"type":"System","uid":"82418dcc-4ff6-11ef-ad9d-0242ac110005","groups":[{"name":"minneapolis listen accounts","uid":"82419740-4ff6-11ef-8605-0242ac110005"},{"name":"convert temporal sees","type":"pointer launch particle","uid":"82419e0c-4ff6-11ef-a40e-0242ac110005"}],"type_id":3,"account":{"name":"person catalogs assembled","type":"AWS IAM Role","uid":"8241a78a-4ff6-11ef-a514-0242ac110005","type_id":4},"email_addr":"Mabel@appointment.cat"},"group":{"name":"crisis vulnerable challenge","desc":"understand charlie 
shorts"},"tid":31,"uid":"8241b414-4ff6-11ef-942e-0242ac110005","cmd_line":"scientist discover md","container":{"name":"basement canada const","size":3047246820,"uid":"8241bd6a-4ff6-11ef-b2aa-0242ac110005","image":{"uid":"8241c562-4ff6-11ef-8fe7-0242ac110005"},"orchestrator":"leslie contribute pixel"},"created_time":1722510563767250,"namespace_pid":1,"parent_process":{"name":"Racks","pid":74,"file":{"name":"lightning.htm","type":"valve","path":"deer oils respected/blood.ico/lightning.htm","desc":"differently maldives brand","product":{"name":"relevant adaptation midwest","version":"1.1.0","lang":"en","vendor_name":"eclipse korean ghost"},"type_id":99,"accessor":{"name":"Request","type":"Admin","uid":"8241ede4-4ff6-11ef-acc4-0242ac110005","groups":[{"name":"well characterization holocaust","uid":"82421e4a-4ff6-11ef-8980-0242ac110005"},{"name":"levitra against glen"}],"type_id":2},"parent_folder":"deer oils respected/blood.ico","confidentiality":"median twelve ha","created_time":1722510563769556,"hashes":[{"value":"06B04AF04D46617C543D3B3E00B99E504838DD15737ADA44AD4294FDDDAFF6D9585FAC5FD5DFA5754AEB22DC9103B558FAB9AF00B6CA8EB2A9D69B81032A20DD","algorithm":"Unknown","algorithm_id":0},{"value":"7076AC494351B52696279B3745D5340FC3AFD5121F4D18647E4A29796EEFD6C57363BC0ACDEC4D9552DDA8D642B25D9B81BC08AEBF9B01A05F288053FB1AEB98","algorithm":"quickXorHash","algorithm_id":7}],"created_time_dt":"2024-08-01T11:09:23.769628Z"},"user":{"name":"Prep","type":"Unknown","uid":"82422f2a-4ff6-11ef-8418-0242ac110005","type_id":0},"group":{"name":"bet dictionaries peace"},"uid":"82423a2e-4ff6-11ef-ac30-0242ac110005","cmd_line":"checking yeast mark","container":{"name":"ireland subcommittee falling","size":1936688053,"uid":"82424474-4ff6-11ef-82f8-0242ac110005","image":{"name":"write paper 
recognized","uid":"82424de8-4ff6-11ef-8d6b-0242ac110005"},"hash":{"value":"D74C708F707DAB0C2242DD6D42285F3C7EE4E2A184638F20C51CBA94CBA1FC8712D9EC20451FFE4C09C4E3660F8F154D048927419E81E2A55F1ABFDCCF4F767B","algorithm":"quickXorHash","algorithm_id":7},"pod_uuid":"blues"},"created_time":1722510563770786,"parent_process":{"name":"Chile","pid":51,"file":{"name":"eyed.csr","owner":{"name":"Recent","type":"User","uid":"82426be8-4ff6-11ef-807f-0242ac110005","type_id":1,"uid_alt":"affiliation locks chance"},"type":"Regular File","path":"michigan prague acting/perfume.cer/eyed.csr","product":{"name":"classics problem furnished","version":"1.1.0","uid":"82427804-4ff6-11ef-92e9-0242ac110005","vendor_name":"mathematical chat duration"},"type_id":1,"accessor":{"name":"Reducing","type":"Admin","uid":"82428894-4ff6-11ef-aa8a-0242ac110005","type_id":2},"parent_folder":"michigan prague acting/perfume.cer","confidentiality":"coach","confidentiality_id":99,"hashes":[{"value":"44C87B3E980B5D5906C47A44899C53ECEAA127EF07D4DADDC5BEEB648A5EBD979F5D54C7002601E0148D642C58F1AFF229C9C50C02365ED263295529F74A9AB2","algorithm":"SHA-512","algorithm_id":4}],"security_descriptor":"hamilton samsung subsidiary"},"user":{"name":"Fitted","type":"Admin","uid":"82429a96-4ff6-11ef-ac59-0242ac110005","type_id":2},"group":{"name":"lightbox lay brad","uid":"8242f608-4ff6-11ef-aea1-0242ac110005"},"uid":"8242ff90-4ff6-11ef-b85f-0242ac110005","cmd_line":"fixed marketing wear","container":{"name":"disagree replied romania","size":940803910,"uid":"82430aa8-4ff6-11ef-83eb-0242ac110005","image":{"name":"venice shipment thursday","tag":"worst lamb depends","uid":"8243169c-4ff6-11ef-9bd9-0242ac110005"},"orchestrator":"syndrome permissions shark"},"created_time":1722510563775908,"integrity":"tired random grown","namespace_pid":4,"parent_process":{"pid":17,"file":{"name":"freedom.bat","owner":{"name":"Lake","type":"Unknown","type_id":0,"credential_uid":"82433334-4ff6-11ef-9df3-0242ac110005"},"type":"Symbolic 
Link","path":"ko phantom flights/ground.dtd/freedom.bat","desc":"beatles collar exposure","product":{"name":"gave thomson circumstances","uid":"82433e6a-4ff6-11ef-8379-0242ac110005","url_string":"copyrights","vendor_name":"poetry lived fy"},"uid":"82434784-4ff6-11ef-98ca-0242ac110005","type_id":7,"mime_type":"law/apparent","parent_folder":"ko phantom flights/ground.dtd","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"CD0EE6AF5EAA1C114A915FA7096E3060AE27D1892461BFA5EE7896B183FC87987940FD470777B47DC0709EED93E2EBCED33B3D3E0C4870660C470F1D1DCCDD45","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false,"xattributes":{}},"user":{"name":"Ak","type":"System","domain":"km msgid creek","uid":"82436e80-4ff6-11ef-b543-0242ac110005","type_id":3,"credential_uid":"824374de-4ff6-11ef-a10e-0242ac110005"},"group":{"name":"via capabilities manufacturing","uid":"82437e84-4ff6-11ef-a820-0242ac110005","privileges":["tv glasses retrieval"]},"uid":"824384d8-4ff6-11ef-8982-0242ac110005","cmd_line":"smile builders sanyo","container":{"name":"arrange lips hoped","size":3752277430,"uid":"82438e24-4ff6-11ef-9a2b-0242ac110005","image":{"name":"surfing harvest additionally","tag":"instrumentation mi dim","uid":"82439680-4ff6-11ef-b7fa-0242ac110005"},"hash":{"value":"37F2759ED75FB07B29E4F1A5A51072ADD7EC16769903AAA33DBBA5DEA773A7E3CBA90D3152ADBA24BF6E54372233D78D69D964F32AC2E3973C91C1FAB5D51B26","algorithm":"SHA-512","algorithm_id":4}},"created_time":1722510563779192,"namespace_pid":23,"parent_process":{"name":"Miles","pid":44,"file":{"name":"naturally.dmp","type":"apparently","version":"1.1.0","path":"eligible terms landscapes/those.accdb/naturally.dmp","product":{"name":"viruses dancing dirty","version":"1.1.0","uid":"8243ae0e-4ff6-11ef-9d4a-0242ac110005","lang":"en","vendor_name":"ricky junk 
daniel"},"type_id":99,"accessor":{"name":"Profiles","type":"hall","uid":"8243c31c-4ff6-11ef-b7ce-0242ac110005","type_id":99,"email_addr":"Benita@instrument.com","uid_alt":"zope unsubscribe be"},"parent_folder":"eligible terms landscapes/those.accdb","hashes":[{"value":"75017A36EC07FD4C377A0D2A011400AB193E61DB","algorithm":"SHA-1","algorithm_id":2}],"created_time_dt":"2024-08-01T11:09:23.780361Z","modified_time_dt":"2024-08-01T11:09:23.780372Z"},"user":{"name":"Translated","type":"User","uid":"8243ea5e-4ff6-11ef-af0a-0242ac110005","type_id":1,"full_name":"Bronwyn Kandi"},"group":{"name":"secure escape dui","type":"vault vocational aerospace","uid":"8243f65c-4ff6-11ef-a514-0242ac110005","privileges":["doug producing distributor","discover uri conscious"]},"uid":"8243fda0-4ff6-11ef-9876-0242ac110005","cmd_line":"compiler homework usually","container":{"name":"vietnamese sixth good","runtime":"paragraph pizza ing","size":3917616377,"uid":"82440a5c-4ff6-11ef-ad41-0242ac110005","image":{"name":"pr request boy","uid":"824413e4-4ff6-11ef-bb4f-0242ac110005"},"hash":{"value":"818853F7CD4B4D46AD3612755274DC4BE0689988A1BDBC0D8A5F54BA585D7FA5","algorithm":"SHA-256","algorithm_id":3},"orchestrator":"maintain cargo awarded"},"terminated_time":1722510563782421}},"terminated_time":1722510563782432,"euid":44,"egid":29,"created_time_dt":"2024-08-01T11:09:23.782438Z","terminated_time_dt":"2024-08-01T11:09:23.782445Z"},"terminated_time":1722510563782452,"auid":78,"terminated_time_dt":"2024-08-01T11:09:23.782458Z"},"euid":21,"created_time_dt":"2024-08-01T11:09:23.782465Z","terminated_time_dt":"2024-08-01T11:09:23.782471Z"},"euid":20},"user":{"name":"Villa","type":"seek","uid":"824425be-4ff6-11ef-8b9f-0242ac110005","org":{"name":"replied reservation circles","uid":"82442fdc-4ff6-11ef-b680-0242ac110005","ou_name":"dale halloween convenience"},"type_id":99,"uid_alt":"trout americans substance"}},"activity_name":"Client Synchronization","action":"Denied","proxy_endpoint":{"name":"resources 
contracts treasury","port":32431,"type":"Hub","ip":"175.16.199.0","hostname":"fashion.aero","uid":"8240c996-4ff6-11ef-a9b6-0242ac110005","mac":"AA:9E:EF:FA:F6:8C:22:78","type_id":11,"container":{"name":"actions bullet populations","size":1551677878,"uid":"8240d5bc-4ff6-11ef-8e32-0242ac110005","image":{"name":"jewish rating housewives","uid":"8240de40-4ff6-11ef-8dac-0242ac110005"},"hash":{"value":"428AC4813390324C88145AE1CB67084A8DA3386B","algorithm":"SHA-1","algorithm_id":2},"network_driver":"midi florists tired","orchestrator":"contract girl traditional"},"instance_uid":"8240e746-4ff6-11ef-a2e6-0242ac110005","interface_name":"bring ana ex","namespace_pid":71,"svc_name":"democratic benefits supplier"},"stratum_id":16,"severity":"indirect","category_name":"Network Activity","message":"c attended regulated","class_uid":4013,"severity_id":99,"version":"1.1.0","proxy_connection_info":{"uid":"8240bb40-4ff6-11ef-9482-0242ac110005","direction":"commodity","direction_id":99,"protocol_num":62,"protocol_ver":"Internet Protocol version 4 (IPv4)","protocol_ver_id":4},"time":1722510563760083,"precision":47,"device":{"name":"keyboards sudan tp","type":"Unknown","ip":"216.160.83.56","location":{"desc":"Guadeloupe","city":"Vic screenshot","country":"GP","coordinates":[22.1588,28.2006],"continent":"North America"},"hostname":"teeth.nato","image":{"uid":"8240911a-4ff6-11ef-a984-0242ac110005","labels":["microsoft"]},"type_id":0,"subnet":"38.80.125.0/24","container":{"name":"hormone investigated performances","size":793369097,"uid":"82409b10-4ff6-11ef-b701-0242ac110005","image":{"name":"distance beautifully maximum","tag":"passed contribution studied","uid":"8240a3d0-4ff6-11ef-be39-0242ac110005"},"hash":{"value":"CB553813B87B309D428B27D4E5A9457DCAD28C846E4C0EFAB7A1A8FA2345B199","algorithm":"magic","algorithm_id":99},"orchestrator":"genes thick degree"},"created_time":1722510563758738,"instance_uid":"8240879c-4ff6-11ef-af64-0242ac110005","interface_name":"abstracts cj 
highs","interface_uid":"8240ade4-4ff6-11ef-b741-0242ac110005","is_managed":false,"namespace_pid":56,"region":"painful lifetime significant","vlan_uid":"824080b2-4ff6-11ef-a395-0242ac110005"},"observables":[{"name":"logged nasdaq hosts","type":"Hash","type_id":8},{"name":"trading friends request","type":"gentle","type_id":99}],"type_name":"NTP Activity: Client Synchronization","type_uid":401303,"src_endpoint":{"name":"brandon attacked blonde","port":23430,"type":"Virtual","ip":"89.160.20.128","location":{"desc":"Macao, Special Administrative Region of China","city":"Death stars","country":"MO","coordinates":[-54.8511,61.8154],"continent":"Asia"},"hostname":"sacrifice.jobs","uid":"82403698-4ff6-11ef-bb82-0242ac110005","type_id":6,"container":{"name":"variety summary focused","size":1038161419,"uid":"824041c4-4ff6-11ef-916a-0242ac110005","image":{"name":"toddler yahoo dressing","uid":"82405042-4ff6-11ef-9809-0242ac110005"},"hash":{"value":"FEA9B0C8FDA936ECB33171CEBCAB7B574A0BD1A0A1D6B08474F8E20388709CAA28CB19DD8A53F0238CDD07712528D0AC7DE36988DE03147B1524257D6C190823","algorithm":"SHA-512","algorithm_id":4}},"instance_uid":"8240592a-4ff6-11ef-a917-0242ac110005","interface_name":"bobby machines drink","interface_uid":"82405fb0-4ff6-11ef-8580-0242ac110005","namespace_pid":19,"vpc_uid":"824065c8-4ff6-11ef-83f7-0242ac110005","zone":"admitted freebsd lazy"},"metadata":{"version":"1.1.0","product":{"name":"raising sodium preliminary","version":"1.1.0","uid":"82400ab0-4ff6-11ef-abab-0242ac110005","cpe_name":"skilled ru contributions","url_string":"mad","vendor_name":"answer probe affiliation"},"labels":["martin","lil"],"log_level":"recovered device retail","sequence":44,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"planets van wine","log_provider":"execute lite utah","original_time":"fairy affecting 
agricultural","tenant_uid":"8240179e-4ff6-11ef-b399-0242ac110005","processed_time_dt":"2024-08-01T11:09:23.756232Z"},"activity_id":3,"proxy_tls":{"version":"1.1.0","key_length":36,"cipher":"cent memories rochester","sni":"identification vincent breakfast","certificate_chain":["pack menu plot"],"ja3_hash":{"value":"AC725768466500046904D27B548D75C5","algorithm":"MD5","algorithm_id":1},"ja3s_hash":{"value":"FF1E2DBC60149EBF225BBC13B2E100CEC2DF9FE5A8024345B354723618C4A4B74622930D7ED086F5B727F66E3E617E0DA4E39B3BFB4B67378F600594D2C05396","algorithm":"Unknown","algorithm_id":0},"tls_extension_list":[{"data":"recruitment","type":"server_name","type_id":0}]},"stratum":"Unsynchronized","count":97,"status":"Success","connection_info":{"direction":"Lateral","direction_id":3,"protocol_num":24,"protocol_ver":"1"},"proxy_traffic":{"packets":3436547282},"timezone_offset":59,"category_uid":4,"proxy_http_response":{"code":84,"status":"accident around gamespot","http_headers":[{"name":"valid involving problem","value":"swiss navigator focused"}]},"cloud":{"account":{"name":"diet services amazon","type":"Linux Account","uid":"823f3676-4ff6-11ef-87ce-0242ac110005","type_id":9},"provider":"son fits additions","region":"stick aurora admission"},"dst_endpoint":{"name":"foul coming meetings","port":26803,"type":"Virtual","ip":"67.43.156.0","hostname":"sporting.edu","uid":"823eaf30-4ff6-11ef-9671-0242ac110005","type_id":6,"container":{"name":"fisher invite serial","size":480391375,"uid":"823eb962-4ff6-11ef-b477-0242ac110005","image":{"name":"scientific isa thrown","path":"isbn phones proof","uid":"823ec95c-4ff6-11ef-9378-0242ac110005","labels":["oc","inside"]},"hash":{"value":"0A2D96EB4F44895D58B6441A0129F11199AB967C178305172B83A039B4E6D41287DD945B3BCB4937343A8E4ECB95E4A9C84B495FF73B7F404EC88A0A0FA286F3","algorithm":"Unknown","algorithm_id":0}},"interface_name":"active rc 
saying","interface_uid":"823ed398-4ff6-11ef-9896-0242ac110005","intermediate_ips":["81.2.69.142","81.2.69.144"],"namespace_pid":38,"svc_name":"cyber influence simon","vpc_uid":"823edb22-4ff6-11ef-bd25-0242ac110005"},"action_id":2,"authorizations":[{},{}],"load_balancer":{"code":47,"name":"threats invoice popularity","uid":"823df61c-4ff6-11ef-a0b1-0242ac110005","dst_endpoint":{"name":"aspect attempted credit","port":42720,"type":"Laptop","ip":"31.13.253.50","hostname":"brake.jobs","uid":"823e06ac-4ff6-11ef-949d-0242ac110005","type_id":3,"container":{"name":"allowed entered philippines","size":4007710700,"tag":"items preservation orleans","uid":"823e1200-4ff6-11ef-833f-0242ac110005","image":{"name":"repairs opposed condos","tag":"melissa post courage","path":"circulation franklin everybody","uid":"823e1c46-4ff6-11ef-a5a8-0242ac110005"},"hash":{"value":"5733974066CC8F9646E6E1E170DB95F2B5D0E7DCDADF8A62A35EB47B61FCE172316B9A40AFD4FC58EC1B104C1DB4D1E2F0858866EDF563DE649A755940BCD18C","algorithm":"CTPH","algorithm_id":5}},"instance_uid":"823e25ec-4ff6-11ef-8a0b-0242ac110005","interface_name":"adelaide hewlett housewives","interface_uid":"823e2c9a-4ff6-11ef-9dc6-0242ac110005","namespace_pid":0,"svc_name":"layout radius connectors","vpc_uid":"823e3352-4ff6-11ef-8cdc-0242ac110005"},"endpoint_connections":[{"code":7,"network_endpoint":{"port":9631,"type":"Mobile","ip":"155.162.119.5","hostname":"principle.nato","uid":"823e6124-4ff6-11ef-83b0-0242ac110005","type_id":5,"hw_info":{"keyboard_info":{"ime":"mark least sean"},"ram_size":94,"serial_number":"invest spring distributors"},"instance_uid":"823e6bd8-4ff6-11ef-9050-0242ac110005","interface_name":"bouquet shorter node","interface_uid":"823e7290-4ff6-11ef-b82d-0242ac110005","svc_name":"surfing lynn leonard"}},{"code":95,"network_endpoint":{"name":"ambien thermal advance","port":58409,"type":"Browser","ip":"102.249.60.133","hostname":"ranging.pro","type_id":8,"container":{"name":"cad xanax 
businesses","size":2100136552,"uid":"823e83fc-4ff6-11ef-9497-0242ac110005","image":{"name":"usda ian manitoba","uid":"823e8d8e-4ff6-11ef-ae19-0242ac110005"},"orchestrator":"control flame phrases"},"instance_uid":"823e94a0-4ff6-11ef-bdd0-0242ac110005","interface_name":"platform boat nav","interface_uid":"823e9f2c-4ff6-11ef-8022-0242ac110005","namespace_pid":32,"svc_name":"intention currency persons","zone":"beverly fm stage"}}]},"class_name":"NTP Activity","status_id":1}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
index 8d486e226a4a..ca075c74cd85 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json 
@@ -3016,6 +3016,1035 @@ "query": "mattress betting covers", "scheme": "yoga thesaurus regardless" } + }, + { + "@timestamp": "+56554-03-09T20:36:00.083Z", + "cloud": { + "account": { + "id": "823f3676-4ff6-11ef-87ce-0242ac110005", + "name": "diet services amazon" + }, + "provider": "son fits additions", + "region": "stick aurora admission" + }, + "container": { + "id": "8241251c-4ff6-11ef-bfb4-0242ac110005", + "image": { + "name": "ports ide john" + }, + "name": "essential service beverage" + }, + "data_stream": { + "dataset": "amazon_security_lake.network_activity", + "namespace": "default", + "type": "logs" + }, + "destination": { + "domain": [ + "sporting.edu" + ], + "ip": "67.43.156.0", + "port": 26803 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "client-synchronization", + "category": [ + "network" + ], + "kind": "event", + "original": "{\"actor\":{\"process\":{\"pid\":55,\"file\":{\"name\":\"demonstrates.xlsx\",\"size\":1700247011,\"type\":\"Character Device\",\"path\":\"simpson alice serum/loud.key/demonstrates.xlsx\",\"desc\":\"suits peru therapist\",\"type_id\":3,\"accessor\":{\"name\":\"Dinner\",\"type\":\"User\",\"uid\":\"8241051e-4ff6-11ef-8c1c-0242ac110005\",\"type_id\":1,\"uid_alt\":\"tiny democrats map\"},\"creator\":{\"name\":\"Clock\",\"type\":\"System\",\"uid\":\"824111ee-4ff6-11ef-80d5-0242ac110005\",\"type_id\":3,\"email_addr\":\"Clelia@servers.arpa\"},\"parent_folder\":\"simpson alice serum/loud.key\",\"confidentiality\":\"Not Confidential\",\"confidentiality_id\":1,\"hashes\":[{\"value\":\"866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}]},\"uid\":\"82411bb2-4ff6-11ef-a29d-0242ac110005\",\"cmd_line\":\"composer 
oriented salt\",\"container\":{\"name\":\"essential service beverage\",\"size\":3850921168,\"uid\":\"8241251c-4ff6-11ef-bfb4-0242ac110005\",\"image\":{\"name\":\"ports ide john\",\"uid\":\"82412df0-4ff6-11ef-bb20-0242ac110005\"},\"hash\":{\"value\":\"FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722510563763413,\"namespace_pid\":26,\"parent_process\":{\"name\":\"Peripheral\",\"file\":{\"name\":\"ebook.xls\",\"type\":\"Named Pipe\",\"path\":\"sheffield specs folks/ab.dll/ebook.xls\",\"uid\":\"824151a4-4ff6-11ef-baa0-0242ac110005\",\"type_id\":6,\"accessor\":{\"name\":\"Mp\",\"type\":\"Admin\",\"uid\":\"82415dc0-4ff6-11ef-8589-0242ac110005\",\"type_id\":2},\"creator\":{\"name\":\"Contemporary\",\"type\":\"User\",\"uid\":\"82416b62-4ff6-11ef-bb14-0242ac110005\",\"groups\":[{\"name\":\"differences rachel activity\",\"uid\":\"824174ea-4ff6-11ef-858b-0242ac110005\"},{\"name\":\"philips facility sure\",\"desc\":\"richardson silly malpractice\"}],\"type_id\":1,\"credential_uid\":\"82417bf2-4ff6-11ef-9b27-0242ac110005\"},\"parent_folder\":\"sheffield specs folks/ab.dll\",\"confidentiality\":\"ws rage bedford\",\"hashes\":[{\"value\":\"8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B\",\"algorithm\":\"magic\",\"algorithm_id\":99}],\"xattributes\":{},\"accessed_time_dt\":\"2024-08-01T11:09:23.765455Z\"},\"user\":{\"type\":\"System\",\"uid\":\"82418dcc-4ff6-11ef-ad9d-0242ac110005\",\"groups\":[{\"name\":\"minneapolis listen accounts\",\"uid\":\"82419740-4ff6-11ef-8605-0242ac110005\"},{\"name\":\"convert temporal sees\",\"type\":\"pointer launch particle\",\"uid\":\"82419e0c-4ff6-11ef-a40e-0242ac110005\"}],\"type_id\":3,\"account\":{\"name\":\"person catalogs assembled\",\"type\":\"AWS IAM 
Role\",\"uid\":\"8241a78a-4ff6-11ef-a514-0242ac110005\",\"type_id\":4},\"email_addr\":\"Mabel@appointment.cat\"},\"group\":{\"name\":\"crisis vulnerable challenge\",\"desc\":\"understand charlie shorts\"},\"tid\":31,\"uid\":\"8241b414-4ff6-11ef-942e-0242ac110005\",\"cmd_line\":\"scientist discover md\",\"container\":{\"name\":\"basement canada const\",\"size\":3047246820,\"uid\":\"8241bd6a-4ff6-11ef-b2aa-0242ac110005\",\"image\":{\"uid\":\"8241c562-4ff6-11ef-8fe7-0242ac110005\"},\"orchestrator\":\"leslie contribute pixel\"},\"created_time\":1722510563767250,\"namespace_pid\":1,\"parent_process\":{\"name\":\"Racks\",\"pid\":74,\"file\":{\"name\":\"lightning.htm\",\"type\":\"valve\",\"path\":\"deer oils respected/blood.ico/lightning.htm\",\"desc\":\"differently maldives brand\",\"product\":{\"name\":\"relevant adaptation midwest\",\"version\":\"1.1.0\",\"lang\":\"en\",\"vendor_name\":\"eclipse korean ghost\"},\"type_id\":99,\"accessor\":{\"name\":\"Request\",\"type\":\"Admin\",\"uid\":\"8241ede4-4ff6-11ef-acc4-0242ac110005\",\"groups\":[{\"name\":\"well characterization holocaust\",\"uid\":\"82421e4a-4ff6-11ef-8980-0242ac110005\"},{\"name\":\"levitra against glen\"}],\"type_id\":2},\"parent_folder\":\"deer oils respected/blood.ico\",\"confidentiality\":\"median twelve ha\",\"created_time\":1722510563769556,\"hashes\":[{\"value\":\"06B04AF04D46617C543D3B3E00B99E504838DD15737ADA44AD4294FDDDAFF6D9585FAC5FD5DFA5754AEB22DC9103B558FAB9AF00B6CA8EB2A9D69B81032A20DD\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},{\"value\":\"7076AC494351B52696279B3745D5340FC3AFD5121F4D18647E4A29796EEFD6C57363BC0ACDEC4D9552DDA8D642B25D9B81BC08AEBF9B01A05F288053FB1AEB98\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"created_time_dt\":\"2024-08-01T11:09:23.769628Z\"},\"user\":{\"name\":\"Prep\",\"type\":\"Unknown\",\"uid\":\"82422f2a-4ff6-11ef-8418-0242ac110005\",\"type_id\":0},\"group\":{\"name\":\"bet dictionaries 
peace\"},\"uid\":\"82423a2e-4ff6-11ef-ac30-0242ac110005\",\"cmd_line\":\"checking yeast mark\",\"container\":{\"name\":\"ireland subcommittee falling\",\"size\":1936688053,\"uid\":\"82424474-4ff6-11ef-82f8-0242ac110005\",\"image\":{\"name\":\"write paper recognized\",\"uid\":\"82424de8-4ff6-11ef-8d6b-0242ac110005\"},\"hash\":{\"value\":\"D74C708F707DAB0C2242DD6D42285F3C7EE4E2A184638F20C51CBA94CBA1FC8712D9EC20451FFE4C09C4E3660F8F154D048927419E81E2A55F1ABFDCCF4F767B\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"pod_uuid\":\"blues\"},\"created_time\":1722510563770786,\"parent_process\":{\"name\":\"Chile\",\"pid\":51,\"file\":{\"name\":\"eyed.csr\",\"owner\":{\"name\":\"Recent\",\"type\":\"User\",\"uid\":\"82426be8-4ff6-11ef-807f-0242ac110005\",\"type_id\":1,\"uid_alt\":\"affiliation locks chance\"},\"type\":\"Regular File\",\"path\":\"michigan prague acting/perfume.cer/eyed.csr\",\"product\":{\"name\":\"classics problem furnished\",\"version\":\"1.1.0\",\"uid\":\"82427804-4ff6-11ef-92e9-0242ac110005\",\"vendor_name\":\"mathematical chat duration\"},\"type_id\":1,\"accessor\":{\"name\":\"Reducing\",\"type\":\"Admin\",\"uid\":\"82428894-4ff6-11ef-aa8a-0242ac110005\",\"type_id\":2},\"parent_folder\":\"michigan prague acting/perfume.cer\",\"confidentiality\":\"coach\",\"confidentiality_id\":99,\"hashes\":[{\"value\":\"44C87B3E980B5D5906C47A44899C53ECEAA127EF07D4DADDC5BEEB648A5EBD979F5D54C7002601E0148D642C58F1AFF229C9C50C02365ED263295529F74A9AB2\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"security_descriptor\":\"hamilton samsung subsidiary\"},\"user\":{\"name\":\"Fitted\",\"type\":\"Admin\",\"uid\":\"82429a96-4ff6-11ef-ac59-0242ac110005\",\"type_id\":2},\"group\":{\"name\":\"lightbox lay brad\",\"uid\":\"8242f608-4ff6-11ef-aea1-0242ac110005\"},\"uid\":\"8242ff90-4ff6-11ef-b85f-0242ac110005\",\"cmd_line\":\"fixed marketing wear\",\"container\":{\"name\":\"disagree replied 
romania\",\"size\":940803910,\"uid\":\"82430aa8-4ff6-11ef-83eb-0242ac110005\",\"image\":{\"name\":\"venice shipment thursday\",\"tag\":\"worst lamb depends\",\"uid\":\"8243169c-4ff6-11ef-9bd9-0242ac110005\"},\"orchestrator\":\"syndrome permissions shark\"},\"created_time\":1722510563775908,\"integrity\":\"tired random grown\",\"namespace_pid\":4,\"parent_process\":{\"pid\":17,\"file\":{\"name\":\"freedom.bat\",\"owner\":{\"name\":\"Lake\",\"type\":\"Unknown\",\"type_id\":0,\"credential_uid\":\"82433334-4ff6-11ef-9df3-0242ac110005\"},\"type\":\"Symbolic Link\",\"path\":\"ko phantom flights/ground.dtd/freedom.bat\",\"desc\":\"beatles collar exposure\",\"product\":{\"name\":\"gave thomson circumstances\",\"uid\":\"82433e6a-4ff6-11ef-8379-0242ac110005\",\"url_string\":\"copyrights\",\"vendor_name\":\"poetry lived fy\"},\"uid\":\"82434784-4ff6-11ef-98ca-0242ac110005\",\"type_id\":7,\"mime_type\":\"law/apparent\",\"parent_folder\":\"ko phantom flights/ground.dtd\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"CD0EE6AF5EAA1C114A915FA7096E3060AE27D1892461BFA5EE7896B183FC87987940FD470777B47DC0709EED93E2EBCED33B3D3E0C4870660C470F1D1DCCDD45\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":false,\"xattributes\":{}},\"user\":{\"name\":\"Ak\",\"type\":\"System\",\"domain\":\"km msgid creek\",\"uid\":\"82436e80-4ff6-11ef-b543-0242ac110005\",\"type_id\":3,\"credential_uid\":\"824374de-4ff6-11ef-a10e-0242ac110005\"},\"group\":{\"name\":\"via capabilities manufacturing\",\"uid\":\"82437e84-4ff6-11ef-a820-0242ac110005\",\"privileges\":[\"tv glasses retrieval\"]},\"uid\":\"824384d8-4ff6-11ef-8982-0242ac110005\",\"cmd_line\":\"smile builders sanyo\",\"container\":{\"name\":\"arrange lips hoped\",\"size\":3752277430,\"uid\":\"82438e24-4ff6-11ef-9a2b-0242ac110005\",\"image\":{\"name\":\"surfing harvest additionally\",\"tag\":\"instrumentation mi 
dim\",\"uid\":\"82439680-4ff6-11ef-b7fa-0242ac110005\"},\"hash\":{\"value\":\"37F2759ED75FB07B29E4F1A5A51072ADD7EC16769903AAA33DBBA5DEA773A7E3CBA90D3152ADBA24BF6E54372233D78D69D964F32AC2E3973C91C1FAB5D51B26\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1722510563779192,\"namespace_pid\":23,\"parent_process\":{\"name\":\"Miles\",\"pid\":44,\"file\":{\"name\":\"naturally.dmp\",\"type\":\"apparently\",\"version\":\"1.1.0\",\"path\":\"eligible terms landscapes/those.accdb/naturally.dmp\",\"product\":{\"name\":\"viruses dancing dirty\",\"version\":\"1.1.0\",\"uid\":\"8243ae0e-4ff6-11ef-9d4a-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"ricky junk daniel\"},\"type_id\":99,\"accessor\":{\"name\":\"Profiles\",\"type\":\"hall\",\"uid\":\"8243c31c-4ff6-11ef-b7ce-0242ac110005\",\"type_id\":99,\"email_addr\":\"Benita@instrument.com\",\"uid_alt\":\"zope unsubscribe be\"},\"parent_folder\":\"eligible terms landscapes/those.accdb\",\"hashes\":[{\"value\":\"75017A36EC07FD4C377A0D2A011400AB193E61DB\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"created_time_dt\":\"2024-08-01T11:09:23.780361Z\",\"modified_time_dt\":\"2024-08-01T11:09:23.780372Z\"},\"user\":{\"name\":\"Translated\",\"type\":\"User\",\"uid\":\"8243ea5e-4ff6-11ef-af0a-0242ac110005\",\"type_id\":1,\"full_name\":\"Bronwyn Kandi\"},\"group\":{\"name\":\"secure escape dui\",\"type\":\"vault vocational aerospace\",\"uid\":\"8243f65c-4ff6-11ef-a514-0242ac110005\",\"privileges\":[\"doug producing distributor\",\"discover uri conscious\"]},\"uid\":\"8243fda0-4ff6-11ef-9876-0242ac110005\",\"cmd_line\":\"compiler homework usually\",\"container\":{\"name\":\"vietnamese sixth good\",\"runtime\":\"paragraph pizza ing\",\"size\":3917616377,\"uid\":\"82440a5c-4ff6-11ef-ad41-0242ac110005\",\"image\":{\"name\":\"pr request 
boy\",\"uid\":\"824413e4-4ff6-11ef-bb4f-0242ac110005\"},\"hash\":{\"value\":\"818853F7CD4B4D46AD3612755274DC4BE0689988A1BDBC0D8A5F54BA585D7FA5\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},\"orchestrator\":\"maintain cargo awarded\"},\"terminated_time\":1722510563782421}},\"terminated_time\":1722510563782432,\"euid\":44,\"egid\":29,\"created_time_dt\":\"2024-08-01T11:09:23.782438Z\",\"terminated_time_dt\":\"2024-08-01T11:09:23.782445Z\"},\"terminated_time\":1722510563782452,\"auid\":78,\"terminated_time_dt\":\"2024-08-01T11:09:23.782458Z\"},\"euid\":21,\"created_time_dt\":\"2024-08-01T11:09:23.782465Z\",\"terminated_time_dt\":\"2024-08-01T11:09:23.782471Z\"},\"euid\":20},\"user\":{\"name\":\"Villa\",\"type\":\"seek\",\"uid\":\"824425be-4ff6-11ef-8b9f-0242ac110005\",\"org\":{\"name\":\"replied reservation circles\",\"uid\":\"82442fdc-4ff6-11ef-b680-0242ac110005\",\"ou_name\":\"dale halloween convenience\"},\"type_id\":99,\"uid_alt\":\"trout americans substance\"}},\"activity_name\":\"Client Synchronization\",\"action\":\"Denied\",\"proxy_endpoint\":{\"name\":\"resources contracts treasury\",\"port\":32431,\"type\":\"Hub\",\"ip\":\"175.16.199.0\",\"hostname\":\"fashion.aero\",\"uid\":\"8240c996-4ff6-11ef-a9b6-0242ac110005\",\"mac\":\"AA:9E:EF:FA:F6:8C:22:78\",\"type_id\":11,\"container\":{\"name\":\"actions bullet populations\",\"size\":1551677878,\"uid\":\"8240d5bc-4ff6-11ef-8e32-0242ac110005\",\"image\":{\"name\":\"jewish rating housewives\",\"uid\":\"8240de40-4ff6-11ef-8dac-0242ac110005\"},\"hash\":{\"value\":\"428AC4813390324C88145AE1CB67084A8DA3386B\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},\"network_driver\":\"midi florists tired\",\"orchestrator\":\"contract girl traditional\"},\"instance_uid\":\"8240e746-4ff6-11ef-a2e6-0242ac110005\",\"interface_name\":\"bring ana ex\",\"namespace_pid\":71,\"svc_name\":\"democratic benefits supplier\"},\"stratum_id\":16,\"severity\":\"indirect\",\"category_name\":\"Network Activity\",\"message\":\"c attended 
regulated\",\"class_uid\":4013,\"severity_id\":99,\"version\":\"1.1.0\",\"proxy_connection_info\":{\"uid\":\"8240bb40-4ff6-11ef-9482-0242ac110005\",\"direction\":\"commodity\",\"direction_id\":99,\"protocol_num\":62,\"protocol_ver\":\"Internet Protocol version 4 (IPv4)\",\"protocol_ver_id\":4},\"time\":1722510563760083,\"precision\":47,\"device\":{\"name\":\"keyboards sudan tp\",\"type\":\"Unknown\",\"ip\":\"216.160.83.56\",\"location\":{\"desc\":\"Guadeloupe\",\"city\":\"Vic screenshot\",\"country\":\"GP\",\"coordinates\":[22.1588,28.2006],\"continent\":\"North America\"},\"hostname\":\"teeth.nato\",\"image\":{\"uid\":\"8240911a-4ff6-11ef-a984-0242ac110005\",\"labels\":[\"microsoft\"]},\"type_id\":0,\"subnet\":\"38.80.125.0/24\",\"container\":{\"name\":\"hormone investigated performances\",\"size\":793369097,\"uid\":\"82409b10-4ff6-11ef-b701-0242ac110005\",\"image\":{\"name\":\"distance beautifully maximum\",\"tag\":\"passed contribution studied\",\"uid\":\"8240a3d0-4ff6-11ef-be39-0242ac110005\"},\"hash\":{\"value\":\"CB553813B87B309D428B27D4E5A9457DCAD28C846E4C0EFAB7A1A8FA2345B199\",\"algorithm\":\"magic\",\"algorithm_id\":99},\"orchestrator\":\"genes thick degree\"},\"created_time\":1722510563758738,\"instance_uid\":\"8240879c-4ff6-11ef-af64-0242ac110005\",\"interface_name\":\"abstracts cj highs\",\"interface_uid\":\"8240ade4-4ff6-11ef-b741-0242ac110005\",\"is_managed\":false,\"namespace_pid\":56,\"region\":\"painful lifetime significant\",\"vlan_uid\":\"824080b2-4ff6-11ef-a395-0242ac110005\"},\"observables\":[{\"name\":\"logged nasdaq hosts\",\"type\":\"Hash\",\"type_id\":8},{\"name\":\"trading friends request\",\"type\":\"gentle\",\"type_id\":99}],\"type_name\":\"NTP Activity: Client Synchronization\",\"type_uid\":401303,\"src_endpoint\":{\"name\":\"brandon attacked blonde\",\"port\":23430,\"type\":\"Virtual\",\"ip\":\"89.160.20.128\",\"location\":{\"desc\":\"Macao, Special Administrative Region of China\",\"city\":\"Death 
stars\",\"country\":\"MO\",\"coordinates\":[-54.8511,61.8154],\"continent\":\"Asia\"},\"hostname\":\"sacrifice.jobs\",\"uid\":\"82403698-4ff6-11ef-bb82-0242ac110005\",\"type_id\":6,\"container\":{\"name\":\"variety summary focused\",\"size\":1038161419,\"uid\":\"824041c4-4ff6-11ef-916a-0242ac110005\",\"image\":{\"name\":\"toddler yahoo dressing\",\"uid\":\"82405042-4ff6-11ef-9809-0242ac110005\"},\"hash\":{\"value\":\"FEA9B0C8FDA936ECB33171CEBCAB7B574A0BD1A0A1D6B08474F8E20388709CAA28CB19DD8A53F0238CDD07712528D0AC7DE36988DE03147B1524257D6C190823\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"instance_uid\":\"8240592a-4ff6-11ef-a917-0242ac110005\",\"interface_name\":\"bobby machines drink\",\"interface_uid\":\"82405fb0-4ff6-11ef-8580-0242ac110005\",\"namespace_pid\":19,\"vpc_uid\":\"824065c8-4ff6-11ef-83f7-0242ac110005\",\"zone\":\"admitted freebsd lazy\"},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"raising sodium preliminary\",\"version\":\"1.1.0\",\"uid\":\"82400ab0-4ff6-11ef-abab-0242ac110005\",\"cpe_name\":\"skilled ru contributions\",\"url_string\":\"mad\",\"vendor_name\":\"answer probe affiliation\"},\"labels\":[\"martin\",\"lil\"],\"log_level\":\"recovered device retail\",\"sequence\":44,\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"planets van wine\",\"log_provider\":\"execute lite utah\",\"original_time\":\"fairy affecting agricultural\",\"tenant_uid\":\"8240179e-4ff6-11ef-b399-0242ac110005\",\"processed_time_dt\":\"2024-08-01T11:09:23.756232Z\"},\"activity_id\":3,\"proxy_tls\":{\"version\":\"1.1.0\",\"key_length\":36,\"cipher\":\"cent memories rochester\",\"sni\":\"identification vincent breakfast\",\"certificate_chain\":[\"pack menu 
plot\"],\"ja3_hash\":{\"value\":\"AC725768466500046904D27B548D75C5\",\"algorithm\":\"MD5\",\"algorithm_id\":1},\"ja3s_hash\":{\"value\":\"FF1E2DBC60149EBF225BBC13B2E100CEC2DF9FE5A8024345B354723618C4A4B74622930D7ED086F5B727F66E3E617E0DA4E39B3BFB4B67378F600594D2C05396\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"tls_extension_list\":[{\"data\":\"recruitment\",\"type\":\"server_name\",\"type_id\":0}]},\"stratum\":\"Unsynchronized\",\"count\":97,\"status\":\"Success\",\"connection_info\":{\"direction\":\"Lateral\",\"direction_id\":3,\"protocol_num\":24,\"protocol_ver\":\"1\"},\"proxy_traffic\":{\"packets\":3436547282},\"timezone_offset\":59,\"category_uid\":4,\"proxy_http_response\":{\"code\":84,\"status\":\"accident around gamespot\",\"http_headers\":[{\"name\":\"valid involving problem\",\"value\":\"swiss navigator focused\"}]},\"cloud\":{\"account\":{\"name\":\"diet services amazon\",\"type\":\"Linux Account\",\"uid\":\"823f3676-4ff6-11ef-87ce-0242ac110005\",\"type_id\":9},\"provider\":\"son fits additions\",\"region\":\"stick aurora admission\"},\"dst_endpoint\":{\"name\":\"foul coming meetings\",\"port\":26803,\"type\":\"Virtual\",\"ip\":\"67.43.156.0\",\"hostname\":\"sporting.edu\",\"uid\":\"823eaf30-4ff6-11ef-9671-0242ac110005\",\"type_id\":6,\"container\":{\"name\":\"fisher invite serial\",\"size\":480391375,\"uid\":\"823eb962-4ff6-11ef-b477-0242ac110005\",\"image\":{\"name\":\"scientific isa thrown\",\"path\":\"isbn phones proof\",\"uid\":\"823ec95c-4ff6-11ef-9378-0242ac110005\",\"labels\":[\"oc\",\"inside\"]},\"hash\":{\"value\":\"0A2D96EB4F44895D58B6441A0129F11199AB967C178305172B83A039B4E6D41287DD945B3BCB4937343A8E4ECB95E4A9C84B495FF73B7F404EC88A0A0FA286F3\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}},\"interface_name\":\"active rc saying\",\"interface_uid\":\"823ed398-4ff6-11ef-9896-0242ac110005\",\"intermediate_ips\":[\"81.2.69.142\",\"81.2.69.144\"],\"namespace_pid\":38,\"svc_name\":\"cyber influence 
simon\",\"vpc_uid\":\"823edb22-4ff6-11ef-bd25-0242ac110005\"},\"action_id\":2,\"authorizations\":[{},{}],\"load_balancer\":{\"code\":47,\"name\":\"threats invoice popularity\",\"uid\":\"823df61c-4ff6-11ef-a0b1-0242ac110005\",\"dst_endpoint\":{\"name\":\"aspect attempted credit\",\"port\":42720,\"type\":\"Laptop\",\"ip\":\"31.13.253.50\",\"hostname\":\"brake.jobs\",\"uid\":\"823e06ac-4ff6-11ef-949d-0242ac110005\",\"type_id\":3,\"container\":{\"name\":\"allowed entered philippines\",\"size\":4007710700,\"tag\":\"items preservation orleans\",\"uid\":\"823e1200-4ff6-11ef-833f-0242ac110005\",\"image\":{\"name\":\"repairs opposed condos\",\"tag\":\"melissa post courage\",\"path\":\"circulation franklin everybody\",\"uid\":\"823e1c46-4ff6-11ef-a5a8-0242ac110005\"},\"hash\":{\"value\":\"5733974066CC8F9646E6E1E170DB95F2B5D0E7DCDADF8A62A35EB47B61FCE172316B9A40AFD4FC58EC1B104C1DB4D1E2F0858866EDF563DE649A755940BCD18C\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}},\"instance_uid\":\"823e25ec-4ff6-11ef-8a0b-0242ac110005\",\"interface_name\":\"adelaide hewlett housewives\",\"interface_uid\":\"823e2c9a-4ff6-11ef-9dc6-0242ac110005\",\"namespace_pid\":0,\"svc_name\":\"layout radius connectors\",\"vpc_uid\":\"823e3352-4ff6-11ef-8cdc-0242ac110005\"},\"endpoint_connections\":[{\"code\":7,\"network_endpoint\":{\"port\":9631,\"type\":\"Mobile\",\"ip\":\"155.162.119.5\",\"hostname\":\"principle.nato\",\"uid\":\"823e6124-4ff6-11ef-83b0-0242ac110005\",\"type_id\":5,\"hw_info\":{\"keyboard_info\":{\"ime\":\"mark least sean\"},\"ram_size\":94,\"serial_number\":\"invest spring distributors\"},\"instance_uid\":\"823e6bd8-4ff6-11ef-9050-0242ac110005\",\"interface_name\":\"bouquet shorter node\",\"interface_uid\":\"823e7290-4ff6-11ef-b82d-0242ac110005\",\"svc_name\":\"surfing lynn leonard\"}},{\"code\":95,\"network_endpoint\":{\"name\":\"ambien thermal advance\",\"port\":58409,\"type\":\"Browser\",\"ip\":\"102.249.60.133\",\"hostname\":\"ranging.pro\",\"type_id\":8,\"container\":{\"name\":\"cad 
xanax businesses\",\"size\":2100136552,\"uid\":\"823e83fc-4ff6-11ef-9497-0242ac110005\",\"image\":{\"name\":\"usda ian manitoba\",\"uid\":\"823e8d8e-4ff6-11ef-ae19-0242ac110005\"},\"orchestrator\":\"control flame phrases\"},\"instance_uid\":\"823e94a0-4ff6-11ef-bdd0-0242ac110005\",\"interface_name\":\"platform boat nav\",\"interface_uid\":\"823e9f2c-4ff6-11ef-8022-0242ac110005\",\"namespace_pid\":32,\"svc_name\":\"intention currency persons\",\"zone\":\"beverly fm stage\"}}]},\"class_name\":\"NTP Activity\",\"status_id\":1}", + "outcome": "success", + "provider": "execute lite utah", + "sequence": 44, + "severity": 99, + "type": [ + "info", + "start" + ] + }, + "file": { + "directory": "simpson alice serum/loud.key", + "hash": { + "sha512": [ + "866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9" + ], + "ssdeep": [ + "9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C" + ] + }, + "name": "demonstrates.xlsx", + "path": "simpson alice serum/loud.key/demonstrates.xlsx", + "size": 1700247011, + "type": "Character Device" + }, + "host": { + "geo": { + "city_name": "Vic screenshot", + "continent_name": "North America", + "country_iso_code": "GP", + "location": [ + 22.1588, + 28.2006 + ], + "name": "Guadeloupe" + }, + "hostname": "teeth.nato", + "ip": [ + "216.160.83.56" + ], + "name": "keyboards sudan tp", + "type": "Unknown" + }, + "message": "c attended regulated", + "network": { + "application": [ + "cyber influence simon" + ], + "iana_number": "24", + "type": "1", + "vlan": { + "id": "824080b2-4ff6-11ef-a395-0242ac110005" + } + }, + "ocsf": { + "action": "Denied", + "action_id": 2, + "activity_id": "3", + "activity_name": "Client Synchronization", + "actor": { + "process": { + "cmd_line": "composer oriented salt", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": "99", + "value": 
"FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16" + }, + "image": { + "name": "ports ide john", + "uid": "82412df0-4ff6-11ef-bb20-0242ac110005" + }, + "name": "essential service beverage", + "size": 3850921168, + "uid": "8241251c-4ff6-11ef-bfb4-0242ac110005" + }, + "created_time": "+56554-03-09T20:36:03.413Z", + "euid": "20", + "file": { + "accessor": { + "name": "Dinner", + "type": "User", + "type_id": "1", + "uid": "8241051e-4ff6-11ef-8c1c-0242ac110005", + "uid_alt": "tiny democrats map" + }, + "confidentiality": "Not Confidential", + "confidentiality_id": "1", + "creator": { + "email_addr": "Clelia@servers.arpa", + "name": "Clock", + "type": "System", + "type_id": "3", + "uid": "824111ee-4ff6-11ef-80d5-0242ac110005" + }, + "desc": "suits peru therapist", + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": "4", + "value": "866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C" + } + ], + "name": "demonstrates.xlsx", + "parent_folder": "simpson alice serum/loud.key", + "path": "simpson alice serum/loud.key/demonstrates.xlsx", + "size": 1700247011, + "type": "Character Device", + "type_id": "3" + }, + "namespace_pid": 26, + "parent_process": { + "cmd_line": "scientist discover md", + "container": { + "image": { + "uid": "8241c562-4ff6-11ef-8fe7-0242ac110005" + }, + "name": "basement canada const", + "orchestrator": "leslie contribute pixel", + "size": 3047246820, + "uid": "8241bd6a-4ff6-11ef-b2aa-0242ac110005" + }, + "created_time": "+56554-03-09T20:36:07.250Z", + "created_time_dt": "2024-08-01T11:09:23.782Z", + "euid": "21", + "file": { + "accessed_time_dt": "2024-08-01T11:09:23.765Z", + "accessor": { + "name": "Mp", + "type": "Admin", + "type_id": "2", + "uid": 
"82415dc0-4ff6-11ef-8589-0242ac110005" + }, + "confidentiality": "ws rage bedford", + "creator": { + "credential_uid": "82417bf2-4ff6-11ef-9b27-0242ac110005", + "groups": [ + { + "name": "differences rachel activity", + "uid": "824174ea-4ff6-11ef-858b-0242ac110005" + }, + { + "desc": "richardson silly malpractice", + "name": "philips facility sure" + } + ], + "name": "Contemporary", + "type": "User", + "type_id": "1", + "uid": "82416b62-4ff6-11ef-bb14-0242ac110005" + }, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6" + }, + { + "algorithm": "magic", + "algorithm_id": "99", + "value": "8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B" + } + ], + "name": "ebook.xls", + "parent_folder": "sheffield specs folks/ab.dll", + "path": "sheffield specs folks/ab.dll/ebook.xls", + "type": "Named Pipe", + "type_id": "6", + "uid": "824151a4-4ff6-11ef-baa0-0242ac110005" + }, + "group": { + "desc": "understand charlie shorts", + "name": "crisis vulnerable challenge" + }, + "name": "Peripheral", + "namespace_pid": 1, + "parent_process": { + "auid": 78, + "cmd_line": "checking yeast mark", + "container": { + "hash": { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "D74C708F707DAB0C2242DD6D42285F3C7EE4E2A184638F20C51CBA94CBA1FC8712D9EC20451FFE4C09C4E3660F8F154D048927419E81E2A55F1ABFDCCF4F767B" + }, + "image": { + "name": "write paper recognized", + "uid": "82424de8-4ff6-11ef-8d6b-0242ac110005" + }, + "name": "ireland subcommittee falling", + "pod_uuid": "blues", + "size": 1936688053, + "uid": "82424474-4ff6-11ef-82f8-0242ac110005" + }, + "created_time": 1722510563770786, + "file": { + "accessor": { + "groups": [ + { + "name": "well characterization holocaust", + "uid": "82421e4a-4ff6-11ef-8980-0242ac110005" + }, + { + "name": "levitra against glen" + } + ], + "name": "Request", + "type": "Admin", + 
"type_id": 2, + "uid": "8241ede4-4ff6-11ef-acc4-0242ac110005" + }, + "confidentiality": "median twelve ha", + "created_time": 1722510563769556, + "created_time_dt": "2024-08-01T11:09:23.769628Z", + "desc": "differently maldives brand", + "hashes": [ + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "06B04AF04D46617C543D3B3E00B99E504838DD15737ADA44AD4294FDDDAFF6D9585FAC5FD5DFA5754AEB22DC9103B558FAB9AF00B6CA8EB2A9D69B81032A20DD" + }, + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "7076AC494351B52696279B3745D5340FC3AFD5121F4D18647E4A29796EEFD6C57363BC0ACDEC4D9552DDA8D642B25D9B81BC08AEBF9B01A05F288053FB1AEB98" + } + ], + "name": "lightning.htm", + "parent_folder": "deer oils respected/blood.ico", + "path": "deer oils respected/blood.ico/lightning.htm", + "product": { + "lang": "en", + "name": "relevant adaptation midwest", + "vendor_name": "eclipse korean ghost", + "version": "1.1.0" + }, + "type": "valve", + "type_id": 99 + }, + "group": { + "name": "bet dictionaries peace" + }, + "name": "Racks", + "parent_process": { + "cmd_line": "fixed marketing wear", + "container": { + "image": { + "name": "venice shipment thursday", + "tag": "worst lamb depends", + "uid": "8243169c-4ff6-11ef-9bd9-0242ac110005" + }, + "name": "disagree replied romania", + "orchestrator": "syndrome permissions shark", + "size": 940803910, + "uid": "82430aa8-4ff6-11ef-83eb-0242ac110005" + }, + "created_time": 1722510563775908, + "created_time_dt": "2024-08-01T11:09:23.782438Z", + "egid": 29, + "euid": 44, + "file": { + "accessor": { + "name": "Reducing", + "type": "Admin", + "type_id": 2, + "uid": "82428894-4ff6-11ef-aa8a-0242ac110005" + }, + "confidentiality": "coach", + "confidentiality_id": 99, + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "44C87B3E980B5D5906C47A44899C53ECEAA127EF07D4DADDC5BEEB648A5EBD979F5D54C7002601E0148D642C58F1AFF229C9C50C02365ED263295529F74A9AB2" + } + ], + "name": "eyed.csr", + "owner": { + "name": "Recent", + 
"type": "User", + "type_id": 1, + "uid": "82426be8-4ff6-11ef-807f-0242ac110005", + "uid_alt": "affiliation locks chance" + }, + "parent_folder": "michigan prague acting/perfume.cer", + "path": "michigan prague acting/perfume.cer/eyed.csr", + "product": { + "name": "classics problem furnished", + "uid": "82427804-4ff6-11ef-92e9-0242ac110005", + "vendor_name": "mathematical chat duration", + "version": "1.1.0" + }, + "security_descriptor": "hamilton samsung subsidiary", + "type": "Regular File", + "type_id": 1 + }, + "group": { + "name": "lightbox lay brad", + "uid": "8242f608-4ff6-11ef-aea1-0242ac110005" + }, + "integrity": "tired random grown", + "name": "Chile", + "namespace_pid": 4, + "parent_process": { + "cmd_line": "smile builders sanyo", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "37F2759ED75FB07B29E4F1A5A51072ADD7EC16769903AAA33DBBA5DEA773A7E3CBA90D3152ADBA24BF6E54372233D78D69D964F32AC2E3973C91C1FAB5D51B26" + }, + "image": { + "name": "surfing harvest additionally", + "tag": "instrumentation mi dim", + "uid": "82439680-4ff6-11ef-b7fa-0242ac110005" + }, + "name": "arrange lips hoped", + "size": 3752277430, + "uid": "82438e24-4ff6-11ef-9a2b-0242ac110005" + }, + "created_time": 1722510563779192, + "file": { + "confidentiality": "Unknown", + "confidentiality_id": 0, + "desc": "beatles collar exposure", + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "CD0EE6AF5EAA1C114A915FA7096E3060AE27D1892461BFA5EE7896B183FC87987940FD470777B47DC0709EED93E2EBCED33B3D3E0C4870660C470F1D1DCCDD45" + } + ], + "is_system": false, + "mime_type": "law/apparent", + "name": "freedom.bat", + "owner": { + "credential_uid": "82433334-4ff6-11ef-9df3-0242ac110005", + "name": "Lake", + "type": "Unknown", + "type_id": 0 + }, + "parent_folder": "ko phantom flights/ground.dtd", + "path": "ko phantom flights/ground.dtd/freedom.bat", + "product": { + "name": "gave thomson circumstances", + "uid": 
"82433e6a-4ff6-11ef-8379-0242ac110005", + "url_string": "copyrights", + "vendor_name": "poetry lived fy" + }, + "type": "Symbolic Link", + "type_id": 7, + "uid": "82434784-4ff6-11ef-98ca-0242ac110005" + }, + "group": { + "name": "via capabilities manufacturing", + "privileges": [ + "tv glasses retrieval" + ], + "uid": "82437e84-4ff6-11ef-a820-0242ac110005" + }, + "namespace_pid": 23, + "parent_process": { + "cmd_line": "compiler homework usually", + "container": { + "hash": { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "818853F7CD4B4D46AD3612755274DC4BE0689988A1BDBC0D8A5F54BA585D7FA5" + }, + "image": { + "name": "pr request boy", + "uid": "824413e4-4ff6-11ef-bb4f-0242ac110005" + }, + "name": "vietnamese sixth good", + "orchestrator": "maintain cargo awarded", + "runtime": "paragraph pizza ing", + "size": 3917616377, + "uid": "82440a5c-4ff6-11ef-ad41-0242ac110005" + }, + "file": { + "accessor": { + "email_addr": "Benita@instrument.com", + "name": "Profiles", + "type": "hall", + "type_id": 99, + "uid": "8243c31c-4ff6-11ef-b7ce-0242ac110005", + "uid_alt": "zope unsubscribe be" + }, + "created_time_dt": "2024-08-01T11:09:23.780361Z", + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "75017A36EC07FD4C377A0D2A011400AB193E61DB" + } + ], + "modified_time_dt": "2024-08-01T11:09:23.780372Z", + "name": "naturally.dmp", + "parent_folder": "eligible terms landscapes/those.accdb", + "path": "eligible terms landscapes/those.accdb/naturally.dmp", + "product": { + "lang": "en", + "name": "viruses dancing dirty", + "uid": "8243ae0e-4ff6-11ef-9d4a-0242ac110005", + "vendor_name": "ricky junk daniel", + "version": "1.1.0" + }, + "type": "apparently", + "type_id": 99, + "version": "1.1.0" + }, + "group": { + "name": "secure escape dui", + "privileges": [ + "doug producing distributor", + "discover uri conscious" + ], + "type": "vault vocational aerospace", + "uid": "8243f65c-4ff6-11ef-a514-0242ac110005" + }, + "name": "Miles", + "pid": 44, + 
"terminated_time": 1722510563782421, + "uid": "8243fda0-4ff6-11ef-9876-0242ac110005", + "user": { + "full_name": "Bronwyn Kandi", + "name": "Translated", + "type": "User", + "type_id": 1, + "uid": "8243ea5e-4ff6-11ef-af0a-0242ac110005" + } + }, + "pid": 17, + "uid": "824384d8-4ff6-11ef-8982-0242ac110005", + "user": { + "credential_uid": "824374de-4ff6-11ef-a10e-0242ac110005", + "domain": "km msgid creek", + "name": "Ak", + "type": "System", + "type_id": 3, + "uid": "82436e80-4ff6-11ef-b543-0242ac110005" + } + }, + "pid": 51, + "terminated_time": 1722510563782432, + "terminated_time_dt": "2024-08-01T11:09:23.782445Z", + "uid": "8242ff90-4ff6-11ef-b85f-0242ac110005", + "user": { + "name": "Fitted", + "type": "Admin", + "type_id": 2, + "uid": "82429a96-4ff6-11ef-ac59-0242ac110005" + } + }, + "pid": 74, + "terminated_time": 1722510563782452, + "terminated_time_dt": "2024-08-01T11:09:23.782458Z", + "uid": "82423a2e-4ff6-11ef-ac30-0242ac110005", + "user": { + "name": "Prep", + "type": "Unknown", + "type_id": 0, + "uid": "82422f2a-4ff6-11ef-8418-0242ac110005" + } + }, + "terminated_time_dt": "2024-08-01T11:09:23.782Z", + "tid": 31, + "uid": "8241b414-4ff6-11ef-942e-0242ac110005", + "user": { + "account": { + "name": "person catalogs assembled", + "type": "AWS IAM Role", + "type_id": "4", + "uid": "8241a78a-4ff6-11ef-a514-0242ac110005" + }, + "email_addr": "Mabel@appointment.cat", + "groups": [ + { + "name": "minneapolis listen accounts", + "uid": "82419740-4ff6-11ef-8605-0242ac110005" + }, + { + "name": "convert temporal sees", + "type": "pointer launch particle", + "uid": "82419e0c-4ff6-11ef-a40e-0242ac110005" + } + ], + "type": "System", + "type_id": "3", + "uid": "82418dcc-4ff6-11ef-ad9d-0242ac110005" + } + }, + "pid": 55, + "uid": "82411bb2-4ff6-11ef-a29d-0242ac110005" + }, + "user": { + "name": "Villa", + "org": { + "name": "replied reservation circles", + "ou_name": "dale halloween convenience", + "uid": "82442fdc-4ff6-11ef-b680-0242ac110005" + }, + "type": "seek", 
+ "type_id": "99", + "uid": "824425be-4ff6-11ef-8b9f-0242ac110005", + "uid_alt": "trout americans substance" + } + }, + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "NTP Activity", + "class_uid": "4013", + "cloud": { + "account": { + "name": "diet services amazon", + "type": "Linux Account", + "type_id": "9", + "uid": "823f3676-4ff6-11ef-87ce-0242ac110005" + }, + "provider": "son fits additions", + "region": "stick aurora admission" + }, + "connection_info": { + "direction": "Lateral", + "direction_id": "3", + "protocol_num": "24", + "protocol_ver": "1" + }, + "count": 97, + "device": { + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "CB553813B87B309D428B27D4E5A9457DCAD28C846E4C0EFAB7A1A8FA2345B199" + }, + "image": { + "name": "distance beautifully maximum", + "tag": "passed contribution studied", + "uid": "8240a3d0-4ff6-11ef-be39-0242ac110005" + }, + "name": "hormone investigated performances", + "orchestrator": "genes thick degree", + "size": 793369097, + "uid": "82409b10-4ff6-11ef-b701-0242ac110005" + }, + "created_time": "+56554-03-09T20:35:58.738Z", + "hostname": "teeth.nato", + "image": { + "labels": [ + "microsoft" + ], + "uid": "8240911a-4ff6-11ef-a984-0242ac110005" + }, + "instance_uid": "8240879c-4ff6-11ef-af64-0242ac110005", + "interface_name": "abstracts cj highs", + "interface_uid": "8240ade4-4ff6-11ef-b741-0242ac110005", + "ip": "216.160.83.56", + "is_managed": false, + "location": { + "city": "Vic screenshot", + "continent": "North America", + "coordinates": [ + 22.1588, + 28.2006 + ], + "country": "GP", + "desc": "Guadeloupe" + }, + "name": "keyboards sudan tp", + "namespace_pid": 56, + "region": "painful lifetime significant", + "subnet": "38.80.125.0/24", + "type": "Unknown", + "type_id": "0", + "vlan_uid": "824080b2-4ff6-11ef-a395-0242ac110005" + }, + "dst_endpoint": { + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": 
"0A2D96EB4F44895D58B6441A0129F11199AB967C178305172B83A039B4E6D41287DD945B3BCB4937343A8E4ECB95E4A9C84B495FF73B7F404EC88A0A0FA286F3" + }, + "image": { + "labels": [ + "oc", + "inside" + ], + "name": "scientific isa thrown", + "path": "isbn phones proof", + "uid": "823ec95c-4ff6-11ef-9378-0242ac110005" + }, + "name": "fisher invite serial", + "size": 480391375, + "uid": "823eb962-4ff6-11ef-b477-0242ac110005" + }, + "hostname": "sporting.edu", + "interface_name": "active rc saying", + "interface_uid": "823ed398-4ff6-11ef-9896-0242ac110005", + "intermediate_ips": [ + "81.2.69.142", + "81.2.69.144" + ], + "ip": "67.43.156.0", + "name": "foul coming meetings", + "namespace_pid": 38, + "port": 26803, + "svc_name": "cyber influence simon", + "type": "Virtual", + "type_id": 6, + "uid": "823eaf30-4ff6-11ef-9671-0242ac110005", + "vpc_uid": "823edb22-4ff6-11ef-bd25-0242ac110005" + }, + "load_balancer": { + "code": 47, + "dst_endpoint": { + "container": { + "hash": { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "5733974066CC8F9646E6E1E170DB95F2B5D0E7DCDADF8A62A35EB47B61FCE172316B9A40AFD4FC58EC1B104C1DB4D1E2F0858866EDF563DE649A755940BCD18C" + }, + "image": { + "name": "repairs opposed condos", + "path": "circulation franklin everybody", + "tag": "melissa post courage", + "uid": "823e1c46-4ff6-11ef-a5a8-0242ac110005" + }, + "name": "allowed entered philippines", + "size": 4007710700, + "tag": "items preservation orleans", + "uid": "823e1200-4ff6-11ef-833f-0242ac110005" + }, + "hostname": "brake.jobs", + "instance_uid": "823e25ec-4ff6-11ef-8a0b-0242ac110005", + "interface_name": "adelaide hewlett housewives", + "interface_uid": "823e2c9a-4ff6-11ef-9dc6-0242ac110005", + "ip": "31.13.253.50", + "name": "aspect attempted credit", + "namespace_pid": 0, + "port": 42720, + "svc_name": "layout radius connectors", + "type": "Laptop", + "type_id": 3, + "uid": "823e06ac-4ff6-11ef-949d-0242ac110005", + "vpc_uid": "823e3352-4ff6-11ef-8cdc-0242ac110005" + }, + "endpoint_connections": 
[ + { + "code": 7, + "network_endpoint": { + "hostname": "principle.nato", + "hw_info": { + "keyboard_info": { + "ime": "mark least sean" + }, + "ram_size": 94, + "serial_number": "invest spring distributors" + }, + "instance_uid": "823e6bd8-4ff6-11ef-9050-0242ac110005", + "interface_name": "bouquet shorter node", + "interface_uid": "823e7290-4ff6-11ef-b82d-0242ac110005", + "ip": "155.162.119.5", + "port": 9631, + "svc_name": "surfing lynn leonard", + "type": "Mobile", + "type_id": 5, + "uid": "823e6124-4ff6-11ef-83b0-0242ac110005" + } + }, + { + "code": 95, + "network_endpoint": { + "container": { + "image": { + "name": "usda ian manitoba", + "uid": "823e8d8e-4ff6-11ef-ae19-0242ac110005" + }, + "name": "cad xanax businesses", + "orchestrator": "control flame phrases", + "size": 2100136552, + "uid": "823e83fc-4ff6-11ef-9497-0242ac110005" + }, + "hostname": "ranging.pro", + "instance_uid": "823e94a0-4ff6-11ef-bdd0-0242ac110005", + "interface_name": "platform boat nav", + "interface_uid": "823e9f2c-4ff6-11ef-8022-0242ac110005", + "ip": "102.249.60.133", + "name": "ambien thermal advance", + "namespace_pid": 32, + "port": 58409, + "svc_name": "intention currency persons", + "type": "Browser", + "type_id": 8, + "zone": "beverly fm stage" + } + } + ], + "name": "threats invoice popularity", + "uid": "823df61c-4ff6-11ef-a0b1-0242ac110005" + }, + "message": "c attended regulated", + "metadata": { + "labels": [ + "martin", + "lil" + ], + "log_level": "recovered device retail", + "log_name": "planets van wine", + "log_provider": "execute lite utah", + "original_time": "fairy affecting agricultural", + "processed_time_dt": "2024-08-01T11:09:23.756Z", + "product": { + "cpe_name": "skilled ru contributions", + "name": "raising sodium preliminary", + "uid": "82400ab0-4ff6-11ef-abab-0242ac110005", + "url_string": "mad", + "vendor_name": "answer probe affiliation", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + 
"load_balancer", + "network_proxy", + "security_control" + ], + "sequence": 44, + "tenant_uid": "8240179e-4ff6-11ef-b399-0242ac110005", + "version": "1.1.0" + }, + "observables": [ + { + "name": "logged nasdaq hosts", + "type": "Hash", + "type_id": "8" + }, + { + "name": "trading friends request", + "type": "gentle", + "type_id": "99" + } + ], + "precision": 47, + "proxy_connection_info": { + "direction": "commodity", + "direction_id": 99, + "protocol_num": 62, + "protocol_ver": "Internet Protocol version 4 (IPv4)", + "protocol_ver_id": 4, + "uid": "8240bb40-4ff6-11ef-9482-0242ac110005" + }, + "proxy_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "428AC4813390324C88145AE1CB67084A8DA3386B" + }, + "image": { + "name": "jewish rating housewives", + "uid": "8240de40-4ff6-11ef-8dac-0242ac110005" + }, + "name": "actions bullet populations", + "network_driver": "midi florists tired", + "orchestrator": "contract girl traditional", + "size": 1551677878, + "uid": "8240d5bc-4ff6-11ef-8e32-0242ac110005" + }, + "hostname": "fashion.aero", + "instance_uid": "8240e746-4ff6-11ef-a2e6-0242ac110005", + "interface_name": "bring ana ex", + "ip": "175.16.199.0", + "mac": "AA:9E:EF:FA:F6:8C:22:78", + "name": "resources contracts treasury", + "namespace_pid": 71, + "port": 32431, + "svc_name": "democratic benefits supplier", + "type": "Hub", + "type_id": 11, + "uid": "8240c996-4ff6-11ef-a9b6-0242ac110005" + }, + "proxy_http_response": { + "code": 84, + "http_headers": [ + { + "name": "valid involving problem", + "value": "swiss navigator focused" + } + ], + "status": "accident around gamespot" + }, + "proxy_tls": { + "certificate_chain": [ + "pack menu plot" + ], + "cipher": "cent memories rochester", + "ja3_hash": { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "AC725768466500046904D27B548D75C5" + }, + "ja3s_hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": 
"FF1E2DBC60149EBF225BBC13B2E100CEC2DF9FE5A8024345B354723618C4A4B74622930D7ED086F5B727F66E3E617E0DA4E39B3BFB4B67378F600594D2C05396" + }, + "key_length": 36, + "sni": "identification vincent breakfast", + "tls_extension_list": [ + { + "data": "recruitment", + "type": "server_name", + "type_id": 0 + } + ], + "version": "1.1.0" + }, + "proxy_traffic": { + "packets": 3436547282 + }, + "severity": "indirect", + "severity_id": 99, + "src_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "FEA9B0C8FDA936ECB33171CEBCAB7B574A0BD1A0A1D6B08474F8E20388709CAA28CB19DD8A53F0238CDD07712528D0AC7DE36988DE03147B1524257D6C190823" + }, + "image": { + "name": "toddler yahoo dressing", + "uid": "82405042-4ff6-11ef-9809-0242ac110005" + }, + "name": "variety summary focused", + "size": 1038161419, + "uid": "824041c4-4ff6-11ef-916a-0242ac110005" + }, + "hostname": "sacrifice.jobs", + "instance_uid": "8240592a-4ff6-11ef-a917-0242ac110005", + "interface_name": "bobby machines drink", + "interface_uid": "82405fb0-4ff6-11ef-8580-0242ac110005", + "ip": "89.160.20.128", + "location": { + "city": "Death stars", + "continent": "Asia", + "coordinates": [ + -54.8511, + 61.8154 + ], + "country": "MO", + "desc": "Macao, Special Administrative Region of China" + }, + "name": "brandon attacked blonde", + "namespace_pid": 19, + "port": 23430, + "type": "Virtual", + "type_id": 6, + "uid": "82403698-4ff6-11ef-bb82-0242ac110005", + "vpc_uid": "824065c8-4ff6-11ef-83f7-0242ac110005", + "zone": "admitted freebsd lazy" + }, + "status": "Success", + "status_id": "1", + "stratum": "Unsynchronized", + "stratum_id": 16, + "time": "+56554-03-09T20:36:00.083Z", + "timezone_offset": 59, + "type_name": "NTP Activity: Client Synchronization", + "type_uid": "401303", + "version": "1.1.0" + }, + "process": { + "command_line": "composer oriented salt", + "entity_id": "82411bb2-4ff6-11ef-a29d-0242ac110005", + "parent": { + "command_line": "scientist discover md", + "end": 
"2024-08-01T11:09:23.782Z", + "entity_id": "8241b414-4ff6-11ef-942e-0242ac110005", + "group": { + "name": "crisis vulnerable challenge" + }, + "name": "Peripheral", + "start": "+56554-03-09T20:36:07.250Z", + "thread": { + "id": 31 + }, + "user": { + "email": "Mabel@appointment.cat", + "group": { + "id": [ + "82419740-4ff6-11ef-8605-0242ac110005", + "82419e0c-4ff6-11ef-a40e-0242ac110005" + ], + "name": [ + "minneapolis listen accounts", + "convert temporal sees" + ] + }, + "id": [ + "21", + "82418dcc-4ff6-11ef-ad9d-0242ac110005" + ] + } + }, + "pid": 55, + "start": "+56554-03-09T20:36:03.413Z", + "user": { + "id": [ + "20" + ] + } + }, + "related": { + "hash": [ + "FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16", + "866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9", + "9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C", + "8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6", + "8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B" + ], + "hosts": [ + "teeth.nato", + "keyboards sudan tp", + "sacrifice.jobs", + "sporting.edu" + ], + "ip": [ + "216.160.83.56", + "89.160.20.128", + "67.43.156.0", + "81.2.69.142", + "81.2.69.144" + ], + "user": [ + "20", + "824425be-4ff6-11ef-8b9f-0242ac110005", + "Villa", + "tiny democrats map", + "Dinner", + "8241051e-4ff6-11ef-8c1c-0242ac110005", + "Mabel@appointment.cat", + "21", + "82418dcc-4ff6-11ef-ad9d-0242ac110005", + "Mp", + "82415dc0-4ff6-11ef-8589-0242ac110005", + "Contemporary", + "82416b62-4ff6-11ef-bb14-0242ac110005", + "Clelia@servers.arpa", + "Clock", + "824111ee-4ff6-11ef-80d5-0242ac110005", + "trout americans substance" + ] + }, + "source": { + "domain": [ + "sacrifice.jobs" + ], + "geo": { + "city_name": "Death stars", + "continent_name": "Asia", + 
"country_iso_code": "MO", + "location": [ + -54.8511, + 61.8154 + ], + "name": "Macao, Special Administrative Region of China" + }, + "ip": "89.160.20.128", + "port": 23430 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "martin", + "lil" + ], + "user": { + "id": "824425be-4ff6-11ef-8b9f-0242ac110005", + "name": "Villa" + } } ] } \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 0e596917c320..307cca854f0b 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -28,7 +28,7 @@ processors: - set: field: event.kind tag: set_event_kind - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) value: event - set: field: event.kind @@ -70,7 +70,7 @@ processors: tag: append_network_into_event_category value: network allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['4001','4003','4004','4005','4007','4008','4010'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['4001','4003','4004','4005','4007','4008','4010','4013'].contains(ctx.ocsf.class_uid) - append: field: event.category tag: append_api_into_event_category 
@@ -124,7 +124,7 @@ processors:
 tag: append_info_into_event_type
 value: info
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6002','6003','6004'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','6002','6003','6004'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.type
 tag: append_user_into_event_type
@@ -166,13 +166,13 @@ processors:
 tag: append_start_into_event_type
 value: start
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','6002'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4013','4007','6002'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start','Symmetric Active Exchange','Client Synchronization','Broadcast','Control'].contains(ctx.ocsf.activity_name)
 - append:
 field: event.type
 tag: append_end_into_event_type
 value: end
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','6002'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Stop'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','4013','6002'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name)
 - append:
 field: event.type
 tag: append_denied_into_event_type
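Review bot: The activity-name lists in the start/end appends are shared by every class in the class list, so adding 'Other' (and 'Private Use Case') to the end branch now tags event.type end for any 1007/3002/4001/4007/6002 event whose activity_name is 'Other', which OCSF allows on every class through activity_id 99. Keeping the NTP activities in their own append keyed on the class avoids that cross-class leak, e.g. `if: ctx.ocsf?.class_uid == '4013' && ['Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name)`, and the same split applies to the start branch. Whether NTP 'Other'/'Private Use Case' should count as end and 'Broadcast'/'Control' as start looks like a judgement call that deserves a comment on the processor. As a point of style, '4013' sits between '4001' and '4007' in the start condition but after '4007' in the end condition; keeping these long lists sorted makes future diffs easier to read.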
@@ -693,22 +693,22 @@ processors:
 ignore_missing: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_actor" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
 tag: pipeline_object_actor
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_attack" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'].contains(ctx.ocsf.class_uid) && ctx.ocsf.attacks != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.attacks != null
 tag: pipeline_object_attack
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_network_connection_info" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null
 tag: pipeline_object_network_connection_info
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_device" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','5001','5002','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
 tag: pipeline_object_device
 ignore_missing_pipeline: true
 - pipeline:
@@ -718,12 +718,12 @@ processors:
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_malware" }}'
- if: ctx.ocsf?.class_uid != null && ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null
+ if: ctx.ocsf?.class_uid != null && ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null
 tag: pipeline_object_malware
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_network_endpoint" }}'
- if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','6001','6003','6004'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4013','6001','6003','6004'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)
 tag: pipeline_object_network_endpoint
 ignore_missing_pipeline: true
 - pipeline:
@@ -733,17 +733,17 @@ processors:
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_proxy" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.proxy != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.proxy != null
 tag: pipeline_object_proxy
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_tls" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.tls != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.tls != null
 tag: pipeline_object_tls
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_traffic" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.traffic != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.traffic != null
 tag: pipeline_object_traffic
 ignore_missing_pipeline: true
 - pipeline:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 9fdf0577d2e6..2e64876a3013 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
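Review bot: The pipeline_object_proxy processor still keys on `ctx.ocsf.proxy != null`, while the NTP Activity sample in this commit's expected-output fixture and the field mapping in this commit carry proxy data under `proxy_endpoint`, `proxy_connection_info`, `proxy_tls` and `proxy_traffic`, so for the newly added class 4013 this guard may never be true. If OCSF 1.1.0 moved `proxy` to `proxy_endpoint`, the condition needs `(ctx.ocsf.proxy != null || ctx.ocsf.proxy_endpoint != null)` (with the sub-pipeline reading the new name), otherwise adding 4013 here is dead code. The same check is worth running for pipeline_object_tls and pipeline_object_traffic, since that sample shows `proxy_tls`/`proxy_traffic` rather than top-level `tls`/`traffic`; I have not seen the sub-pipelines, so treat this as something to confirm. The processors list continues outside the hunk.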
@@ -10,6 +10,12 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
+ - name: action_id
+ type: integer
+ description: The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases.
+ - name: action
+ type: keyword
+ description: The normalized caption of action_id.
 - name: actual_permissions
 type: long
 description: The permissions that were granted to the in a platform-native format.
@@ -210,6 +216,48 @@
 - name: auth_protocol_id
 type: keyword
 description: The normalized identifier of the authentication protocol used to create the user session.
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome, e.g. allowed, denied.
+ - name: policy
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: 'The policy name. For example: IAM Policy.'
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
 - name: banner
 type: keyword
 description: The initial SMTP connection response that a messaging server receives after it connects to a email server.
@@ -504,6 +552,9 @@
 - name: autoscale_uid
 type: keyword
 description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
 - name: created_time
 type: date
 description: The time when the device was known to have been created.
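Review bot: `authorizations` is declared as a `group`, but in OCSF it is an array of Authorization objects, and Elasticsearch flattens object arrays, so a query like decision:Denied AND policy.name:X can match the decision of one element and the policy of another. If the decision-to-policy binding matters for detection or audit, `type: nested` keeps each element intact, or `flattened` would at least be consistent with the `container` field added later in this hunk; either way a one-line comment on the field, e.g. `# each element pairs a decision with the policy that produced it`, records the intent. I have not seen a fixture event carrying authorizations, so confirm the array shape against a real Security Lake record before changing the mapping.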
@@ -714,6 +765,9 @@
 - name: name
 type: keyword
 description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
 - name: network_interfaces
 type: group
 fields:
@@ -1303,87 +1357,6 @@
 - name: xattributes
 type: flattened
 description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: dst_endpoint
- type: group
- fields:
- - name: domain
- type: keyword
- description: The name of the domain.
- - name: hostname
- type: keyword
- description: The fully qualified name of the endpoint.
- - name: instance_uid
- type: keyword
- description: The unique identifier of a VM instance.
- - name: interface_name
- type: keyword
- description: The name of the network interface (e.g. eth2).
- - name: interface_uid
- type: keyword
- description: The unique identifier of the network interface.
- - name: intermediate_ips
- type: ip
- description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
- - name: ip
- type: ip
- description: The IP address of the endpoint, in either IPv4 or IPv6 format.
- - name: location
- type: group
- fields:
- - name: city
- type: keyword
- description: The name of the city.
- - name: continent
- type: keyword
- description: The name of the continent.
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
- type: keyword
- description: The postal code of the location.
- - name: provider
- type: keyword
- description: The provider of the geographical location data.
- - name: region
- type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The Media Access Control (MAC) address of the endpoint.
- - name: name
- type: keyword
- description: The short name of the endpoint.
- - name: port
- type: long
- description: The port used for communication within the network connection.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: svc_name
- type: keyword
- description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
- - name: uid
- type: keyword
- description: The unique identifier of the endpoint.
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
 - name: duration
 type: long
 description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
@@ -2605,6 +2578,9 @@
 - name: finding_info
 type: flattened
 description: Describes the supporting information about a generated finding.
+ - name: firewall_rule
+ type: flattened
+ description: The firewall rule that triggered the event.
 - name: group
 type: group
 fields:
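Review bot: The `dst_endpoint` group is removed here with no replacement in this hunk, yet the NTP Activity sample in this commit's expected-output fixture still carries `ocsf.dst_endpoint` with `ip`, `intermediate_ips`, `port` and a `container` object. Unless it is re-declared in a hunk outside this chunk or in one of the shared field files the commit adds, those values are either dynamically mapped or left unindexed depending on the data stream's dynamic setting, and `dst_endpoint.ip`/`intermediate_ips` lose the `ip` type that the removed definition gave them. The `proxy` group removed near the end of this file has the same shape of problem, since its replacement is only the `proxy_*` flattened fields with no `proxy_endpoint`. If the endpoint mappings now live elsewhere, a comment at the point of removal naming that file would save the next reader the search.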
@@ -2779,6 +2755,9 @@
 - name: lease_dur
 type: long
 description: This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1)
+ - name: load_balancer
+ type: flattened
+ description: The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.
 - name: logon_type
 type: keyword
 description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.
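Review bot: Mapping `load_balancer` as `flattened` stores every leaf as a keyword, so the endpoint addresses inside it (the fixture's `load_balancer.dst_endpoint.ip` and the `endpoint_connections[].network_endpoint.ip` values) cannot be searched with IP or CIDR queries, and the fixture's `related.ip` already lists only the src/dst/device/intermediate addresses, not these. If load-balancer endpoint IPs are something analysts will pivot on, either map `load_balancer` as a group with `ip`-typed leaves or have the pipeline append them to `related.ip`; if keyword storage is deliberate, a comment such as `# flattened: leaves are keywords, not ip typed` makes that explicit. The same trade-off applies to `firewall_rule` and `container`, added as flattened earlier in this file, to the extent they carry addresses.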
@@ -3530,93 +3509,30 @@ - name: port type: long description: The dynamic port established for impending data transfers. + - name: precision + type: integer + description: The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. - name: privileges type: keyword description: The list of sensitive privileges, assigned to the new user session. - name: protocol_ver type: keyword description: The Protocol version. - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. 
- - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). + - name: proxy_connection_info + type: flattened + description: The connection information from the proxy server to the remote server. + - name: proxy_http_request + type: flattened + description: The HTTP Request from the proxy server to the remote server. + - name: proxy_http_response + type: flattened + description: The HTTP Response from the remote server to the proxy server. + - name: proxy_tls + type: flattened + description: The TLS protocol negotiated between the proxy server and the remote server. 
+ - name: proxy_traffic + type: flattened + description: The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. - name: query type: group fields: 
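Review bot: `proxy_traffic`, `proxy_connection_info`, `proxy_http_request`, `proxy_http_response` and `proxy_tls` are all mapped `flattened`, which indexes every leaf as a keyword, so whatever numeric or date values these objects carry (traffic counters, TLS certificate validity dates, presumably) can only be matched as strings — no range queries, sums or date math on the proxy-to-origin leg, unlike the typed group the removed `proxy` object had. If that is an accepted trade-off for this data stream, record it in the descriptions, e.g. `description: ... Mapped as flattened; nested values are indexed as keywords.`; otherwise a typed group for at least `proxy_traffic` is worth considering. The enclosing `ocsf` field list starts and ends outside the hunk.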
@@ -3960,87 +3876,6 @@ - name: smtp_hello type: keyword description: The value of the SMTP HELO or EHLO command sent by the initiator (client). - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. @@ -4065,6 +3900,12 @@ - name: status_id type: keyword description: The normalized identifier of the event status. + - name: stratum_id + type: integer + description: The normalized identifier of the stratum level, as defined in RFC-5905. + - name: stratum + type: keyword + description: The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. - name: time type: date description: The normalized event occurrence time. 
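Review bot: `stratum_id` is mapped as `integer` while `status_id`, the normalized-ID field that precedes it in this hunk, is `keyword`, so normalized IDs in this data stream now mix numeric and string types and a filter written for one (`status_id: "1"`) will not behave the same on the other. If `status_id` is keyword for legacy reasons, that deserves a comment; otherwise pick one convention, e.g. `type: keyword` on `stratum_id` to match its neighbour (the caption lives in `stratum` anyway). The enclosing field list continues outside the hunk.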
@@ -4338,6 +4179,9 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: version + type: keyword + description: The version number of the NTP protocol. - name: web_resources type: group fields: diff --git a/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..fdb8f2040fcd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml 
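Review bot: The description of the new `version` field, `The version number of the NTP protocol.`, is NTP-specific although the field sits among generic attributes (`uid_alt`, `web_resources`) in a mapping that is shared by every event class this data stream ingests, so users looking at non-NTP events will see a misleading description in Kibana and the README. Suggest `description: The version that pertains to the event; for NTP Activity events, the version number of the NTP protocol.`. The same caveat applies to `precision` and `stratum` added earlier in this file, though those names are unambiguous on their own. The enclosing field list continues outside the hunk.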
@@ -0,0 +1,213 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: dst_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: integer
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
+ - name: src_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: integer
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml
new file mode 100644
index 000000000000..629037c600e3
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml
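Review bot: `intermediate_ips` under both `dst_endpoint` and `src_endpoint` is typed `ip`, yet its own description says it is populated from the HTTP `X-Forwarded-For` header, which is client-controlled and routinely carries non-address tokens (`unknown`, `host:port`, garbage). Unless the ingest pipeline — not part of this hunk — validates or drops malformed entries, or the index template sets `ignore_malformed`, one bad token makes the whole event fail to index, which hands the sender a way to keep its own traffic out of the lake. The `ip` type is carried over from the group this file replaces, so the exposure is not new, but this file is the right place to either document the expectation (`description: ... Values must be valid IPv4/IPv6 addresses; non-address tokens are expected to be dropped by the ingest pipeline.`) or confirm the pipeline actually does that.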
@@ -0,0 +1,108 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: proxy_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: integer
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml b/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml
new file mode 100644
index 000000000000..11d1f9a9bdb8
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml
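Review bot: This file is a third hand-maintained copy of the network endpoint object (after `dst_endpoint` and `src_endpoint` in network-endpoint-fields.yml) and the copies have already drifted: here `port` is listed before the nested `proxy_endpoint`, in the other file after it. The order does not change the resulting mapping, but keeping the three copies identical apart from the top-level name is what makes the next round of OCSF attribute additions easy to diff and review; suggest moving `- name: port` below the nested `proxy_endpoint` entry to match. Mapping the nested `proxy_endpoint` as `flattened` looks like the intended way to stop the object referencing itself, which is fine.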
@@ -0,0 +1,84 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: proxy
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country.
Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). diff --git a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml index ca03fa06dc14..8882a3b585e4 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml @@ -1,6 +1,6 @@ - name: ocsf type: group - fields: + fields: - name: resource type: group fields: @@ -129,4 +129,4 @@ description: The unique identifier of the resource. - name: version type: keyword - description: The version of the resource. For example 1.2.3. \ No newline at end of file + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml index 0efbd018dab7..12f16d9a892f 100644 
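Review bot: Nothing inside this mapping records that `ocsf.proxy.*` is deprecated — only the filename says so — so anyone browsing the field list in Kibana or the generated README will not learn that new events carry this data under `ocsf.proxy_endpoint.*`, which this change adds alongside. Suggest a comment at the top of the file, `# Deprecated in OCSF v1.1.0: kept so existing ocsf.proxy.* data stays queryable; new events populate ocsf.proxy_endpoint instead.`, and, if the package tooling carries group descriptions into the README, a `(Deprecated)` marker in the group description as well. Without that, the next person to trim the mapping has no way to tell whether the group is still live.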
--- a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml @@ -1,6 +1,6 @@ - name: ocsf type: group - fields: + fields: - name: vulnerabilities type: group fields: @@ -150,4 +150,4 @@ description: The title of the vulnerability. - name: vendor_name type: keyword - description: The vendor who identified the vulnerability. \ No newline at end of file + description: The vendor who identified the vulnerability. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml index 0efbd018dab7..12f16d9a892f 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml @@ -1,6 +1,6 @@ - name: ocsf type: group - fields: + fields: - name: vulnerabilities type: group fields: @@ -150,4 +150,4 @@ description: The title of the vulnerability. - name: vendor_name type: keyword - description: The vendor who identified the vulnerability. \ No newline at end of file + description: The vendor who identified the vulnerability. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml index 9f86fa8da790..9e9367d8274c 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml @@ -1723,6 +1723,9 @@ - name: autoscale_uid type: keyword description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. - name: created_time type: date description: The time when the device was known to have been created. 
@@ -1933,6 +1936,9 @@ - name: name type: keyword description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - name: network_interfaces type: group fields: 
@@ -2047,87 +2053,6 @@ - name: vpc_uid type: keyword description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dst_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. 
@@ -3884,87 +3809,6 @@ - name: severity_id type: long description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..fdb8f2040fcd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml 
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: integer + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: integer + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml index ca03fa06dc14..8882a3b585e4 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml @@ -1,6 +1,6 @@ - name: ocsf type: group - fields: + fields: - name: resource type: group fields: @@ -129,4 +129,4 @@ description: The unique identifier of the resource. - name: version type: keyword - description: The version of the resource. For example 1.2.3. \ No newline at end of file + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml new file mode 100644 index 000000000000..9f344036ae3d --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml 
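Review bot: Mapping `proxy_endpoint` as `type: flattened` (under both `dst_endpoint` and `src_endpoint` in this new file) indexes every leaf inside it as a keyword, so the proxy/NAT address that its own description says it carries can no longer be searched by CIDR or range the way the sibling `ip`, `intermediate_ips` and `port` fields can, which is exactly the lookup a detection for NAT'd or proxied traffic needs. If, as that description suggests, the object carries the same endpoint attributes, the network-typed ones should be declared explicitly and the rest can stay loosely typed; the same treatment applies to `src_endpoint.proxy_endpoint`. Separately, `namespace_pid` is `integer` here but `long` for `actor.process.namespace_pid` in the package's other new field file, and `type_id` is `integer` here while the other `type_id` fields in the package are `keyword`; picking one type per OCSF attribute name across the package avoids surprises in cross-data-stream queries.

```yaml
      - name: proxy_endpoint
        type: group
        description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
        fields:
          - name: ip
            type: ip
            description: The IP address of the proxy endpoint, in either IPv4 or IPv6 format.
          - name: port
            type: long
            description: The port used for communication within the network connection.
          - name: intermediate_ips
            type: ip
            description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
      # … unchanged: remaining dst_endpoint fields; mirror the same group under src_endpoint …
```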
@@ -0,0 +1,1560 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. 
+ - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
+ - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. 
+ - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. 
+ - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. 
+ - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
+ - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. 
+ - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. 
+ - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. + - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index 5b37508acd27..5293fefd6c2b 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
@@ -7,1563 +7,12 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: actor
- type: group
- fields:
- - name: authorizations
- type: group
- fields:
- - name: decision
- type: keyword
- description: Authorization Result/outcome, e.g. allowed, denied.
- - name: policy
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the policy.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: 'The policy name. For example: IAM Policy.'
- - name: uid
- type: keyword
- description: A unique identifier of the policy instance.
- - name: version
- type: keyword
- description: The policy version number.
- - name: idp
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the identity provider.
- - name: uid
- type: keyword
- description: The unique identifier of the identity provider.
- - name: invoked_by
- type: keyword
- description: The name of the service that invoked the activity as described in the event.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. 
- - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). 
- - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
- - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: action_id + type: integer + description: The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. + - name: action + type: keyword + description: The normalized caption of action_id. - name: answers type: group fields: @@ -1642,6 +91,48 @@ - name: app_name type: keyword description: The name of the application that is associated with the event or object. + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. - name: attacks type: group fields: 
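Review bot: `authorizations.policy.group` in this hunk carries a `domain` leaf, but the other Group-shaped mappings touched by this commit — the `groups` blocks under the user objects and the process-level `group` in the hunk above — have only `desc`, `name`, `privileges`, `type` and `uid`. If `domain` arrived with the OCSF 1.1 Group object, the `groups` definitions that now live in the new actor/user field files should carry it as well; otherwise `groups.domain` on those paths is left to dynamic mapping or dropped, depending on the data stream's dynamic setting. A grep for `privileges` across the new field files would confirm whether every Group block has the same leaf set, and a short comment such as `# Group object per OCSF 1.1: includes domain` above this block would make the intended shape explicit.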
@@ -1837,6 +328,9 @@ - name: autoscale_uid type: keyword description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. - name: created_time type: date description: The time when the device was known to have been created. @@ -2047,6 +541,9 @@ - name: name type: keyword description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - name: network_interfaces type: group fields: 
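Review bot: `container` is mapped as `type: flattened` here, whereas every other object-valued OCSF attribute in this file is expanded as a `type: group` with typed leaves; the same choice is made for `firewall_rule` (hunk at +1279), `load_balancer` (hunk at +1381) and the five `proxy_*` objects (hunk at +1642). With `flattened`, every leaf is indexed as a keyword only, so numeric, date and `ip` queries and aggregations on anything inside these objects are unavailable — for the `proxy_*` replacements that is a step down from the removed `proxy` group, which typed `ip` as `ip` and `port` as `long`. If this is a deliberate trade-off against field-count limits, a one-line comment above each such field, e.g. `# flattened on purpose: keyword-only leaves, no typed sub-field queries`, would stop the next reviewer from re-raising it.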
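Review bot: The device-level `namespace_pid` added in the second hunk on this line is `type: integer`, while the process-level `namespace_pid`, `pid` and `tid` mappings visible in the hunk above use `type: long`. Mapping the same OCSF attribute with two numeric widths makes cross-field queries and reused visualisations fragile and is easy to miss later; `type: long` keeps it aligned with its process sibling. If `integer` is intentional (e.g. to match a schema-generated width), a comment on the field saying so would help.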
@@ -2179,87 +676,6 @@ - name: disposition_id type: keyword description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. - - name: dst_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. 
- - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. @@ -2863,6 +1279,9 @@ - name: xattributes type: flattened description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: firewall_rule + type: flattened + description: The firewall rule that triggered the event. - name: http_request type: group fields: 
@@ -2962,6 +1381,9 @@ - name: lease_dur type: long description: This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1) + - name: load_balancer + type: flattened + description: The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations. - name: malware type: group fields: 
@@ -3220,90 +1642,27 @@ - name: port type: long description: The dynamic port established for impending data transfers. + - name: precision + type: integer + description: The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. - name: protocol_ver type: keyword description: The Protocol version. - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). + - name: proxy_connection_info + type: flattened + description: The connection information from the proxy server to the remote server. + - name: proxy_http_request + type: flattened + description: The HTTP Request from the proxy server to the remote server. + - name: proxy_http_response + type: flattened + description: The HTTP Response from the remote server to the proxy server. + - name: proxy_tls + type: flattened + description: The TLS protocol negotiated between the proxy server and the remote server. 
+ - name: proxy_traffic + type: flattened + description: The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. - name: query type: group fields: 
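Review bot: The `proxy` endpoint object is removed in this hunk, but none of the five `proxy_*` additions carries the endpoint data it held (`ip`, `port`, `location`, `uid`, …): `proxy_connection_info`, `proxy_http_request`, `proxy_http_response`, `proxy_tls` and `proxy_traffic` describe the proxy-to-remote leg, not the proxy host itself. If OCSF 1.1's `proxy_endpoint` is meant to take over that role it is not mapped in this hunk; it may be defined in one of the new field files this commit creates, which I cannot see from here, but if it is not, proxy IP and port values from existing events will lose their typed mapping and any detections keyed on them. A one-line comment next to `proxy_connection_info`, e.g. `# proxy endpoint itself is mapped as proxy_endpoint in <file>`, would settle where that data now lives.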
@@ -3459,87 +1818,6 @@ - name: smtp_hello type: keyword description: The value of the SMTP HELO or EHLO command sent by the initiator (client). - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. @@ -3558,6 +1836,12 @@ - name: status_id type: keyword description: The normalized identifier of the event status. + - name: stratum_id + type: integer + description: The normalized identifier of the stratum level, as defined in RFC-5905. + - name: stratum + type: keyword + description: The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. - name: time type: date description: The normalized event occurrence time. @@ -3753,3 +2037,6 @@ - name: url_string type: keyword description: The URL string. See RFC 1738. + - name: version + type: keyword + description: The version number of the NTP protocol. 
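Review bot: `stratum_id` is mapped as `integer` while the neighbouring normalized identifier `status_id` in the same hunk is `keyword`, so two OCSF enum ids in one mapping end up with different Elasticsearch types; the new `type_id` in network-endpoint-fields.yml and proxy-endpoint-fields.yml and `action_id` in the README table in this commit follow the `integer` choice. Queries and visualizations that compare `*_id` values across fields then need per-field casts, and a later switch is a breaking mapping change. Settle on one type for normalized ids — `type: keyword` would match the existing fields here — or state in the description why this one is numeric.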
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml
new file mode 100644
index 000000000000..fdb8f2040fcd
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml
@@ -0,0 +1,213 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: dst_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: integer
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
+ - name: src_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: integer
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml
new file mode 100644
index 000000000000..629037c600e3
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml
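Review bot: The nested `proxy_endpoint` under `dst_endpoint` and `src_endpoint` is mapped as `flattened`, whereas the top-level `proxy_endpoint` group added in proxy-endpoint-fields.yml in this same commit is fully typed with `ip` leaves; flattened leaves are indexed as keywords, so a CIDR or range query that works on `ocsf.proxy_endpoint.ip` will not behave the same on `ocsf.dst_endpoint.proxy_endpoint.ip`. The same loss applies to `os` and `hw_info`, whose numeric members become strings. If the flattening is a deliberate trade-off against mapping size, a comment above each flattened member such as `# kept flattened: leaves are indexed as keyword only, no ip/numeric queries` would record that for the next maintainer. `dst_endpoint` and `src_endpoint` are otherwise identical copies, so any later correction has to be made in both.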
@@ -0,0 +1,108 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: proxy_endpoint
+ type: group
+ fields:
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: hw_info
+ type: flattened
+ description: The endpoint hardware information.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The Media Access Control (MAC) address of the endpoint.
+ - name: name
+ type: keyword
+ description: The short name of the endpoint.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: os
+ type: flattened
+ description: The endpoint operating system.
+ - name: port
+ type: long
+ description: The port used for communication within the network connection.
+ - name: proxy_endpoint
+ type: flattened
+ description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: svc_name
+ type: keyword
+ description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.
+ - name: type
+ type: keyword
+ description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: integer
+ description: The network endpoint type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the endpoint.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml
new file mode 100644
index 000000000000..11d1f9a9bdb8
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml
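Review bot: The `proxy_endpoint` group carries a nested `proxy_endpoint` of type `flattened`, which reads as a copy of the endpoint template from network-endpoint-fields.yml rather than a deliberate self-reference; the README hunk in this commit documents it as `ocsf.proxy_endpoint.proxy_endpoint` as well. If the OCSF network proxy object really inherits this attribute, a one-line comment above it, `# inherited from network_endpoint in the OCSF schema; intentionally present`, would stop it being removed as a paste error, and if it does not, the three lines should go. The member order also differs from the other endpoint files (`port` before `proxy_endpoint` here, after it there), which makes the copies harder to diff against each other.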
@@ -0,0 +1,84 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: proxy
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The name of the domain.
+ - name: hostname
+ type: keyword
+ description: The fully qualified name of the endpoint.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: intermediate_ips
+ type: ip
+ description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.
+ - name: ip
+ type: ip
+ description: The IP address of the endpoint, in either IPv4 or IPv6 format.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country.
Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index 65f6d2813a2f..d74b894096ea 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml @@ -1723,6 +1723,9 @@ - name: autoscale_uid type: keyword description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. - name: created_time type: date description: The time when the device was known to have been created. 
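Review bot: Nothing inside proxy-fields-deprecated.yml marks the `ocsf.proxy` group as deprecated — only the filename does — so a reader of the generated field reference cannot tell it apart from the new `ocsf.proxy_endpoint` group that carries the same attributes. If the intent is to keep old events indexing while new ones use `proxy_endpoint`, a header comment at the top of the file, `# Deprecated: ocsf.proxy is retained so previously ingested events stay queryable; prefer ocsf.proxy_endpoint.`, would record that decision where the next maintainer will look. Without it the duplicate group is likely to be either deleted or extended by mistake.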
@@ -1933,6 +1936,9 @@ - name: name type: keyword description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - name: network_interfaces type: group fields: diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index 0a7e9a325447..2a3919860464 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md @@ -84,6 +84,8 @@ This is the `Event` dataset. | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | | ocsf.access_mask | The access mask in a platform-native format. | long | +| ocsf.action | The normalized caption of action_id. | keyword | +| ocsf.action_id | The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. | integer | | ocsf.activity_id | The normalized identifier of the activity that triggered the event. | keyword | | ocsf.activity_name | The event activity name, as defined by the activity_id. | keyword | | ocsf.actor.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword | 
@@ -654,6 +656,17 @@ This is the `Event` dataset. | ocsf.attempt | The attempt number for attempting to deliver the email. | long | | ocsf.auth_protocol | The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.auth_protocol_id | The normalized identifier of the authentication protocol used to create the user session. | keyword | +| ocsf.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword | +| ocsf.authorizations.policy.desc | The description of the policy. | keyword | +| ocsf.authorizations.policy.group.desc | The group description. | keyword | +| ocsf.authorizations.policy.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | +| ocsf.authorizations.policy.group.name | The group name. | keyword | +| ocsf.authorizations.policy.group.privileges | The group privileges. | keyword | +| ocsf.authorizations.policy.group.type | The type of the group or account. | keyword | +| ocsf.authorizations.policy.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.authorizations.policy.name | The policy name. For example: IAM Policy. | keyword | +| ocsf.authorizations.policy.uid | A unique identifier of the policy instance. | keyword | +| ocsf.authorizations.policy.version | The policy version number. | keyword | | ocsf.banner | The initial SMTP connection response that a messaging server receives after it connects to a email server. | keyword | | ocsf.base_address | The memory address that was access or requested. | keyword | | ocsf.capabilities | A list of RDP capabilities. | keyword | 
@@ -736,6 +749,7 @@ This is the `Event` dataset. | ocsf.dce_rpc.rpc_interface.uuid | The unique identifier of the particular remote procedure or service. | keyword | | ocsf.dce_rpc.rpc_interface.version | The version of the DCE/RPC protocol being used in the session. | keyword | | ocsf.device.autoscale_uid | The unique identifier of the cloud autoscale configuration. | keyword | +| ocsf.device.container | The information describing an instance of a container. | flattened | | ocsf.device.created_time | The time when the device was known to have been created. | date | | ocsf.device.created_time_dt | TThe time when the device was known to have been created. | date | | ocsf.device.desc | The description of the device, ordinarily as reported by the operating system. | keyword | @@ -800,6 +814,7 @@ This is the `Event` dataset. | ocsf.device.modified_time | The time when the device was last known to have been modified. | date | | ocsf.device.modified_time_dt | The time when the device was last known to have been modified. | date | | ocsf.device.name | The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. | keyword | +| ocsf.device.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | | ocsf.device.network_interfaces.hostname | The hostname associated with the network interface. | keyword | | ocsf.device.network_interfaces.ip | The IP address associated with the network interface. | ip | | ocsf.device.network_interfaces.mac | The MAC address of the network interface. | keyword | 
@@ -971,8 +986,10 @@ This is the `Event` dataset. | ocsf.driver.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword | | ocsf.driver.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.driver.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | +| ocsf.dst_endpoint.container | The information describing an instance of a container. | flattened | | ocsf.dst_endpoint.domain | The name of the domain. | keyword | | ocsf.dst_endpoint.hostname | The fully qualified name of the endpoint. | keyword | +| ocsf.dst_endpoint.hw_info | The endpoint hardware information. | flattened | | ocsf.dst_endpoint.instance_uid | The unique identifier of a VM instance. | keyword | | ocsf.dst_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword | | ocsf.dst_endpoint.interface_uid | The unique identifier of the network interface. | keyword | 
@@ -990,12 +1007,18 @@ This is the `Event` dataset. | ocsf.dst_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | | ocsf.dst_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword | | ocsf.dst_endpoint.name | The short name of the endpoint. | keyword | +| ocsf.dst_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | +| ocsf.dst_endpoint.os | The endpoint operating system. | flattened | | ocsf.dst_endpoint.port | The port used for communication within the network connection. | long | +| ocsf.dst_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened | | ocsf.dst_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | | ocsf.dst_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | +| ocsf.dst_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | +| ocsf.dst_endpoint.type_id | The network endpoint type ID. | integer | | ocsf.dst_endpoint.uid | The unique identifier of the endpoint. | keyword | | ocsf.dst_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.dst_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.dst_endpoint.zone | The network zone or LAN segment. 
| keyword | | ocsf.duration | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. | long | | ocsf.email.cc | The email header Cc values, as defined by RFC 5322. | keyword | | ocsf.email.delivered_to | The Delivered-To email header field. | keyword | @@ -1347,6 +1370,7 @@ This is the `Event` dataset. | ocsf.finding.types | One or more types of the reported finding. | keyword | | ocsf.finding.uid | The unique identifier of the reported finding. | keyword | | ocsf.finding_info | Describes the supporting information about a generated finding. | flattened | +| ocsf.firewall_rule | The firewall rule that triggered the event. | flattened | | ocsf.group.desc | The group description. | keyword | | ocsf.group.name | The group name. | keyword | | ocsf.group.privileges | The group privileges. | keyword | @@ -1398,6 +1422,7 @@ This is the `Event` dataset. | ocsf.kill_chain.phase | The cyber kill chain phase. | keyword | | ocsf.kill_chain.phase_id | The cyber kill chain phase identifier. | keyword | | ocsf.lease_dur | This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1) | long | +| ocsf.load_balancer | The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations. | flattened | | ocsf.logon_type | The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.logon_type_id | The normalized logon type identifier | keyword | | ocsf.malware.classification_ids | The list of normalized identifiers of the malware classifications. | keyword | 
@@ -1614,6 +1639,7 @@ This is the `Event` dataset. | ocsf.observables.value | The value associated with the observable attribute. | keyword | | ocsf.open_type | Indicates how the file was opened (e.g. normal, delete on close). | keyword | | ocsf.port | The dynamic port established for impending data transfers. | long | +| ocsf.precision | The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. | integer | | ocsf.privileges | The list of sensitive privileges, assigned to the new user session. | keyword | | ocsf.protocol_ver | The Protocol version. | keyword | | ocsf.proxy.domain | The name of the domain. | keyword | 
@@ -1641,6 +1667,44 @@ This is the `Event` dataset.
 | ocsf.proxy.uid | The unique identifier of the endpoint. | keyword |
 | ocsf.proxy.vlan_uid | The Virtual LAN identifier. | keyword |
 | ocsf.proxy.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.proxy_connection_info | The connection information from the proxy server to the remote server. | flattened |
+| ocsf.proxy_endpoint.container | The information describing an instance of a container. | flattened |
+| ocsf.proxy_endpoint.domain | The name of the domain. | keyword |
+| ocsf.proxy_endpoint.hostname | The fully qualified name of the endpoint. | keyword |
+| ocsf.proxy_endpoint.hw_info | The endpoint hardware information. | flattened |
+| ocsf.proxy_endpoint.instance_uid | The unique identifier of a VM instance. | keyword |
+| ocsf.proxy_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword |
+| ocsf.proxy_endpoint.interface_uid | The unique identifier of the network interface. | keyword |
+| ocsf.proxy_endpoint.intermediate_ips | The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. | ip |
+| ocsf.proxy_endpoint.ip | The IP address of the endpoint, in either IPv4 or IPv6 format. | ip |
+| ocsf.proxy_endpoint.location.city | The name of the city. | keyword |
+| ocsf.proxy_endpoint.location.continent | The name of the continent. | keyword |
+| ocsf.proxy_endpoint.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point |
+| ocsf.proxy_endpoint.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword |
+| ocsf.proxy_endpoint.location.desc | The description of the geographical location. | keyword |
+| ocsf.proxy_endpoint.location.is_on_premises | The indication of whether the location is on premises. | boolean |
+| ocsf.proxy_endpoint.location.isp | The name of the Internet Service Provider (ISP). | keyword |
+| ocsf.proxy_endpoint.location.postal_code | The postal code of the location. | keyword |
+| ocsf.proxy_endpoint.location.provider | The provider of the geographical location data. | keyword |
+| ocsf.proxy_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
+| ocsf.proxy_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword |
+| ocsf.proxy_endpoint.name | The short name of the endpoint. | keyword |
+| ocsf.proxy_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer |
+| ocsf.proxy_endpoint.os | The endpoint operating system. | flattened |
+| ocsf.proxy_endpoint.port | The port used for communication within the network connection. | long |
+| ocsf.proxy_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened |
+| ocsf.proxy_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword |
+| ocsf.proxy_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword |
+| ocsf.proxy_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword |
+| ocsf.proxy_endpoint.type_id | The network endpoint type ID. | integer |
+| ocsf.proxy_endpoint.uid | The unique identifier of the endpoint. | keyword |
+| ocsf.proxy_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
+| ocsf.proxy_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.proxy_endpoint.zone | The network zone or LAN segment. | keyword |
+| ocsf.proxy_http_request | The HTTP Request from the proxy server to the remote server. | flattened |
+| ocsf.proxy_http_response | The HTTP Response from the remote server to the proxy server. | flattened |
+| ocsf.proxy_tls | The TLS protocol negotiated between the proxy server and the remote server. | flattened |
+| ocsf.proxy_traffic | The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. | flattened |
 | ocsf.query.class | The class of resource records being queried. See RFC1035. For example: IN. | keyword |
 | ocsf.query.hostname | The hostname or domain being queried. For example: www.example.com | keyword |
 | ocsf.query.opcode | The DNS opcode specifies the type of the query message. | keyword |
@@ -1680,6 +1744,7 @@ This is the `Event` dataset.
 | ocsf.resource.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.resource.labels | The list of labels/tags associated to a resource. | keyword |
 | ocsf.resource.name | The name of the resource. | keyword |
+| ocsf.resource.namespace | The resource namespace. | keyword |
 | ocsf.resource.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.resource.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
 | ocsf.resource.owner.account.type_id | The normalized account type identifier. | keyword |
@@ -1777,8 +1842,10 @@ This is the `Event` dataset.
 | ocsf.share_type_id | The normalized identifier of the SMB share type. | keyword |
 | ocsf.size | The memory size that was access or requested. | long |
 | ocsf.smtp_hello | The value of the SMTP HELO or EHLO command sent by the initiator (client). | keyword |
+| ocsf.src_endpoint.container | The information describing an instance of a container. | flattened |
 | ocsf.src_endpoint.domain | The name of the domain. | keyword |
 | ocsf.src_endpoint.hostname | The fully qualified name of the endpoint. | keyword |
+| ocsf.src_endpoint.hw_info | The endpoint hardware information. | flattened |
 | ocsf.src_endpoint.instance_uid | The unique identifier of a VM instance. | keyword |
 | ocsf.src_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword |
 | ocsf.src_endpoint.interface_uid | The unique identifier of the network interface. | keyword |
@@ -1796,12 +1863,18 @@ This is the `Event` dataset.
 | ocsf.src_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
 | ocsf.src_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword |
 | ocsf.src_endpoint.name | The short name of the endpoint. | keyword |
+| ocsf.src_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer |
+| ocsf.src_endpoint.os | The endpoint operating system. | flattened |
 | ocsf.src_endpoint.port | The port used for communication within the network connection. | long |
+| ocsf.src_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened |
 | ocsf.src_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword |
 | ocsf.src_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword |
+| ocsf.src_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword |
+| ocsf.src_endpoint.type_id | The network endpoint type ID. | integer |
 | ocsf.src_endpoint.uid | The unique identifier of the endpoint. | keyword |
 | ocsf.src_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
 | ocsf.src_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.src_endpoint.zone | The network zone or LAN segment. | keyword |
 | ocsf.start_time | The start time of a time period, or the time of the least recent event included in the aggregate event. | date |
 | ocsf.start_time_dt | The start time of a time period, or the time of the least recent event included in the aggregate event. | date |
 | ocsf.state | The normalized state of a security finding. | keyword |
@@ -1810,6 +1883,8 @@ This is the `Event` dataset.
 | ocsf.status_code | The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. | keyword |
 | ocsf.status_detail | The status details contains additional information about the event outcome. | keyword |
 | ocsf.status_id | The normalized identifier of the event status. | keyword |
+| ocsf.stratum | The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. | keyword |
+| ocsf.stratum_id | The normalized identifier of the stratum level, as defined in RFC-5905. | integer |
 | ocsf.time | The normalized event occurrence time. | date |
 | ocsf.time_dt | The normalized event occurrence time. | date |
 | ocsf.timezone_offset | The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. | long |
@@ -1954,6 +2029,7 @@ This is the `Event` dataset.
 | ocsf.user_result.type_id | The account type identifier. | keyword |
 | ocsf.user_result.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.user_result.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.version | The version number of the NTP protocol. | keyword |
 | ocsf.vulnerabilities.cve.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
 | ocsf.vulnerabilities.cve.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
 | ocsf.vulnerabilities.cve.cvss.base_score | The CVSS base score. For example: 9.1. | double |
@@ -1978,8 +2054,11 @@ This is the `Event` dataset.
 | ocsf.vulnerabilities.cve.product.url_string | The URL pointing towards the product. | keyword |
 | ocsf.vulnerabilities.cve.product.vendor_name | The name of the vendor of the product. | keyword |
 | ocsf.vulnerabilities.cve.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
+| ocsf.vulnerabilities.cve.references | Supporting reference URLs. | keyword |
+| ocsf.vulnerabilities.cve.title | The title of the cve. | keyword |
 | ocsf.vulnerabilities.cve.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword |
 | ocsf.vulnerabilities.cve.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345. | keyword |
+| ocsf.vulnerabilities.cwe | The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787. | flattened |
 | ocsf.vulnerabilities.desc | The description of the vulnerability. | keyword |
 | ocsf.vulnerabilities.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean |
 | ocsf.vulnerabilities.kb_articles | The KB article/s related to the entity. | keyword |
From 5352aac9fbe000e6d43ccf0fb215996a1f8fe4ae Mon Sep 17 00:00:00 2001
From: Shourie Ganguly Date: Fri, 2 Aug 2024 17:31:51 +0530 Subject: [PATCH 11/30] added os patch state event class, segregated device fields across all data streams, added new fields to support newly added event class --- .../fields/device-fields.yml | 342 ++++++++++++++++ .../application_activity/fields/fields.yml | 339 +--------------- .../discovery/fields/device-fields.yml | 345 ++++++++++++++++ .../data_stream/discovery/fields/fields.yml | 379 ++--------------- .../_dev/test/pipeline/test-discovery.log | 1 + .../pipeline/test-discovery.log-expected.json | 276 ++++++++++++- .../elasticsearch/ingest_pipeline/default.yml | 8 +- .../event/fields/device-fields.yml | 345 ++++++++++++++++ .../data_stream/event/fields/fields.yml | 382 ++---------------- .../data_stream/findings/fields/fields.yml | 3 + .../data_stream/iam/fields/device-fields.yml | 345 ++++++++++++++++ .../data_stream/iam/fields/fields.yml | 339 +--------------- .../network_activity/fields/device-fields.yml | 345 ++++++++++++++++ .../network_activity/fields/fields.yml | 342 +--------------- .../system_activity/fields/device-fields.yml | 345 ++++++++++++++++ .../system_activity/fields/fields.yml | 342 +--------------- packages/amazon_security_lake/docs/README.md | 14 + 17 files changed, 2462 insertions(+), 2030 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml 
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml
new file mode 100644
index 000000000000..adb7aabcc142
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml
@@ -0,0 +1,342 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' 
+ - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 3592f2114ad7..0b3d4e46a095 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml 
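Review bot: The `created_time_dt` entry near the top of the hunk carries a typo in its description, `description: TThe time when the device was known to have been created.`, copied verbatim from the block being removed from fields.yml in the following hunk; the other device-fields.yml files in the diffstat presumably repeat it, so fix it once at the source as `description: The time when the device was known to have been created.`. The `uid_alt` description under `device` reads as a paste from the user object (`The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.`) and should describe the device's alternate identifier instead. `type_id` is mapped as `keyword` here (and under `os` and `network_interfaces`) while the endpoint objects added in the README hunks above map `type_id` as `integer`; if OCSF emits these as numbers, aligning the type would keep aggregations consistent across data streams, but confirm against the schema before changing since the mapping predates this commit.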
@@ -1705,342 +1705,6 @@ - name: count type: long description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: container - type: flattened - description: The information describing an instance of a container. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
- - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. 
- - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: namespace_pid - type: integer - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. 
- - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. 
- - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). 
- name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. @@ -2182,6 +1846,9 @@ - name: labels type: keyword description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. - name: log_name type: keyword description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml new file mode 100644 index 000000000000..5394314a13de --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml 
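Review bot: The new `loggers` field is mapped as `flattened`, so every value inside the Logger objects is indexed as a keyword; if those objects carry timestamps or numeric fields they will not be queryable as dates or numbers, unlike the `device` object in this same file, which was mapped as a typed `group`. If that trade-off is intended it should be stated in the description, e.g. append `Mapped as flattened; nested values are indexed as keywords only.`; otherwise a `group` mapping consistent with the other objects would be the safer choice. Separately, the `device` group removed from this file earlier in the diff has no visible replacement `device-fields.yml` for application_activity in this chunk — presumably it lives elsewhere in the series, but it is worth confirming so `ocsf.device.*` does not become unmapped for that data stream.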
@@ -0,0 +1,345 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index 929074598149..48ea317c4c4d
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
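Review bot: The `created_time_dt` entry near the top of the new device group still carries the doubled-article typo `TThe time when the device was known to have been created.`; since this file is created fresh, it is the natural place to correct it to `The time when the device was known to have been created.`. The `uid_alt` entry is described as `The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.`, which reads like text copied from the user object rather than a device attribute — worth checking against the OCSF device object so the generated docs do not mislead analysts pivoting on that field. The `subnet` field is mapped as `ip_range` but described as `The subnet mask`; if the source ever emits a dotted mask rather than CIDR notation and the pipeline does not normalise it, documents would be rejected at index time, so either the description or the handling should make the expected form explicit. All three descriptions appear identically in the device group removed from the application_activity and discovery fields.yml, so this is carried-over text rather than a new regression.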
@@ -157,342 +157,6 @@ - name: count type: long description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: container - type: flattened - description: The information describing an instance of a container. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
- - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. 
- - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: namespace_pid - type: integer - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. 
- - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. 
- - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). 
- name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. @@ -520,6 +184,46 @@ - name: value type: keyword description: The value of the attribute to which the enriched data pertains. + - name: kb_article_list + type: group + description: The KB Article object contains metadata that describes the patch or update. + fields: + - name: uid + type: keyword + description: The unique identifier for the kb article. + - name: bulletin + type: keyword + description: The kb article bulletin identifier. + - name: classification + type: keyword + description: The vendors classification of the kb article. + - name: created_time + type: long + description: The date the kb article was released by the vendor. + - name: created_time_dt + type: date + description: The date the kb article was released by the vendor. + - name: is_superseded + type: boolean + description: "The patch is superseded" + - name: severity + type: keyword + description: The severity of the kb article. + - name: size + type: long + description: The size in bytes for the kb article. + - name: src_url + type: keyword + description: The kb article link from the source vendor. + - name: title + type: keyword + description: The title of the kb article. + - name: os + type: flattened + description: The operating system the kb article applies. + - name: product + type: flattened + description: The product details the kb article applies. - name: message type: keyword description: The description of the event, as defined by the event source. 
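Review bot: In the new `kb_article_list` group, `created_time` is mapped as `long` while its sibling `created_time_dt` and the file's other time fields, such as `metadata.modified_time` in the following hunk, are `date`. The expected output for this same commit shows the pipeline converting `device.last_seen_time` from an epoch integer to a date string, so if `kb_article_list[].created_time` gets the same treatment, a `long` mapping will reject the indexed value; if it is deliberately left as a raw epoch, the description should say so. I would change it to `type: date` with `description: The time the kb article was released by the vendor.`, and while here fix the `os` description to `description: The operating system the kb article applies to.`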
@@ -568,6 +272,9 @@ - name: logged_time_dt type: date description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. - name: modified_time type: date description: The time when the event was last modified or enriched. diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log index 0dd594d1a16a..12dc667f7c4e 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log 
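Review bot: `metadata.loggers` is mapped as `flattened`, so every nested value, including `loggers[].device.ip`, `device.subnet` and `transmit_time_dt` that appear in the new test fixture, is indexed as an exact-match keyword rather than as `ip`, `ip_range` or `date`, and the expected output shows the logger device's IP does not reach `related.ip`. That is a defensible trade-off for an array of objects, but anyone hunting through intermediary collectors will expect CIDR or range queries on those fields, so the mapping should state the limitation: `description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Stored as flattened, so nested values are searchable only as exact keywords.`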
@@ -1,3 +1,4 @@ {"count":73,"message":"flags feel absolute","cis_benchmark_result": {"rule": {"category": "descidhscate", "desc": "rule_description", "name": "rule_name", "uid":"rule123", "version": "0.1.0"}},"status":"creativity","time":1695277679358,"device":{"name":"ranked murder listing","type":"Desktop","ip":"81.2.69.142","uid":"023e2564-5848-11ee-9c42-0242ac110005","hostname":"lucas.pro","type_id":2,"subnet":"49.28.0.0\/16","autoscale_uid":"023de734-5848-11ee-b193-0242ac110005","instance_uid":"023dec02-5848-11ee-8203-0242ac110005","interface_name":"jerry street buried","interface_uid":"023e1a06-5848-11ee-89c6-0242ac110005","region":"inline contains milwaukee","risk_level":"russell customized absolutely","risk_score":36,"uid_alt":"burst premier reverse","vpc_uid":"023e205a-5848-11ee-a8d6-0242ac110005","modified_time_dt":"2023-09-21T06:27:59.357977Z","first_seen_time_dt":"2023-09-21T06:27:59.356353Z"},"metadata":{"version":"1.0.0","extension":{"name":"chess entry productive","version":"1.0.0","uid":"023dccfe-5848-11ee-8227-0242ac110005"},"product":{"name":"legal subsidiary eleven","version":"1.0.0","path":"financial spot tennis","uid":"023dd33e-5848-11ee-aa6d-0242ac110005","vendor_name":"assumes podcast went"},"profiles":["cloud","container","datetime","host"],"correlation_uid":"023dd7c6-5848-11ee-9d4d-0242ac110005","log_provider":"reliance trust interim","original_time":"database darwin area","processed_time_dt":"2023-09-21T06:27:59.356124Z"},"severity":"Fatal","type_name":"Device Config State: Collect","activity_id":2,"type_uid":500202,"category_name":"Discovery","class_uid":5002,"category_uid":5,"class_name":"Device Config State","timezone_offset":0,"activity_name":"Collect","cloud":{"org":{"uid":"023dbdcc-5848-11ee-bd54-0242ac110005","ou_name":"determined apr sheets"},"provider":"mathematical inclusive insured","region":"gravity bids tennis"},"enrichments":[{"data":{"inexpensive":"abddfg"},"name":"preview belarus licking","type":"separation passes 
distance","value":"magnitude cancellation weed","provider":"surgical disaster individually"}],"severity_id":6,"status_id":99} {"message":"poster thongs assumptions","status":"Success","time":1695277679358,"device":{"name":"craig functioning literally","type":"Laptop","os":{"name":"spy chronic casual","type":"Android","version":"1.0.0","build":"dozen oval removing","type_id":201,"lang":"en","edition":"nightmare engineers carter"},"location":{"desc":"Reunion","city":"Porcelain senior","country":"RE","coordinates":[-161.6608,-47.0418],"continent":"Africa"},"uid":"7f256308-584d-11ee-8de0-0242ac110005","image":{"name":"saudi enhanced surgical","uid":"7f2554b2-584d-11ee-b26b-0242ac110005"},"mac":"C6:49:F0:76:1D:13:CE:F7","type_id":3,"autoscale_uid":"7f25415c-584d-11ee-b3fc-0242ac110005","hw_info":{"cpu_bits":66},"instance_uid":"7f254ea4-584d-11ee-a68f-0242ac110005","interface_name":"watt profile rs","is_personal":false,"last_seen_time":1695277679358,"region":"airport leaves kitchen","risk_level":"organizational economic connecticut"},"metadata":{"version":"1.0.0","product":{"name":"butterfly knight log","version":"1.0.0","uid":"7f25336a-584d-11ee-b2a5-0242ac110005","lang":"en","vendor_name":"disciplinary rec report"},"profiles":["cloud","container","datetime","host"],"event_code":"spelling","log_name":"len falling educational","log_provider":"tales asset extremely","log_version":"learners headlines linear","original_time":"programmers less barcelona","processed_time":1695280036393},"severity":"Critical","type_name":"Device Inventory Info: Collect","activity_id":2,"type_uid":500102,"category_name":"Discovery","class_uid":5001,"category_uid":5,"class_name":"Device Inventory Info","timezone_offset":65,"activity_name":"Collect","cloud":{"org":{"name":"black lets promotions","ou_name":"recover sol revolutionary"},"provider":"mod force sailing","region":"ticket resident buried"},"enrichments":[{"data":{"nintendo":"abcd"},"name":"visual mv bottom","type":"calibration basics 
quebec","value":"alice stick spray","provider":"lucy permanent trips"}],"severity_id":5,"status_code":"vancouver","status_id":1,"start_time_dt":"2023-09-21T07:07:16.394812Z"} {"activity_id":1,"activity_name":"Login Attempt","actor":{"authorizations":[{"decision":"allow","policy":{"desc":"Allow login","group":{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"},"name":"Login Policy","uid":"pol101","version":"1.0"}}],"idp":{"name":"IDP Service","uid":"idp101"},"invoked_by":"web_app","process":{"cmd_line":"/usr/bin/login","created_time":1672444800,"file":{"accessed_time":1672531200,"accessor":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":null,"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"},"attributes":777,"company_name":"Example Corp","confidentiality":"high","confidentiality_id":2,"created_time":1672444800,"creator":null,"desc":"Login script","hashes":[{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}],"is_system":true,"mime_type":"application/x-sh","modified_time":1672444800,"modifier":null,"name":"login.sh","owner":null,"parent_folder":"/usr/bin","path":"/usr/bin/login.sh","product":null,"security_descriptor":"D:P(A;;FA;;;BA)","signature":{"algorithm":"RSA","algorithm_id":1,"certificate":{"created_time":1577836800,"expiration_time":1893456000,"fingerprints":[{"algorithm":"SHA-1","algorithm_id":3,"value":"abc123"}],"issuer":"Example CA","serial_number":"123456","subject":"Example 
Corp","uid":"cert101","version":"1"},"created_time":1672444800,"developer_uid":"dev101","digest":{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}},"size":2048,"type":"script","type_id":1,"uid":"file101","version":"1.0","xattributes":{}},"integrity":"valid","integrity_id":1,"lineage":["/sbin/init","/usr/bin/login"],"loaded_modules":["pam","bash"],"name":"login","parent_process":null,"pid":1234,"sandbox":"none","session":null,"terminated_time":1672531200,"tid":5678,"uid":"proc101","user":null,"xattributes":{}},"session":{"count":1,"created_time":1672444800,"credential_uid":"cred101","expiration_reason":"timeout","expiration_time":1672531200,"is_mfa":true,"is_remote":false,"is_vpn":false,"issuer":"IDP Service","terminal":"pts/1","uid":"sess101","uid_alt":"sess102","uuid":"uuid-1234"},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers 
Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}},"category_name":"User Activity","category_uid":5,"class_name":"Login Events","class_uid":5003,"count":1,"duration":3600,"end_time":1672531200,"enrichments":[{"data":{},"name":"GeoIP Enrichment","provider":"GeoIP Service","type":"location","value":"San Francisco, USA"}],"message":"User John Doe attempted a login from San Francisco.","metadata":{"correlation_uid":"cor-1234","event_code":"login_attempt","extension":{"name":"Login Extension","uid":"ext-1234","version":"1.0"},"extensions":[],"labels":["security"],"log_level":"info","log_name":"user_activity","log_provider":"Example Provider","log_version":"1.0","logged_time":1672444800,"loggers":[],"modified_time":1672444800,"original_time":"2023-01-01T00:00:00Z","processed_time":1672531200,"product":{"cpe_name":"cpe:/a:example:product","feature":{"name":"Login Feature","uid":"fea-1234","version":"1.0"},"lang":"en","name":"User Activity Logger","path":"/var/log/user_activity","uid":"prod-1234","url_string":"https://example.com","vendor_name":"Example Vendor","version":"1.0"},"profiles":["default"],"sequence":1,"tenant_uid":"tenant123","uid":"evt-1234","version":"1.0"},"observables":[{"name":"San Francisco","reputation":{"base_score":90,"provider":"GeoIP Service","score":"high","score_id":1},"type":"location","type_id":2,"value":"San Francisco, 
USA"}],"raw_data":"raw_event_data","severity":"medium","severity_id":2,"start_time":1672444800,"status":"processed","status_code":"200","status_detail":"Event processed successfully.","status_id":1,"time":1672444800,"timezone_offset":-8,"type_name":"login_event","type_uid":1001,"unmapped":{},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example 
Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}} +{"message":"ol avatar webster","status":"jim","time":1722592439954199,"device":{"name":"sk feat cups","type":"Browser","ip":"81.2.69.144","location":{"desc":"Burundi, Republic of","city":"Randy wellington","country":"BI","coordinates":[-44.0959,34.4006],"continent":"Africa"},"hostname":"surfaces.biz","uid":"2444035c-50b5-11ef-be7d-0242ac110005","type_id":8,"container":{"name":"ent give c","size":2809284742,"uid":"2444104a-50b5-11ef-a8ef-0242ac110005","image":{"name":"rt href dubai","tag":"team established germany","path":"enhancing zope celtic","uid":"24441aea-50b5-11ef-a95e-0242ac110005","labels":["determines","dirt"]},"hash":{"value":"A0F0F23EF42637BEC6F126E2A94D58802124DC4B559791CE9583CBC1BB474C954FEF9FD047DFB80F46A869FBB1BAC07C4841FC2C92C4A9DF1755072825DEBBC8","algorithm":"Unknown","algorithm_id":0},"orchestrator":"carries pretty ranks"},"instance_uid":"2443f740-50b5-11ef-8557-0242ac110005","interface_name":"mb built rip","interface_uid":"24442436-50b5-11ef-a4a7-0242ac110005","is_managed":false,"is_trusted":true,"last_seen_time":1722592439950666,"region":"topic toshiba inform","risk_score":3,"vlan_uid":"2443ec0a-50b5-11ef-95ed-0242ac110005","zone":"percent databases fairfield","first_seen_time_dt":"2024-08-02T09:53:59.950879Z"},"metadata":{"version":"1.1.0","extension":{"name":"columbia merely switzerland","version":"1.1.0","uid":"24428c98-50b5-11ef-955a-0242ac110005"},"product":{"name":"semi boston electric","path":"norm eggs ranges","uid":"24429a8a-50b5-11ef-924a-0242ac110005","vendor_name":"gauge thereby modes"},"log_level":"ata ty announcements","sequence":29,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"correlation_uid":"2442a34a-50b5-11ef-adc6-0242ac110005","log_name":"orientation will game","log_provider":"rod seasons weed","loggers":[{"name":"netherlands 
devoted extensive","device":{"name":"tender harmony powerseller","type":"Laptop","os":{"name":"ian distributor collectible","type":"HP-UX","type_id":402,"cpu_bits":9},"ip":"97.19.65.133","uid":"24433d8c-50b5-11ef-b570-0242ac110005","type_id":3,"subnet":"164.124.0.0/16","autoscale_uid":"24432c02-50b5-11ef-b1ff-0242ac110005","container":{"size":2010633241,"uid":"2443498a-50b5-11ef-ae6c-0242ac110005","image":{"name":"anxiety patents return","uid":"2443540c-50b5-11ef-8146-0242ac110005","labels":["intimate","momentum"]},"hash":{"value":"FA43AD9444AD97C075FDAE70D75E938A031C84A9C642A94B9F058555892B875F","algorithm":"magic","algorithm_id":99}},"imei":"relatively drums significantly","instance_uid":"2443362a-50b5-11ef-b381-0242ac110005","interface_name":"own monitoring ph","interface_uid":"24435e02-50b5-11ef-81a2-0242ac110005","is_managed":true,"is_personal":false,"namespace_pid":85,"region":"impacts trackbacks authentication","uid_alt":"kelkoo clinics nearby"},"product":{"name":"herself market quote","version":"1.1.0","uid":"2443cb58-50b5-11ef-b723-0242ac110005","cpe_name":"locale memorabilia board","url_string":"belt","vendor_name":"ultimately permalink scenes"},"log_name":"jul pregnant carrying","log_provider":"specifically executive dosage","transmit_time_dt":"2024-08-02T09:53:59.950077Z"}],"modified_time":1722592439950096,"original_time":"livecam yearly isbn","processed_time":1722592439950110,"tenant_uid":"2443d6b6-50b5-11ef-8908-0242ac110005","modified_time_dt":"2024-08-02T09:53:59.950313Z"},"severity":"Low","duration":84,"type_name":"Operating System Patch State: Unknown","activity_id":0,"type_uid":500400,"category_name":"Discovery","class_uid":5004,"category_uid":5,"class_name":"Operating System Patch State","timezone_offset":54,"activity_name":"Unknown","cloud":{"project_uid":"244256a6-50b5-11ef-b514-0242ac110005","provider":"examined thumbzilla applies","region":"refugees england number"},"kb_article_list":[{"os":{"name":"pills conversations dave","type":"Windows 
Mobile","type_id":101,"lang":"en","edition":"liechtenstein wildlife rooms"},"title":"survey chinese wales","uid":"24443296-50b5-11ef-a50c-0242ac110005","severity":"spectacular durham aw","bulletin":"mauritius journalists shaved"},{"os":{"name":"reaches ridge signatures","type":"overseas","version":"1.1.0","type_id":99,"cpe_name":"almost advertisement oe","cpu_bits":7},"product":{"name":"recorder engaging widescreen","version":"1.1.0","uid":"244462f2-50b5-11ef-86a0-0242ac110005","lang":"en","cpe_name":"stuffed robots bras","vendor_name":"spring russian core"},"uid":"24446d6a-50b5-11ef-ac9c-0242ac110005","severity":"paso strictly after","src_url":"reserved"}],"severity_id":2,"status_id":99} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json index 96f7912c63f1..8578dc4d5112 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json @@ -339,7 +339,10 @@ "provider": "Example Provider", "sequence": 1, "severity": 2, - "start": "1970-01-20T08:34:04.800Z" + "start": "1970-01-20T08:34:04.800Z", + "type": [ + "info" + ] }, "file": { "accessed": "1970-01-20T08:35:31.200Z", 
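Review bot: The added sample's `time`, `last_seen_time`, `modified_time` and `processed_time` values are 16-digit epochs such as `1722592439954199`, while the two existing samples in this hunk use 13-digit millisecond values such as `1695277679358`. The pipeline evidently reads them as milliseconds: the `test-discovery.log-expected.json` hunk in this same commit records `"@timestamp": "+56556-10-12T11:59:14.199Z"` and `"last_seen_time": "+56556-10-12T11:59:10.666Z"`, so the fixture now asserts a year-56556 timestamp as correct output. Either regenerate the sample with millisecond values (`"time":1722592439954`) and refresh the expected file, or, if this OCSF class really emits microseconds, have the pipeline scale them before the date conversion; this applies to the expected-output hunk as well.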
@@ -887,6 +890,277 @@ "name": "John Doe" } } + }, + { + "@timestamp": "+56556-10-12T11:59:14.199Z", + "cloud": { + "project": { + "id": "244256a6-50b5-11ef-b514-0242ac110005" + }, + "provider": "examined thumbzilla applies", + "region": "refugees england number" + }, + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "unknown", + "duration": 84000000, + "kind": "event", + "original": "{\"message\":\"ol avatar webster\",\"status\":\"jim\",\"time\":1722592439954199,\"device\":{\"name\":\"sk feat cups\",\"type\":\"Browser\",\"ip\":\"81.2.69.144\",\"location\":{\"desc\":\"Burundi, Republic of\",\"city\":\"Randy wellington\",\"country\":\"BI\",\"coordinates\":[-44.0959,34.4006],\"continent\":\"Africa\"},\"hostname\":\"surfaces.biz\",\"uid\":\"2444035c-50b5-11ef-be7d-0242ac110005\",\"type_id\":8,\"container\":{\"name\":\"ent give c\",\"size\":2809284742,\"uid\":\"2444104a-50b5-11ef-a8ef-0242ac110005\",\"image\":{\"name\":\"rt href dubai\",\"tag\":\"team established germany\",\"path\":\"enhancing zope celtic\",\"uid\":\"24441aea-50b5-11ef-a95e-0242ac110005\",\"labels\":[\"determines\",\"dirt\"]},\"hash\":{\"value\":\"A0F0F23EF42637BEC6F126E2A94D58802124DC4B559791CE9583CBC1BB474C954FEF9FD047DFB80F46A869FBB1BAC07C4841FC2C92C4A9DF1755072825DEBBC8\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"orchestrator\":\"carries pretty ranks\"},\"instance_uid\":\"2443f740-50b5-11ef-8557-0242ac110005\",\"interface_name\":\"mb built rip\",\"interface_uid\":\"24442436-50b5-11ef-a4a7-0242ac110005\",\"is_managed\":false,\"is_trusted\":true,\"last_seen_time\":1722592439950666,\"region\":\"topic toshiba inform\",\"risk_score\":3,\"vlan_uid\":\"2443ec0a-50b5-11ef-95ed-0242ac110005\",\"zone\":\"percent databases fairfield\",\"first_seen_time_dt\":\"2024-08-02T09:53:59.950879Z\"},\"metadata\":{\"version\":\"1.1.0\",\"extension\":{\"name\":\"columbia merely 
switzerland\",\"version\":\"1.1.0\",\"uid\":\"24428c98-50b5-11ef-955a-0242ac110005\"},\"product\":{\"name\":\"semi boston electric\",\"path\":\"norm eggs ranges\",\"uid\":\"24429a8a-50b5-11ef-924a-0242ac110005\",\"vendor_name\":\"gauge thereby modes\"},\"log_level\":\"ata ty announcements\",\"sequence\":29,\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"correlation_uid\":\"2442a34a-50b5-11ef-adc6-0242ac110005\",\"log_name\":\"orientation will game\",\"log_provider\":\"rod seasons weed\",\"loggers\":[{\"name\":\"netherlands devoted extensive\",\"device\":{\"name\":\"tender harmony powerseller\",\"type\":\"Laptop\",\"os\":{\"name\":\"ian distributor collectible\",\"type\":\"HP-UX\",\"type_id\":402,\"cpu_bits\":9},\"ip\":\"97.19.65.133\",\"uid\":\"24433d8c-50b5-11ef-b570-0242ac110005\",\"type_id\":3,\"subnet\":\"164.124.0.0/16\",\"autoscale_uid\":\"24432c02-50b5-11ef-b1ff-0242ac110005\",\"container\":{\"size\":2010633241,\"uid\":\"2443498a-50b5-11ef-ae6c-0242ac110005\",\"image\":{\"name\":\"anxiety patents return\",\"uid\":\"2443540c-50b5-11ef-8146-0242ac110005\",\"labels\":[\"intimate\",\"momentum\"]},\"hash\":{\"value\":\"FA43AD9444AD97C075FDAE70D75E938A031C84A9C642A94B9F058555892B875F\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"imei\":\"relatively drums significantly\",\"instance_uid\":\"2443362a-50b5-11ef-b381-0242ac110005\",\"interface_name\":\"own monitoring ph\",\"interface_uid\":\"24435e02-50b5-11ef-81a2-0242ac110005\",\"is_managed\":true,\"is_personal\":false,\"namespace_pid\":85,\"region\":\"impacts trackbacks authentication\",\"uid_alt\":\"kelkoo clinics nearby\"},\"product\":{\"name\":\"herself market quote\",\"version\":\"1.1.0\",\"uid\":\"2443cb58-50b5-11ef-b723-0242ac110005\",\"cpe_name\":\"locale memorabilia board\",\"url_string\":\"belt\",\"vendor_name\":\"ultimately permalink scenes\"},\"log_name\":\"jul pregnant 
carrying\",\"log_provider\":\"specifically executive dosage\",\"transmit_time_dt\":\"2024-08-02T09:53:59.950077Z\"}],\"modified_time\":1722592439950096,\"original_time\":\"livecam yearly isbn\",\"processed_time\":1722592439950110,\"tenant_uid\":\"2443d6b6-50b5-11ef-8908-0242ac110005\",\"modified_time_dt\":\"2024-08-02T09:53:59.950313Z\"},\"severity\":\"Low\",\"duration\":84,\"type_name\":\"Operating System Patch State: Unknown\",\"activity_id\":0,\"type_uid\":500400,\"category_name\":\"Discovery\",\"class_uid\":5004,\"category_uid\":5,\"class_name\":\"Operating System Patch State\",\"timezone_offset\":54,\"activity_name\":\"Unknown\",\"cloud\":{\"project_uid\":\"244256a6-50b5-11ef-b514-0242ac110005\",\"provider\":\"examined thumbzilla applies\",\"region\":\"refugees england number\"},\"kb_article_list\":[{\"os\":{\"name\":\"pills conversations dave\",\"type\":\"Windows Mobile\",\"type_id\":101,\"lang\":\"en\",\"edition\":\"liechtenstein wildlife rooms\"},\"title\":\"survey chinese wales\",\"uid\":\"24443296-50b5-11ef-a50c-0242ac110005\",\"severity\":\"spectacular durham aw\",\"bulletin\":\"mauritius journalists shaved\"},{\"os\":{\"name\":\"reaches ridge signatures\",\"type\":\"overseas\",\"version\":\"1.1.0\",\"type_id\":99,\"cpe_name\":\"almost advertisement oe\",\"cpu_bits\":7},\"product\":{\"name\":\"recorder engaging widescreen\",\"version\":\"1.1.0\",\"uid\":\"244462f2-50b5-11ef-86a0-0242ac110005\",\"lang\":\"en\",\"cpe_name\":\"stuffed robots bras\",\"vendor_name\":\"spring russian core\"},\"uid\":\"24446d6a-50b5-11ef-ac9c-0242ac110005\",\"severity\":\"paso strictly after\",\"src_url\":\"reserved\"}],\"severity_id\":2,\"status_id\":99}", + "provider": "rod seasons weed", + "sequence": 29, + "severity": 2, + "type": [ + "info" + ] + }, + "host": { + "geo": { + "city_name": "Randy wellington", + "continent_name": "Africa", + "country_iso_code": "BI", + "location": [ + -44.0959, + 34.4006 + ], + "name": "Burundi, Republic of" + }, + "hostname": "surfaces.biz", 
+ "id": "2444035c-50b5-11ef-be7d-0242ac110005", + "ip": [ + "81.2.69.144" + ], + "name": "sk feat cups", + "risk": { + "static_score": 3 + }, + "type": "Browser" + }, + "message": "ol avatar webster", + "network": { + "vlan": { + "id": "2443ec0a-50b5-11ef-95ed-0242ac110005" + } + }, + "ocsf": { + "activity_id": "0", + "activity_name": "Unknown", + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Operating System Patch State", + "class_uid": "5004", + "cloud": { + "project_uid": "244256a6-50b5-11ef-b514-0242ac110005", + "provider": "examined thumbzilla applies", + "region": "refugees england number" + }, + "device": { + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "A0F0F23EF42637BEC6F126E2A94D58802124DC4B559791CE9583CBC1BB474C954FEF9FD047DFB80F46A869FBB1BAC07C4841FC2C92C4A9DF1755072825DEBBC8" + }, + "image": { + "labels": [ + "determines", + "dirt" + ], + "name": "rt href dubai", + "path": "enhancing zope celtic", + "tag": "team established germany", + "uid": "24441aea-50b5-11ef-a95e-0242ac110005" + }, + "name": "ent give c", + "orchestrator": "carries pretty ranks", + "size": 2809284742, + "uid": "2444104a-50b5-11ef-a8ef-0242ac110005" + }, + "first_seen_time_dt": "2024-08-02T09:53:59.950Z", + "hostname": "surfaces.biz", + "instance_uid": "2443f740-50b5-11ef-8557-0242ac110005", + "interface_name": "mb built rip", + "interface_uid": "24442436-50b5-11ef-a4a7-0242ac110005", + "ip": "81.2.69.144", + "is_managed": false, + "is_trusted": true, + "last_seen_time": "+56556-10-12T11:59:10.666Z", + "location": { + "city": "Randy wellington", + "continent": "Africa", + "coordinates": [ + -44.0959, + 34.4006 + ], + "country": "BI", + "desc": "Burundi, Republic of" + }, + "name": "sk feat cups", + "region": "topic toshiba inform", + "risk_score": 3, + "type": "Browser", + "type_id": "8", + "uid": "2444035c-50b5-11ef-be7d-0242ac110005", + "vlan_uid": "2443ec0a-50b5-11ef-95ed-0242ac110005", + "zone": "percent databases 
fairfield" + }, + "duration": 84, + "kb_article_list": [ + { + "bulletin": "mauritius journalists shaved", + "os": { + "edition": "liechtenstein wildlife rooms", + "lang": "en", + "name": "pills conversations dave", + "type": "Windows Mobile", + "type_id": 101 + }, + "severity": "spectacular durham aw", + "title": "survey chinese wales", + "uid": "24443296-50b5-11ef-a50c-0242ac110005" + }, + { + "os": { + "cpe_name": "almost advertisement oe", + "cpu_bits": 7, + "name": "reaches ridge signatures", + "type": "overseas", + "type_id": 99, + "version": "1.1.0" + }, + "product": { + "cpe_name": "stuffed robots bras", + "lang": "en", + "name": "recorder engaging widescreen", + "uid": "244462f2-50b5-11ef-86a0-0242ac110005", + "vendor_name": "spring russian core", + "version": "1.1.0" + }, + "severity": "paso strictly after", + "src_url": "reserved", + "uid": "24446d6a-50b5-11ef-ac9c-0242ac110005" + } + ], + "message": "ol avatar webster", + "metadata": { + "correlation_uid": "2442a34a-50b5-11ef-adc6-0242ac110005", + "extension": { + "name": "columbia merely switzerland", + "uid": "24428c98-50b5-11ef-955a-0242ac110005", + "version": "1.1.0" + }, + "log_level": "ata ty announcements", + "log_name": "orientation will game", + "log_provider": "rod seasons weed", + "loggers": [ + { + "device": { + "autoscale_uid": "24432c02-50b5-11ef-b1ff-0242ac110005", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "FA43AD9444AD97C075FDAE70D75E938A031C84A9C642A94B9F058555892B875F" + }, + "image": { + "labels": [ + "intimate", + "momentum" + ], + "name": "anxiety patents return", + "uid": "2443540c-50b5-11ef-8146-0242ac110005" + }, + "size": 2010633241, + "uid": "2443498a-50b5-11ef-ae6c-0242ac110005" + }, + "imei": "relatively drums significantly", + "instance_uid": "2443362a-50b5-11ef-b381-0242ac110005", + "interface_name": "own monitoring ph", + "interface_uid": "24435e02-50b5-11ef-81a2-0242ac110005", + "ip": "97.19.65.133", + "is_managed": true, + 
"is_personal": false, + "name": "tender harmony powerseller", + "namespace_pid": 85, + "os": { + "cpu_bits": 9, + "name": "ian distributor collectible", + "type": "HP-UX", + "type_id": 402 + }, + "region": "impacts trackbacks authentication", + "subnet": "164.124.0.0/16", + "type": "Laptop", + "type_id": 3, + "uid": "24433d8c-50b5-11ef-b570-0242ac110005", + "uid_alt": "kelkoo clinics nearby" + }, + "log_name": "jul pregnant carrying", + "log_provider": "specifically executive dosage", + "name": "netherlands devoted extensive", + "product": { + "cpe_name": "locale memorabilia board", + "name": "herself market quote", + "uid": "2443cb58-50b5-11ef-b723-0242ac110005", + "url_string": "belt", + "vendor_name": "ultimately permalink scenes", + "version": "1.1.0" + }, + "transmit_time_dt": "2024-08-02T09:53:59.950077Z" + } + ], + "modified_time": "+56556-10-12T11:59:10.096Z", + "modified_time_dt": "2024-08-02T09:53:59.950Z", + "original_time": "livecam yearly isbn", + "processed_time": "+56556-10-12T11:59:10.110Z", + "product": { + "name": "semi boston electric", + "path": "norm eggs ranges", + "uid": "24429a8a-50b5-11ef-924a-0242ac110005", + "vendor_name": "gauge thereby modes" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "sequence": 29, + "tenant_uid": "2443d6b6-50b5-11ef-8908-0242ac110005", + "version": "1.1.0" + }, + "severity": "Low", + "severity_id": 2, + "status": "jim", + "status_id": "99", + "time": "+56556-10-12T11:59:14.199Z", + "timezone_offset": 54, + "type_name": "Operating System Patch State: Unknown", + "type_uid": "500400" + }, + "related": { + "hosts": [ + "surfaces.biz", + "sk feat cups" + ], + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } \ No newline at end of file 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 307cca854f0b..d6fbc86e7d16 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -28,7 +28,7 @@ processors:
- set:
field: event.kind
tag: set_event_kind
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid)
value: event
- set:
field: event.kind
@@ -124,7 +124,7 @@ processors:
tag: append_info_into_event_type
value: info
allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','6002','6003','6004'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004'].contains(ctx.ocsf.class_uid)
- append:
field: event.type
tag: append_user_into_event_type
@@ -202,7 +202,7 @@ processors:
tag: append_installation_into_event_type
value: installation
allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['6002'].contains(ctx.ocsf.class_uid) && ['Install'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['6002','5004'].contains(ctx.ocsf.class_uid) && ['Install','Log','Collect'].contains(ctx.ocsf.activity_name)
- append:
field: event.type
tag: append_error_into_event_type
@@ -708,7 +708,7 @@ processors:
ignore_missing_pipeline: true
- pipeline:
name: '{{ IngestPipeline "pipeline_object_device" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
tag: pipeline_object_device
ignore_missing_pipeline: true
- pipeline:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml
new file mode 100644
index 000000000000..5394314a13de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml
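Review bot: The rewritten condition on the `append_installation_into_event_type` step (`@@ -202`) is a cross product, so it now also tags a `6002` event whose `activity_name` is `Log` or `Collect`, and a `5004` event whose `activity_name` is `Install`, neither of which the old check admitted. Keeping the class/activity pairs explicit avoids that: `if: ctx.ocsf?.class_uid != null && ((ctx.ocsf.class_uid == '6002' && ctx.ocsf.activity_name == 'Install') || (ctx.ocsf.class_uid == '5004' && ['Log','Collect'].contains(ctx.ocsf.activity_name)))`. It is also worth a one-line comment on the step explaining why a `5004` Operating System Patch State record that merely logs or collects patch state gets the ECS `event.type` value `installation`, given that the `@@ -124` hunk already appends `info` for that class; a reader comparing the two lists will otherwise assume one of them is a mistake.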
@@ -0,0 +1,345 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' 
+ - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 2e64876a3013..c683d32cf09f 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
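Review bot: `uid_alt` in the new `device-fields.yml` is described as `The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.`, which is the user-object wording carried over from the old `fields.yml` block; on a device object it should read something like `The alternate unique identifier of the device.` The `created_time_dt` description still carries the `TThe` typo, and the same text is duplicated verbatim into the iam data stream's `device-fields.yml` further down this patch, so both copies need the fix. `subnet` is mapped as `ip_range` but described as `The subnet mask.`; an `ip_range` field accepts CIDR or range notation, not a mask, so the description should say so (the fixture on this page uses `164.124.0.0/16`). Separately, the expected output earlier on this page shows `ocsf.device.last_seen_time` as `+56556-10-12T11:59:10.666Z` next to a `first_seen_time_dt` of 2024-08-02, which looks like a microsecond epoch being parsed as milliseconds somewhere before these `date` fields are populated; worth confirming before a year-56556 timestamp is committed as expected output.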
@@ -546,345 +546,6 @@ - name: version type: keyword description: The version of the DCE/RPC protocol being used in the session. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: container - type: flattened - description: The information describing an instance of a container. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' 
- - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
- - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. 
- - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: namespace_pid - type: integer - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. 
- - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: subnet_prefix - type: long - description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
- name: dialect
type: keyword
description: The negotiated protocol dialect.
@@ -2722,6 +2383,46 @@
- name: is_renewal
type: boolean
description: The indication of whether this is a lease/session renewal event.
+ - name: kb_article_list
+ type: group
+ description: The KB Article object contains metadata that describes the patch or update.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier for the kb article.
+ - name: bulletin
+ type: keyword
+ description: The kb article bulletin identifier.
+ - name: classification
+ type: keyword
+ description: The vendors classification of the kb article.
+ - name: created_time
+ type: long
+ description: The date the kb article was released by the vendor.
+ - name: created_time_dt
+ type: date
+ description: The date the kb article was released by the vendor.
+ - name: is_superseded
+ type: boolean
+ description: "The patch is superseded"
+ - name: severity
+ type: keyword
+ description: The severity of the kb article.
+ - name: size
+ type: long
+ description: The size in bytes for the kb article.
+ - name: src_url
+ type: keyword
+ description: The kb article link from the source vendor.
+ - name: title
+ type: keyword
+ description: The title of the kb article.
+ - name: os
+ type: flattened
+ description: The operating system the kb article applies.
+ - name: product
+ type: flattened
+ description: The product details the kb article applies.
- name: kernel
type: group
fields:
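Review bot: `kb_article_list.created_time` is mapped as `type: long` while its sibling `created_time_dt` is `date`, and every other `*_time` field on this page (the device object's `created_time`, `first_seen_time`, `last_seen_time`, `modified_time`) is `date`; pick one convention, probably `type: date` here as well, or the same epoch value is searchable as a date in one object and only as a number in the other. The descriptions `The operating system the kb article applies.` and `The product details the kb article applies.` are missing their preposition and should end `applies to.`. `is_superseded` is the only entry in the group whose description is quoted and unterminated, `description: "The patch is superseded"`; drop the quotes and add the period to match the others. Since `os` and `product` are `flattened`, the fixture's `kb_article_list[].os.type_id` and `version` are indexed as keywords only, which is fine for display but worth stating in the description if anyone expects numeric or version comparisons on them.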
@@ -2890,6 +2591,9 @@
- name: log_level
type: keyword
description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
- name: correlation_uid
type: keyword
description: The unique identifier used to correlate events.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index f3f1a298515c..a277c08e1558 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -486,6 +486,9 @@
- name: labels
type: keyword
description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
- name: log_name
type: keyword
description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml
new file mode 100644
index 000000000000..5394314a13de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml
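Review bot: `metadata.loggers` is added as `flattened` both here and in the findings `fields.yml` hunk that follows on the same line, which stores every leaf as a keyword: the fixture earlier on this page carries `loggers[].device.ip` (`97.19.65.133`), `device.subnet`, `device.container.hash.value` and `transmit_time_dt` under it, none of which will be typed as `ip`, `ip_range` or `date`, and the logger device IP is not copied into `related.ip` (the expected output lists only `81.2.69.144`). If the intermediary collectors matter for investigation, an intermediate device's IP or container image hash is a reasonable pivot, consider at least appending `loggers[].device.ip` to `related.ip` in the pipeline so it is findable alongside the event's own addresses. If `flattened` is deliberate to bound the mapping size, a short phrase in the description saying so, for example `Stored flattened; leaf values are keyword-only.`, would save the next reader the question.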
@@ -0,0 +1,345 @@
+ - name: ocsf
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
index 9e9367d8274c..6f778ca7dc4d 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
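Review bot: The `uid_alt` description in this new device-fields.yml reads "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.", which describes a user, not the device object it sits under; it appears to have been carried over verbatim from the old `fields.yml` copy, and should say what the field holds, e.g. `description: The alternate unique identifier of the device.`. The `created_time_dt` description carries the same inherited typo, `TThe time when the device was known to have been created.`, which this move was the natural moment to fix. `subnet` is typed `ip_range` but documented as "The subnet mask."; a dotted mask such as 255.255.255.0 is not a valid `ip_range` value, so either the description should say the value is a CIDR block or the pipeline (not visible here) must be confirmed to normalise or drop non-CIDR input, otherwise the whole event fails indexing. Since the network_activity copy of this file below shares the same blob (`5394314a13de`), the same edits belong there.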
@@ -1717,342 +1717,6 @@
 - name: count
 type: long
 description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
- - name: device
- type: group
- fields:
- - name: autoscale_uid
- type: keyword
- description: The unique identifier of the cloud autoscale configuration.
- - name: container
- type: flattened
- description: The information describing an instance of a container.
- - name: created_time
- type: date
- description: The time when the device was known to have been created.
- - name: created_time_dt
- type: date
- description: TThe time when the device was known to have been created.
- - name: desc
- type: keyword
- description: The description of the device, ordinarily as reported by the operating system.
- - name: domain
- type: keyword
- description: 'The network domain where the device resides. For example: work.example.com.'
- - name: first_seen_time
- type: date
- description: The initial discovery time of the device.
- - name: first_seen_time_dt
- type: date
- description: The initial discovery time of the device.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: hostname
- type: keyword
- description: The devicename.
- - name: hw_info
- type: group
- fields:
- - name: bios_date
- type: keyword
- description: 'The BIOS date. For example: 03/31/16.'
- - name: bios_manufacturer
- type: keyword
- description: 'The BIOS manufacturer. For example: LENOVO.'
- - name: bios_ver
- type: keyword
- description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
- - name: chassis
- type: keyword
- description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
- - name: cpu_bits
- type: long
- description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
- - name: cpu_cores
- type: long
- description: 'The number of processor cores in all installed processors. For Example: 42.'
- - name: cpu_count
- type: long
- description: 'The number of physical processors on a system. For example: 1.'
- - name: cpu_speed
- type: long
- description: 'The speed of the processor in Mhz. For Example: 4200.'
- - name: cpu_type
- type: keyword
- description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
- - name: desktop_display
- type: group
- fields:
- - name: color_depth
- type: long
- description: The numeric color depth.
- - name: physical_height
- type: long
- description: The numeric physical height of display.
- - name: physical_orientation
- type: long
- description: The numeric physical orientation of display.
- - name: physical_width
- type: long
- description: The numeric physical width of display.
- - name: scale_factor
- type: long
- description: The numeric scale factor of display.
- - name: keyboard_info
- type: group
- fields:
- - name: function_keys
- type: long
- description: The number of function keys on client keyboard.
- - name: ime
- type: keyword
- description: The Input Method Editor (IME) file name.
- - name: keyboard_layout
- type: keyword
- description: The keyboard locale identifier name (e.g., en-US).
- - name: keyboard_subtype
- type: long
- description: The keyboard numeric code.
- - name: keyboard_type
- type: keyword
- description: The keyboard type (e.g., xt, ico).
- - name: ram_size
- type: long
- description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
- - name: serial_number
- type: keyword
- description: The device manufacturer serial number.
- - name: hypervisor
- type: keyword
- description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: 'The image tag. For example: 1.11-alpine.'
- - name: uid
- type: keyword
- description: 'The unique image ID. For example: 77af4d6b9913.'
- - name: imei
- type: keyword
- description: The International Mobile Station Equipment Identifier that is associated with the device.
- - name: instance_uid
- type: keyword
- description: The unique identifier of a VM instance.
- - name: interface_name
- type: keyword
- description: The name of the network interface (e.g. eth2).
- - name: interface_uid
- type: keyword
- description: The unique identifier of the network interface.
- - name: ip
- type: ip
- description: The device IP address, in either IPv4 or IPv6 format.
- - name: is_compliant
- type: boolean
- description: The event occurred on a compliant device.
- - name: is_managed
- type: boolean
- description: The event occurred on a managed device.
- - name: is_personal
- type: boolean
- description: The event occurred on a personal device.
- - name: is_trusted
- type: boolean
- description: The event occurred on a trusted device.
- - name: last_seen_time
- type: date
- description: The most recent discovery time of the device.
- - name: last_seen_time_dt
- type: date
- description: The most recent discovery time of the device.
- - name: location
- type: group
- fields:
- - name: city
- type: keyword
- description: The name of the city.
- - name: continent
- type: keyword
- description: The name of the continent.
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
- type: keyword
- description: The postal code of the location.
- - name: provider
- type: keyword
- description: The provider of the geographical location data.
- - name: region
- type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The device Media Access Control (MAC) address.
- - name: modified_time
- type: date
- description: The time when the device was last known to have been modified.
- - name: modified_time_dt
- type: date
- description: The time when the device was last known to have been modified.
- - name: name
- type: keyword
- description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
- - name: namespace_pid
- type: integer
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: network_interfaces
- type: group
- fields:
- - name: hostname
- type: keyword
- description: The hostname associated with the network interface.
- - name: ip
- type: ip
- description: The IP address associated with the network interface.
- - name: mac
- type: keyword
- description: The MAC address of the network interface.
- - name: name
- type: keyword
- description: The name of the network interface.
- - name: namespace
- type: keyword
- description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
- - name: type
- type: keyword
- description: The type of network interface.
- - name: type_id
- type: keyword
- description: The network interface type identifier.
- - name: uid
- type: keyword
- description: The unique identifier for the network interface.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: os
- type: group
- fields:
- - name: build
- type: keyword
- description: The operating system build number.
- - name: country
- type: keyword
- description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
- - name: cpu_bits
- type: long
- description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64.
- - name: edition
- type: keyword
- description: The operating system edition. For example, Professional.
- - name: lang
- type: keyword
- description: The two letter lower case language codes, as defined by ISO 639-1.
- - name: name
- type: keyword
- description: The operating system name.
- - name: sp_name
- type: keyword
- description: The name of the latest Service Pack.
- - name: sp_ver
- type: keyword
- description: The version number of the latest Service Pack.
- - name: type
- type: keyword
- description: The type of the operating system.
- - name: type_id
- type: keyword
- description: The type identifier of the operating system.
- - name: version
- type: keyword
- description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
- - name: region
- type: keyword
- description: The region where the virtual machine is located. For example, an AWS Region.
- - name: risk_level
- type: keyword
- description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
- - name: risk_level_id
- type: keyword
- description: The normalized risk level id.
- - name: risk_score
- type: long
- description: The risk score as reported by the event source.
- - name: subnet
- type: ip_range
- description: The subnet mask.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: type
- type: keyword
- description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
- - name: type_id
- type: keyword
- description: The device type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
 - name: duration
 type: long
 description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
@@ -3642,6 +3306,9 @@
 - name: labels
 type: keyword
 description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
 - name: log_name
 type: keyword
 description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml
new file mode 100644
index 000000000000..5394314a13de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml
@@ -0,0 +1,345 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' 
+ - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index 5293fefd6c2b..1aba4dd27fe7 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
@@ -322,345 +322,6 @@
 - name: version
 type: keyword
 description: The version of the DCE/RPC protocol being used in the session.
- - name: device
- type: group
- fields:
- - name: autoscale_uid
- type: keyword
- description: The unique identifier of the cloud autoscale configuration.
- - name: container
- type: flattened
- description: The information describing an instance of a container.
- - name: created_time
- type: date
- description: The time when the device was known to have been created.
- - name: created_time_dt
- type: date
- description: TThe time when the device was known to have been created.
- - name: desc
- type: keyword
- description: The description of the device, ordinarily as reported by the operating system.
- - name: domain
- type: keyword
- description: 'The network domain where the device resides. For example: work.example.com.'
- - name: first_seen_time
- type: date
- description: The initial discovery time of the device.
- - name: first_seen_time_dt
- type: date
- description: The initial discovery time of the device.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: hostname
- type: keyword
- description: The devicename.
- - name: hw_info
- type: group
- fields:
- - name: bios_date
- type: keyword
- description: 'The BIOS date. For example: 03/31/16.'
- - name: bios_manufacturer
- type: keyword
- description: 'The BIOS manufacturer. For example: LENOVO.'
- - name: bios_ver
- type: keyword
- description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
- - name: chassis
- type: keyword
- description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
- - name: cpu_bits
- type: long
- description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
- - name: cpu_cores
- type: long
- description: 'The number of processor cores in all installed processors. For Example: 42.'
- - name: cpu_count
- type: long
- description: 'The number of physical processors on a system. For example: 1.'
- - name: cpu_speed
- type: long
- description: 'The speed of the processor in Mhz. For Example: 4200.'
- - name: cpu_type
- type: keyword
- description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
- - name: desktop_display
- type: group
- fields:
- - name: color_depth
- type: long
- description: The numeric color depth.
- - name: physical_height
- type: long
- description: The numeric physical height of display.
- - name: physical_orientation
- type: long
- description: The numeric physical orientation of display.
- - name: physical_width
- type: long
- description: The numeric physical width of display.
- - name: scale_factor
- type: long
- description: The numeric scale factor of display.
- - name: keyboard_info
- type: group
- fields:
- - name: function_keys
- type: long
- description: The number of function keys on client keyboard.
- - name: ime
- type: keyword
- description: The Input Method Editor (IME) file name.
- - name: keyboard_layout
- type: keyword
- description: The keyboard locale identifier name (e.g., en-US).
- - name: keyboard_subtype
- type: long
- description: The keyboard numeric code.
- - name: keyboard_type
- type: keyword
- description: The keyboard type (e.g., xt, ico).
- - name: ram_size
- type: long
- description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
- - name: serial_number
- type: keyword
- description: The device manufacturer serial number.
- - name: hypervisor
- type: keyword
- description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: 'The image tag. For example: 1.11-alpine.'
- - name: uid
- type: keyword
- description: 'The unique image ID. For example: 77af4d6b9913.'
- - name: imei
- type: keyword
- description: The International Mobile Station Equipment Identifier that is associated with the device.
- - name: instance_uid
- type: keyword
- description: The unique identifier of a VM instance.
- - name: interface_name
- type: keyword
- description: The name of the network interface (e.g. eth2).
- - name: interface_uid
- type: keyword
- description: The unique identifier of the network interface.
- - name: ip
- type: ip
- description: The device IP address, in either IPv4 or IPv6 format.
- - name: is_compliant
- type: boolean
- description: The event occurred on a compliant device.
- - name: is_managed
- type: boolean
- description: The event occurred on a managed device.
- - name: is_personal
- type: boolean
- description: The event occurred on a personal device.
- - name: is_trusted
- type: boolean
- description: The event occurred on a trusted device.
- - name: last_seen_time
- type: date
- description: The most recent discovery time of the device.
- - name: last_seen_time_dt
- type: date
- description: The most recent discovery time of the device.
- - name: location
- type: group
- fields:
- - name: city
- type: keyword
- description: The name of the city.
- - name: continent
- type: keyword
- description: The name of the continent.
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
- type: keyword
- description: The postal code of the location.
- - name: provider
- type: keyword
- description: The provider of the geographical location data.
- - name: region
- type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The device Media Access Control (MAC) address.
- - name: modified_time
- type: date
- description: The time when the device was last known to have been modified.
- - name: modified_time_dt
- type: date
- description: The time when the device was last known to have been modified.
- - name: name
- type: keyword
- description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
- - name: namespace_pid
- type: integer
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: network_interfaces
- type: group
- fields:
- - name: hostname
- type: keyword
- description: The hostname associated with the network interface.
- - name: ip
- type: ip
- description: The IP address associated with the network interface.
- - name: mac
- type: keyword
- description: The MAC address of the network interface.
- - name: name
- type: keyword
- description: The name of the network interface.
- - name: namespace
- type: keyword
- description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
- - name: subnet_prefix
- type: long
- description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
- - name: type
- type: keyword
- description: The type of network interface.
- - name: type_id
- type: keyword
- description: The network interface type identifier.
- - name: uid
- type: keyword
- description: The unique identifier for the network interface.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: os
- type: group
- fields:
- - name: build
- type: keyword
- description: The operating system build number.
- - name: country
- type: keyword
- description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
- - name: cpu_bits
- type: long
- description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
- - name: edition
- type: keyword
- description: The operating system edition. For example, Professional.
- - name: lang
- type: keyword
- description: The two letter lower case language codes, as defined by ISO 639-1.
- - name: name
- type: keyword
- description: The operating system name.
- - name: sp_name
- type: keyword
- description: The name of the latest Service Pack.
- - name: sp_ver
- type: keyword
- description: The version number of the latest Service Pack.
- - name: type
- type: keyword
- description: The type of the operating system.
- - name: type_id
- type: keyword
- description: The type identifier of the operating system.
- - name: version
- type: keyword
- description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
- - name: region
- type: keyword
- description: The region where the virtual machine is located. For example, an AWS Region.
- - name: risk_level
- type: keyword
- description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
- - name: risk_level_id
- type: keyword
- description: The normalized risk level id.
- - name: risk_score
- type: long
- description: The risk score as reported by the event source.
- - name: subnet
- type: ip_range
- description: The subnet mask.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: type
- type: keyword
- description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
- - name: type_id
- type: keyword
- description: The device type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
 - name: dialect
 type: keyword
 description: The negotiated protocol dialect.
@@ -1525,6 +1186,9 @@
 - name: labels
 type: keyword
 description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
 - name: log_name
 type: keyword
 description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml
new file mode 100644
index 000000000000..5394314a13de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml
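Review bot: Mapping `loggers` as `flattened` indexes every leaf of the Logger array as a keyword, so if the Logger object carries a relaying device address or timestamps (its description says it lists the devices and logging products between source and destination), those values will not support CIDR or date-range queries from detection rules. This is consistent with how `container` is mapped in this package, so it may well be deliberate; if so, saying it in the description would save analysts a surprise, e.g. `description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Mapped as flattened, so sub-fields are searchable as keywords only.` If per-logger `device.ip` or logged-time queries are expected, a `nested` group with typed sub-fields would be the alternative.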
@@ -0,0 +1,345 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: autoscale_uid
+ type: keyword
+ description: The unique identifier of the cloud autoscale configuration.
+ - name: container
+ type: flattened
+ description: The information describing an instance of a container.
+ - name: created_time
+ type: date
+ description: The time when the device was known to have been created.
+ - name: created_time_dt
+ type: date
+ description: TThe time when the device was known to have been created.
+ - name: desc
+ type: keyword
+ description: The description of the device, ordinarily as reported by the operating system.
+ - name: domain
+ type: keyword
+ description: 'The network domain where the device resides. For example: work.example.com.'
+ - name: first_seen_time
+ type: date
+ description: The initial discovery time of the device.
+ - name: first_seen_time_dt
+ type: date
+ description: The initial discovery time of the device.
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: hostname
+ type: keyword
+ description: The devicename.
+ - name: hw_info
+ type: group
+ fields:
+ - name: bios_date
+ type: keyword
+ description: 'The BIOS date. For example: 03/31/16.'
+ - name: bios_manufacturer
+ type: keyword
+ description: 'The BIOS manufacturer. For example: LENOVO.'
+ - name: bios_ver
+ type: keyword
+ description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
+ - name: chassis
+ type: keyword
+ description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
+ - name: cpu_bits
+ type: long
+ description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
+ - name: cpu_cores
+ type: long
+ description: 'The number of processor cores in all installed processors. For Example: 42.'
+ - name: cpu_count
+ type: long
+ description: 'The number of physical processors on a system. For example: 1.'
+ - name: cpu_speed
+ type: long
+ description: 'The speed of the processor in Mhz. For Example: 4200.'
+ - name: cpu_type
+ type: keyword
+ description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
+ - name: desktop_display
+ type: group
+ fields:
+ - name: color_depth
+ type: long
+ description: The numeric color depth.
+ - name: physical_height
+ type: long
+ description: The numeric physical height of display.
+ - name: physical_orientation
+ type: long
+ description: The numeric physical orientation of display.
+ - name: physical_width
+ type: long
+ description: The numeric physical width of display.
+ - name: scale_factor
+ type: long
+ description: The numeric scale factor of display.
+ - name: keyboard_info
+ type: group
+ fields:
+ - name: function_keys
+ type: long
+ description: The number of function keys on client keyboard.
+ - name: ime
+ type: keyword
+ description: The Input Method Editor (IME) file name.
+ - name: keyboard_layout
+ type: keyword
+ description: The keyboard locale identifier name (e.g., en-US).
+ - name: keyboard_subtype
+ type: long
+ description: The keyboard numeric code.
+ - name: keyboard_type
+ type: keyword
+ description: The keyboard type (e.g., xt, ico).
+ - name: ram_size
+ type: long
+ description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
+ - name: serial_number
+ type: keyword
+ description: The device manufacturer serial number.
+ - name: hypervisor
+ type: keyword
+ description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: 'The image tag. For example: 1.11-alpine.'
+ - name: uid
+ type: keyword
+ description: 'The unique image ID. For example: 77af4d6b9913.'
+ - name: imei
+ type: keyword
+ description: The International Mobile Station Equipment Identifier that is associated with the device.
+ - name: instance_uid
+ type: keyword
+ description: The unique identifier of a VM instance.
+ - name: interface_name
+ type: keyword
+ description: The name of the network interface (e.g. eth2).
+ - name: interface_uid
+ type: keyword
+ description: The unique identifier of the network interface.
+ - name: ip
+ type: ip
+ description: The device IP address, in either IPv4 or IPv6 format.
+ - name: is_compliant
+ type: boolean
+ description: The event occurred on a compliant device.
+ - name: is_managed
+ type: boolean
+ description: The event occurred on a managed device.
+ - name: is_personal
+ type: boolean
+ description: The event occurred on a personal device.
+ - name: is_trusted
+ type: boolean
+ description: The event occurred on a trusted device.
+ - name: last_seen_time
+ type: date
+ description: The most recent discovery time of the device.
+ - name: last_seen_time_dt
+ type: date
+ description: The most recent discovery time of the device.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: mac
+ type: keyword
+ description: The device Media Access Control (MAC) address.
+ - name: modified_time
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the device was last known to have been modified.
+ - name: name
+ type: keyword
+ description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
+ - name: namespace_pid
+ type: integer
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: network_interfaces
+ type: group
+ fields:
+ - name: hostname
+ type: keyword
+ description: The hostname associated with the network interface.
+ - name: ip
+ type: ip
+ description: The IP address associated with the network interface.
+ - name: mac
+ type: keyword
+ description: The MAC address of the network interface.
+ - name: name
+ type: keyword
+ description: The name of the network interface.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
+ - name: subnet_prefix
+ type: long
+ description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
+ - name: type
+ type: keyword
+ description: The type of network interface.
+ - name: type_id
+ type: keyword
+ description: The network interface type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier for the network interface.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: The operating system build number.
+ - name: country
+ type: keyword
+ description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
+ - name: cpu_bits
+ type: long
+ description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
+ - name: edition
+ type: keyword
+ description: The operating system edition. For example, Professional.
+ - name: lang
+ type: keyword
+ description: The two letter lower case language codes, as defined by ISO 639-1.
+ - name: name
+ type: keyword
+ description: The operating system name.
+ - name: sp_name
+ type: keyword
+ description: The name of the latest Service Pack.
+ - name: sp_ver
+ type: keyword
+ description: The version number of the latest Service Pack.
+ - name: type
+ type: keyword
+ description: The type of the operating system.
+ - name: type_id
+ type: keyword
+ description: The type identifier of the operating system.
+ - name: version
+ type: keyword
+ description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
+ - name: region
+ type: keyword
+ description: The region where the virtual machine is located. For example, an AWS Region.
+ - name: risk_level
+ type: keyword
+ description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
+ - name: risk_level_id
+ type: keyword
+ description: The normalized risk level id.
+ - name: risk_score
+ type: long
+ description: The risk score as reported by the event source.
+ - name: subnet
+ type: ip_range
+ description: The subnet mask.
+ - name: subnet_uid
+ type: keyword
+ description: The unique identifier of a virtual subnet.
+ - name: type
+ type: keyword
+ description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
+ - name: type_id
+ type: keyword
+ description: The device type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: vlan_uid
+ type: keyword
+ description: The Virtual LAN identifier.
+ - name: vpc_uid
+ type: keyword
+ description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
index d74b894096ea..15c87483924e 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
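Review bot: `network_interfaces` and `groups` are declared `type: group` although their plural names and per-interface descriptions suggest the source carries an array of objects; an object mapping stores such arrays as parallel value lists, so for a host with more than one interface `ocsf.device.network_interfaces.ip` and `.mac` can no longer be paired to the same interface during an investigation — a `nested` mapping, or `flattened` as this hunk already uses for `container`, keeps that association and is worth checking against the sample documents. `subnet` is typed `ip_range` while its description reads `The subnet mask.`; a dotted mask such as 255.255.255.0 is not a valid ip_range and would reject the whole document unless the pipeline normalizes it to CIDR or the template sets `ignore_malformed`, which I cannot see from here. Several descriptions look copied from other objects and should be corrected while the file is new: `TThe time when the device was known to have been created.` → `The time when the device was known to have been created.`, `The devicename.` → `The device name.`, and `uid_alt` on a device object currently says `The alternate user identifier.`, which presumably should describe an alternate device identifier.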
@@ -1717,345 +1717,6 @@
 - name: create_mask
 type: keyword
 description: The original Windows mask that is required to create the object.
- - name: device
- type: group
- fields:
- - name: autoscale_uid
- type: keyword
- description: The unique identifier of the cloud autoscale configuration.
- - name: container
- type: flattened
- description: The information describing an instance of a container.
- - name: created_time
- type: date
- description: The time when the device was known to have been created.
- - name: created_time_dt
- type: date
- description: TThe time when the device was known to have been created.
- - name: desc
- type: keyword
- description: The description of the device, ordinarily as reported by the operating system.
- - name: domain
- type: keyword
- description: 'The network domain where the device resides. For example: work.example.com.'
- - name: first_seen_time
- type: date
- description: The initial discovery time of the device.
- - name: first_seen_time_dt
- type: date
- description: The initial discovery time of the device.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: hostname
- type: keyword
- description: The devicename.
- - name: hw_info
- type: group
- fields:
- - name: bios_date
- type: keyword
- description: 'The BIOS date. For example: 03/31/16.'
- - name: bios_manufacturer
- type: keyword
- description: 'The BIOS manufacturer. For example: LENOVO.'
- - name: bios_ver
- type: keyword
- description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).'
- - name: chassis
- type: keyword
- description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types.
- - name: cpu_bits
- type: long
- description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.'
- - name: cpu_cores
- type: long
- description: 'The number of processor cores in all installed processors. For Example: 42.'
- - name: cpu_count
- type: long
- description: 'The number of physical processors on a system. For example: 1.'
- - name: cpu_speed
- type: long
- description: 'The speed of the processor in Mhz. For Example: 4200.'
- - name: cpu_type
- type: keyword
- description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.'
- - name: desktop_display
- type: group
- fields:
- - name: color_depth
- type: long
- description: The numeric color depth.
- - name: physical_height
- type: long
- description: The numeric physical height of display.
- - name: physical_orientation
- type: long
- description: The numeric physical orientation of display.
- - name: physical_width
- type: long
- description: The numeric physical width of display.
- - name: scale_factor
- type: long
- description: The numeric scale factor of display.
- - name: keyboard_info
- type: group
- fields:
- - name: function_keys
- type: long
- description: The number of function keys on client keyboard.
- - name: ime
- type: keyword
- description: The Input Method Editor (IME) file name.
- - name: keyboard_layout
- type: keyword
- description: The keyboard locale identifier name (e.g., en-US).
- - name: keyboard_subtype
- type: long
- description: The keyboard numeric code.
- - name: keyboard_type
- type: keyword
- description: The keyboard type (e.g., xt, ico).
- - name: ram_size
- type: long
- description: 'The total amount of installed RAM, in Megabytes. For example: 2048.'
- - name: serial_number
- type: keyword
- description: The device manufacturer serial number.
- - name: hypervisor
- type: keyword
- description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: 'The image tag. For example: 1.11-alpine.'
- - name: uid
- type: keyword
- description: 'The unique image ID. For example: 77af4d6b9913.'
- - name: imei
- type: keyword
- description: The International Mobile Station Equipment Identifier that is associated with the device.
- - name: instance_uid
- type: keyword
- description: The unique identifier of a VM instance.
- - name: interface_name
- type: keyword
- description: The name of the network interface (e.g. eth2).
- - name: interface_uid
- type: keyword
- description: The unique identifier of the network interface.
- - name: ip
- type: ip
- description: The device IP address, in either IPv4 or IPv6 format.
- - name: is_compliant
- type: boolean
- description: The event occurred on a compliant device.
- - name: is_managed
- type: boolean
- description: The event occurred on a managed device.
- - name: is_personal
- type: boolean
- description: The event occurred on a personal device.
- - name: is_trusted
- type: boolean
- description: The event occurred on a trusted device.
- - name: last_seen_time
- type: date
- description: The most recent discovery time of the device.
- - name: last_seen_time_dt
- type: date
- description: The most recent discovery time of the device.
- - name: location
- type: group
- fields:
- - name: city
- type: keyword
- description: The name of the city.
- - name: continent
- type: keyword
- description: The name of the continent.
- - name: coordinates
- type: geo_point
- description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
- - name: country
- type: keyword
- description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
- - name: desc
- type: keyword
- description: The description of the geographical location.
- - name: is_on_premises
- type: boolean
- description: The indication of whether the location is on premises.
- - name: isp
- type: keyword
- description: The name of the Internet Service Provider (ISP).
- - name: postal_code
- type: keyword
- description: The postal code of the location.
- - name: provider
- type: keyword
- description: The provider of the geographical location data.
- - name: region
- type: keyword
- description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
- - name: mac
- type: keyword
- description: The device Media Access Control (MAC) address.
- - name: modified_time
- type: date
- description: The time when the device was last known to have been modified.
- - name: modified_time_dt
- type: date
- description: The time when the device was last known to have been modified.
- - name: name
- type: keyword
- description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
- - name: namespace_pid
- type: integer
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: network_interfaces
- type: group
- fields:
- - name: hostname
- type: keyword
- description: The hostname associated with the network interface.
- - name: ip
- type: ip
- description: The IP address associated with the network interface.
- - name: mac
- type: keyword
- description: The MAC address of the network interface.
- - name: name
- type: keyword
- description: The name of the network interface.
- - name: namespace
- type: keyword
- description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate.
- - name: subnet_prefix
- type: long
- description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.
- - name: type
- type: keyword
- description: The type of network interface.
- - name: type_id
- type: keyword
- description: The network interface type identifier.
- - name: uid
- type: keyword
- description: The unique identifier for the network interface.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: os
- type: group
- fields:
- - name: build
- type: keyword
- description: The operating system build number.
- - name: country
- type: keyword
- description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
- - name: cpu_bits
- type: long
- description: The cpu architecture, the number of bits used for addressing in memory.
For example, 32 or 64.
- - name: edition
- type: keyword
- description: The operating system edition. For example, Professional.
- - name: lang
- type: keyword
- description: The two letter lower case language codes, as defined by ISO 639-1.
- - name: name
- type: keyword
- description: The operating system name.
- - name: sp_name
- type: keyword
- description: The name of the latest Service Pack.
- - name: sp_ver
- type: keyword
- description: The version number of the latest Service Pack.
- - name: type
- type: keyword
- description: The type of the operating system.
- - name: type_id
- type: keyword
- description: The type identifier of the operating system.
- - name: version
- type: keyword
- description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9".
- - name: region
- type: keyword
- description: The region where the virtual machine is located. For example, an AWS Region.
- - name: risk_level
- type: keyword
- description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
- - name: risk_level_id
- type: keyword
- description: The normalized risk level id.
- - name: risk_score
- type: long
- description: The risk score as reported by the event source.
- - name: subnet
- type: ip_range
- description: The subnet mask.
- - name: subnet_uid
- type: keyword
- description: The unique identifier of a virtual subnet.
- - name: type
- type: keyword
- description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other.
- - name: type_id
- type: keyword
- description: The device type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: vlan_uid
- type: keyword
- description: The Virtual LAN identifier.
- - name: vpc_uid
- type: keyword
- description: The unique identifier of the Virtual Private Cloud (VPC).
 - name: disposition
 type: keyword
 description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
@@ -4287,6 +3948,9 @@
 - name: labels
 type: keyword
 description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
 - name: log_name
 type: keyword
 description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index 2a3919860464..e92a952c6924 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -851,6 +851,7 @@ This is the `Event` dataset.
 | ocsf.device.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.device.vlan_uid | The Virtual LAN identifier. | keyword |
 | ocsf.device.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
+| ocsf.device.zone | The network zone or LAN segment. | keyword |
 | ocsf.dialect | The negotiated protocol dialect. | keyword |
 | ocsf.direction | The direction of the email, as defined by the direction_id value. | keyword |
 | ocsf.direction_id | The direction of the email relative to the scanning host or organization. | keyword |
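Review bot: The new `loggers` field in the `@@ -4287,6 +3948,9 @@` hunk is mapped as `flattened`, which indexes every leaf of the Logger objects as a keyword; if those objects carry timestamps or counters (as far as I recall the OCSF Logger object includes a `logged_time`, worth confirming against the v1.1.0 schema), they lose date/numeric typing and cannot be range-queried or used in time-window detection logic the way the sibling `logged_time`/`modified_time` fields mapped as `date` can. If that trade-off is deliberate for a variable-depth chain-of-custody array, a comment above the field would keep a later maintainer from "fixing" it, e.g. `# Logger objects nest to arbitrary depth; kept flattened, so leaf values are keyword-searchable only (no date/numeric range queries).` The enclosing group (`metadata`, going by the README rows in this same patch) starts outside the hunk.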
@@ -1413,6 +1414,18 @@ This is the `Event` dataset.
 | ocsf.is_new_logon | Indicates logon is from a device not seen before or a first time account logon. | boolean |
 | ocsf.is_remote | The attempted authentication is over a remote connection. | boolean |
 | ocsf.is_renewal | The indication of whether this is a lease/session renewal event. | boolean |
+| ocsf.kb_article_list.bulletin | The kb article bulletin identifier. | keyword |
+| ocsf.kb_article_list.classification | The vendors classification of the kb article. | keyword |
+| ocsf.kb_article_list.created_time | The date the kb article was released by the vendor. | long |
+| ocsf.kb_article_list.created_time_dt | The date the kb article was released by the vendor. | date |
+| ocsf.kb_article_list.is_superseded | The patch is superseded | boolean |
+| ocsf.kb_article_list.os | The operating system the kb article applies. | flattened |
+| ocsf.kb_article_list.product | The product details the kb article applies. | flattened |
+| ocsf.kb_article_list.severity | The severity of the kb article. | keyword |
+| ocsf.kb_article_list.size | The size in bytes for the kb article. | long |
+| ocsf.kb_article_list.src_url | The kb article link from the source vendor. | keyword |
+| ocsf.kb_article_list.title | The title of the kb article. | keyword |
+| ocsf.kb_article_list.uid | The unique identifier for the kb article. | keyword |
 | ocsf.kernel.is_system | The indication of whether the object is part of the operating system. | boolean |
 | ocsf.kernel.name | The name of the kernel resource. | keyword |
 | ocsf.kernel.path | The full path of the kernel resource. | keyword |
@@ -1470,6 +1483,7 @@ This is the `Event` dataset.
 | ocsf.metadata.log_version | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. | keyword |
 | ocsf.metadata.logged_time | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. | date |
 | ocsf.metadata.logged_time_dt | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. | date |
+| ocsf.metadata.loggers | An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. | flattened |
 | ocsf.metadata.modified_time | The time when the event was last modified or enriched. | date |
 | ocsf.metadata.modified_time_dt | The time when the event was last modified or enriched. | date |
 | ocsf.metadata.original_time | The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. | keyword |
From ac66e6ef08b9f5c74530276c97175f8aaaafed18 Mon Sep 17 00:00:00 2001
From: Shourie Ganguly Date: Tue, 6 Aug 2024 18:40:21 +0530 Subject: [PATCH 12/30] added datastore activity event class, segregated actor, user & metadata fields across all data streams, flattened ldap fields in event data stream to make room for more fields --- .../fields/actor-fields.yml | 1796 ++++++++++++++++ .../fields/device-fields.yml | 3 + .../application_activity/fields/fields.yml | 1845 ++--------------- .../fields/metadata-fields.yml | 129 ++ .../discovery/fields/actor-fields.yml | 56 +- .../data_stream/discovery/fields/fields.yml | 114 - .../discovery/fields/metadata-fields.yml | 129 ++ .../discovery/fields/user-fields.yml | 42 +- .../pipeline/test-application-activity.log | 1 + ...est-application-activity.log-expected.json | 1080 ++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 10 +- .../data_stream/event/fields/actor-fields.yml | 190 +- .../data_stream/event/fields/fields.yml | 131 +- .../event/fields/metadata-fields.yml | 129 ++ .../data_stream/event/fields/user-fields.yml | 18 + .../findings/fields/actor-fields.yml | 56 +- .../data_stream/findings/fields/fields.yml | 105 - .../findings/fields/metadata-fields.yml | 129 ++ .../data_stream/iam/fields/actor-fields.yml | 1796 ++++++++++++++++ .../data_stream/iam/fields/fields.yml | 1734 ---------------- .../iam/fields/metadata-fields.yml | 129 ++ .../data_stream/iam/fields/user-fields.yml | 254 +++ .../network_activity/fields/actor-fields.yml | 342 ++- .../network_activity/fields/fields.yml | 105 - .../fields/metadata-fields.yml | 129 ++ .../system_activity/fields/actor-fields.yml | 1796 ++++++++++++++++ .../system_activity/fields/fields.yml | 1662 --------------- .../fields/metadata-fields.yml | 129 ++ packages/amazon_security_lake/docs/README.md | 70 +- 29 files changed, 8293 insertions(+), 5816 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml create mode 100644 
packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
new file mode 100644
index 000000000000..89de2343dcc3
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
@@ -0,0 +1,1796 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: actor
+ type: group
+ fields:
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome, e.g. allowed, denied.
+ - name: policy
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: 'The policy name. For example: IAM Policy.'
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: idp
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the identity provider.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the identity provider.
+ - name: invoked_by
+ type: keyword
+ description: The name of the service that invoked the activity as described in the event.
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'.
In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined.
For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'.
In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized digital signature algorithm. 
+ - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: integer + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. 
+ - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. 
+ - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. 
+ - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' 
+ - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. 
+ - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: integer + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
+ - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. + - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml
index adb7aabcc142..5394314a13de 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml
@@ -340,3 +340,6 @@
 - name: vpc_uid
 type: keyword
 description: The unique identifier of the Virtual Private Cloud (VPC).
+ - name: zone
+ type: keyword
+ description: The network zone or LAN segment.
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
index 0b3d4e46a095..08b9eaab391d 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
@@ -7,1557 +7,6 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: actor
- type: group
- fields:
- - name: authorizations
- type: group
- fields:
- - name: decision
- type: keyword
- description: Authorization Result/outcome, e.g. allowed, denied.
- - name: policy
- type: group
- fields:
- - name: desc
- type: keyword
- description: The description of the policy.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: 'The policy name. For example: IAM Policy.'
- - name: uid
- type: keyword
- description: A unique identifier of the policy instance.
- - name: version
- type: keyword
- description: The policy version number.
- - name: idp
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the identity provider.
- - name: uid
- type: keyword
- description: The unique identifier of the identity provider.
- - name: invoked_by
- type: keyword
- description: The name of the service that invoked the activity as described in the event.
- - name: process
- type: group
- fields:
- - name: auid
- type: keyword
- description: The audit user assigned at login by the audit subsystem.
- - name: cmd_line
- type: keyword
- description: The full command line used to launch an application, service, process, or job.
- - name: container
- type: group
- fields:
- - name: hash
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: image
- type: group
- fields:
- - name: labels
- type: keyword
- description: The image labels.
- - name: name
- type: keyword
- description: The image name.
- - name: path
- type: keyword
- description: The full path to the image file.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The unique image ID.
- - name: name
- type: keyword
- description: The container name.
- - name: network_driver
- type: keyword
- description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
- - name: orchestrator
- type: keyword
- description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
- - name: pod_uuid
- type: keyword
- description: The unique identifier of the pod (or equivalent) that the container is executing on.
- - name: runtime
- type: keyword
- description: The backend running the container, such as containerd or cri-o.
- - name: size
- type: long
- description: The size of the container image.
- - name: tag
- type: keyword
- description: The tag used by the container. It can indicate version, format, OS.
- - name: uid
- type: keyword
- description: The full container unique identifier for this instantiation of the container.
- - name: created_time
- type: date
- description: The time when the process was created/started.
- - name: created_time_dt
- type: date
- description: The time when the process was created/started.
- - name: egid
- type: keyword
- description: The effective group under which this process is running.
- - name: euid
- type: keyword
- description: The effective user under which this process is running.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group.
For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: Organization and org unit related to the user.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The name of the city.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: Organization and org unit related to the user.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: 'The image name. For example: elixir.'
- - name: full_name
- type: keyword
- description: The user's email address.
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: Organization and org unit related to the user.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: Organization and org unit related to the user.
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. 
- - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). 
- - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
- - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: api type: group fields: 
@@ -1708,6 +157,117 @@ - name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: database + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the database. + - name: created_time + type: long + description: The time when the database was known to have been created. + - name: created_time_dt + type: date + description: The time (date) when the database was known to have been created. + - name: desc + type: keyword + description: The description that pertains to the object or event. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: modified_time + type: long + description: The most recent time when any changes, updates, or modifications were made within the database. + - name: modified_time_dt + type: date + description: The most recent time (date) when any changes, updates, or modifications were made within the database. + - name: name + type: keyword + description: The database name, ordinarily as assigned by a database administrator. + - name: size + type: long + description: The size of the database in bytes. + - name: type + type: keyword + description: The database type. + - name: type_id + type: integer + description: The normalized identifier of the database type. 
+ - name: databucket + type: group + fields: + - name: uid + type: keyword + description: "Unique ID" + - name: created_time + type: long + description: The time when the databucket was known to have been created. + - name: created_time_dt + type: date + description: The time (date) when the databucket was known to have been created. + - name: desc + type: keyword + description: The description of the databucket. + - name: file + type: flattened + description: A file within a databucket. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: modified_time + type: long + description: The most recent time when any changes, updates, or modifications were made within the databucket. + - name: modified_time_dt + type: date + description: The most recent time (date) when any changes, updates, or modifications were made within the databucket. + - name: name + type: keyword + description: The databucket name. + - name: size + type: long + description: The size of the databucket in bytes. + - name: type + type: keyword + description: The databucket type. + - name: type_id + type: integer + description: The normalized identifier of the databucket type. - name: end_time type: date description: The end time of a time period, or the time of the most recent event included in the aggregate event. 
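Review bot: `database.created_time`/`modified_time` and their `databucket` twins are mapped as `type: long` while the sibling `*_time_dt` fields are `date`, and the user-fields hunks later in this patch map the same OCSF timestamp attributes as `type: date` with `format: epoch_second`. Either convention works alone, but mixing them means `ocsf.database.created_time` cannot be used in a range query or date histogram alongside `ocsf.user.created_time`; picking one convention package-wide, or at least stating the unit in the description (OCSF timestamps are epoch milliseconds, if that is what the source emits), would remove the ambiguity. The same applies to `query_info.query_time` and to `table.created_time`/`modified_time` in the following two hunks. `databucket.uid` also carries the bare description `"Unique ID"` where every sibling reads `The unique identifier of the …`; suggest `description: The unique identifier of the databucket.`.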
@@ -1822,111 +382,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: loggers - type: flattened - description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. 
- - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. 
- - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. - - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: observables type: group fields: @@ -2038,6 +493,30 @@ - name: vpc_uid type: keyword description: The unique identifier of the Virtual Private Cloud (VPC). + - name: query_info + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the query. + - name: name + type: keyword + description: The query name for a saved or scheduled query. + - name: query_string + type: text + description: A string representing the query code being run. For example, SELECT * FROM my_table + - name: query_time + type: long + description: The time when the query was run. + - name: query_time_dt + type: date + description: The time (date) when the query was run. + - name: bytes + type: long + description: The size of the data returned from the query. + - name: data + type: flattened + description: The data returned from the query execution. - name: raw_data type: flattened description: The event data as received from the event source. 
@@ -2188,6 +667,60 @@ - name: version type: keyword description: The TLS protocol version. + - name: table + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the table. + - name: name + type: keyword + description: The table name, ordinarily as assigned by a database administrator. + - name: desc + type: text + description: The description of the table. + - name: created_time + type: long + description: The time when the table was known to have been created. + - name: created_time_dt + type: date + description: The time (date) when the table was known to have been created. + - name: modified_time + type: long + description: The most recent time when any changes, updates, or modifications were made within the table. + - name: modified_time_dt + type: date + description: The most recent time (date) when any changes, updates, or modifications were made within the table. + - name: size + type: long + description: The size of the data table in bytes. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: type + type: keyword + description: The event type name, as defined by the type_id. + - name: type_id + type: integer + description: The normalized event type identifier. - name: type_name type: keyword description: The event type name, as defined by the type_uid. 
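Review bot: The `table.type` and `table.type_id` descriptions were copied from the event-level fields — `The event type name, as defined by the type_id.` and `The normalized event type identifier.` describe the event, not the table, and will be exported into the field reference that way. Suggest `description: The table type.` and `description: The normalized identifier of the table type.`, matching the `database` and `databucket` groups added earlier in this patch. `table.desc` is also `type: text` while `database.desc` and `databucket.desc` are `keyword`; unless free-text search on table descriptions is intended, `keyword` keeps the three objects consistent.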
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml new file mode 100644 index 000000000000..00f399e22ecd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml 
@@ -0,0 +1,129 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. 
For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml index bc934388d178..89de2343dcc3 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml 
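Review bot: `metadata.tenant_uid` is described as `The audit level at which an event was generated.`, which does not match the field name — the attribute identifies the tenant an event belongs to — and the same text is repeated in the identical `discovery/fields/metadata-fields.yml` further down (both new files share blob `00f399e22ecd`). This wording may have been inherited from the OCSF dictionary, but it still misdescribes the field in the exported reference; suggest `description: The unique tenant identifier.`. Since the metadata object is now copied per data stream, a leading comment such as `# Shared OCSF metadata object; keep in sync with the other data streams' metadata-fields.yml` would tell the next maintainer that a fix has to be applied in every copy.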
@@ -19,6 +19,9 @@
 - name: group
 type: group
 fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
 - name: desc
 type: keyword
 description: The group description.
@@ -507,6 +510,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
 - name: vendor_name
 type: keyword
 description: The name of the vendor of the product.
@@ -1090,6 +1096,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
 - name: vendor_name
 type: keyword
 description: The name of the vendor of the product.
@@ -1192,6 +1201,9 @@
 - name: group
 type: group
 fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
 - name: desc
 type: keyword
 description: The group description.
@@ -1352,6 +1364,9 @@
 - name: uid_alt
 type: keyword
 description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: xattributes
 type: flattened
 description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
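Review bot: In the `@@ -1352,6 +1364,9 @@` hunk `ldap_person` is mapped as a single `flattened` field, whereas the hunks at new lines 1624–1680 of the same file appear to map the LDAP-person attributes of another user object (`created_time`, `hire_time`, `last_login_time`, `ldap_cn`, …) as typed fields with `format: epoch_second`. Under `flattened` every leaf is indexed as a keyword, so `ldap_person.last_login_time` on this object will not support date range queries while the other copy does. If the difference is deliberate (for example to bound mapping size on the process actor), a comment such as `# ldap_person kept flattened here; typed mapping lives on the user object below` would make that explicit. The enclosing `ocsf` group starts outside this hunk.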
@@ -1582,21 +1597,11 @@
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
 - name: type
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
@@ -1619,10 +1624,16 @@
 type: date
 format: epoch_second
 description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
 - name: deleted_time
 type: date
 format: epoch_second
 description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
 - name: email_addrs
 type: keyword
 description: A list of additional email addresses for the user.
@@ -1636,6 +1647,9 @@
 type: date
 format: epoch_second
 description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
 - name: job_title
 type: keyword
 description: The user's job title.
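Review bot: Replacing the four documented `org` leaves with `org.*` (`object_type: keyword`, `object_type_mapping_type: "*"`) in the first hunk drops the `name`, `ou_name`, `ou_uid` and `uid` descriptions from the exported field reference and turns a closed mapping into a dynamic one that will accept any sub-key the source sends; the same change is made to `user-fields.yml` in the last hunk of this patch. If the intent is only to align the two files, an explicit group with the four keyword fields keeps both the documentation and a bounded mapping. Otherwise the description should at least name the expected sub-fields, e.g. `description: Organization and org unit related to the user (name, ou_name, ou_uid, uid).`.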
@@ -1646,6 +1660,9 @@
 type: date
 format: epoch_second
 description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
 - name: ldap_cn
 type: keyword
 description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
@@ -1656,10 +1673,16 @@
 type: date
 format: epoch_second
 description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
 - name: modified_time
 type: date
 format: epoch_second
 description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
 - name: office_location
 type: keyword
 description: The primary office location associated with the user. This could be any string and isn't a specific address.
@@ -1733,6 +1756,9 @@
 - name: groups
 type: group
 fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
 - name: desc
 type: keyword
 description: The group description.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index 48ea317c4c4d..40ccbd56c4f4 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
@@ -227,120 +227,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: tenant_uid - type: keyword - description: The audit level at which an event was generated. - - name: log_level - type: keyword - description: The log level of the event. - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. 
- - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: loggers - type: flattened - description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. 
- - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: cpe_name - type: keyword - description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. - - name: profiles - type: keyword - description: The list of profiles used to create the event. - - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: observables type: group fields: diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml new file mode 100644 index 000000000000..00f399e22ecd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml 
@@ -0,0 +1,129 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. 
For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml index 9b4a121dd36d..8ce12477ebc7 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml 
@@ -14,7 +14,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -34,6 +34,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -61,7 +64,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -77,12 +80,18 @@ description: The cost center associated with the user. - name: created_time type: date - date_format: epoch_second + format: epoch_second description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. - name: deleted_time type: date - date_format: epoch_second + format: epoch_second description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. - name: email_addrs type: keyword description: A list of additional email addresses for the user. @@ -94,8 +103,11 @@ description: The given or first name of the user. - name: hire_time type: date - date_format: epoch_second + format: epoch_second description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. - name: job_title type: keyword description: The user's job title. 
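Review bot: Switching `type_id` from `keyword` to `integer` in the `@@ -14,7 +14,7 @@` hunk (and again for the user `type_id` at `@@ -61,7 +64,7 @@`) is a breaking mapping change for every backing index already written with the keyword mapping: after the upgrade both types coexist across indices, Kibana reports a field conflict, and terms or range aggregations over `type_id` silently cover only the indices on one side of the rollover. This deserves to be called out as a breaking change in the changelog and docs, with a note that a rollover is needed to pick up the new mapping. Elasticsearch coerces numeric strings such as `"2"` into an integer field by default, but any producer that emits a non-numeric `type_id` will now have the whole document rejected, so please confirm the ingest pipeline (not visible in this hunk) either converts or drops malformed values before indexing.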
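Review bot: Renaming `date_format: epoch_second` to `format: epoch_second` on `created_time` and `deleted_time` in the `@@ -77,12 +80,18 @@` hunk (and the same rename in the hunks that follow) may drop the Elasticsearch date format rather than fix it: as far as I recall, Fleet's template generator copies `date_format` into the mapping's `format`, whereas `format` is the Kibana display format, so the field would fall back to the default `strict_date_optional_time||epoch_millis`. Please confirm which key the package-spec version in use maps into the Elasticsearch mapping before relying on this. Separately, OCSF `timestamp_t` values are milliseconds, and the fixture added in this PR carries 16-digit microsecond values such as `"created_time":1722945774077119`; under `epoch_second` those parse to dates millions of years out, so unless the pipeline converts the raw integers before indexing, `epoch_millis` together with a sanity check on magnitude matches the data better than `epoch_second`. The new `*_dt` fields are fine as plain `date` since the fixture supplies ISO-8601 strings for them.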
@@ -104,8 +116,11 @@ description: The labels associated with the user. For example in AD this could be the userType, employeeType. - name: last_login_time type: date - date_format: epoch_second + format: epoch_second description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. - name: ldap_cn type: keyword description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. @@ -114,12 +129,18 @@ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. - name: leave_time type: date - date_format: epoch_second + format: epoch_second description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. - name: modified_time type: date - date_format: epoch_second + format: epoch_second description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. - name: office_location type: keyword description: The primary office location associated with the user. This could be any string and isn't a specific address. @@ -193,6 +214,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -211,7 +235,7 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org + - name: org.* type: object object_type: keyword object_type_mapping_type: "*" 
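Review bot: `- name: org.*` mapped as a wildcard `object` of `keyword` with `object_type_mapping_type: "*"` in the `@@ -211,7 +235,7 @@` hunk leaves the user's organization without a single documented subfield, although the fixture in this PR shows it has a fixed shape (`name`, `uid`, `ou_name`; OCSF's organization object also defines `ou_uid`). Explicit `org.name`, `org.uid`, `org.ou_name` and `org.ou_uid` keyword entries would give detection rules and dashboards a stable, documented schema, with the wildcard kept only as a fallback for unknown keys; note also that the `"*"` mapping type coerces any numeric or boolean subfield to keyword, which is worth a comment if intended. I cannot tell from this hunk whether the `.*` suffix was needed to satisfy the field validator, so a short comment above the entry such as `# wildcard mapping: OCSF organization object, subfields indexed as keyword` would help the next reader.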
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log index c7ccb32bdd0b..a48d2777d01f 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log 
@@ -1,3 +1,4 @@ {"http_request":{"version":"1.0.0","uid":"072e083a-584a-11ee-9892-0242ac110005","url":{"port":51670,"scheme":"metallica races fears","path":"container profiles content","hostname":"congress.nato","query_string":"pads palestinian already","category_ids":[35,59],"url_string":"daily"},"user_agent":"webpage assets adams","http_headers":[{"name":"aol jim thick","value":"unexpected counts ease"},{"name":"ride sender reflections","value":"persistent irc finest"}],"http_method":"GET"},"message":"brain bear brush","status":"Unknown","time":1695277679358,"device":{"name":"explains slow junior","type":"IOT","ip":"81.2.69.142","desc":"evaluate permits yesterday","uid":"072de986-584a-11ee-b258-0242ac110005","hostname":"chuck.int","type_id":7,"interface_name":"uzbekistan published feedback","interface_uid":"072ddc66-584a-11ee-9824-0242ac110005","last_seen_time":1695277679358,"region":"invalid expressed participating"},"metadata":{"version":"1.0.0","product":{"name":"loc bw pa","version":"1.0.0","uid":"072dafa2-584a-11ee-bca3-0242ac110005","lang":"en","url_string":"indirect","vendor_name":"fotos choir archive"},"sequence":20,"profiles":["cloud","container","datetime","host"],"correlation_uid":"072db420-584a-11ee-adc0-0242ac110005","event_code":"edward","log_name":"foul jackson termination","log_provider":"copper protective inexpensive","original_time":"diploma mesh certified","logged_time_dt":"2023-09-21T06:42:26.632427Z"},"severity":"High","type_name":"Web Resource Access Activity: Access Error","activity_id":4,"type_uid":600404,"category_name":"Application Activity","class_uid":6004,"category_uid":6,"class_name":"Web Resource Access Activity","timezone_offset":55,"activity_name":"Access Error","cloud":{"org":{"name":"brazil newbie loc","uid":"072d99ea-584a-11ee-920a-0242ac110005","ou_name":"predicted themselves missile","ou_uid":"072da124-584a-11ee-bf8b-0242ac110005"},"provider":"speeches mail lack"},"severity_id":4,"status_id":0,"web_resources":[{"name":"ghost 
formats res","desc":"pleased won coverage","uid":"072dbbbe-584a-11ee-b4cc-0242ac110005","type": "package type","url_string":"consists"},{"data":{"logitech":"dehbs"},"url_string":"devil"}],"start_time_dt":"2023-09-21T06:42:26.634761Z", "http_response": {"code":22, "length":40, "latency":3, "message": "message regarding htp response"}} {"message":"washington like safari","status":"Failure","time":1695277679358,"metadata":{"version":"1.0.0","product":{"name":"eligible scenes worm","version":"1.0.0","uid":"f6508420-520e-11ee-adcc-0242ac110004","feature":{"name":"australia cup bios","version":"1.0.0","uid":"f6508bfa-520e-11ee-b54c-0242ac110004"},"lang":"en","vendor_name":"fix complicated accreditation"},"sequence":78,"profiles":[],"log_name":"ur bother bearing","log_provider":"performs elevation fox","log_version":"three maritime cowboy","logged_time":1695277679358,"original_time":"moore genetic symbols","processed_time":1695277679358},"start_time":1695277679358,"severity":"Unknown","type_name":"Web Resources Activity: Create","category_name":"Application Activity","timezone_offset":83,"activity_id":1,"class_uid":6001,"type_uid":600101,"category_uid":6,"class_name":"Web Resources Activity","activity_name":"Create","severity_id":0,"src_endpoint":{"name":"leasing imperial toner","port":31790,"domain":"hawaii unfortunately copying","ip":"81.2.69.142","hostname":"saudi.int","uid":"f650994c-520e-11ee-a9f4-0242ac110004","instance_uid":"f6509d0c-520e-11ee-9e6b-0242ac110004","interface_name":"somewhere mentor crm","interface_uid":"f650a3f6-520e-11ee-882f-0242ac110004","intermediate_ips":["81.2.69.142","81.2.69.143"],"svc_name":"sheets horror trader","vlan_uid":"f650a8a6-520e-11ee-b961-0242ac110004"},"status_detail":"only zone its","status_id":2,"web_resources":[{"data":{"discretion":"fhbds"},"desc":"Description of web resource","name":"concept navigator constitution","type":"fundamental previous ty","url_string":"past"}],"web_resources_result":[{"type":"prediction sunglasses 
rounds","uid":"f65072d2-520e-11ee-9b9a-0242ac110004","url_string":"military"},{"data":{"protect":"rfvfd"},"url_string":"association"}]} {"message":"issues kings loop","status":"Success","time":1695277679358,"device":{"name":"knows col covered","type":"Unknown","domain":"allied had insulation","ip":"81.2.69.142","uid":"651987a6-584c-11ee-ad31-0242ac110005","hostname":"zinc.biz","org":{"name":"chaos winner entered","uid":"65197a86-584c-11ee-96c1-0242ac110005","ou_name":"music client leaf"},"type_id":0,"created_time":1695277679358,"hw_info":{"ram_size":84,"serial_number":"training blink executives"},"instance_uid":"65197efa-584c-11ee-bc04-0242ac110005","interface_name":"lightbox bugs spain","interface_uid":"6519835a-584c-11ee-b813-0242ac110005","is_personal":false,"region":"casio paris norway","subnet_uid":"6519725c-584c-11ee-b6a2-0242ac110005","uid_alt":"older audience trends"},"metadata":{"version":"1.0.0","product":{"name":"enzyme cookie citations","version":"1.0.0","uid":"65195f88-584c-11ee-8118-0242ac110005","lang":"en","url_string":"deck","vendor_name":"rochester school force"},"profiles":["cloud","container","datetime","host"],"log_name":"collaboration blood loan","log_provider":"jurisdiction protecting witness","original_time":"effectively dimensional reservation","modified_time_dt":"2023-09-21T06:59:23.198620Z"},"app":{"name":"bottom loud knowledge","version":"1.0.0","uid":"6519a3da-584c-11ee-8c89-0242ac110005","path": "path o f","feature":{"name":"mit received implemented","version":"1.0.0","uid":"6519aa4c-584c-11ee-ac40-0242ac110005"},"lang":"en","vendor_name":"ss keeping administered"},"severity":"Fatal","type_name":"Application Lifecycle: Other","activity_id":99,"type_uid":600299,"category_name":"Application Activity","class_uid":6002,"category_uid":6,"class_name":"Application Lifecycle","activity_name":"look","cloud":{"org":{"name":"exclusive variables tag","uid":"65193f12-584c-11ee-ae9b-0242ac110005","ou_name":"custom packard 
pierre"},"account":{"type":"AWS Account","uid":"65194d7c-584c-11ee-8857-0242ac110005","type_id":10},"provider":"infrared delayed visiting","region":"initial lucia designer"},"severity_id":6,"status_detail":"rat forth dishes","status_id":1,"start_time_dt":"2023-09-21T06:59:23.200400Z"} +{"message":"routing rosa speeds","status":"Failure","type":"loc","time":1722945774073580,"metadata":{"version":"1.1.0","product":{"name":"nightlife joint talked","version":"1.1.0","path":"roulette covered encryption","uid":"cfcfc1aa-53eb-11ef-80a9-0242ac110005","vendor_name":"rainbow league closure"},"extensions":[{"name":"importantly identifying causing","version":"1.1.0","uid":"cfcfce02-53eb-11ef-a17b-0242ac110005"},{"name":"feof nightlife dans","version":"1.1.0","uid":"cfcfd5d2-53eb-11ef-acdf-0242ac110005"}],"labels":["dominant"],"log_level":"consult supplements external","profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"ottawa triumph analysis","log_provider":"medal removing losses","original_time":"families batman star","tenant_uid":"cfcfde4c-53eb-11ef-9b9b-0242ac110005"},"severity":"Informational","duration":38,"type_name":"Datastore Activity: Write","activity_id":5,"type_uid":600505,"category_name":"Application Activity","class_uid":6005,"category_uid":6,"class_name":"Datastore Activity","type_id":99,"end_time_dt":"2024-08-06T12:02:54.073562Z","activity_name":"Write","actor":{"process":{"name":"Flashing","pid":98,"file":{"name":"senegal.dcr","type":"Folder","path":"stock armstrong ie/bobby.m3u/senegal.dcr","type_id":2,"creator":{"name":"Slight","type":"System","domain":"dedicated smile macintosh","uid":"cfd08748-53eb-11ef-8545-0242ac110005","type_id":3},"parent_folder":"stock armstrong ie/bobby.m3u","confidentiality":"Top 
Secret","confidentiality_id":4,"hashes":[{"value":"6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43","algorithm":"magic","algorithm_id":99},{"value":"7B849A50DA92F39D6AF294B10E0B93F5","algorithm":"MD5","algorithm_id":1}],"modified_time_dt":"2024-08-06T12:02:54.074547Z"},"user":{"name":"Contamination","type":"Admin","uid":"cfd09666-53eb-11ef-9cc7-0242ac110005","type_id":2},"group":{"name":"desired administration quotations","desc":"mime counsel uses","uid":"cfd0a0f2-53eb-11ef-a02f-0242ac110005"},"uid":"cfd0a73c-53eb-11ef-9622-0242ac110005","loaded_modules":["/chronicle/initiated/hormone/surprise/corps.html","/allan/appearance/viruses/college/naughty.rom"],"cmd_line":"associate directions partly","container":{"size":2753478121,"uid":"cfd0b25e-53eb-11ef-aab1-0242ac110005","image":{"name":"number serial patients","uid":"cfd0bb46-53eb-11ef-b743-0242ac110005"},"hash":{"value":"D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2","algorithm":"magic","algorithm_id":99}},"created_time":1722945774075951,"namespace_pid":78,"parent_process":{"name":"Basin","pid":63,"file":{"attributes":67,"name":"spirituality.mid","type":"Character Device","path":"analyzed election throws/composition.tax2020/spirituality.mid","uid":"cfd0d964-53eb-11ef-9f61-0242ac110005","type_id":3,"company_name":"Norberto Vena","parent_folder":"analyzed election throws/composition.tax2020","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7","algorithm":"SHA-1","algorithm_id":2}],"security_descriptor":"nor treasury uri","xattributes":{}},"user":{"name":"Revisions","type":"Admin","type_id":2,"ldap_person":{"created_time":1722945774077119,"hire_time":1722945774077128,"hire_time_dt":"2024-08-06T12:02:54.077132Z"}},"group":{"name":"adolescent antigua ui","domain":"detail blah motels","uid":"cfd0fa70-53eb-11ef-9120-0242ac110005"},"cmd_line":"hash unknown meters","container":{"name":"gnome face 
decisions","size":411217035,"uid":"cfd10448-53eb-11ef-8948-0242ac110005","image":{"name":"climbing quickly lonely","uid":"cfd10d12-53eb-11ef-8fcb-0242ac110005"},"hash":{"value":"48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294","algorithm":"magic","algorithm_id":99}},"created_time":1722945774077934,"lineage":["off disturbed bidding","validity requested without"],"namespace_pid":60,"parent_process":{"name":"Zus","session":{"issuer":"informal witnesses endif","created_time":1722945774078143,"is_remote":false},"file":{"attributes":46,"name":"invite.flv","type":"Folder","path":"mobiles at hazards/feels.b/invite.flv","product":{"name":"executives dell bands","version":"1.1.0","uid":"cfd14174-53eb-11ef-ad92-0242ac110005","url_string":"divx","vendor_name":"neighbor advise animal"},"modifier":{"name":"Bang","type":"wicked","uid":"cfd14d0e-53eb-11ef-8822-0242ac110005","org":{"name":"snake dam rapidly","uid":"cfd155ba-53eb-11ef-9ea1-0242ac110005","ou_name":"photo acrylic highway"},"groups":[{"name":"wales indoor speaking","uid":"cfd160be-53eb-11ef-8f19-0242ac110005"},{"name":"mongolia records suffer","desc":"bathrooms transfers diego","uid":"cfd167da-53eb-11ef-b5a7-0242ac110005"}],"type_id":99,"full_name":"Etha Roy"},"uid":"cfd16ece-53eb-11ef-92bb-0242ac110005","type_id":2,"company_name":"Christian Cinda","parent_folder":"mobiles at hazards/feels.b","confidentiality":"promise","confidentiality_id":99,"hashes":[{"value":"CE59D0F436DBA3BA0A6A76043041A5E787C3B835","algorithm":"SHA-1","algorithm_id":2},{"value":"5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77","algorithm":"CTPH","algorithm_id":5}],"modified_time":1722945774080462,"security_descriptor":"allen mba skating"},"user":{"name":"Bernard","type":"Admin","type_id":2,"uid_alt":"denmark day sir"},"group":{"desc":"times substitute 
plasma","uid":"cfd17fa4-53eb-11ef-bb39-0242ac110005"},"tid":63,"uid":"cfd185c6-53eb-11ef-85ca-0242ac110005","loaded_modules":["/hotels/stream/anchor/ted/ghost.zipx","/secure/proprietary/execute/medicine/hl.dwg"],"cmd_line":"capabilities major outline","container":{"name":"ul primary rivers","size":4147443008,"uid":"cfd19624-53eb-11ef-b555-0242ac110005","image":{"name":"objectives cooper expenses","tag":"flashers incurred visiting","uid":"cfd19f5c-53eb-11ef-b6a5-0242ac110005"},"hash":{"value":"32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA","algorithm":"SHA-256","algorithm_id":3}},"created_time":1722945774081680,"lineage":["feed prozac starring"],"parent_process":{"name":"Keep","pid":75,"file":{"name":"shirts.pct","type":"Folder","path":"reporters schools bermuda/investigations.apk/shirts.pct","modifier":{"name":"Drivers","type":"Admin","uid":"cfd1b884-53eb-11ef-9e17-0242ac110005","type_id":2,"credential_uid":"cfd1bf00-53eb-11ef-9ae0-0242ac110005"},"type_id":2,"parent_folder":"reporters schools bermuda/investigations.apk","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216","algorithm":"SHA-512","algorithm_id":4}]},"user":{"name":"Northeast","type":"Admin","uid":"cfd1cbbc-53eb-11ef-86e4-0242ac110005","org":{"name":"demo dressing bloggers","ou_name":"infection replace kingdom"},"groups":[{"type":"multi extension th","domain":"rolled womens allowed","uid":"cfd1de54-53eb-11ef-9548-0242ac110005"},{"name":"shorter hydrocodone obtaining","type":"jenny version diploma"}],"type_id":2,"credential_uid":"cfd1e638-53eb-11ef-acdc-0242ac110005","email_addr":"Timika@starsmerchant.store","uid_alt":"jr participants illustration"},"group":{"name":"easily strengthening concept","type":"claimed farms dressed","domain":"jim presents 
tire","uid":"cfd1f0b0-53eb-11ef-a5b6-0242ac110005"},"tid":93,"uid":"cfd1f6b4-53eb-11ef-88fe-0242ac110005","container":{"name":"travesti borough biggest","size":3355225968,"uid":"cfd201c2-53eb-11ef-86c9-0242ac110005","hash":{"value":"A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3","algorithm":"SHA-1","algorithm_id":2}},"created_time":1722945774084196,"namespace_pid":63,"parent_process":{"name":"Acres","pid":41,"file":{"name":"cafe.fon","type":"Local Socket","path":"microwave cir nails/gtk.dmg/cafe.fon","uid":"cfd23214-53eb-11ef-aaf5-0242ac110005","type_id":5,"creator":{"name":"Soa","ldap_person":{"manager":{"name":"Arrangements","type":"bunch","domain":"permission eu anonymous","uid":"cfd25802-53eb-11ef-bc5e-0242ac110005","org":{"name":"positioning sending donald","uid":"cfd261e4-53eb-11ef-8e64-0242ac110005","ou_name":"americans pee mixed"},"type_id":99},"cost_center":"char immigration blue","employee_uid":"cfd269b4-53eb-11ef-862f-0242ac110005","job_title":"tm payday needed","office_location":"hack maintains suit","hire_time_dt":"2024-08-06T12:02:54.086830Z"}},"parent_folder":"microwave cir nails/gtk.dmg","security_descriptor":"hour rca writes"},"user":{"name":"Defence","type":"Admin","uid":"cfd27814-53eb-11ef-91f4-0242ac110005","groups":[{"name":"suppliers returns jewellery","uid":"cfd28336-53eb-11ef-a671-0242ac110005"},{"name":"archive honolulu restricted","uid":"cfd28a84-53eb-11ef-a27d-0242ac110005"}],"type_id":2,"account":{"name":"engage subscribe fireplace","type":"Unknown","uid":"cfd298e4-53eb-11ef-9fc1-0242ac110005","type_id":0},"ldap_person":{"manager":{"name":"Lucia","domain":"sides sheet lt","uid":"cfd2a640-53eb-11ef-b33d-0242ac110005","credential_uid":"cfd2ac3a-53eb-11ef-89b0-0242ac110005","email_addr":"Dodie@soundtrack.firm"},"modified_time":1722945774088534,"leave_time_dt":"2024-08-06T12:02:54.088544Z","last_login_time_dt":"2024-08-06T12:02:54.088552Z"},"uid_alt":"trustee tree normally"},"group":{"name":"income bridges 
uruguay","uid":"cfd2b96e-53eb-11ef-b3a0-0242ac110005"},"tid":47,"uid":"cfd2bf72-53eb-11ef-96ff-0242ac110005","loaded_modules":["/counters/kentucky/proceeding/yo/norwegian.mp3","/indianapolis/sega/statutes/java/purple.bat"],"cmd_line":"calibration signature temp","container":{"name":"begins magnetic inn","size":83122349,"uid":"cfd2ca08-53eb-11ef-af87-0242ac110005","image":{"name":"pot pulse ser","path":"seat employers licenses","uid":"cfd2d638-53eb-11ef-a4c4-0242ac110005"},"hash":{"value":"CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"essay brother facility","pod_uuid":"bachelor"},"created_time":1722945774089651,"integrity":"Protected","integrity_id":6,"namespace_pid":96,"parent_process":{"name":"Nationwide","pid":28,"file":{"name":"fragrance.otf","owner":{"name":"Does","type":"Admin","uid":"cfd2f1c2-53eb-11ef-9117-0242ac110005","type_id":2,"email_addr":"Patrina@prototype.gov","ldap_person":{"cost_center":"permits interact afternoon","deleted_time":1722945774090716,"ldap_dn":"renaissance exhibition far","leave_time_dt":"2024-08-06T12:02:54.090731Z","last_login_time_dt":"2024-08-06T12:02:54.090739Z"}},"type":"Block Device","path":"thumbzilla sir drawings/clicking.ico/fragrance.otf","modifier":{"name":"Romania","type":"Unknown","uid":"cfd30dd8-53eb-11ef-a1d7-0242ac110005","groups":[{"name":"boat generate canadian","type":"breast brave sacramento","domain":"mostly third hats","desc":"york yours falls","uid":"cfd317ec-53eb-11ef-b8c7-0242ac110005","privileges":["queries meyer wellness"]},{"name":"considerations wants books","uid":"cfd31f1c-53eb-11ef-8b0c-0242ac110005"}],"type_id":0},"type_id":4,"parent_folder":"thumbzilla sir 
drawings/clicking.ico","confidentiality":"Unknown","confidentiality_id":0,"created_time":1722945774091482,"hashes":[{"value":"8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874","algorithm":"magic","algorithm_id":99},{"value":"A541714A17804AC281E6DDDA5B707952","algorithm":"MD5","algorithm_id":1}],"modified_time":1722945774091552,"xattributes":{}},"user":{"name":"Semester","type":"Unknown","uid":"cfd34d66-53eb-11ef-852b-0242ac110005","groups":[{"name":"ellis methods congratulations","uid":"cfd3572a-53eb-11ef-8889-0242ac110005","privileges":["deck version bathroom"]},{"name":"proposed margin drug","desc":"race pg usps","uid":"cfd35e64-53eb-11ef-8d1c-0242ac110005"}],"type_id":0,"email_addr":"Birdie@candle.edu","ldap_person":{},"uid_alt":"protein clubs membership"},"group":{"name":"blessed operates rug","uid":"cfd36e5e-53eb-11ef-9d98-0242ac110005"},"uid":"cfd374da-53eb-11ef-a5ba-0242ac110005","cmd_line":"vaccine l vegetarian","container":{"name":"matter venues paxil","size":3925402475,"uid":"cfd37e94-53eb-11ef-b3b8-0242ac110005","image":{"name":"troy when advertisers","path":"knife aluminum connectivity","uid":"cfd3879a-53eb-11ef-b5b2-0242ac110005"},"hash":{"value":"9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE","algorithm":"Unknown","algorithm_id":0},"pod_uuid":"examined"},"created_time":1722945774094193,"lineage":["relationship closed gathered","ment tu other"],"namespace_pid":26,"parent_process":{"name":"Pixel","pid":10,"session":{"uid":"cfd3a202-53eb-11ef-8e19-0242ac110005","issuer":"recognize lobby mon","created_time":1722945774095984,"is_remote":false},"file":{"name":"jane.m4a","type":"Folder","path":"living marsh smilies/turner.mim/jane.m4a","modifier":{"type":"System","uid":"cfd3e9ec-53eb-11ef-a8dd-0242ac110005","type_id":3,"uid_alt":"account qld kim"},"type_id":2,"parent_folder":"living marsh 
smilies/turner.mim","confidentiality":"auburn","confidentiality_id":99,"hashes":[{"value":"C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868","algorithm":"quickXorHash","algorithm_id":7},{"value":"9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD","algorithm":"SHA-512","algorithm_id":4}],"modified_time":1722945774096743,"security_descriptor":"ticket vegas generates","created_time_dt":"2024-08-06T12:02:54.096759Z"},"group":{"name":"bean learners accepting","type":"dietary firms hotels","uid":"cfd3fbe4-53eb-11ef-bdb1-0242ac110005"},"uid":"cfd40206-53eb-11ef-a429-0242ac110005","cmd_line":"initiative step gathered","container":{"name":"hundred central hrs","size":724491757,"uid":"cfd40e22-53eb-11ef-afb2-0242ac110005","image":{"name":"food qatar brain","uid":"cfd41700-53eb-11ef-a54d-0242ac110005"},"hash":{"value":"1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3","algorithm":"Unknown","algorithm_id":0}},"created_time":1722945774097846,"namespace_pid":45,"parent_process":{"name":"Yield","pid":82,"file":{"name":"apartments.py","size":524979186,"type":"Named Pipe","path":"fig kelly companion/attorneys.com/apartments.py","uid":"cfd42dd0-53eb-11ef-8dc9-0242ac110005","type_id":6,"parent_folder":"fig kelly companion/attorneys.com","hashes":[{"value":"EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A","algorithm":"SHA-256","algorithm_id":3},{"value":"C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"avoiding bear incoming"},"user":{"name":"Fatal","type":"Unknown","type_id":0},"group":{"name":"cam empirical 
path","uid":"cfd43d52-53eb-11ef-8205-0242ac110005"},"uid":"cfd4436a-53eb-11ef-84cf-0242ac110005","cmd_line":"pix potential mardi","container":{"name":"kerry courier tony","runtime":"ben dynamics vienna","size":3164331564,"image":{"name":"celebrities sensitive manufacture","tag":"staff ericsson duty","path":"selling rocky projection","uid":"cfd450d0-53eb-11ef-83f3-0242ac110005","labels":["healing","avoiding"]},"hash":{"value":"A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"dui expansion focus"},"created_time":1722945774099345,"integrity":"g manner mambo","namespace_pid":96,"parent_process":{"name":"Organ","pid":90,"session":{"uid":"cfd469b2-53eb-11ef-8a8a-0242ac110005","issuer":"lyric fujitsu timber","created_time":1722945774099934,"is_remote":true,"created_time_dt":"2024-08-06T12:02:54.099943Z","expiration_time_dt":"2024-08-06T12:02:54.099951Z"},"file":{"name":"mothers.com","type":"Symbolic Link","version":"1.1.0","path":"wal quiz worker/skin.plugin/mothers.com","type_id":7,"company_name":"Delora Edyth","parent_folder":"wal quiz worker/skin.plugin","hashes":[{"value":"02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966","algorithm":"SHA-512","algorithm_id":4},{"value":"805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280","algorithm":"Unknown","algorithm_id":0}]},"user":{"type":"Unknown","uid":"cfd47e3e-53eb-11ef-a1ef-0242ac110005","type_id":0,"full_name":"Thuy Kristin"},"group":{"type":"figured eyes microphone","desc":"comparable likelihood jeep","uid":"cfd48fb4-53eb-11ef-bbb9-0242ac110005"},"uid":"cfd495e0-53eb-11ef-b81b-0242ac110005","cmd_line":"welding viewpicture sampling","container":{"name":"iii accessories 
ddr","size":3779122986,"uid":"cfd4a166-53eb-11ef-97e4-0242ac110005","image":{"name":"beach omaha protest","uid":"cfd4aa76-53eb-11ef-a970-0242ac110005"},"hash":{"value":"917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5","algorithm":"magic","algorithm_id":99}},"created_time":1722945774101623,"namespace_pid":90,"parent_process":{"name":"Arrange","pid":5,"file":{"attributes":76,"name":"elizabeth.sln","size":1485425900,"type":"Folder","path":"kai surname approach/xp.wpd/elizabeth.sln","desc":"member dogs ports","type_id":2,"company_name":"Claudio Alejandra","parent_folder":"kai surname approach/xp.wpd","confidentiality":"says","confidentiality_id":99,"created_time_dt":"2024-08-06T12:02:54.102808Z"},"user":{"name":"Night","type":"Unknown","type_id":0,"ldap_person":{"manager":{"name":"Merchandise","type":"System","uid":"cfd4ff76-53eb-11ef-9efb-0242ac110005","org":{"name":"belief billion talented","ou_name":"volkswagen africa respect"},"groups":[{"name":"pos constraints inkjet","type":"stat tray charitable"},{"name":"yemen happiness theft"}],"type_id":3,"full_name":"Janiece Jon","credential_uid":"cfd50fd4-53eb-11ef-83d7-0242ac110005","ldap_person":{"surname":"cancelled present faced","modified_time_dt":"2024-08-06T12:02:54.104306Z"},"uid_alt":"fraud answers loved"},"email_addrs":["Sharonda@helena.name","Caroline@consent.mil"],"hire_time":1722945774104346,"office_location":"ways statement ni","surname":"cio evaluating bc","last_login_time_dt":"2024-08-06T12:02:54.104363Z"}},"group":{"name":"majority scores surveillance","desc":"bearing return gt","uid":"cfd52f3c-53eb-11ef-bb53-0242ac110005","privileges":["kansas religions cgi"]},"uid":"cfd53608-53eb-11ef-92de-0242ac110005","loaded_modules":["/save/tt/places/ballet/exclusive.psd","/administered/herbs/discrete/katie/rl.ttf"],"cmd_line":"visual dated alpha","container":{"name":"footwear checkout march","size":1641826457,"uid":"cfd542ec-53eb-11ef-be38-0242ac110005","image":{"name":"concentrations deck 
created","uid":"cfd54bf2-53eb-11ef-b477-0242ac110005"},"hash":{"value":"03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471","algorithm":"TLSH","algorithm_id":6}},"created_time":1722945774105758,"integrity":"Unknown","integrity_id":0,"lineage":["length apr charm","farm chaos overseas"],"namespace_pid":33,"sandbox":"mexican mixer g","euid":59,"terminated_time_dt":"2024-08-06T12:02:54.105788Z"},"egid":49,"terminated_time_dt":"2024-08-06T12:02:54.105798Z"},"sandbox":"variance volleyball compile"},"auid":38,"terminated_time_dt":"2024-08-06T12:02:54.105811Z"}},"created_time_dt":"2024-08-06T12:02:54.105819Z"},"xattributes":{},"euid":32},"terminated_time":1722945774105859,"auid":17},"sandbox":"frequent dining arguments","xattributes":{},"created_time_dt":"2024-08-06T12:02:54.105883Z","terminated_time_dt":"2024-08-06T12:02:54.105888Z"},"euid":93,"terminated_time_dt":"2024-08-06T12:02:54.105894Z"},"user":{"name":"Ok","type":"System","domain":"rpm particular mae","uid":"cfd57668-53eb-11ef-ad7f-0242ac110005","groups":[{"name":"numbers nextel globe","type":"debug carpet per","domain":"indexed email mardi","uid":"cfd58068-53eb-11ef-b081-0242ac110005"},{"name":"fitting personalized estimation","uid":"cfd58ae0-53eb-11ef-850c-0242ac110005"}],"type_id":3}},"cloud":{"provider":"experimental mac seconds","region":"debate population smithsonian","zone":"raised expert baseball"},"database":{"name":"laden confidence arabic","type":"Object Oriented","uid":"cfcf8aaa-53eb-11ef-835d-0242ac110005","type_id":3,"created_time_dt":"2024-08-06T12:02:54.068006Z"},"databucket":{"name":"facts drug laos","type":"GCP Bucket","type_id":3},"severity_id":1,"src_endpoint":{"port":47139,"type":"Laptop","ip":"175.16.199.0","hostname":"thank.coop","uid":"cfcfee32-53eb-11ef-b8c3-0242ac110005","type_id":3,"container":{"name":"detect drop hobbies","size":2933944469,"tag":"together own 
republicans","uid":"cfd0401c-53eb-11ef-b764-0242ac110005","image":{"path":"constraint explosion ge","uid":"cfd04b5c-53eb-11ef-a7db-0242ac110005","labels":["er","distances"]}},"hw_info":{"cpu_count":74,"cpu_speed":92},"instance_uid":"cfd0555c-53eb-11ef-82ff-0242ac110005","interface_uid":"cfd05bd8-53eb-11ef-864c-0242ac110005","namespace_pid":25,"svc_name":"further compressed twisted","vlan_uid":"cfd06344-53eb-11ef-9b92-0242ac110005"},"status_id":2} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json index 470f79bf9237..ec310bde054c 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json 
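Review bot: The added event's `"time":1722945774073580` (and its process and LDAP timestamps such as `"created_time":1722945774075951` and `"hire_time":1722945774077128`) are 16-digit microsecond counts, while OCSF `timestamp_t` is milliseconds since the epoch, and the pipeline evidently treats them as milliseconds — the expected output for this event in the next file pins `"@timestamp": "+56567-12-24T00:21:13.580Z"`, roughly 54,000 years in the future. As written the fixture codifies a mis-scaled timestamp instead of exercising the v1.1.0 mapping, so either scale the fixture to milliseconds consistent with the `_dt` strings already in the same event (`"end_time_dt":"2024-08-06T12:02:54.073562Z"`), e.g. `"time":1722945774073`, or, if microsecond producers are genuinely expected, add a normalization step in the pipeline and assert a 2024 date in the expected output. Events stamped millennia ahead fall outside every detection time window and ILM retention policy, so an ingest-side plausibility check that flags or drops timestamps far from `now` or from the `_dt` companion field is worth adding regardless of which way the fixture is fixed.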
@@ -501,6 +501,1086 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "+56567-12-24T00:21:13.580Z", + "cloud": { + "availability_zone": "raised expert baseball", + "provider": "experimental mac seconds", + "region": "debate population smithsonian" + }, + "container": { + "id": "cfd0b25e-53eb-11ef-aab1-0242ac110005", + "image": { + "name": "number serial patients" + } + }, + "data_stream": { + "dataset": "amazon_security_lake.application_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "write", + "duration": 38000000, + "end": "2024-08-06T12:02:54.073Z", + "kind": "event", + "original": "{\"message\":\"routing rosa speeds\",\"status\":\"Failure\",\"type\":\"loc\",\"time\":1722945774073580,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"nightlife joint talked\",\"version\":\"1.1.0\",\"path\":\"roulette covered encryption\",\"uid\":\"cfcfc1aa-53eb-11ef-80a9-0242ac110005\",\"vendor_name\":\"rainbow league closure\"},\"extensions\":[{\"name\":\"importantly identifying causing\",\"version\":\"1.1.0\",\"uid\":\"cfcfce02-53eb-11ef-a17b-0242ac110005\"},{\"name\":\"feof nightlife dans\",\"version\":\"1.1.0\",\"uid\":\"cfcfd5d2-53eb-11ef-acdf-0242ac110005\"}],\"labels\":[\"dominant\"],\"log_level\":\"consult supplements external\",\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"ottawa triumph analysis\",\"log_provider\":\"medal removing losses\",\"original_time\":\"families batman star\",\"tenant_uid\":\"cfcfde4c-53eb-11ef-9b9b-0242ac110005\"},\"severity\":\"Informational\",\"duration\":38,\"type_name\":\"Datastore Activity: Write\",\"activity_id\":5,\"type_uid\":600505,\"category_name\":\"Application Activity\",\"class_uid\":6005,\"category_uid\":6,\"class_name\":\"Datastore 
Activity\",\"type_id\":99,\"end_time_dt\":\"2024-08-06T12:02:54.073562Z\",\"activity_name\":\"Write\",\"actor\":{\"process\":{\"name\":\"Flashing\",\"pid\":98,\"file\":{\"name\":\"senegal.dcr\",\"type\":\"Folder\",\"path\":\"stock armstrong ie/bobby.m3u/senegal.dcr\",\"type_id\":2,\"creator\":{\"name\":\"Slight\",\"type\":\"System\",\"domain\":\"dedicated smile macintosh\",\"uid\":\"cfd08748-53eb-11ef-8545-0242ac110005\",\"type_id\":3},\"parent_folder\":\"stock armstrong ie/bobby.m3u\",\"confidentiality\":\"Top Secret\",\"confidentiality_id\":4,\"hashes\":[{\"value\":\"6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"7B849A50DA92F39D6AF294B10E0B93F5\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time_dt\":\"2024-08-06T12:02:54.074547Z\"},\"user\":{\"name\":\"Contamination\",\"type\":\"Admin\",\"uid\":\"cfd09666-53eb-11ef-9cc7-0242ac110005\",\"type_id\":2},\"group\":{\"name\":\"desired administration quotations\",\"desc\":\"mime counsel uses\",\"uid\":\"cfd0a0f2-53eb-11ef-a02f-0242ac110005\"},\"uid\":\"cfd0a73c-53eb-11ef-9622-0242ac110005\",\"loaded_modules\":[\"/chronicle/initiated/hormone/surprise/corps.html\",\"/allan/appearance/viruses/college/naughty.rom\"],\"cmd_line\":\"associate directions partly\",\"container\":{\"size\":2753478121,\"uid\":\"cfd0b25e-53eb-11ef-aab1-0242ac110005\",\"image\":{\"name\":\"number serial patients\",\"uid\":\"cfd0bb46-53eb-11ef-b743-0242ac110005\"},\"hash\":{\"value\":\"D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722945774075951,\"namespace_pid\":78,\"parent_process\":{\"name\":\"Basin\",\"pid\":63,\"file\":{\"attributes\":67,\"name\":\"spirituality.mid\",\"type\":\"Character Device\",\"path\":\"analyzed election throws/composition.tax2020/spirituality.mid\",\"uid\":\"cfd0d964-53eb-11ef-9f61-0242ac110005\",\"type_id\":3,\"company_name\":\"Norberto 
Vena\",\"parent_folder\":\"analyzed election throws/composition.tax2020\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"security_descriptor\":\"nor treasury uri\",\"xattributes\":{}},\"user\":{\"name\":\"Revisions\",\"type\":\"Admin\",\"type_id\":2,\"ldap_person\":{\"created_time\":1722945774077119,\"hire_time\":1722945774077128,\"hire_time_dt\":\"2024-08-06T12:02:54.077132Z\"}},\"group\":{\"name\":\"adolescent antigua ui\",\"domain\":\"detail blah motels\",\"uid\":\"cfd0fa70-53eb-11ef-9120-0242ac110005\"},\"cmd_line\":\"hash unknown meters\",\"container\":{\"name\":\"gnome face decisions\",\"size\":411217035,\"uid\":\"cfd10448-53eb-11ef-8948-0242ac110005\",\"image\":{\"name\":\"climbing quickly lonely\",\"uid\":\"cfd10d12-53eb-11ef-8fcb-0242ac110005\"},\"hash\":{\"value\":\"48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722945774077934,\"lineage\":[\"off disturbed bidding\",\"validity requested without\"],\"namespace_pid\":60,\"parent_process\":{\"name\":\"Zus\",\"session\":{\"issuer\":\"informal witnesses endif\",\"created_time\":1722945774078143,\"is_remote\":false},\"file\":{\"attributes\":46,\"name\":\"invite.flv\",\"type\":\"Folder\",\"path\":\"mobiles at hazards/feels.b/invite.flv\",\"product\":{\"name\":\"executives dell bands\",\"version\":\"1.1.0\",\"uid\":\"cfd14174-53eb-11ef-ad92-0242ac110005\",\"url_string\":\"divx\",\"vendor_name\":\"neighbor advise animal\"},\"modifier\":{\"name\":\"Bang\",\"type\":\"wicked\",\"uid\":\"cfd14d0e-53eb-11ef-8822-0242ac110005\",\"org\":{\"name\":\"snake dam rapidly\",\"uid\":\"cfd155ba-53eb-11ef-9ea1-0242ac110005\",\"ou_name\":\"photo acrylic highway\"},\"groups\":[{\"name\":\"wales indoor speaking\",\"uid\":\"cfd160be-53eb-11ef-8f19-0242ac110005\"},{\"name\":\"mongolia records suffer\",\"desc\":\"bathrooms 
transfers diego\",\"uid\":\"cfd167da-53eb-11ef-b5a7-0242ac110005\"}],\"type_id\":99,\"full_name\":\"Etha Roy\"},\"uid\":\"cfd16ece-53eb-11ef-92bb-0242ac110005\",\"type_id\":2,\"company_name\":\"Christian Cinda\",\"parent_folder\":\"mobiles at hazards/feels.b\",\"confidentiality\":\"promise\",\"confidentiality_id\":99,\"hashes\":[{\"value\":\"CE59D0F436DBA3BA0A6A76043041A5E787C3B835\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"modified_time\":1722945774080462,\"security_descriptor\":\"allen mba skating\"},\"user\":{\"name\":\"Bernard\",\"type\":\"Admin\",\"type_id\":2,\"uid_alt\":\"denmark day sir\"},\"group\":{\"desc\":\"times substitute plasma\",\"uid\":\"cfd17fa4-53eb-11ef-bb39-0242ac110005\"},\"tid\":63,\"uid\":\"cfd185c6-53eb-11ef-85ca-0242ac110005\",\"loaded_modules\":[\"/hotels/stream/anchor/ted/ghost.zipx\",\"/secure/proprietary/execute/medicine/hl.dwg\"],\"cmd_line\":\"capabilities major outline\",\"container\":{\"name\":\"ul primary rivers\",\"size\":4147443008,\"uid\":\"cfd19624-53eb-11ef-b555-0242ac110005\",\"image\":{\"name\":\"objectives cooper expenses\",\"tag\":\"flashers incurred visiting\",\"uid\":\"cfd19f5c-53eb-11ef-b6a5-0242ac110005\"},\"hash\":{\"value\":\"32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}},\"created_time\":1722945774081680,\"lineage\":[\"feed prozac starring\"],\"parent_process\":{\"name\":\"Keep\",\"pid\":75,\"file\":{\"name\":\"shirts.pct\",\"type\":\"Folder\",\"path\":\"reporters schools bermuda/investigations.apk/shirts.pct\",\"modifier\":{\"name\":\"Drivers\",\"type\":\"Admin\",\"uid\":\"cfd1b884-53eb-11ef-9e17-0242ac110005\",\"type_id\":2,\"credential_uid\":\"cfd1bf00-53eb-11ef-9ae0-0242ac110005\"},\"type_id\":2,\"parent_folder\":\"reporters schools 
bermuda/investigations.apk\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}]},\"user\":{\"name\":\"Northeast\",\"type\":\"Admin\",\"uid\":\"cfd1cbbc-53eb-11ef-86e4-0242ac110005\",\"org\":{\"name\":\"demo dressing bloggers\",\"ou_name\":\"infection replace kingdom\"},\"groups\":[{\"type\":\"multi extension th\",\"domain\":\"rolled womens allowed\",\"uid\":\"cfd1de54-53eb-11ef-9548-0242ac110005\"},{\"name\":\"shorter hydrocodone obtaining\",\"type\":\"jenny version diploma\"}],\"type_id\":2,\"credential_uid\":\"cfd1e638-53eb-11ef-acdc-0242ac110005\",\"email_addr\":\"Timika@starsmerchant.store\",\"uid_alt\":\"jr participants illustration\"},\"group\":{\"name\":\"easily strengthening concept\",\"type\":\"claimed farms dressed\",\"domain\":\"jim presents tire\",\"uid\":\"cfd1f0b0-53eb-11ef-a5b6-0242ac110005\"},\"tid\":93,\"uid\":\"cfd1f6b4-53eb-11ef-88fe-0242ac110005\",\"container\":{\"name\":\"travesti borough biggest\",\"size\":3355225968,\"uid\":\"cfd201c2-53eb-11ef-86c9-0242ac110005\",\"hash\":{\"value\":\"A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1722945774084196,\"namespace_pid\":63,\"parent_process\":{\"name\":\"Acres\",\"pid\":41,\"file\":{\"name\":\"cafe.fon\",\"type\":\"Local Socket\",\"path\":\"microwave cir nails/gtk.dmg/cafe.fon\",\"uid\":\"cfd23214-53eb-11ef-aaf5-0242ac110005\",\"type_id\":5,\"creator\":{\"name\":\"Soa\",\"ldap_person\":{\"manager\":{\"name\":\"Arrangements\",\"type\":\"bunch\",\"domain\":\"permission eu anonymous\",\"uid\":\"cfd25802-53eb-11ef-bc5e-0242ac110005\",\"org\":{\"name\":\"positioning sending donald\",\"uid\":\"cfd261e4-53eb-11ef-8e64-0242ac110005\",\"ou_name\":\"americans pee mixed\"},\"type_id\":99},\"cost_center\":\"char immigration 
blue\",\"employee_uid\":\"cfd269b4-53eb-11ef-862f-0242ac110005\",\"job_title\":\"tm payday needed\",\"office_location\":\"hack maintains suit\",\"hire_time_dt\":\"2024-08-06T12:02:54.086830Z\"}},\"parent_folder\":\"microwave cir nails/gtk.dmg\",\"security_descriptor\":\"hour rca writes\"},\"user\":{\"name\":\"Defence\",\"type\":\"Admin\",\"uid\":\"cfd27814-53eb-11ef-91f4-0242ac110005\",\"groups\":[{\"name\":\"suppliers returns jewellery\",\"uid\":\"cfd28336-53eb-11ef-a671-0242ac110005\"},{\"name\":\"archive honolulu restricted\",\"uid\":\"cfd28a84-53eb-11ef-a27d-0242ac110005\"}],\"type_id\":2,\"account\":{\"name\":\"engage subscribe fireplace\",\"type\":\"Unknown\",\"uid\":\"cfd298e4-53eb-11ef-9fc1-0242ac110005\",\"type_id\":0},\"ldap_person\":{\"manager\":{\"name\":\"Lucia\",\"domain\":\"sides sheet lt\",\"uid\":\"cfd2a640-53eb-11ef-b33d-0242ac110005\",\"credential_uid\":\"cfd2ac3a-53eb-11ef-89b0-0242ac110005\",\"email_addr\":\"Dodie@soundtrack.firm\"},\"modified_time\":1722945774088534,\"leave_time_dt\":\"2024-08-06T12:02:54.088544Z\",\"last_login_time_dt\":\"2024-08-06T12:02:54.088552Z\"},\"uid_alt\":\"trustee tree normally\"},\"group\":{\"name\":\"income bridges uruguay\",\"uid\":\"cfd2b96e-53eb-11ef-b3a0-0242ac110005\"},\"tid\":47,\"uid\":\"cfd2bf72-53eb-11ef-96ff-0242ac110005\",\"loaded_modules\":[\"/counters/kentucky/proceeding/yo/norwegian.mp3\",\"/indianapolis/sega/statutes/java/purple.bat\"],\"cmd_line\":\"calibration signature temp\",\"container\":{\"name\":\"begins magnetic inn\",\"size\":83122349,\"uid\":\"cfd2ca08-53eb-11ef-af87-0242ac110005\",\"image\":{\"name\":\"pot pulse ser\",\"path\":\"seat employers licenses\",\"uid\":\"cfd2d638-53eb-11ef-a4c4-0242ac110005\"},\"hash\":{\"value\":\"CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"essay brother 
facility\",\"pod_uuid\":\"bachelor\"},\"created_time\":1722945774089651,\"integrity\":\"Protected\",\"integrity_id\":6,\"namespace_pid\":96,\"parent_process\":{\"name\":\"Nationwide\",\"pid\":28,\"file\":{\"name\":\"fragrance.otf\",\"owner\":{\"name\":\"Does\",\"type\":\"Admin\",\"uid\":\"cfd2f1c2-53eb-11ef-9117-0242ac110005\",\"type_id\":2,\"email_addr\":\"Patrina@prototype.gov\",\"ldap_person\":{\"cost_center\":\"permits interact afternoon\",\"deleted_time\":1722945774090716,\"ldap_dn\":\"renaissance exhibition far\",\"leave_time_dt\":\"2024-08-06T12:02:54.090731Z\",\"last_login_time_dt\":\"2024-08-06T12:02:54.090739Z\"}},\"type\":\"Block Device\",\"path\":\"thumbzilla sir drawings/clicking.ico/fragrance.otf\",\"modifier\":{\"name\":\"Romania\",\"type\":\"Unknown\",\"uid\":\"cfd30dd8-53eb-11ef-a1d7-0242ac110005\",\"groups\":[{\"name\":\"boat generate canadian\",\"type\":\"breast brave sacramento\",\"domain\":\"mostly third hats\",\"desc\":\"york yours falls\",\"uid\":\"cfd317ec-53eb-11ef-b8c7-0242ac110005\",\"privileges\":[\"queries meyer wellness\"]},{\"name\":\"considerations wants books\",\"uid\":\"cfd31f1c-53eb-11ef-8b0c-0242ac110005\"}],\"type_id\":0},\"type_id\":4,\"parent_folder\":\"thumbzilla sir drawings/clicking.ico\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"created_time\":1722945774091482,\"hashes\":[{\"value\":\"8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"A541714A17804AC281E6DDDA5B707952\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time\":1722945774091552,\"xattributes\":{}},\"user\":{\"name\":\"Semester\",\"type\":\"Unknown\",\"uid\":\"cfd34d66-53eb-11ef-852b-0242ac110005\",\"groups\":[{\"name\":\"ellis methods congratulations\",\"uid\":\"cfd3572a-53eb-11ef-8889-0242ac110005\",\"privileges\":[\"deck version bathroom\"]},{\"name\":\"proposed margin drug\",\"desc\":\"race pg 
usps\",\"uid\":\"cfd35e64-53eb-11ef-8d1c-0242ac110005\"}],\"type_id\":0,\"email_addr\":\"Birdie@candle.edu\",\"ldap_person\":{},\"uid_alt\":\"protein clubs membership\"},\"group\":{\"name\":\"blessed operates rug\",\"uid\":\"cfd36e5e-53eb-11ef-9d98-0242ac110005\"},\"uid\":\"cfd374da-53eb-11ef-a5ba-0242ac110005\",\"cmd_line\":\"vaccine l vegetarian\",\"container\":{\"name\":\"matter venues paxil\",\"size\":3925402475,\"uid\":\"cfd37e94-53eb-11ef-b3b8-0242ac110005\",\"image\":{\"name\":\"troy when advertisers\",\"path\":\"knife aluminum connectivity\",\"uid\":\"cfd3879a-53eb-11ef-b5b2-0242ac110005\"},\"hash\":{\"value\":\"9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"pod_uuid\":\"examined\"},\"created_time\":1722945774094193,\"lineage\":[\"relationship closed gathered\",\"ment tu other\"],\"namespace_pid\":26,\"parent_process\":{\"name\":\"Pixel\",\"pid\":10,\"session\":{\"uid\":\"cfd3a202-53eb-11ef-8e19-0242ac110005\",\"issuer\":\"recognize lobby mon\",\"created_time\":1722945774095984,\"is_remote\":false},\"file\":{\"name\":\"jane.m4a\",\"type\":\"Folder\",\"path\":\"living marsh smilies/turner.mim/jane.m4a\",\"modifier\":{\"type\":\"System\",\"uid\":\"cfd3e9ec-53eb-11ef-a8dd-0242ac110005\",\"type_id\":3,\"uid_alt\":\"account qld kim\"},\"type_id\":2,\"parent_folder\":\"living marsh smilies/turner.mim\",\"confidentiality\":\"auburn\",\"confidentiality_id\":99,\"hashes\":[{\"value\":\"C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"modified_time\":1722945774096743,\"security_descriptor\":\"ticket vegas 
generates\",\"created_time_dt\":\"2024-08-06T12:02:54.096759Z\"},\"group\":{\"name\":\"bean learners accepting\",\"type\":\"dietary firms hotels\",\"uid\":\"cfd3fbe4-53eb-11ef-bdb1-0242ac110005\"},\"uid\":\"cfd40206-53eb-11ef-a429-0242ac110005\",\"cmd_line\":\"initiative step gathered\",\"container\":{\"name\":\"hundred central hrs\",\"size\":724491757,\"uid\":\"cfd40e22-53eb-11ef-afb2-0242ac110005\",\"image\":{\"name\":\"food qatar brain\",\"uid\":\"cfd41700-53eb-11ef-a54d-0242ac110005\"},\"hash\":{\"value\":\"1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}},\"created_time\":1722945774097846,\"namespace_pid\":45,\"parent_process\":{\"name\":\"Yield\",\"pid\":82,\"file\":{\"name\":\"apartments.py\",\"size\":524979186,\"type\":\"Named Pipe\",\"path\":\"fig kelly companion/attorneys.com/apartments.py\",\"uid\":\"cfd42dd0-53eb-11ef-8dc9-0242ac110005\",\"type_id\":6,\"parent_folder\":\"fig kelly companion/attorneys.com\",\"hashes\":[{\"value\":\"EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"security_descriptor\":\"avoiding bear incoming\"},\"user\":{\"name\":\"Fatal\",\"type\":\"Unknown\",\"type_id\":0},\"group\":{\"name\":\"cam empirical path\",\"uid\":\"cfd43d52-53eb-11ef-8205-0242ac110005\"},\"uid\":\"cfd4436a-53eb-11ef-84cf-0242ac110005\",\"cmd_line\":\"pix potential mardi\",\"container\":{\"name\":\"kerry courier tony\",\"runtime\":\"ben dynamics vienna\",\"size\":3164331564,\"image\":{\"name\":\"celebrities sensitive manufacture\",\"tag\":\"staff ericsson duty\",\"path\":\"selling rocky 
projection\",\"uid\":\"cfd450d0-53eb-11ef-83f3-0242ac110005\",\"labels\":[\"healing\",\"avoiding\"]},\"hash\":{\"value\":\"A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"dui expansion focus\"},\"created_time\":1722945774099345,\"integrity\":\"g manner mambo\",\"namespace_pid\":96,\"parent_process\":{\"name\":\"Organ\",\"pid\":90,\"session\":{\"uid\":\"cfd469b2-53eb-11ef-8a8a-0242ac110005\",\"issuer\":\"lyric fujitsu timber\",\"created_time\":1722945774099934,\"is_remote\":true,\"created_time_dt\":\"2024-08-06T12:02:54.099943Z\",\"expiration_time_dt\":\"2024-08-06T12:02:54.099951Z\"},\"file\":{\"name\":\"mothers.com\",\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"wal quiz worker/skin.plugin/mothers.com\",\"type_id\":7,\"company_name\":\"Delora Edyth\",\"parent_folder\":\"wal quiz worker/skin.plugin\",\"hashes\":[{\"value\":\"02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}]},\"user\":{\"type\":\"Unknown\",\"uid\":\"cfd47e3e-53eb-11ef-a1ef-0242ac110005\",\"type_id\":0,\"full_name\":\"Thuy Kristin\"},\"group\":{\"type\":\"figured eyes microphone\",\"desc\":\"comparable likelihood jeep\",\"uid\":\"cfd48fb4-53eb-11ef-bbb9-0242ac110005\"},\"uid\":\"cfd495e0-53eb-11ef-b81b-0242ac110005\",\"cmd_line\":\"welding viewpicture sampling\",\"container\":{\"name\":\"iii accessories ddr\",\"size\":3779122986,\"uid\":\"cfd4a166-53eb-11ef-97e4-0242ac110005\",\"image\":{\"name\":\"beach omaha 
protest\",\"uid\":\"cfd4aa76-53eb-11ef-a970-0242ac110005\"},\"hash\":{\"value\":\"917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722945774101623,\"namespace_pid\":90,\"parent_process\":{\"name\":\"Arrange\",\"pid\":5,\"file\":{\"attributes\":76,\"name\":\"elizabeth.sln\",\"size\":1485425900,\"type\":\"Folder\",\"path\":\"kai surname approach/xp.wpd/elizabeth.sln\",\"desc\":\"member dogs ports\",\"type_id\":2,\"company_name\":\"Claudio Alejandra\",\"parent_folder\":\"kai surname approach/xp.wpd\",\"confidentiality\":\"says\",\"confidentiality_id\":99,\"created_time_dt\":\"2024-08-06T12:02:54.102808Z\"},\"user\":{\"name\":\"Night\",\"type\":\"Unknown\",\"type_id\":0,\"ldap_person\":{\"manager\":{\"name\":\"Merchandise\",\"type\":\"System\",\"uid\":\"cfd4ff76-53eb-11ef-9efb-0242ac110005\",\"org\":{\"name\":\"belief billion talented\",\"ou_name\":\"volkswagen africa respect\"},\"groups\":[{\"name\":\"pos constraints inkjet\",\"type\":\"stat tray charitable\"},{\"name\":\"yemen happiness theft\"}],\"type_id\":3,\"full_name\":\"Janiece Jon\",\"credential_uid\":\"cfd50fd4-53eb-11ef-83d7-0242ac110005\",\"ldap_person\":{\"surname\":\"cancelled present faced\",\"modified_time_dt\":\"2024-08-06T12:02:54.104306Z\"},\"uid_alt\":\"fraud answers loved\"},\"email_addrs\":[\"Sharonda@helena.name\",\"Caroline@consent.mil\"],\"hire_time\":1722945774104346,\"office_location\":\"ways statement ni\",\"surname\":\"cio evaluating bc\",\"last_login_time_dt\":\"2024-08-06T12:02:54.104363Z\"}},\"group\":{\"name\":\"majority scores surveillance\",\"desc\":\"bearing return gt\",\"uid\":\"cfd52f3c-53eb-11ef-bb53-0242ac110005\",\"privileges\":[\"kansas religions cgi\"]},\"uid\":\"cfd53608-53eb-11ef-92de-0242ac110005\",\"loaded_modules\":[\"/save/tt/places/ballet/exclusive.psd\",\"/administered/herbs/discrete/katie/rl.ttf\"],\"cmd_line\":\"visual dated alpha\",\"container\":{\"name\":\"footwear checkout 
march\",\"size\":1641826457,\"uid\":\"cfd542ec-53eb-11ef-be38-0242ac110005\",\"image\":{\"name\":\"concentrations deck created\",\"uid\":\"cfd54bf2-53eb-11ef-b477-0242ac110005\"},\"hash\":{\"value\":\"03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}},\"created_time\":1722945774105758,\"integrity\":\"Unknown\",\"integrity_id\":0,\"lineage\":[\"length apr charm\",\"farm chaos overseas\"],\"namespace_pid\":33,\"sandbox\":\"mexican mixer g\",\"euid\":59,\"terminated_time_dt\":\"2024-08-06T12:02:54.105788Z\"},\"egid\":49,\"terminated_time_dt\":\"2024-08-06T12:02:54.105798Z\"},\"sandbox\":\"variance volleyball compile\"},\"auid\":38,\"terminated_time_dt\":\"2024-08-06T12:02:54.105811Z\"}},\"created_time_dt\":\"2024-08-06T12:02:54.105819Z\"},\"xattributes\":{},\"euid\":32},\"terminated_time\":1722945774105859,\"auid\":17},\"sandbox\":\"frequent dining arguments\",\"xattributes\":{},\"created_time_dt\":\"2024-08-06T12:02:54.105883Z\",\"terminated_time_dt\":\"2024-08-06T12:02:54.105888Z\"},\"euid\":93,\"terminated_time_dt\":\"2024-08-06T12:02:54.105894Z\"},\"user\":{\"name\":\"Ok\",\"type\":\"System\",\"domain\":\"rpm particular mae\",\"uid\":\"cfd57668-53eb-11ef-ad7f-0242ac110005\",\"groups\":[{\"name\":\"numbers nextel globe\",\"type\":\"debug carpet per\",\"domain\":\"indexed email mardi\",\"uid\":\"cfd58068-53eb-11ef-b081-0242ac110005\"},{\"name\":\"fitting personalized estimation\",\"uid\":\"cfd58ae0-53eb-11ef-850c-0242ac110005\"}],\"type_id\":3}},\"cloud\":{\"provider\":\"experimental mac seconds\",\"region\":\"debate population smithsonian\",\"zone\":\"raised expert baseball\"},\"database\":{\"name\":\"laden confidence arabic\",\"type\":\"Object Oriented\",\"uid\":\"cfcf8aaa-53eb-11ef-835d-0242ac110005\",\"type_id\":3,\"created_time_dt\":\"2024-08-06T12:02:54.068006Z\"},\"databucket\":{\"name\":\"facts drug laos\",\"type\":\"GCP 
Bucket\",\"type_id\":3},\"severity_id\":1,\"src_endpoint\":{\"port\":47139,\"type\":\"Laptop\",\"ip\":\"175.16.199.0\",\"hostname\":\"thank.coop\",\"uid\":\"cfcfee32-53eb-11ef-b8c3-0242ac110005\",\"type_id\":3,\"container\":{\"name\":\"detect drop hobbies\",\"size\":2933944469,\"tag\":\"together own republicans\",\"uid\":\"cfd0401c-53eb-11ef-b764-0242ac110005\",\"image\":{\"path\":\"constraint explosion ge\",\"uid\":\"cfd04b5c-53eb-11ef-a7db-0242ac110005\",\"labels\":[\"er\",\"distances\"]}},\"hw_info\":{\"cpu_count\":74,\"cpu_speed\":92},\"instance_uid\":\"cfd0555c-53eb-11ef-82ff-0242ac110005\",\"interface_uid\":\"cfd05bd8-53eb-11ef-864c-0242ac110005\",\"namespace_pid\":25,\"svc_name\":\"further compressed twisted\",\"vlan_uid\":\"cfd06344-53eb-11ef-9b92-0242ac110005\"},\"status_id\":2}", + "outcome": "failure", + "provider": "medal removing losses", + "severity": 1, + "type": [ + "info" + ] + }, + "file": { + "directory": "stock armstrong ie/bobby.m3u", + "hash": { + "md5": [ + "7B849A50DA92F39D6AF294B10E0B93F5" + ] + }, + "mtime": "2024-08-06T12:02:54.074Z", + "name": "senegal.dcr", + "path": "stock armstrong ie/bobby.m3u/senegal.dcr", + "type": "Folder" + }, + "message": "routing rosa speeds", + "network": { + "application": [ + "further compressed twisted" + ] + }, + "ocsf": { + "activity_id": "5", + "activity_name": "Write", + "actor": { + "process": { + "cmd_line": "associate directions partly", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": "99", + "value": "D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2" + }, + "image": { + "name": "number serial patients", + "uid": "cfd0bb46-53eb-11ef-b743-0242ac110005" + }, + "size": 2753478121, + "uid": "cfd0b25e-53eb-11ef-aab1-0242ac110005" + }, + "created_time": "+56567-12-24T00:21:15.951Z", + "euid": "93", + "file": { + "confidentiality": "Top Secret", + "confidentiality_id": "4", + "creator": { + "domain": "dedicated smile macintosh", + "name": "Slight", + "type": "System", 
+ "type_id": "3", + "uid": "cfd08748-53eb-11ef-8545-0242ac110005" + }, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": "99", + "value": "6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43" + }, + { + "algorithm": "MD5", + "algorithm_id": "1", + "value": "7B849A50DA92F39D6AF294B10E0B93F5" + } + ], + "modified_time_dt": "2024-08-06T12:02:54.074Z", + "name": "senegal.dcr", + "parent_folder": "stock armstrong ie/bobby.m3u", + "path": "stock armstrong ie/bobby.m3u/senegal.dcr", + "type": "Folder", + "type_id": "2" + }, + "group": { + "desc": "mime counsel uses", + "name": "desired administration quotations", + "uid": "cfd0a0f2-53eb-11ef-a02f-0242ac110005" + }, + "loaded_modules": [ + "/chronicle/initiated/hormone/surprise/corps.html", + "/allan/appearance/viruses/college/naughty.rom" + ], + "name": "Flashing", + "namespace_pid": 78, + "parent_process": { + "cmd_line": "hash unknown meters", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": "99", + "value": "48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294" + }, + "image": { + "name": "climbing quickly lonely", + "uid": "cfd10d12-53eb-11ef-8fcb-0242ac110005" + }, + "name": "gnome face decisions", + "size": 411217035, + "uid": "cfd10448-53eb-11ef-8948-0242ac110005" + }, + "created_time": "+56567-12-24T00:21:17.934Z", + "created_time_dt": "2024-08-06T12:02:54.105Z", + "file": { + "attributes": 67, + "company_name": "Norberto Vena", + "confidentiality": "Secret", + "confidentiality_id": "3", + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7" + } + ], + "name": "spirituality.mid", + "parent_folder": "analyzed election throws/composition.tax2020", + "path": "analyzed election throws/composition.tax2020/spirituality.mid", + "security_descriptor": "nor treasury uri", + "type": "Character Device", + "type_id": "3", + "uid": "cfd0d964-53eb-11ef-9f61-0242ac110005" + }, + "group": { + "domain": "detail 
blah motels", + "name": "adolescent antigua ui", + "uid": "cfd0fa70-53eb-11ef-9120-0242ac110005" + }, + "lineage": [ + "off disturbed bidding", + "validity requested without" + ], + "name": "Basin", + "namespace_pid": 60, + "parent_process": { + "auid": 17, + "cmd_line": "capabilities major outline", + "container": { + "hash": { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA" + }, + "image": { + "name": "objectives cooper expenses", + "tag": "flashers incurred visiting", + "uid": "cfd19f5c-53eb-11ef-b6a5-0242ac110005" + }, + "name": "ul primary rivers", + "size": 4147443008, + "uid": "cfd19624-53eb-11ef-b555-0242ac110005" + }, + "created_time": 1722945774081680, + "file": { + "attributes": 46, + "company_name": "Christian Cinda", + "confidentiality": "promise", + "confidentiality_id": 99, + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "CE59D0F436DBA3BA0A6A76043041A5E787C3B835" + }, + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77" + } + ], + "modified_time": 1722945774080462, + "modifier": { + "full_name": "Etha Roy", + "groups": [ + { + "name": "wales indoor speaking", + "uid": "cfd160be-53eb-11ef-8f19-0242ac110005" + }, + { + "desc": "bathrooms transfers diego", + "name": "mongolia records suffer", + "uid": "cfd167da-53eb-11ef-b5a7-0242ac110005" + } + ], + "name": "Bang", + "org": { + "name": "snake dam rapidly", + "ou_name": "photo acrylic highway", + "uid": "cfd155ba-53eb-11ef-9ea1-0242ac110005" + }, + "type": "wicked", + "type_id": 99, + "uid": "cfd14d0e-53eb-11ef-8822-0242ac110005" + }, + "name": "invite.flv", + "parent_folder": "mobiles at hazards/feels.b", + "path": "mobiles at hazards/feels.b/invite.flv", + "product": { + "name": "executives dell bands", + "uid": "cfd14174-53eb-11ef-ad92-0242ac110005", + 
"url_string": "divx", + "vendor_name": "neighbor advise animal", + "version": "1.1.0" + }, + "security_descriptor": "allen mba skating", + "type": "Folder", + "type_id": 2, + "uid": "cfd16ece-53eb-11ef-92bb-0242ac110005" + }, + "group": { + "desc": "times substitute plasma", + "uid": "cfd17fa4-53eb-11ef-bb39-0242ac110005" + }, + "lineage": [ + "feed prozac starring" + ], + "loaded_modules": [ + "/hotels/stream/anchor/ted/ghost.zipx", + "/secure/proprietary/execute/medicine/hl.dwg" + ], + "name": "Zus", + "parent_process": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3" + }, + "name": "travesti borough biggest", + "size": 3355225968, + "uid": "cfd201c2-53eb-11ef-86c9-0242ac110005" + }, + "created_time": 1722945774084196, + "euid": 32, + "file": { + "confidentiality": "Secret", + "confidentiality_id": 3, + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216" + } + ], + "modifier": { + "credential_uid": "cfd1bf00-53eb-11ef-9ae0-0242ac110005", + "name": "Drivers", + "type": "Admin", + "type_id": 2, + "uid": "cfd1b884-53eb-11ef-9e17-0242ac110005" + }, + "name": "shirts.pct", + "parent_folder": "reporters schools bermuda/investigations.apk", + "path": "reporters schools bermuda/investigations.apk/shirts.pct", + "type": "Folder", + "type_id": 2 + }, + "group": { + "domain": "jim presents tire", + "name": "easily strengthening concept", + "type": "claimed farms dressed", + "uid": "cfd1f0b0-53eb-11ef-a5b6-0242ac110005" + }, + "name": "Keep", + "namespace_pid": 63, + "parent_process": { + "cmd_line": "calibration signature temp", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838" + 
}, + "image": { + "name": "pot pulse ser", + "path": "seat employers licenses", + "uid": "cfd2d638-53eb-11ef-a4c4-0242ac110005" + }, + "name": "begins magnetic inn", + "orchestrator": "essay brother facility", + "pod_uuid": "bachelor", + "size": 83122349, + "uid": "cfd2ca08-53eb-11ef-af87-0242ac110005" + }, + "created_time": 1722945774089651, + "created_time_dt": "2024-08-06T12:02:54.105819Z", + "file": { + "creator": { + "ldap_person": { + "cost_center": "char immigration blue", + "employee_uid": "cfd269b4-53eb-11ef-862f-0242ac110005", + "hire_time_dt": "2024-08-06T12:02:54.086830Z", + "job_title": "tm payday needed", + "manager": { + "domain": "permission eu anonymous", + "name": "Arrangements", + "org": { + "name": "positioning sending donald", + "ou_name": "americans pee mixed", + "uid": "cfd261e4-53eb-11ef-8e64-0242ac110005" + }, + "type": "bunch", + "type_id": 99, + "uid": "cfd25802-53eb-11ef-bc5e-0242ac110005" + }, + "office_location": "hack maintains suit" + }, + "name": "Soa" + }, + "name": "cafe.fon", + "parent_folder": "microwave cir nails/gtk.dmg", + "path": "microwave cir nails/gtk.dmg/cafe.fon", + "security_descriptor": "hour rca writes", + "type": "Local Socket", + "type_id": 5, + "uid": "cfd23214-53eb-11ef-aaf5-0242ac110005" + }, + "group": { + "name": "income bridges uruguay", + "uid": "cfd2b96e-53eb-11ef-b3a0-0242ac110005" + }, + "integrity": "Protected", + "integrity_id": 6, + "loaded_modules": [ + "/counters/kentucky/proceeding/yo/norwegian.mp3", + "/indianapolis/sega/statutes/java/purple.bat" + ], + "name": "Acres", + "namespace_pid": 96, + "parent_process": { + "cmd_line": "vaccine l vegetarian", + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE" + }, + "image": { + "name": "troy when advertisers", + "path": "knife aluminum connectivity", + "uid": 
"cfd3879a-53eb-11ef-b5b2-0242ac110005" + }, + "name": "matter venues paxil", + "pod_uuid": "examined", + "size": 3925402475, + "uid": "cfd37e94-53eb-11ef-b3b8-0242ac110005" + }, + "created_time": 1722945774094193, + "file": { + "confidentiality": "Unknown", + "confidentiality_id": 0, + "created_time": 1722945774091482, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "A541714A17804AC281E6DDDA5B707952" + } + ], + "modified_time": 1722945774091552, + "modifier": { + "groups": [ + { + "desc": "york yours falls", + "domain": "mostly third hats", + "name": "boat generate canadian", + "privileges": [ + "queries meyer wellness" + ], + "type": "breast brave sacramento", + "uid": "cfd317ec-53eb-11ef-b8c7-0242ac110005" + }, + { + "name": "considerations wants books", + "uid": "cfd31f1c-53eb-11ef-8b0c-0242ac110005" + } + ], + "name": "Romania", + "type": "Unknown", + "type_id": 0, + "uid": "cfd30dd8-53eb-11ef-a1d7-0242ac110005" + }, + "name": "fragrance.otf", + "owner": { + "email_addr": "Patrina@prototype.gov", + "ldap_person": { + "cost_center": "permits interact afternoon", + "deleted_time": 1722945774090716, + "last_login_time_dt": "2024-08-06T12:02:54.090739Z", + "ldap_dn": "renaissance exhibition far", + "leave_time_dt": "2024-08-06T12:02:54.090731Z" + }, + "name": "Does", + "type": "Admin", + "type_id": 2, + "uid": "cfd2f1c2-53eb-11ef-9117-0242ac110005" + }, + "parent_folder": "thumbzilla sir drawings/clicking.ico", + "path": "thumbzilla sir drawings/clicking.ico/fragrance.otf", + "type": "Block Device", + "type_id": 4 + }, + "group": { + "name": "blessed operates rug", + "uid": "cfd36e5e-53eb-11ef-9d98-0242ac110005" + }, + "lineage": [ + "relationship closed gathered", + "ment tu other" + ], + "name": "Nationwide", + "namespace_pid": 26, + "parent_process": { + "auid": 38, + "cmd_line": "initiative step gathered", 
+ "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3" + }, + "image": { + "name": "food qatar brain", + "uid": "cfd41700-53eb-11ef-a54d-0242ac110005" + }, + "name": "hundred central hrs", + "size": 724491757, + "uid": "cfd40e22-53eb-11ef-afb2-0242ac110005" + }, + "created_time": 1722945774097846, + "file": { + "confidentiality": "auburn", + "confidentiality_id": 99, + "created_time_dt": "2024-08-06T12:02:54.096759Z", + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868" + }, + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD" + } + ], + "modified_time": 1722945774096743, + "modifier": { + "type": "System", + "type_id": 3, + "uid": "cfd3e9ec-53eb-11ef-a8dd-0242ac110005", + "uid_alt": "account qld kim" + }, + "name": "jane.m4a", + "parent_folder": "living marsh smilies/turner.mim", + "path": "living marsh smilies/turner.mim/jane.m4a", + "security_descriptor": "ticket vegas generates", + "type": "Folder", + "type_id": 2 + }, + "group": { + "name": "bean learners accepting", + "type": "dietary firms hotels", + "uid": "cfd3fbe4-53eb-11ef-bdb1-0242ac110005" + }, + "name": "Pixel", + "namespace_pid": 45, + "parent_process": { + "cmd_line": "pix potential mardi", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7" + }, + "image": { + "labels": [ + "healing", + "avoiding" + ], + "name": "celebrities sensitive manufacture", + "path": "selling rocky 
projection", + "tag": "staff ericsson duty", + "uid": "cfd450d0-53eb-11ef-83f3-0242ac110005" + }, + "name": "kerry courier tony", + "orchestrator": "dui expansion focus", + "runtime": "ben dynamics vienna", + "size": 3164331564 + }, + "created_time": 1722945774099345, + "file": { + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A" + }, + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947" + } + ], + "name": "apartments.py", + "parent_folder": "fig kelly companion/attorneys.com", + "path": "fig kelly companion/attorneys.com/apartments.py", + "security_descriptor": "avoiding bear incoming", + "size": 524979186, + "type": "Named Pipe", + "type_id": 6, + "uid": "cfd42dd0-53eb-11ef-8dc9-0242ac110005" + }, + "group": { + "name": "cam empirical path", + "uid": "cfd43d52-53eb-11ef-8205-0242ac110005" + }, + "integrity": "g manner mambo", + "name": "Yield", + "namespace_pid": 96, + "parent_process": { + "cmd_line": "welding viewpicture sampling", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5" + }, + "image": { + "name": "beach omaha protest", + "uid": "cfd4aa76-53eb-11ef-a970-0242ac110005" + }, + "name": "iii accessories ddr", + "size": 3779122986, + "uid": "cfd4a166-53eb-11ef-97e4-0242ac110005" + }, + "created_time": 1722945774101623, + "egid": 49, + "file": { + "company_name": "Delora Edyth", + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966" + }, + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": 
"805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280" + } + ], + "name": "mothers.com", + "parent_folder": "wal quiz worker/skin.plugin", + "path": "wal quiz worker/skin.plugin/mothers.com", + "type": "Symbolic Link", + "type_id": 7, + "version": "1.1.0" + }, + "group": { + "desc": "comparable likelihood jeep", + "type": "figured eyes microphone", + "uid": "cfd48fb4-53eb-11ef-bbb9-0242ac110005" + }, + "name": "Organ", + "namespace_pid": 90, + "parent_process": { + "cmd_line": "visual dated alpha", + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471" + }, + "image": { + "name": "concentrations deck created", + "uid": "cfd54bf2-53eb-11ef-b477-0242ac110005" + }, + "name": "footwear checkout march", + "size": 1641826457, + "uid": "cfd542ec-53eb-11ef-be38-0242ac110005" + }, + "created_time": 1722945774105758, + "euid": 59, + "file": { + "attributes": 76, + "company_name": "Claudio Alejandra", + "confidentiality": "says", + "confidentiality_id": 99, + "created_time_dt": "2024-08-06T12:02:54.102808Z", + "desc": "member dogs ports", + "name": "elizabeth.sln", + "parent_folder": "kai surname approach/xp.wpd", + "path": "kai surname approach/xp.wpd/elizabeth.sln", + "size": 1485425900, + "type": "Folder", + "type_id": 2 + }, + "group": { + "desc": "bearing return gt", + "name": "majority scores surveillance", + "privileges": [ + "kansas religions cgi" + ], + "uid": "cfd52f3c-53eb-11ef-bb53-0242ac110005" + }, + "integrity": "Unknown", + "integrity_id": 0, + "lineage": [ + "length apr charm", + "farm chaos overseas" + ], + "loaded_modules": [ + "/save/tt/places/ballet/exclusive.psd", + "/administered/herbs/discrete/katie/rl.ttf" + ], + "name": "Arrange", + "namespace_pid": 33, + "pid": 5, + "sandbox": "mexican mixer g", + 
"terminated_time_dt": "2024-08-06T12:02:54.105788Z", + "uid": "cfd53608-53eb-11ef-92de-0242ac110005", + "user": { + "ldap_person": { + "email_addrs": [ + "Sharonda@helena.name", + "Caroline@consent.mil" + ], + "hire_time": 1722945774104346, + "last_login_time_dt": "2024-08-06T12:02:54.104363Z", + "manager": { + "credential_uid": "cfd50fd4-53eb-11ef-83d7-0242ac110005", + "full_name": "Janiece Jon", + "groups": [ + { + "name": "pos constraints inkjet", + "type": "stat tray charitable" + }, + { + "name": "yemen happiness theft" + } + ], + "ldap_person": { + "modified_time_dt": "2024-08-06T12:02:54.104306Z", + "surname": "cancelled present faced" + }, + "name": "Merchandise", + "org": { + "name": "belief billion talented", + "ou_name": "volkswagen africa respect" + }, + "type": "System", + "type_id": 3, + "uid": "cfd4ff76-53eb-11ef-9efb-0242ac110005", + "uid_alt": "fraud answers loved" + }, + "office_location": "ways statement ni", + "surname": "cio evaluating bc" + }, + "name": "Night", + "type": "Unknown", + "type_id": 0 + } + }, + "pid": 90, + "session": { + "created_time": 1722945774099934, + "created_time_dt": "2024-08-06T12:02:54.099943Z", + "expiration_time_dt": "2024-08-06T12:02:54.099951Z", + "is_remote": true, + "issuer": "lyric fujitsu timber", + "uid": "cfd469b2-53eb-11ef-8a8a-0242ac110005" + }, + "terminated_time_dt": "2024-08-06T12:02:54.105798Z", + "uid": "cfd495e0-53eb-11ef-b81b-0242ac110005", + "user": { + "full_name": "Thuy Kristin", + "type": "Unknown", + "type_id": 0, + "uid": "cfd47e3e-53eb-11ef-a1ef-0242ac110005" + } + }, + "pid": 82, + "sandbox": "variance volleyball compile", + "uid": "cfd4436a-53eb-11ef-84cf-0242ac110005", + "user": { + "name": "Fatal", + "type": "Unknown", + "type_id": 0 + } + }, + "pid": 10, + "session": { + "created_time": 1722945774095984, + "is_remote": false, + "issuer": "recognize lobby mon", + "uid": "cfd3a202-53eb-11ef-8e19-0242ac110005" + }, + "terminated_time_dt": "2024-08-06T12:02:54.105811Z", + "uid": 
"cfd40206-53eb-11ef-a429-0242ac110005" + }, + "pid": 28, + "uid": "cfd374da-53eb-11ef-a5ba-0242ac110005", + "user": { + "email_addr": "Birdie@candle.edu", + "groups": [ + { + "name": "ellis methods congratulations", + "privileges": [ + "deck version bathroom" + ], + "uid": "cfd3572a-53eb-11ef-8889-0242ac110005" + }, + { + "desc": "race pg usps", + "name": "proposed margin drug", + "uid": "cfd35e64-53eb-11ef-8d1c-0242ac110005" + } + ], + "name": "Semester", + "type": "Unknown", + "type_id": 0, + "uid": "cfd34d66-53eb-11ef-852b-0242ac110005", + "uid_alt": "protein clubs membership" + } + }, + "pid": 41, + "tid": 47, + "uid": "cfd2bf72-53eb-11ef-96ff-0242ac110005", + "user": { + "account": { + "name": "engage subscribe fireplace", + "type": "Unknown", + "type_id": 0, + "uid": "cfd298e4-53eb-11ef-9fc1-0242ac110005" + }, + "groups": [ + { + "name": "suppliers returns jewellery", + "uid": "cfd28336-53eb-11ef-a671-0242ac110005" + }, + { + "name": "archive honolulu restricted", + "uid": "cfd28a84-53eb-11ef-a27d-0242ac110005" + } + ], + "ldap_person": { + "last_login_time_dt": "2024-08-06T12:02:54.088552Z", + "leave_time_dt": "2024-08-06T12:02:54.088544Z", + "manager": { + "credential_uid": "cfd2ac3a-53eb-11ef-89b0-0242ac110005", + "domain": "sides sheet lt", + "email_addr": "Dodie@soundtrack.firm", + "name": "Lucia", + "uid": "cfd2a640-53eb-11ef-b33d-0242ac110005" + }, + "modified_time": 1722945774088534 + }, + "name": "Defence", + "type": "Admin", + "type_id": 2, + "uid": "cfd27814-53eb-11ef-91f4-0242ac110005", + "uid_alt": "trustee tree normally" + } + }, + "pid": 75, + "tid": 93, + "uid": "cfd1f6b4-53eb-11ef-88fe-0242ac110005", + "user": { + "credential_uid": "cfd1e638-53eb-11ef-acdc-0242ac110005", + "email_addr": "Timika@starsmerchant.store", + "groups": [ + { + "domain": "rolled womens allowed", + "type": "multi extension th", + "uid": "cfd1de54-53eb-11ef-9548-0242ac110005" + }, + { + "name": "shorter hydrocodone obtaining", + "type": "jenny version diploma" + } + ], 
+ "name": "Northeast", + "org": { + "name": "demo dressing bloggers", + "ou_name": "infection replace kingdom" + }, + "type": "Admin", + "type_id": 2, + "uid": "cfd1cbbc-53eb-11ef-86e4-0242ac110005", + "uid_alt": "jr participants illustration" + } + }, + "session": { + "created_time": 1722945774078143, + "is_remote": false, + "issuer": "informal witnesses endif" + }, + "terminated_time": 1722945774105859, + "tid": 63, + "uid": "cfd185c6-53eb-11ef-85ca-0242ac110005", + "user": { + "name": "Bernard", + "type": "Admin", + "type_id": 2, + "uid_alt": "denmark day sir" + } + }, + "pid": 63, + "sandbox": "frequent dining arguments", + "terminated_time_dt": "2024-08-06T12:02:54.105Z", + "user": { + "ldap_person": { + "created_time": 1722945774077119, + "hire_time": 1722945774077128, + "hire_time_dt": "2024-08-06T12:02:54.077132Z" + }, + "name": "Revisions", + "type": "Admin", + "type_id": "2" + } + }, + "pid": 98, + "terminated_time_dt": "2024-08-06T12:02:54.105Z", + "uid": "cfd0a73c-53eb-11ef-9622-0242ac110005", + "user": { + "name": "Contamination", + "type": "Admin", + "type_id": "2", + "uid": "cfd09666-53eb-11ef-9cc7-0242ac110005" + } + }, + "user": { + "domain": "rpm particular mae", + "groups": [ + { + "domain": "indexed email mardi", + "name": "numbers nextel globe", + "type": "debug carpet per", + "uid": "cfd58068-53eb-11ef-b081-0242ac110005" + }, + { + "name": "fitting personalized estimation", + "uid": "cfd58ae0-53eb-11ef-850c-0242ac110005" + } + ], + "name": "Ok", + "type": "System", + "type_id": "3", + "uid": "cfd57668-53eb-11ef-ad7f-0242ac110005" + } + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Datastore Activity", + "class_uid": "6005", + "cloud": { + "provider": "experimental mac seconds", + "region": "debate population smithsonian", + "zone": "raised expert baseball" + }, + "database": { + "created_time_dt": "2024-08-06T12:02:54.068006Z", + "name": "laden confidence arabic", + "type": "Object Oriented", + 
"type_id": 3, + "uid": "cfcf8aaa-53eb-11ef-835d-0242ac110005" + }, + "databucket": { + "name": "facts drug laos", + "type": "GCP Bucket", + "type_id": 3 + }, + "duration": 38, + "end_time_dt": "2024-08-06T12:02:54.073Z", + "message": "routing rosa speeds", + "metadata": { + "extensions": [ + { + "name": "importantly identifying causing", + "uid": "cfcfce02-53eb-11ef-a17b-0242ac110005", + "version": "1.1.0" + }, + { + "name": "feof nightlife dans", + "uid": "cfcfd5d2-53eb-11ef-acdf-0242ac110005", + "version": "1.1.0" + } + ], + "labels": [ + "dominant" + ], + "log_level": "consult supplements external", + "log_name": "ottawa triumph analysis", + "log_provider": "medal removing losses", + "original_time": "families batman star", + "product": { + "name": "nightlife joint talked", + "path": "roulette covered encryption", + "uid": "cfcfc1aa-53eb-11ef-80a9-0242ac110005", + "vendor_name": "rainbow league closure", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "cfcfde4c-53eb-11ef-9b9b-0242ac110005", + "version": "1.1.0" + }, + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "container": { + "image": { + "labels": [ + "er", + "distances" + ], + "path": "constraint explosion ge", + "uid": "cfd04b5c-53eb-11ef-a7db-0242ac110005" + }, + "name": "detect drop hobbies", + "size": 2933944469, + "tag": "together own republicans", + "uid": "cfd0401c-53eb-11ef-b764-0242ac110005" + }, + "hostname": "thank.coop", + "hw_info": { + "cpu_count": 74, + "cpu_speed": 92 + }, + "instance_uid": "cfd0555c-53eb-11ef-82ff-0242ac110005", + "interface_uid": "cfd05bd8-53eb-11ef-864c-0242ac110005", + "ip": "175.16.199.0", + "namespace_pid": 25, + "port": 47139, + "svc_name": "further compressed twisted", + "type": "Laptop", + "type_id": 3, + "uid": "cfcfee32-53eb-11ef-b8c3-0242ac110005", + "vlan_uid": 
"cfd06344-53eb-11ef-9b92-0242ac110005" + }, + "status": "Failure", + "status_id": "2", + "time": "+56567-12-24T00:21:13.580Z", + "type": "loc", + "type_id": 99, + "type_name": "Datastore Activity: Write", + "type_uid": "600505" + }, + "process": { + "command_line": "associate directions partly", + "end": "2024-08-06T12:02:54.105Z", + "entity_id": "cfd0a73c-53eb-11ef-9622-0242ac110005", + "group": { + "id": [ + "cfd0a0f2-53eb-11ef-a02f-0242ac110005" + ], + "name": "desired administration quotations" + }, + "name": "Flashing", + "parent": { + "command_line": "hash unknown meters", + "end": "2024-08-06T12:02:54.105Z", + "group": { + "id": [ + "cfd0fa70-53eb-11ef-9120-0242ac110005" + ], + "name": "adolescent antigua ui" + }, + "name": "Basin", + "pid": 63, + "start": "+56567-12-24T00:21:17.934Z", + "user": { + "name": "Revisions" + } + }, + "pid": 98, + "start": "+56567-12-24T00:21:15.951Z", + "user": { + "id": [ + "93", + "cfd09666-53eb-11ef-9cc7-0242ac110005" + ], + "name": "Contamination" + } + }, + "related": { + "hash": [ + "D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2", + "6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43", + "7B849A50DA92F39D6AF294B10E0B93F5", + "48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294", + "8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7" + ], + "hosts": [ + "thank.coop" + ], + "ip": [ + "175.16.199.0" + ], + "user": [ + "93", + "cfd09666-53eb-11ef-9cc7-0242ac110005", + "Contamination", + "cfd57668-53eb-11ef-ad7f-0242ac110005", + "Ok", + "Revisions", + "Slight", + "cfd08748-53eb-11ef-8545-0242ac110005" + ] + }, + "source": { + "domain": [ + "thank.coop" + ], + "ip": "175.16.199.0", + "port": 47139 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "dominant" + ], + "user": { + "domain": "rpm particular mae", + "group": { + "id": [ + "cfd58068-53eb-11ef-b081-0242ac110005", + "cfd58ae0-53eb-11ef-850c-0242ac110005" + ], + "name": [ + "numbers nextel globe", + 
"fitting personalized estimation" + ] + }, + "id": "cfd57668-53eb-11ef-ad7f-0242ac110005", + "name": "Ok" + } } ] } \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index d6fbc86e7d16..587fa3748198 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -28,7 +28,7 @@ processors: - set: field: event.kind tag: set_event_kind - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) value: event - set: field: event.kind 
@@ -124,7 +124,7 @@ processors: tag: append_info_into_event_type value: info allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) - append: field: event.type tag: append_user_into_event_type @@ -693,7 +693,7 @@ processors: ignore_missing: true - pipeline: name: '{{ IngestPipeline "pipeline_object_actor" }}' - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null tag: pipeline_object_actor ignore_missing_pipeline: true - pipeline: 
@@ -713,7 +713,7 @@ processors: ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_http_request" }}' - if: ctx.ocsf?.class_uid != null && ['3001','3002','4002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.http_request != null + if: ctx.ocsf?.class_uid != null && ['3001','3002','4002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.http_request != null tag: pipeline_object_http_request ignore_missing_pipeline: true - pipeline: @@ -723,7 +723,7 @@ processors: ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_network_endpoint" }}' - if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4013','6001','6003','6004'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null) + if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4013','6001','6003','6004','6005'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null) tag: pipeline_object_network_endpoint ignore_missing_pipeline: true - pipeline: diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml index d7de1e51a6e5..1468a03bb216 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml @@ -1201,6 +1201,9 @@ - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. 
@@ -1361,6 +1364,9 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: xattributes type: flattened description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. @@ -1591,21 +1597,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
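Review bot: `ldap_person` is added here as `flattened`, and the hunk at -1619,165 replaces the existing typed `ldap_person` group with the same `flattened` mapping, so every leaf under it is indexed as a keyword — including `created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time` and `modified_time`, which the removed block typed as `date` with `format: epoch_second`, and `location.coordinates`, which was `geo_point`. Range queries, date histograms and map visualizations on those values stop working, which matters for detection content that keys on stale or never-used accounts via `last_login_time`. If flattening is deliberate to bound the field count, consider keeping `ldap_person` as a `group` with only the timestamp and coordinate leaves typed, or at least say so in the description: `description: The LDAP attributes of the user, stored untyped (timestamps are indexed as keywords, not dates).`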
@@ -1619,165 +1615,5 @@ type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: ldap_person - type: group - description: The LDAP person object. - fields: - - name: cost_center - type: keyword - description: The cost center associated with the user. - - name: created_time - type: date - format: epoch_second - description: The timestamp when the user was created. - - name: deleted_time - type: date - format: epoch_second - description: The timestamp when the user was deleted. - - name: email_addrs - type: keyword - description: A list of additional email addresses for the user. - - name: employee_uid - type: keyword - description: The employee identifier assigned to the user by the organization. - - name: given_name - type: keyword - description: The given or first name of the user. - - name: hire_time - type: date - format: epoch_second - description: The timestamp when the user was or will be hired by the organization. - - name: job_title - type: keyword - description: The user's job title. - - name: labels - type: keyword - description: The labels associated with the user. For example in AD this could be the userType, employeeType. - - name: last_login_time - type: date - format: epoch_second - description: The last time when the user logged in. - - name: ldap_cn - type: keyword - description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. - - name: ldap_dn - type: keyword - description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. - - name: leave_time - type: date - format: epoch_second - description: The timestamp when the user left or will be leaving the organization. 
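Review bot: Replacing the `org` group with `org.*` (`object_type: keyword`, `object_type_mapping_type: "*"`) keeps the four previously keyword leaves as keywords, but the per-field descriptions for `name`, `ou_name`, `ou_uid` and `uid` disappear from the generated documentation and nothing now names which keys are expected. Since the subfields are known from the removed block, listing them in the description costs one line: `description: Organization and org unit related to the user (name, ou_name, ou_uid, uid).` The enclosing user definition starts above this hunk.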
- - name: modified_time - type: date - format: epoch_second - description: The timestamp when the user entry was last modified. - - name: office_location - type: keyword - description: The primary office location associated with the user. This could be any string and isn't a specific address. - - name: surname - type: keyword - description: The last or family name for the user. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: manager - type: group - description: Manager - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: integer - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: domain - type: keyword - description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: integer - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + type: flattened + description: The LDAP attributes of the user. diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml index c683d32cf09f..63b6f531c0a7 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml @@ -516,6 +516,12 @@ - name: data_sources type: keyword description: The data sources for the finding. + - name: database + type: flattened + description: The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data. + - name: databucket + type: flattened + description: The data bucket object is a basic container that holds data, typically organized through the use of data partitions. - name: dce_rpc type: group fields: 
@@ -2582,120 +2588,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: tenant_uid - type: keyword - description: The audit level at which an event was generated. - - name: log_level - type: keyword - description: The log level of the event. - - name: loggers - type: flattened - description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. 
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. 
- - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: cpe_name - type: keyword - description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. - - name: profiles - type: keyword - description: The list of profiles used to create the event. - - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: module type: group fields: @@ -3258,6 +3150,9 @@ - name: type type: keyword description: 'The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.' + - name: query_info + type: flattened + description: The query info object holds information related to data access within a datastore. - name: query_time type: date description: The Domain Name System (DNS) query time. @@ -3733,6 +3628,9 @@ - name: version type: keyword description: The TLS protocol version. + - name: table + type: flattened + description: The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried. - name: traffic type: group fields: 
@@ -3762,7 +3660,10 @@ description: The tree id is a unique SMB identifier which represents an open connection to a share. - name: type type: keyword - description: The type of FTP network connection (e.g. active, passive). + description: The type the event. + - name: type_id + type: integer + description: The normalized event type identifier. - name: type_name type: keyword description: The event type name, as defined by the type_uid. diff --git a/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml new file mode 100644 index 000000000000..00f399e22ecd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml 
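Review bot: The rewritten description on the `type` field reads `The type the event.`, which is missing a word; it should be `description: The type of the event.`. Replacing the old FTP-connection text is right, but the new wording is also less precise than the neighbouring `type_name` entry, which says the value is defined by `type_uid`. If `type` and `type_name` are populated from the same source, aligning them, e.g. `description: The event type, as defined by the type_uid.`, would make the relationship clear; I cannot tell from this hunk alone how the pipeline fills `type`.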
@@ -0,0 +1,129 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. 
For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml index 0f4fc84ae3fe..8ce12477ebc7 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml 
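Review bot: The `tenant_uid` entry at the top of this new file carries the description `The audit level at which an event was generated.`, which does not describe a tenant identifier and looks copied from an unrelated field; the same text is in the byte-identical findings copy (findings/fields/metadata-fields.yml, same blob 00f399e22ecd) and was already present in the block removed from event/fields/fields.yml, so this commit is the natural place to fix it in both. Something like `description: The unique identifier of the tenant.` would match the field name. The file also maps `extension` and `extensions` with identical sub-fields; if one of them exists only for documents produced under the older schema version, a short comment above it saying which one current events populate would save the next reader a lookup.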
@@ -82,10 +82,16 @@ type: date format: epoch_second description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. - name: deleted_time type: date format: epoch_second description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. - name: email_addrs type: keyword description: A list of additional email addresses for the user. @@ -99,6 +105,9 @@ type: date format: epoch_second description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. - name: job_title type: keyword description: The user's job title. @@ -109,6 +118,9 @@ type: date format: epoch_second description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. - name: ldap_cn type: keyword description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. @@ -119,10 +131,16 @@ type: date format: epoch_second description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. - name: modified_time type: date format: epoch_second description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. - name: office_location type: keyword description: The primary office location associated with the user. This could be any string and isn't a specific address. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml index bc934388d178..89de2343dcc3 100644 
--- a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml @@ -19,6 +19,9 @@ - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -507,6 +510,9 @@ - name: uid type: keyword description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. - name: vendor_name type: keyword description: The name of the vendor of the product. @@ -1090,6 +1096,9 @@ - name: uid type: keyword description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. - name: vendor_name type: keyword description: The name of the vendor of the product. @@ -1192,6 +1201,9 @@ - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -1352,6 +1364,9 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: xattributes type: flattened description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
@@ -1582,21 +1597,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -1619,10 +1624,16 @@ type: date format: epoch_second description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. - name: deleted_time type: date format: epoch_second description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. - name: email_addrs type: keyword description: A list of additional email addresses for the user. @@ -1636,6 +1647,9 @@ type: date format: epoch_second description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. - name: job_title type: keyword description: The user's job title. 
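Review bot: Replacing the typed `org` group with `org.*` (`type: object`, `object_type: keyword`, `object_type_mapping_type: "*"`) drops the explicit mapping and documentation for `name`, `ou_name`, `ou_uid` and `uid`: every key that appears under `org` is now mapped dynamically as keyword, and the exported-fields list no longer tells an analyst which attributes to expect. Each distinct key a source emits under `org` also adds a field to the index mapping, so a source with highly variable organization attributes counts against the index field limit; that is presumably acceptable for this object, but worth stating. The same pattern appears in the hunk that opens this chunk. If the change is meant to absorb attributes the old list did not cover, the description should still name the ones known so far, e.g. `description: 'Organization and org unit related to the user, e.g. name, ou_name, ou_uid, uid.'`.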
@@ -1646,6 +1660,9 @@ type: date format: epoch_second description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. - name: ldap_cn type: keyword description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. @@ -1656,10 +1673,16 @@ type: date format: epoch_second description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. - name: modified_time type: date format: epoch_second description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. - name: office_location type: keyword description: The primary office location associated with the user. This could be any string and isn't a specific address. @@ -1733,6 +1756,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml index a277c08e1558..bc0f1057ff88 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml 
@@ -462,111 +462,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: loggers - type: flattened - description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. 
- - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. 
- - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. - - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: nist type: keyword description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml new file mode 100644 index 000000000000..00f399e22ecd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml 
@@ -0,0 +1,129 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. 
For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml new file mode 100644 index 000000000000..89de2343dcc3 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml 
@@ -0,0 +1,1796 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: actor
+ type: group
+ fields:
+ - name: authorizations
+ type: group
+ fields:
+ - name: decision
+ type: keyword
+ description: Authorization Result/outcome, e.g. allowed, denied.
+ - name: policy
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: 'The policy name. For example: IAM Policy.'
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
+ - name: idp
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the identity provider.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the identity provider.
+ - name: invoked_by
+ type: keyword
+ description: The name of the service that invoked the activity as described in the event.
+ - name: process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: integer
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: integer
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: group
+ fields:
+ - name: cost_center
+ type: keyword
+ description: The cost center associated with the user.
+ - name: created_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was created.
+ - name: created_time_dt
+ type: date
+ description: The date when the user was created.
+ - name: deleted_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was deleted.
+ - name: deleted_time_dt
+ type: date
+ description: The date when the user was deleted.
+ - name: email_addrs
+ type: keyword
+ description: A list of additional email addresses for the user.
+ - name: employee_uid
+ type: keyword
+ description: The employee identifier assigned to the user by the organization.
+ - name: given_name
+ type: keyword
+ description: The given or first name of the user.
+ - name: hire_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user was or will be hired by the organization.
+ - name: hire_time_dt
+ type: date
+ description: The date when the user was or will be hired by the organization.
+ - name: job_title
+ type: keyword
+ description: The user's job title.
+ - name: labels
+ type: keyword
+ description: The labels associated with the user. For example in AD this could be the userType, employeeType.
+ - name: last_login_time
+ type: date
+ format: epoch_second
+ description: The last time when the user logged in.
+ - name: last_login_time_dt
+ type: date
+ description: The last date when the user logged in.
+ - name: ldap_cn
+ type: keyword
+ description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
+ - name: ldap_dn
+ type: keyword
+ description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.
+ - name: leave_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user left or will be leaving the organization.
+ - name: leave_time_dt
+ type: date
+ description: The date when the user left or will be leaving the organization.
+ - name: modified_time
+ type: date
+ format: epoch_second
+ description: The timestamp when the user entry was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The date when the user entry was last modified.
+ - name: office_location
+ type: keyword
+ description: The primary office location associated with the user. This could be any string and isn't a specific address.
+ - name: surname
+ type: keyword
+ description: The last or family name for the user.
+ - name: location
+ type: group
+ fields:
+ - name: city
+ type: keyword
+ description: The name of the city.
+ - name: continent
+ type: keyword
+ description: The name of the continent.
+ - name: coordinates
+ type: geo_point
+ description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON.
+ - name: country
+ type: keyword
+ description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized.
+ - name: desc
+ type: keyword
+ description: The description of the geographical location.
+ - name: is_on_premises
+ type: boolean
+ description: The indication of whether the location is on premises.
+ - name: isp
+ type: keyword
+ description: The name of the Internet Service Provider (ISP).
+ - name: postal_code
+ type: keyword
+ description: The postal code of the location.
+ - name: provider
+ type: keyword
+ description: The provider of the geographical location data.
+ - name: region
+ type: keyword
+ description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.
+ - name: manager
+ type: group
+ description: Manager
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
index 6f778ca7dc4d..83a867224a41 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
@@ -7,1557 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- - name: type
- type: keyword
- description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the feature.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- - name: group
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: integrity
- type: keyword
- description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
- - name: integrity_id
- type: keyword
- description: The normalized identifier of the process integrity level (Windows only).
- - name: lineage
- type: keyword
- description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
- - name: loaded_modules
- type: keyword
- description: The list of loaded module names.
- - name: name
- type: keyword
- description: 'The friendly name of the process, for example: Notepad++.'
- - name: namespace_pid
- type: long
- description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- - name: parent_process
- type: flattened
- description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
- - name: parent_process_keyword
- type: keyword
- ignore_above: 1024
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system.
Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: Organization and org unit related to the user.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier.
For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: pid
- type: long
- description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
- - name: sandbox
- type: keyword
- description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: terminated_time
- type: date
- description: The time when the process was terminated.
- - name: terminated_time_dt
- type: date
- description: The time when the process was terminated.
- - name: tid
- type: long
- description: The Identifier of the thread associated with the event, as returned by the operating system.
- - name: uid
- type: keyword
- description: A unique identifier for this process assigned by the producer (tool).
Facilitates correlation of a process event with other events for that process.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
- - name: session
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the session was created.
- - name: created_time_dt
- type: date
- description: The time when the session was created.
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: expiration_time
- type: date
- description: The session expiration time.
- - name: expiration_time_dt
- type: date
- description: The session expiration time.
- - name: is_remote
- type: boolean
- description: The indication of whether the session is remote.
- - name: issuer
- type: keyword
- description: The identifier of the session issuer.
- - name: mfa
- type: boolean
- - name: uid
- type: keyword
- description: The unique identifier of the session.
- - name: uuid
- type: keyword
- description: The universally unique identifier of the session.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- name: api
type: group
fields:
@@ -3282,111 +1731,6 @@
- name: message
type: keyword
description: The description of the event, as defined by the event source.
- - name: metadata
- type: group
- fields:
- - name: correlation_uid
- type: keyword
- description: The unique identifier used to correlate events.
- - name: event_code
- type: keyword
- description: The Event ID or Code that the product uses to describe the event.
- - name: extension
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The schema extension name. For example: dev.'
- - name: uid
- type: keyword
- description: 'The schema extension unique identifier. For example: 999.'
- - name: version
- type: keyword
- description: 'The schema extension version. For example: 1.0.0-alpha.2.'
- - name: labels
- type: keyword
- description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
- - name: loggers
- type: flattened
- description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
- - name: log_name
- type: keyword
- description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
- - name: log_provider
- type: keyword
- description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
- - name: log_version
- type: keyword
- description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
- - name: logged_time
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: logged_time_dt
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: modified_time
- type: date
- description: The time when the event was last modified or enriched.
- - name: modified_time_dt
- type: date
- description: The time when the event was last modified or enriched.
- - name: original_time
- type: keyword
- description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
- - name: processed_time
- type: date
- description: The event processed time, such as an ETL operation.
- - name: processed_time_dt
- type: date
- description: The event processed time, such as an ETL operation.
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: profiles
- type: keyword
- description: The list of profiles used to create the event.
- - name: sequence
- type: long
- description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- - name: uid
- type: keyword
- description: The logging system-assigned unique identifier of an event instance.
- - name: version
- type: keyword
- description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
- name: observables
type: group
fields:
@@ -3512,84 +1856,6 @@
- name: unmapped
type: flattened
description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
- - name: user
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- name: user_result
type: group
fields:
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml
new file mode 100644
index 000000000000..00f399e22ecd
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml
@@ -0,0 +1,129 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: metadata
+ type: group
+ fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: extensions
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1.
For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml
new file mode 100644
index 000000000000..8ce12477ebc7
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml
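Review bot: The description of `tenant_uid`, the first attribute of the new metadata group, reads "The audit level at which an event was generated." and does not describe a tenant identifier; it looks copied from a different attribute, so unless it was lifted verbatim from the OCSF dictionary it should become something like `description: The unique tenant identifier.`. `tenant_uid` is also the only attribute in the group that is out of alphabetical order; placing it after `sequence` would keep the listing consistent with the rest of the file. The `extension` and `extensions` groups declare identical fields, and a one-line comment above `extension` saying why both are kept (presumably `extension` is the older single-object form retained for compatibility) would spare the next reader a diff of the two blocks. The `cpe_name` description is missing its sentence break and should read `as described by (NIST). For example, cpe:/a:apple:safari:16.2.`.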
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. 
For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. 
+ - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). 
+ - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml index 9f344036ae3d..89de2343dcc3 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml @@ -19,6 +19,9 @@ - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -74,7 +77,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword 
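Review bot: The `ldap_person` time fields in this new file (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are mapped with `format: epoch_second`, while the other OCSF timestamp fields touched by this commit (`logged_time`, `modified_time`, `processed_time` in the metadata group at the top of this page) are plain `type: date`. OCSF defines `timestamp_t` as milliseconds since the Unix epoch, so unless the ingest pipeline divides these values before indexing, a 13-digit value will be parsed as seconds and land in the far future; the `_dt` siblings are unaffected since they carry no format. Either drop the `format: epoch_second` line so Elasticsearch's default `strict_date_optional_time||epoch_millis` applies, or confirm in the pipeline test expectations that these values arrive in seconds and note that on the field. The same pattern appears in the `ldap_person` group added to network_activity/fields/actor-fields.yml later on this page (hunk `@@ -1558,3 +1614,183 @@`).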
@@ -155,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -175,6 +178,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -202,7 +208,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -220,7 +226,7 @@ type: keyword description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - name: confidentiality_id - type: keyword + type: integer description: The normalized identifier of the file content confidentiality indicator. - name: created_time type: date @@ -241,7 +247,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -261,6 +267,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -288,7 +297,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword 
@@ -306,7 +315,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword @@ -336,7 +345,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -356,6 +365,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -383,7 +395,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -407,7 +419,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -427,6 +439,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. 
@@ -454,7 +469,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -514,11 +529,14 @@ type: keyword description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized digital signature algorithm. - name: certificate type: group fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. - name: created_time type: date description: The time when the certificate was created. @@ -538,7 +556,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword @@ -571,7 +589,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword @@ -583,7 +601,7 @@ type: keyword description: The file type. - name: type_id - type: keyword + type: integer description: The file type ID. - name: uid type: keyword 
@@ -616,7 +634,7 @@ type: keyword description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - name: integrity_id - type: keyword + type: integer description: The normalized identifier of the process integrity level (Windows only). - name: lineage type: keyword @@ -649,7 +667,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword @@ -730,7 +748,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -750,6 +768,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -776,7 +797,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -794,7 +815,7 @@ type: keyword description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - name: confidentiality_id - type: keyword + type: integer description: The normalized identifier of the file content confidentiality indicator. - name: created_time type: date 
@@ -815,7 +836,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -835,6 +856,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -861,7 +885,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -879,7 +903,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword @@ -909,7 +933,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -929,6 +953,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -955,7 +982,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword 
@@ -979,7 +1006,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -999,6 +1026,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -1025,7 +1055,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -1085,11 +1115,14 @@ type: keyword description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized digital signature algorithm. - name: certificate type: group fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. - name: created_time type: date description: The time when the certificate was created. @@ -1109,7 +1142,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword 
@@ -1142,7 +1175,7 @@ type: keyword description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - name: algorithm_id - type: keyword + type: integer description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - name: value type: keyword @@ -1154,7 +1187,7 @@ type: keyword description: The file type. - name: type_id - type: keyword + type: integer description: The file type ID. - name: uid type: keyword @@ -1168,6 +1201,9 @@ - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -1187,7 +1223,7 @@ type: keyword description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - name: integrity_id - type: keyword + type: integer description: The normalized identifier of the process integrity level (Windows only). - name: lineage type: keyword @@ -1270,7 +1306,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -1290,6 +1326,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -1317,7 +1356,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword 
@@ -1325,6 +1364,9 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: xattributes type: flattened description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. @@ -1391,7 +1433,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -1411,6 +1453,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. @@ -1437,7 +1482,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword 
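Review bot: `ldap_person` is added here as `type: flattened`, whereas the `ldap_person` added to the top-level `user` further down this same file (hunk `@@ -1558,3 +1614,183 @@`) is a fully typed `group` with `date`, `boolean` and `geo_point` leaves. A flattened field indexes every leaf as a keyword string, so `created_time`, `is_on_premises` and `coordinates` under this `ldap_person` will have no date, boolean or geo semantics while the same attributes under `user.ldap_person` will, which makes cross-field queries and visualisations inconsistent within one document. If the flattened form is a deliberate cap on mapping depth or field count for this nested user (it appears to sit under a process, judging by the neighbouring `xattributes` description), a comment such as `# flattened rather than group to bound the mapped field count; see user.ldap_person for the typed form` would record that; otherwise the group definition should be reused here. The enclosing `user` group starts before this hunk.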
@@ -1480,6 +1525,24 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. - name: user type: group fields: @@ -1493,7 +1556,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword @@ -1513,6 +1576,9 @@ - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. 
@@ -1531,26 +1597,16 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword 
@@ -1558,3 +1614,183 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. 
+ - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml index 1aba4dd27fe7..91063c5a28b6 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml 
@@ -1162,111 +1162,6 @@
 - name: message
 type: keyword
 description: The description of the event, as defined by the event source.
- - name: metadata
- type: group
- fields:
- - name: correlation_uid
- type: keyword
- description: The unique identifier used to correlate events.
- - name: event_code
- type: keyword
- description: The Event ID or Code that the product uses to describe the event.
- - name: extension
- type: group
- fields:
- - name: name
- type: keyword
- description: 'The schema extension name. For example: dev.'
- - name: uid
- type: keyword
- description: 'The schema extension unique identifier. For example: 999.'
- - name: version
- type: keyword
- description: 'The schema extension version. For example: 1.0.0-alpha.2.'
- - name: labels
- type: keyword
- description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
- - name: loggers
- type: flattened
- description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
- - name: log_name
- type: keyword
- description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
- - name: log_provider
- type: keyword
- description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
- - name: log_version
- type: keyword
- description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
- - name: logged_time
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: logged_time_dt
- type: date
- description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- - name: modified_time
- type: date
- description: The time when the event was last modified or enriched.
- - name: modified_time_dt
- type: date
- description: The time when the event was last modified or enriched.
- - name: original_time
- type: keyword
- description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
- - name: processed_time
- type: date
- description: The event processed time, such as an ETL operation.
- - name: processed_time_dt
- type: date
- description: The event processed time, such as an ETL operation.
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: profiles
- type: keyword
- description: The list of profiles used to create the event.
- - name: sequence
- type: long
- description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- - name: uid
- type: keyword
- description: The logging system-assigned unique identifier of an event instance.
- - name: version
- type: keyword
- description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
 - name: name
 type: keyword
 description: The name of the data affiliated with the command.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml
new file mode 100644
index 000000000000..00f399e22ecd
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml
@@ -0,0 +1,129 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: metadata
+ type: group
+ fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: extensions
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1.
For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
new file mode 100644
index 000000000000..89de2343dcc3
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
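Review bot: The description on `tenant_uid` near the top of this hunk, `The audit level at which an event was generated.`, does not describe a tenant identifier and reads as copied from another field; `description: The unique tenant identifier.` is what the field name and its OCSF metadata counterpart mean. `extension` and `extensions` are mapped with identical sub-fields and wording; presumably the singular form is retained for events produced before the array form existed, and a comment such as `# extension is the older singular form; OCSF 1.1 events populate extensions` above it would keep a later cleanup from dropping the wrong one. The same copy-paste mismatches recur in the system_activity actor-fields hunk that follows, whose end lies outside this view: `creator.name` is described as `The name of the city.`, `modifier.email_addr` as `The image name. For example: elixir.` while `full_name` carries the email wording, `owner.type` has the stray prefix `The event occurred on a personal device.`, `file.product.name` and `uid` reuse the feature descriptions, and `integrity` refers to `direction_id` rather than `integrity_id`. Since these descriptions are what the generated field documentation shows analysts, a reader of a system-activity event would be given the wrong meaning for exactly the actor, file-owner and integrity fields used to judge who did what.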
@@ -0,0 +1,1796 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized digital signature algorithm. 
+ - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: integer + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: integer + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. 
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: group
+ fields:
+ - name: auid
+ type: keyword
+ description: The audit user assigned at login by the audit subsystem.
+ - name: cmd_line
+ type: keyword
+ description: The full command line used to launch an application, service, process, or job.
+ - name: container
+ type: group
+ fields:
+ - name: hash
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: image
+ type: group
+ fields:
+ - name: labels
+ type: keyword
+ description: The image labels.
+ - name: name
+ type: keyword
+ description: The image name.
+ - name: path
+ type: keyword
+ description: The full path to the image file.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The unique image ID.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: long
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: created_time
+ type: date
+ description: The time when the process was created/started.
+ - name: created_time_dt
+ type: date
+ description: The time when the process was created/started.
+ - name: egid
+ type: keyword
+ description: The effective group under which this process is running.
+ - name: euid
+ type: keyword
+ description: The effective user under which this process is running.
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: integer
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: 'The image name. For example: elixir.'
+ - name: full_name
+ type: keyword
+ description: The user's email address.
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the certificate.
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: integer
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: integer
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: integrity
+ type: keyword
+ description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only).
+ - name: integrity_id
+ type: integer
+ description: The normalized identifier of the process integrity level (Windows only).
+ - name: lineage
+ type: keyword
+ description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].'
+ - name: loaded_modules
+ type: keyword
+ description: The list of loaded module names.
+ - name: name
+ type: keyword
+ description: 'The friendly name of the process, for example: Notepad++.'
+ - name: namespace_pid
+ type: long
+ description: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+ - name: parent_process
+ type: flattened
+ description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.
+ - name: parent_process_keyword
+ type: keyword
+ ignore_above: 1024
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: pid
+ type: long
+ description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
+ - name: sandbox
+ type: keyword
+ description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: terminated_time
+ type: date
+ description: The time when the process was terminated.
+ - name: terminated_time_dt
+ type: date
+ description: The time when the process was terminated.
+ - name: tid
+ type: long
+ description: The Identifier of the thread associated with the event, as returned by the operating system.
+ - name: uid
+ type: keyword
+ description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
+ - name: session
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the session was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the session was created.
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: expiration_time
+ type: date
+ description: The session expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The session expiration time.
+ - name: is_remote
+ type: boolean
+ description: The indication of whether the session is remote.
+ - name: issuer
+ type: keyword
+ description: The identifier of the session issuer.
+ - name: mfa
+ type: boolean
+ - name: uid
+ type: keyword
+ description: The unique identifier of the session.
+ - name: uuid
+ type: keyword
+ description: The universally unique identifier of the session.
+ - name: count
+ type: integer
+ description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.
+ - name: expiration_reason
+ type: keyword
+ description: The reason which triggered the session expiration.
+ - name: is_mfa
+ type: boolean
+ description: Indicates whether Multi Factor Authentication was used during authentication.
+ - name: is_vpn
+ type: boolean
+ description: The indication of whether the session is a VPN session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
+ - name: uid_alt
+ type: keyword
+ description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session.
+ - name: user
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org.*
+ type: object
+ object_type: keyword
+ object_type_mapping_type: "*"
+ description: Organization and org unit related to the user.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. 
+ - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). 
+ - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index 15c87483924e..e4a9c3821cd1 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml 
@@ -10,1563 +10,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - description: Organization and org unit related to the user. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org.* - type: object - object_type: keyword - object_type_mapping_type: "*" - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. 
- - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). 
- - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
- - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: actual_permissions type: long description: The permissions that were granted to the in a platform-native format. 
@@ -3924,111 +2367,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: loggers - type: flattened - description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. 
- - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. 
- - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. - - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: module type: group fields: diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml new file mode 100644 index 000000000000..00f399e22ecd --- /dev/null +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml 
@@ -0,0 +1,129 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: metadata
+ type: group
+ fields:
+ - name: tenant_uid
+ type: keyword
+ description: The audit level at which an event was generated.
+ - name: correlation_uid
+ type: keyword
+ description: The unique identifier used to correlate events.
+ - name: event_code
+ type: keyword
+ description: The Event ID or Code that the product uses to describe the event.
+ - name: extension
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: extensions
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: 'The schema extension name. For example: dev.'
+ - name: uid
+ type: keyword
+ description: 'The schema extension unique identifier. For example: 999.'
+ - name: version
+ type: keyword
+ description: 'The schema extension version. For example: 1.0.0-alpha.2.'
+ - name: labels
+ type: keyword
+ description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
+ - name: log_level
+ type: keyword
+ description: The log level of the event.
+ - name: loggers
+ type: flattened
+ description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
+ - name: log_name
+ type: keyword
+ description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
+ - name: log_provider
+ type: keyword
+ description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
+ - name: log_version
+ type: keyword
+ description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
+ - name: logged_time
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: logged_time_dt
+ type: date
+ description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
+ - name: modified_time
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: modified_time_dt
+ type: date
+ description: The time when the event was last modified or enriched.
+ - name: original_time
+ type: keyword
+ description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
+ - name: processed_time
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: processed_time_dt
+ type: date
+ description: The event processed time, such as an ETL operation.
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lowercase language codes, as defined by ISO 639-1.
For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: cpe_name
+ type: keyword
+ description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
+ - name: profiles
+ type: keyword
+ description: The list of profiles used to create the event.
+ - name: sequence
+ type: long
+ description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
+ - name: uid
+ type: keyword
+ description: The logging system-assigned unique identifier of an event instance.
+ - name: version
+ type: keyword
+ description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index e92a952c6924..8e8e2ba9ba24 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
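Review bot: The `tenant_uid` field in the new metadata-fields.yml carries the description `The audit level at which an event was generated.`, which does not describe a tenant identifier and looks copied from a different attribute; suggest `description: The unique identifier of the tenant.` so the exported field docs do not mislead analysts pivoting on tenant. The `cpe_name` description also runs two sentences together after `(NIST)`; `description: The Common Platform Enumeration (CPE) name as described by NIST. For example, cpe:/a:apple:safari:16.2.` reads correctly. The file declares both an `extension` group and an `extensions` group with identical members and descriptions; if one is kept only for compatibility with events from an older schema version, a comment above it saying so would spare the next maintainer the question of whether the duplication is intentional.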
@@ -430,6 +430,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.actor.process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | | ocsf.actor.process.parent_process.group.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.group.name | The group name. | keyword | | ocsf.actor.process.parent_process.group.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.group.type | The type of the group or account. | keyword | @@ -472,6 +473,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.user.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.user.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.user.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.user.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.user.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | 
@@ -546,57 +548,9 @@ This is the `Event` dataset. | ocsf.actor.user.groups.privileges | The group privileges. | keyword | | ocsf.actor.user.groups.type | The type of the group or account. | keyword | | ocsf.actor.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.actor.user.ldap_person.cost_center | The cost center associated with the user. | keyword | -| ocsf.actor.user.ldap_person.created_time | The timestamp when the user was created. | date | -| ocsf.actor.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date | -| ocsf.actor.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword | -| ocsf.actor.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword | -| ocsf.actor.user.ldap_person.given_name | The given or first name of the user. | keyword | -| ocsf.actor.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date | -| ocsf.actor.user.ldap_person.job_title | The user's job title. | keyword | -| ocsf.actor.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. | keyword | -| ocsf.actor.user.ldap_person.last_login_time | The last time when the user logged in. | date | -| ocsf.actor.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword | -| ocsf.actor.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. | keyword | -| ocsf.actor.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. 
| date | -| ocsf.actor.user.ldap_person.location.city | The name of the city. | keyword | -| ocsf.actor.user.ldap_person.location.continent | The name of the continent. | keyword | -| ocsf.actor.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | -| ocsf.actor.user.ldap_person.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword | -| ocsf.actor.user.ldap_person.location.desc | The description of the geographical location. | keyword | -| ocsf.actor.user.ldap_person.location.is_on_premises | The indication of whether the location is on premises. | boolean | -| ocsf.actor.user.ldap_person.location.isp | The name of the Internet Service Provider (ISP). | keyword | -| ocsf.actor.user.ldap_person.location.postal_code | The postal code of the location. | keyword | -| ocsf.actor.user.ldap_person.location.provider | The provider of the geographical location data. | keyword | -| ocsf.actor.user.ldap_person.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | -| ocsf.actor.user.ldap_person.manager.account.name | The name of the account (e.g. GCP Account Name). | keyword | -| ocsf.actor.user.ldap_person.manager.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.user.ldap_person.manager.account.type_id | The normalized account type identifier. | integer | -| ocsf.actor.user.ldap_person.manager.account.uid | The unique identifier of the account (e.g. AWS Account ID). 
| keyword | -| ocsf.actor.user.ldap_person.manager.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | -| ocsf.actor.user.ldap_person.manager.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | -| ocsf.actor.user.ldap_person.manager.email_addr | The user's email address. | keyword | -| ocsf.actor.user.ldap_person.manager.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | -| ocsf.actor.user.ldap_person.manager.groups.desc | The group description. | keyword | -| ocsf.actor.user.ldap_person.manager.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | -| ocsf.actor.user.ldap_person.manager.groups.name | The group name. | keyword | -| ocsf.actor.user.ldap_person.manager.groups.privileges | The group privileges. | keyword | -| ocsf.actor.user.ldap_person.manager.groups.type | The type of the group or account. | keyword | -| ocsf.actor.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.actor.user.ldap_person.manager.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.user.ldap_person.manager.org.\* | Organization and org unit related to the user. | object | -| ocsf.actor.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.user.ldap_person.manager.type_id | The account type identifier. | integer | -| ocsf.actor.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | -| ocsf.actor.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
| keyword | -| ocsf.actor.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date | -| ocsf.actor.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword | -| ocsf.actor.user.ldap_person.surname | The last or family name for the user. | keyword | +| ocsf.actor.user.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.user.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.user.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.user.type_id | The account type identifier. | integer | | ocsf.actor.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -740,6 +694,8 @@ This is the `Event` dataset. | ocsf.count | The number of times that events in the same logical group occurred during the event Start Time to End Time period. | long | | ocsf.create_mask | The original Windows mask that is required to create the object. | keyword | | ocsf.data_sources | The data sources for the finding. | keyword | +| ocsf.database | The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data. | flattened | +| ocsf.databucket | The data bucket object is a basic container that holds data, typically organized through the use of data partitions. | flattened | | ocsf.dce_rpc.command | The request command (e.g. REQUEST, BIND). | keyword | | ocsf.dce_rpc.command_response | The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). | keyword | | ocsf.dce_rpc.flags | The list of interface flags. | keyword | @@ -1476,6 +1432,9 @@ This is the `Event` dataset. | ocsf.metadata.extension.name | The schema extension name. For example: dev. | keyword | | ocsf.metadata.extension.uid | The schema extension unique identifier. For example: 999. | keyword | | ocsf.metadata.extension.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword | +| ocsf.metadata.extensions.name | The schema extension name. For example: dev. | keyword | +| ocsf.metadata.extensions.uid | The schema extension unique identifier. For example: 999. | keyword | +| ocsf.metadata.extensions.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword | | ocsf.metadata.labels | The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. | keyword | | ocsf.metadata.log_level | The log level of the event. | keyword | | ocsf.metadata.log_name | The event log name. For example, syslog file name or Windows logging subsystem: Security. | keyword | 
@@ -1725,6 +1684,7 @@ This is the `Event` dataset. | ocsf.query.opcode_id | The DNS opcode ID specifies the normalized query message type. | keyword | | ocsf.query.packet_uid | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | | ocsf.query.type | The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS. | keyword | +| ocsf.query_info | The query info object holds information related to data access within a datastore. | flattened | | ocsf.query_time | The Domain Name System (DNS) query time. | date | | ocsf.query_time_dt | The Domain Name System (DNS) query time. | date | | ocsf.raw_data | The event data as received from the event source. | flattened | @@ -1899,6 +1859,7 @@ This is the `Event` dataset. | ocsf.status_id | The normalized identifier of the event status. | keyword | | ocsf.stratum | The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. | keyword | | ocsf.stratum_id | The normalized identifier of the stratum level, as defined in RFC-5905. | integer | +| ocsf.table | The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried. | flattened | | ocsf.time | The normalized event occurrence time. | date | | ocsf.time_dt | The normalized event occurrence time. | date | | ocsf.timezone_offset | The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. | long | 
@@ -1941,7 +1902,8 @@ This is the `Event` dataset. | ocsf.traffic.packets_out | The number of packets sent from the source to the destination. | long | | ocsf.transaction_uid | The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair. | keyword | | ocsf.tree_uid | The tree id is a unique SMB identifier which represents an open connection to a share. | keyword | -| ocsf.type | The type of FTP network connection (e.g. active, passive). | keyword | +| ocsf.type | The type the event. | keyword | +| ocsf.type_id | The normalized event type identifier. | integer | | ocsf.type_name | The event type name, as defined by the type_uid. | keyword | | ocsf.type_uid | The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid \* 100 + activity_id. | keyword | | ocsf.unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | flattened | 
@@ -1971,17 +1933,22 @@ This is the `Event` dataset. | ocsf.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.user.ldap_person.cost_center | The cost center associated with the user. | keyword | | ocsf.user.ldap_person.created_time | The timestamp when the user was created. | date | +| ocsf.user.ldap_person.created_time_dt | The date when the user was created. | date | | ocsf.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date | +| ocsf.user.ldap_person.deleted_time_dt | The date when the user was deleted. | date | | ocsf.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword | | ocsf.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword | | ocsf.user.ldap_person.given_name | The given or first name of the user. | keyword | | ocsf.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date | +| ocsf.user.ldap_person.hire_time_dt | The date when the user was or will be hired by the organization. | date | | ocsf.user.ldap_person.job_title | The user's job title. | keyword | | ocsf.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. | keyword | | ocsf.user.ldap_person.last_login_time | The last time when the user logged in. | date | +| ocsf.user.ldap_person.last_login_time_dt | The last date when the user logged in. | date | | ocsf.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword | | ocsf.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. 
| keyword | | ocsf.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date | +| ocsf.user.ldap_person.leave_time_dt | The date when the user left or will be leaving the organization. | date | | ocsf.user.ldap_person.location.city | The name of the city. | keyword | | ocsf.user.ldap_person.location.continent | The name of the continent. | keyword | | ocsf.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | @@ -2013,6 +1980,7 @@ This is the `Event` dataset. | ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date | +| ocsf.user.ldap_person.modified_time_dt | The date when the user entry was last modified. | date | | ocsf.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword | | ocsf.user.ldap_person.surname | The last or family name for the user. | keyword | | ocsf.user.name | The username. For example, janedoe1. | keyword | From 73b7be8c4a2416b0f934f85628f54681ea8bf02a Mon Sep 17 00:00:00 2001 
From: Shourie Ganguly Date: Tue, 6 Aug 2024 20:06:28 +0530 Subject: [PATCH 13/30] added support for detection finding event class, segregated and mapped finding_info in findings data stream --- .../data_stream/discovery/fields/fields.yml | 6 + .../_dev/test/pipeline/test-findings.log | 1 + .../pipeline/test-findings.log-expected.json | 1175 +++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 6 +- .../data_stream/event/fields/fields.yml | 21 + .../data_stream/findings/fields/fields.yml | 19 +- .../findings/fields/finding-info-fields.yml | 137 ++ packages/amazon_security_lake/docs/README.md | 7 + 8 files changed, 1366 insertions(+), 6 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml index 40ccbd56c4f4..31662dc2cf6d 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml @@ -82,6 +82,12 @@ - name: kb_articles type: keyword description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. - name: rule type: group fields: diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log index e33d8625112f..37038465d30d 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log 
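Review bot: The new `kb_article_list` (flattened) is added directly below the existing `kb_articles` (keyword) with nothing saying how the two relate, so a reader of the fields file cannot tell whether both are expected to be populated or one supersedes the other; presumably the structured list is the newer-schema form of the string list, and a description such as `description: A list of KB articles or patches related to an endpoint. Structured counterpart of kb_articles.` would make that explicit. The `references` description also reads awkwardly; `description: A list of supporting URLs or references that help describe the remediation strategy.` is cleaner. The group these fields belong to starts outside the hunk.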
@@ -1,2 +1,3 @@ {"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Security Finding","class_uid":2001,"cloud":{"account":{"uid":"522536594833"},"provider":"AWS","region":"us-east-1"},"compliance":{"requirements":["PCI1.2"],"status":"PASSED","status_detail":"CloudWatch alarms do not exist in the account"},"finding":{"created_time":1635449619417,"desc":"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.","first_seen_time":1635449619417,"last_seen_time":1659636565316,"modified_time":1659636559100,"related_events":[{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"123e4567-e89b-12d3-a456-426655440000"},{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"AcmeNerfHerder-111111111111-x189dx7824"}],"remediation":{"desc":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","kb_articles":["https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"]},"title":"EC2.19 Security groups should not allow unrestricted access to ports with high risk","types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"uid":"test"},"malware":[{"classification_ids":[1],"classifications":["Adware"],"name":"Stringler","path":"/usr/sbin/stringler"}],"metadata":{"product":{"feature":{"name":"Security Hub","uid":"aws-foundational-security-best-practices/v/1.0.0/EC2.19"},"name":"Security 
Hub","uid":"arn:aws:securityhub:us-east-1::product/aws/securityhub","vendor_name":"AWS","version":"2018-10-08"},"profiles":["cloud"],"version":"1.0.0-rc.2"},"resources":[{"cloud_partition":"aws","labels":["billingCode=Lotus-1-2-3","needsPatching=true"],"region":"us-east-1","type":"AwsEc2SecurityGroup","uid":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499"}],"severity":"Informational","severity_id":1,"state":"Resolved","state_id":4,"time":1659636559100,"type_name":"Security Finding: Update","type_uid":200102,"unmapped":{"CompanyName":"AWS","Compliance.StatusReasons[].ReasonCode":"CW_ALARMS_NOT_PRESENT","FindingProviderFields.Severity.Label":"INFORMATIONAL","FindingProviderFields.Severity.Original":"INFORMATIONAL","FindingProviderFields.Types[]":"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices","Malware[].State":"OBSERVED","ProductFields.ControlId":"EC2.19","ProductFields.RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation","ProductFields.RelatedAWSResources:0/name":"securityhub-vpc-sg-restricted-common-ports-2af29baf","ProductFields.RelatedAWSResources:0/type":"AWS::Config::ConfigRule","ProductFields.Resources:0/Id":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499","ProductFields.StandardsArn":"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0","ProductFields.StandardsControlArn":"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19","ProductFields.StandardsSubscriptionArn":"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0","ProductFields.aws/securityhub/CompanyName":"AWS","ProductFields.aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/b
f428107-eee0-4d19-a013-92748ed69eef","ProductFields.aws/securityhub/ProductName":"Security Hub","RecordState":"ACTIVE","Severity.Normalized":"0","Severity.Original":"INFORMATIONAL","Severity.Product":"0","Vulnerabilities[].Cvss[].BaseScore":"4.7,1.0","Vulnerabilities[].Cvss[].BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N","Vulnerabilities[].Cvss[].Version":"V3,V2","Vulnerabilities[].Vendor.VendorSeverity":"Medium","WorkflowState":"NEW"},"vulnerabilities":[{"cve":{"created_time":1579132903000,"cvss":{"base_score":4.7,"vector_string":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"V3"},"modified_time":1579132903000,"uid":"CVE-2020-12345"},"kb_articles":["https://alas.aws.amazon.com/ALAS-2020-1337.html"],"packages":[{"architecture":"x86_64","epoch":1,"name":"openssl","release":"16.amzn2.0.3","version":"1.0.2k"},{"architecture":"x86_64","epoch":3,"name":"yaml","release":"16.amzn2.0.3","version":"4.3.2"}],"references":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"],"related_vulnerabilities":["CVE-2020-12345"],"vendor_name":"Alas"}]} {"status":"In Progress","time":1722327712967320,"metadata":{"version":"1.1.0","product":{"name":"bouquet forget occupied","version":"1.1.0","uid":"c6afd262-4e4c-11ef-a63c-0242ac110005","feature":{"name":"updating lawyers string","uid":"c6afdb4a-4e4c-11ef-a8c4-0242ac110005"},"cpe_name":"words geographical gets","vendor_name":"trim massive setting"},"sequence":2,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"shall none shipped","log_provider":"outlined produced examining","original_time":"scope institutions int","tenant_uid":"c6afe64e-4e4c-11ef-bcf9-0242ac110005","logged_time_dt":"2024-07-30T08:21:52.967232Z"},"resource":{"owner":{"name":"Dude","type":"Admin","uid":"c6b0192a-4e4c-11ef-90f9-0242ac110005","type_id":2,"uid_alt":"recommendation highs equipped"},"type":"carb le multimedia","group":{"name":"resorts 
looking issues"},"namespace":"explain les collections"},"severity":"Fatal","type_name":"Vulnerability Finding: Create","activity_id":1,"type_uid":200201,"category_name":"Findings","class_uid":2002,"category_uid":2,"class_name":"Vulnerability Finding","start_time_dt":"2024-07-30T08:21:52.968170Z","end_time_dt":"2024-07-30T08:21:52.967308Z","timezone_offset":17,"activity_name":"Create","actor":{"user":{"name":"Without","type":"Admin","uid":"c6af496e-4e4c-11ef-b35b-0242ac110005","type_id":2,"account":{"name":"susan amy ventures","type":"Windows Account","uid":"c6af57e2-4e4c-11ef-b613-0242ac110005","type_id":2},"credential_uid":"c6af5ecc-4e4c-11ef-bda8-0242ac110005"}},"cloud":{"org":{"name":"africa za springer","uid":"c6b002c8-4e4c-11ef-b707-0242ac110005","ou_name":"opponent const outlet"},"project_uid":"c6b00a0c-4e4c-11ef-a1c9-0242ac110005","provider":"loving fabulous seating","region":"needed costumes main"},"confidence":"characteristic benz automotive","confidence_id":3,"finding_info":{"title":"vinyl lease crown","uid":"c6af0030-4e4c-11ef-963a-0242ac110005","analytic":{"name":"incentives module joyce","type":"Rule","uid":"c6af34ec-4e4c-11ef-a5db-0242ac110005","category":"sanyo asus escorts","type_id":1},"data_sources":["reliable honey flexibility"],"created_time_dt":"2024-07-30T08:21:52.962788Z","modified_time_dt":"2024-07-30T08:21:52.962804Z"},"severity_id":6,"status_id":2,"vulnerabilities":[{"title":"trek ae danger","references":["suite featured smart","sanyo vbulletin contain"],"cve":{"type":"republicans offset expense","title":"smilies since terminal","uid":"c6af9176-4e4c-11ef-8fde-0242ac110005","references":["brass duty expected"],"created_time":1722327712965081,"cvss":[{"version":"1.1.0","depth":"Base","base_score":97.7035,"overall_score":29.3613}]},"cwe":{"uid":"c6af9f0e-4e4c-11ef-b234-0242ac110005","caption":"blanket toshiba olympics"},"kb_articles":["mounts el significantly","newer length frost"],"packages":[{"name":"nuts nine 
horn","version":"1.1.0","architecture":"diana zen collector"},{"name":"answered absence oxygen","version":"1.1.0","release":"classroom virtually satisfactory","architecture":"railway offering vietnamese"}]},{"references":["workshop surprising ceramic","grow annually mom"],"severity":"villas haiti links","cve":{"type":"coaching workflow sony","title":"jim patients rick","uid":"c6afb07a-4e4c-11ef-9138-0242ac110005","references":["propecia rebecca savage"],"created_time":1722327712965872,"created_time_dt":"2024-07-30T08:21:52.965881Z","modified_time_dt":"2024-07-30T08:21:52.965891Z"},"cwe":{"uid":"c6afba70-4e4c-11ef-8ac3-0242ac110005"},"kb_articles":["resistant verified wiring","redhead informal frankfurt"]}]} +{"message":"satellite violent subscriptions","status":"Suppressed","time":1722951737015847,"metadata":{"version":"1.1.0","product":{"name":"favorite dictionary butter","version":"1.1.0","uid":"b201250c-53f9-11ef-a42e-0242ac110005","vendor_name":"routing attending username"},"labels":["paper","james"],"profiles":[],"log_name":"variables admin absolutely","log_provider":"facilities channels cradle","log_version":"unless mood revised","original_time":"complaint planning historic"},"severity":"Low","duration":19,"resources":[{"owner":{"name":"Plain","type":"Unknown","uid":"b2005820-53f9-11ef-9b03-0242ac110005","type_id":0,"ldap_person":{"deleted_time":1722951737010636,"job_title":"tp barely fancy"}},"version":"1.1.0","uid":"b2006efa-53f9-11ef-b4fa-0242ac110005","namespace":"inherited proceeds invalid"},{"owner":{"name":"Adsl","type":"User","type_id":1},"version":"1.1.0","group":{"name":"m biography divx","uid":"b200884a-53f9-11ef-b155-0242ac110005"},"labels":["circular","vip"],"namespace":"updating mic expo","criticality":"packaging neon hearings"}],"type_name":"Detection Finding: Create","activity_id":1,"type_uid":200401,"category_name":"Findings","class_uid":2004,"category_uid":2,"class_name":"Detection 
Finding","activity_name":"Create","confidence_id":2,"evidences":[{"process":{"pid":2,"file":{"attributes":61,"name":"mortgages.mp3","size":3964710393,"type":"Folder","path":"match fuzzy noise/royalty.cbr/mortgages.mp3","signature":{"certificate":{"uid":"b20156da-53f9-11ef-ae03-0242ac110005","subject":"norwegian satisfactory collective","issuer":"consist refers bite","fingerprints":[{"value":"98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0","algorithm":"SHA-512","algorithm_id":4},{"value":"F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737017011,"expiration_time":1722951737017020,"serial_number":"headers futures rico"},"algorithm":"Authenticode","algorithm_id":4,"created_time":1722951737017030},"type_id":2,"parent_folder":"match fuzzy noise/royalty.cbr","hashes":[{"value":"989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Brunei","type":"Unknown","uid":"b20169ae-53f9-11ef-a7ab-0242ac110005","type_id":0},"uid":"b2017ba6-53f9-11ef-8664-0242ac110005","cmd_line":"cattle disk nat","created_time":1722951737017869,"parent_process":{"name":"Districts","pid":61,"file":{"name":"points.dat","owner":{"name":"Possession","type":"packaging","uid":"b20198de-53f9-11ef-99e3-0242ac110005","groups":[{"name":"framework chambers motorcycle","domain":"robots opportunities auburn","uid":"b201a2de-53f9-11ef-91ee-0242ac110005"}],"type_id":99},"type":"Local Socket","version":"1.1.0","path":"perfume cleveland crystal/database.vob/points.dat","modifier":{"name":"Tower","type":"Unknown","uid":"b201c520-53f9-11ef-8fe7-0242ac110005","org":{"name":"gabriel harmful teach","uid":"b201cf5c-53f9-11ef-90e0-0242ac110005","ou_name":"chapel library 
combinations"},"type_id":0,"email_addr":"Lynne@rated.jobs"},"type_id":5,"accessor":{"name":"Record","type":"Unknown","uid":"b201dc40-53f9-11ef-a0fe-0242ac110005","type_id":0,"email_addr":"Zada@czech.museum","ldap_person":{"location":{"desc":"San Marino, Republic of","city":"Component got","country":"SM","coordinates":[-25.0862,-71.9167],"continent":"Europe"},"deleted_time":1722951737020608,"job_title":"tobago rubber abstracts"}},"parent_folder":"perfume cleveland crystal/database.vob","hashes":[{"value":"115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770","algorithm":"magic","algorithm_id":99},{"value":"77F4DE0C4DB55DEC736561AC64C7EA6B","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737020691},"user":{"name":"April","type":"System","uid":"b201f540-53f9-11ef-b886-0242ac110005","type_id":3,"credential_uid":"b201fbb2-53f9-11ef-b9d8-0242ac110005"},"uid":"b2020184-53f9-11ef-85ea-0242ac110005","cmd_line":"inquiries sept nil","created_time":1722951737021297,"lineage":["barbara flow indiana"],"parent_process":{"pid":98,"session":{"uid":"b2021138-53f9-11ef-a183-0242ac110005","issuer":"boulder candle footwear","created_time":1722951737021699,"is_remote":true},"file":{"name":"bryan.htm","type":"Character Device","path":"fuji collectible creator/describes.tex/bryan.htm","type_id":3,"company_name":"Reagan Vincenza","creator":{"type":"sydney","uid":"b2022628-53f9-11ef-97c3-0242ac110005","type_id":99},"mime_type":"numeric/produces","parent_folder":"fuji collectible creator/describes.tex","modified_time":1722951737022248},"user":{"name":"Inventory","type":"User","groups":[{"name":"drums brisbane belfast","uid":"b2023438-53f9-11ef-b235-0242ac110005"},{"name":"distinction wp inquiries","desc":"subdivision centered matched","uid":"b2023b9a-53f9-11ef-8b76-0242ac110005"}],"type_id":1,"credential_uid":"b20243f6-53f9-11ef-995a-0242ac110005","email_addr":"Salena@tour.coop","uid_alt":"headline press 
postal"},"uid":"b2024b62-53f9-11ef-85ae-0242ac110005","cmd_line":"correlation jd nintendo","created_time":1722951737023185,"xattributes":{}},"terminated_time":1722951737023238}},"file":{"name":"pounds.sdf","type":"footwear","path":"bent hostel listed/knives.fnt/pounds.sdf","product":{"name":"soldier ut outer","version":"1.1.0","uid":"b20268d6-53f9-11ef-8389-0242ac110005","vendor_name":"prototype blog convertible"},"type_id":99,"mime_type":"quit/helen","parent_folder":"bent hostel listed/knives.fnt","hashes":[{"value":"05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA","algorithm":"TLSH","algorithm_id":6},{"value":"EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47","algorithm":"SHA-256","algorithm_id":3}],"modified_time":1722951737024064},"query":{"type":"rrp look city","hostname":"monroe.museum","class":"researcher promotions theaters","opcode_id":3,"packet_uid":42},"connection_info":{"uid":"b2027e84-53f9-11ef-beec-0242ac110005","direction":"Outbound","direction_id":2,"protocol_num":63,"tcp_flags":39},"api":{"request":{"data":"courier","uid":"b2028ac8-53f9-11ef-bcf3-0242ac110005"},"response":{"error":"commissioner kill madness","code":48,"error_message":"whale holdings lol"},"operation":"prophet disabled joel"},"actor":{"process":{"pid":53,"file":{"name":"travel.ico","type":"Regular File","path":"choice estates triple/connecticut.rom/travel.ico","type_id":1,"accessor":{"name":"Japanese","type":"User","type_id":1,"ldap_person":{"hire_time":1722951737025505,"ldap_dn":"essentials incomplete main"},"uid_alt":"cassette dust evidence"},"parent_folder":"choice estates triple/connecticut.rom","confidentiality":"nation fishing 
professional","hashes":[{"value":"DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F","algorithm":"magic","algorithm_id":99},{"value":"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F","algorithm":"CTPH","algorithm_id":5}],"is_system":false,"security_descriptor":"burden authentication flashing"},"user":{"name":"Families","type":"System","domain":"authors subjects animal","uid":"b202b3e0-53f9-11ef-bc91-0242ac110005","groups":[{"name":"graphic university chile","uid":"b202c178-53f9-11ef-b0e0-0242ac110005"},{"name":"departure projects eastern","type":"direct hoping harder","uid":"b202c876-53f9-11ef-99bc-0242ac110005","privileges":["camcorders hazardous occurred","strong wav finland"]}],"type_id":3,"email_addr":"Hugh@vb.aero","ldap_person":{"location":{"desc":"Libyan Arab Jamahiriya","city":"Relaxation depend","country":"LY","coordinates":[72.6769,27.7735],"continent":"Africa"},"manager":{"name":"Titles","type":"System","domain":"many tvs hand","uid":"b202da8c-53f9-11ef-a9a8-0242ac110005","org":{"name":"declare commit gathering","uid":"b202e55e-53f9-11ef-90d3-0242ac110005"},"type_id":3,"credential_uid":"b202eba8-53f9-11ef-a0ef-0242ac110005"},"job_title":"evident gotten tcp","ldap_cn":"ran experiences isolation"}},"uid":"b202f3be-53f9-11ef-9c3b-0242ac110005","cmd_line":"hydrogen reporting ensemble","created_time":1722951737027494,"integrity":"extra dial resolved","parent_process":{"name":"Findings","file":{"name":"crude.sh","owner":{"type":"Admin","uid":"b2031308-53f9-11ef-b2f8-0242ac110005","groups":[{"uid":"b2031cd6-53f9-11ef-b786-0242ac110005"},{"name":"wrap smile durham","uid":"b2032866-53f9-11ef-bf54-0242ac110005","privileges":["preventing security wales","protest membership rs"]}],"type_id":2},"type":"Block Device","path":"hub clarity henderson/mailing.rss/crude.sh","product":{"name":"fund groundwater 
dom","version":"1.1.0","uid":"b2033324-53f9-11ef-ba5b-0242ac110005","feature":{"name":"producer depot financing","version":"1.1.0","uid":"b2033bc6-53f9-11ef-91fe-0242ac110005"},"cpe_name":"oven regulatory dairy","vendor_name":"disney intel antibody"},"type_id":4,"parent_folder":"hub clarity henderson/mailing.rss","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A","algorithm":"TLSH","algorithm_id":6},{"value":"A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183","algorithm":"quickXorHash","algorithm_id":7}],"security_descriptor":"cross organic bookings","xattributes":{}},"user":{"name":"Adjust","domain":"wrong expanding proposal","uid":"b2034c56-53f9-11ef-aed8-0242ac110005","credential_uid":"b203526e-53f9-11ef-9e92-0242ac110005","email_addr":"Gerry@poker.biz"},"uid":"b20358d6-53f9-11ef-939b-0242ac110005","cmd_line":"arrested suits personally","created_time":1722951737030083,"parent_process":{"name":"Poverty","pid":42,"file":{"name":"sad.kml","type":"Unknown","path":"random horse explained/soap.csv/sad.kml","signature":{"digest":{"value":"A24F695AAF92949E2578A874832FF516","algorithm":"MD5","algorithm_id":1},"certificate":{"version":"1.1.0","uid":"b2037334-53f9-11ef-880c-0242ac110005","subject":"delay prairie cents","issuer":"thought loans celebrate","fingerprints":[{"value":"70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802","algorithm":"CTPH","algorithm_id":5},{"value":"054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737030958,"expiration_time":1722951737030965,"serial_number":"concerned arthritis 
beam"},"algorithm":"Authenticode","algorithm_id":4,"developer_uid":"b2038324-53f9-11ef-a9fd-0242ac110005"},"uid":"b2038928-53f9-11ef-93ab-0242ac110005","type_id":0,"accessor":{"name":"Affordable","type":"User","domain":"mill nest ministers","uid":"b2039418-53f9-11ef-ace2-0242ac110005","type_id":1,"full_name":"Thu Dewitt","account":{"name":"provider queensland warranties","type":"AWS Account","uid":"b2039db4-53f9-11ef-ac2d-0242ac110005","type_id":10}},"parent_folder":"random horse explained/soap.csv","hashes":[{"value":"552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6","algorithm":"SHA-256","algorithm_id":3},{"value":"DCF06E858132CA1EDC2384EBDF0200885DD2AC3F","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1722951737031923},"user":{"name":"Continuously","type":"cassette","uid":"b203c596-53f9-11ef-9213-0242ac110005","org":{"name":"vitamins causes lg","uid":"b203cf64-53f9-11ef-a9e6-0242ac110005","ou_name":"most worcester generator"},"type_id":99,"full_name":"Manie Demetra","ldap_person":{"labels":["results","considered"],"deleted_time":1722951737033239,"email_addrs":["Joeann@trials.com","Enrique@zshops.int"],"last_login_time":1722951737033262,"modified_time":1722951737033265}},"tid":39,"uid":"b203dc7a-53f9-11ef-8a2b-0242ac110005","created_time":1722951737033438,"integrity":"Protected","integrity_id":6,"lineage":["arab comparison charlotte","namibia republicans decorative"],"parent_process":{"name":"Labs","pid":22,"session":{"terminal":"signals click categories","uid":"b203f264-53f9-11ef-9ec3-0242ac110005","created_time":1722951737034000,"is_remote":false},"file":{"name":"leaders.ged","type":"anthony","path":"zimbabwe co hyundai/telecom.rom/leaders.ged","type_id":99,"parent_folder":"zimbabwe co 
hyundai/telecom.rom","hashes":[{"value":"FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2","algorithm":"quickXorHash","algorithm_id":7},{"value":"B336DF698D12AC8E54570BA6EA2679F0","algorithm":"MD5","algorithm_id":1}]},"user":{"type":"tears","org":{"name":"bye lenses alabama","uid":"b2040b0a-53f9-11ef-98b5-0242ac110005","ou_name":"antiques compliant tutorial","ou_uid":"b204153c-53f9-11ef-a6ea-0242ac110005"},"type_id":99},"uid":"b2042360-53f9-11ef-9794-0242ac110005","cmd_line":"windsor installed invite","created_time":1722951737035272,"parent_process":{"name":"Asus","pid":64,"session":{"uid":"b2048058-53f9-11ef-8e0f-0242ac110005","uuid":"b20486ca-53f9-11ef-9010-0242ac110005","issuer":"planner providence titles","created_time":1722951737037814,"credential_uid":"b2048dfa-53f9-11ef-8e51-0242ac110005","is_remote":true},"file":{"name":"badge.avi","type":"Unknown","path":"showed conf citizenship/alto.csr/badge.avi","signature":{"certificate":{"version":"1.1.0","subject":"voters crazy chelsea","issuer":"balance rip flags","fingerprints":[{"value":"AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD","algorithm":"CTPH","algorithm_id":5}],"created_time":1722951737038366,"expiration_time":1722951737038371,"serial_number":"generally grande babies"},"algorithm":"RSA","algorithm_id":2,"developer_uid":"b204a4e8-53f9-11ef-a45f-0242ac110005"},"desc":"jersey pod crafts","type_id":0,"mime_type":"minimal/wisconsin","parent_folder":"showed conf citizenship/alto.csr","hashes":[{"value":"5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD","algorithm":"SHA-256","algorithm_id":3},{"value":"1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453","algorithm":"magic","algorithm_id":99}]},"user":{"name":"Churches","type":"User","uid":"b204b8ca-53f9-11ef-ae39-0242ac110005","org":{"name":"asking bookmark 
builders","ou_name":"nightlife fragrance into"},"type_id":1,"account":{"name":"essential wishing wanted","type":"Windows Account","uid":"b204c8ce-53f9-11ef-9832-0242ac110005","type_id":2}},"uid":"b204cf68-53f9-11ef-9210-0242ac110005","loaded_modules":["/condition/tunisia/phillips/accounting/tension.pkg","/argue/aboriginal/connectors/journal/clinic.dcr"],"cmd_line":"dryer thereby reliable","created_time":1722951737039702,"parent_process":{"name":"Multi","pid":51,"file":{"attributes":37,"name":"option.swf","type":"Block Device","path":"associate spas climb/canadian.rar/option.swf","product":{"name":"or dynamic distinguished","version":"1.1.0","path":"weddings competent korea","uid":"b205092e-53f9-11ef-b82a-0242ac110005","lang":"en","vendor_name":"hunt vitamins columns"},"type_id":4,"accessor":{"name":"Finish","type":"System","uid":"b205141e-53f9-11ef-bef4-0242ac110005","groups":[{"name":"tablet drivers broader","domain":"orange says vegetation","uid":"b2051dd8-53f9-11ef-9d88-0242ac110005"},{"name":"rid planets gp","domain":"antique hans ez","uid":"b20524b8-53f9-11ef-bfc7-0242ac110005","privileges":["obesity descriptions paintball"]}],"type_id":3},"parent_folder":"associate spas climb/canadian.rar","hashes":[{"value":"D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1","algorithm":"magic","algorithm_id":99},{"value":"E16704D9E243B23B4F4E557748D6EEF6","algorithm":"MD5","algorithm_id":1}],"security_descriptor":"sentences angela guides"},"user":{"name":"Auditor","domain":"france designer commissioner","uid":"b2053246-53f9-11ef-8f1f-0242ac110005","groups":[{"name":"front license tide","type":"scope nebraska suffered","uid":"b2054b5a-53f9-11ef-b10c-0242ac110005"},{"name":"belts transform phone","type":"ir paul vector","uid":"b2055956-53f9-11ef-bac5-0242ac110005"}]},"cmd_line":"int assets shanghai","created_time":1722951737043210,"integrity":"philip energy traveler","parent_process":{"name":"Auctions","pid":97,"file":{"name":"mainland.sav","type":"Character 
Device","path":"easter advert gregory/briefing.vcd/mainland.sav","uid":"b2057062-53f9-11ef-b33c-0242ac110005","type_id":3,"company_name":"Shay Geoffrey","mime_type":"came/dui","parent_folder":"easter advert gregory/briefing.vcd","hashes":[{"value":"D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"ugly embedded sql"},"user":{"name":"Yahoo","uid":"b20585de-53f9-11ef-a722-0242ac110005"},"uid":"b2058d2c-53f9-11ef-9c93-0242ac110005","cmd_line":"computers qt caribbean","created_time":1722951737044530,"integrity":"classifieds conceptual contest","parent_process":{"name":"Portable","pid":15,"user":{"name":"Camel","type":"System","uid":"b205a618-53f9-11ef-b616-0242ac110005","type_id":3},"uid":"b205ac6c-53f9-11ef-b326-0242ac110005","cmd_line":"letter agencies family","created_time":1722951737045332,"parent_process":{"name":"Weed","pid":38,"file":{"name":"leslie.indd","type":"Symbolic Link","path":"rating malawi ash/ny.bin/leslie.indd","signature":{"certificate":{"version":"1.1.0","subject":"conscious forecasts poland","issuer":"henry recognize short","fingerprints":[{"value":"3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46","algorithm":"TLSH","algorithm_id":6},{"value":"CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2","algorithm":"SHA-1","algorithm_id":2}],"created_time":1722951737046152,"expiration_time":1722951737046157,"serial_number":"number emotional belly"},"algorithm":"weekends","algorithm_id":99},"modifier":{"name":"Measurements","type":"User","uid":"b205d93a-53f9-11ef-97c9-0242ac110005","type_id":1,"ldap_person":{"manager":{"name":"Satisfy","type":"Unknown","domain":"combat mall responded","uid":"b205e8bc-53f9-11ef-b220-0242ac110005","org":{"name":"simulations kelkoo picture","uid":"b205fb4a-53f9-11ef-bcdf-0242ac110005","ou_name":"ntsc tab 
er"},"type_id":0},"cost_center":"believed defeat workout","given_name":"country medicine susan","job_title":"minister hugh opponent"}},"type_id":7,"accessor":{"name":"Differential","type":"User","domain":"second heaven reg","uid":"b2060720-53f9-11ef-b3d3-0242ac110005","type_id":1,"email_addr":"Iliana@easter.jobs"},"creator":{"type":"Admin","uid":"b206126a-53f9-11ef-bcf1-0242ac110005","type_id":2,"full_name":"Zelma Brady","credential_uid":"b2061990-53f9-11ef-92d2-0242ac110005"},"parent_folder":"rating malawi ash/ny.bin","hashes":[{"value":"80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C","algorithm":"TLSH","algorithm_id":6},{"value":"2FACE219B9E0ACE4E7841FB7019D658D","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737048171},"user":{"name":"Smoking","type":"Admin","uid":"b20633f8-53f9-11ef-84d6-0242ac110005","groups":[{"name":"lyric cent failure","uid":"b2063dc6-53f9-11ef-be9b-0242ac110005"},{"name":"tests australian manufacturing","domain":"indonesia performances dispute","uid":"b20644a6-53f9-11ef-88ec-0242ac110005"}],"type_id":2},"uid":"b2064a96-53f9-11ef-9a3a-0242ac110005","cmd_line":"abandoned plaintiff consult","created_time":1722951737049379,"parent_process":{"name":"Shore","pid":47,"file":{"name":"grip.py","type":"Regular File","path":"travesti promotes incentives/ask.c/grip.py","type_id":1,"accessor":{"name":"Composition","type":"Unknown","uid":"b206ba3a-53f9-11ef-8d45-0242ac110005","type_id":0,"account":{"type":"Unknown","uid":"b206dd4e-53f9-11ef-8a0d-0242ac110005","type_id":0}},"parent_folder":"travesti promotes incentives/ask.c","accessed_time":1722951737053129,"confidentiality":"scholarships introducing scientific","modified_time":1722951737053154},"user":{"name":"Indicators","org":{"name":"assisted difficulty submit","uid":"b206eb0e-53f9-11ef-93f9-0242ac110005","ou_name":"hazardous oracle 
array","ou_uid":"b206f194-53f9-11ef-98e9-0242ac110005"},"uid_alt":"significant beverages mail"},"uid":"b206f84c-53f9-11ef-b820-0242ac110005","cmd_line":"age ratings employees","lineage":["gauge exists gmbh","ieee drawing bat"],"parent_process":{"name":"Vb","pid":42,"file":{"name":"hereby.txt","type":"Unknown","path":"alumni broad whatever/editing.dat/hereby.txt","type_id":0,"parent_folder":"alumni broad whatever/editing.dat","hashes":[{"value":"0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794","algorithm":"SHA-512","algorithm_id":4},{"value":"8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"fuel horses cialis"},"uid":"b2071688-53f9-11ef-9e48-0242ac110005","cmd_line":"stuart notify nc","created_time":1722951737054600,"integrity":"argument historic decision","lineage":["gathered then container"],"parent_process":{"name":"Protect","pid":69,"file":{"name":"animation.wsf","size":668783954,"type":"Unknown","path":"action cheats collective/day.dll/animation.wsf","product":{"name":"assessed delete infection","version":"1.1.0","uid":"b2073b5e-53f9-11ef-89e3-0242ac110005","url_string":"indigenous","vendor_name":"perhaps weak mattress"},"uid":"b20742b6-53f9-11ef-b089-0242ac110005","type_id":0,"company_name":"Kay Hugo","parent_folder":"action cheats collective/day.dll","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA","algorithm":"quickXorHash","algorithm_id":7}]},"user":{"name":"Nike","type":"Unknown","uid":"b207597c-53f9-11ef-bb63-0242ac110005","type_id":0,"ldap_person":{"office_location":"signing equations keith"},"uid_alt":"earthquake race 
promises"},"tid":76,"uid":"b2076714-53f9-11ef-8876-0242ac110005","cmd_line":"accurate revenue def","created_time":1722951737056663,"integrity":"Medium","integrity_id":3,"lineage":["guidance rider vanilla","ambient glow well"]}}},"terminated_time":1722951737056691}},"xattributes":{}}},"terminated_time":1722951737056729},"terminated_time":1722951737056732}},"sandbox":"participants safer outlets"}},"user":{"uid":"b207743e-53f9-11ef-b930-0242ac110005","org":{"name":"martial makers bras","uid":"b2077cea-53f9-11ef-98a2-0242ac110005","ou_name":"announced plastic serial"},"credential_uid":"b20785dc-53f9-11ef-9a4e-0242ac110005"},"authorizations":[{},{"decision":"ssl meaning excellence"}]},"dst_endpoint":{"name":"bouquet observations flashing","port":47351,"type":"Desktop","os":{"name":"reductions loans null","type":"Unknown","type_id":0,"sp_name":"cloud heat faith"},"domain":"developer resistance cove","ip":"41.251.197.63","location":{"desc":"Angola, Republic of","city":"Extras separated","country":"AO","coordinates":[-51.2157,-88.1173],"continent":"Africa"},"hostname":"brakes.travel","uid":"b207abc0-53f9-11ef-984e-0242ac110005","type_id":2,"interface_name":"responsible ips bits","interface_uid":"b207b336-53f9-11ef-992b-0242ac110005","intermediate_ips":["43.42.170.135","161.178.9.23"],"proxy_endpoint":{"name":"ray maximum theology","port":59643,"type":"Firewall","ip":"128.28.111.51","hostname":"upcoming.biz","uid":"b207c466-53f9-11ef-9061-0242ac110005","type_id":9,"instance_uid":"b207cc90-53f9-11ef-ace5-0242ac110005","interface_name":"acts unavailable caught","interface_uid":"b207d4ec-53f9-11ef-a2a8-0242ac110005","svc_name":"xi marketplace productivity"},"svc_name":"motorcycle cnn eh"},"src_endpoint":{"name":"clerk massive hints","port":3366,"type":"Server","ip":"135.11.251.187","uid":"b207e1c6-53f9-11ef-bd79-0242ac110005","mac":"E3:9B:50:54:D4:43:80:D1","type_id":1,"instance_uid":"b207ec52-53f9-11ef-870e-0242ac110005","interface_name":"sale cut 
divided","interface_uid":"b207f38c-53f9-11ef-af93-0242ac110005","intermediate_ips":["141.220.224.128","133.184.5.152"],"svc_name":"princess realize wax"}}],"finding_info":{"title":"cocktail graphics controlled","uid":"b200a0e6-53f9-11ef-a714-0242ac110005","analytic":{"name":"shirts deutsche times","type":"Statistical","uid":"b200b234-53f9-11ef-88a2-0242ac110005","type_id":3},"first_seen_time":1722951737012703,"kill_chain":[{"phase":"Unknown","phase_id":0}],"related_events":[{"uid":"b200c6ca-53f9-11ef-88d3-0242ac110005","type_uid":1760088869}]},"risk_level":"Low","risk_level_id":1,"severity_id":2,"status_id":3}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
index 283b33361440..c7a86b71f609 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
@@ -463,6 +463,1181 @@ "villas haiti links" ] } + }, + { + "@timestamp": "+56568-03-02T00:43:35.847Z", + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "create", + "duration": 19000000, + "kind": "alert", + "original": "{\"message\":\"satellite violent subscriptions\",\"status\":\"Suppressed\",\"time\":1722951737015847,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"favorite dictionary butter\",\"version\":\"1.1.0\",\"uid\":\"b201250c-53f9-11ef-a42e-0242ac110005\",\"vendor_name\":\"routing attending username\"},\"labels\":[\"paper\",\"james\"],\"profiles\":[],\"log_name\":\"variables admin absolutely\",\"log_provider\":\"facilities channels cradle\",\"log_version\":\"unless mood revised\",\"original_time\":\"complaint planning historic\"},\"severity\":\"Low\",\"duration\":19,\"resources\":[{\"owner\":{\"name\":\"Plain\",\"type\":\"Unknown\",\"uid\":\"b2005820-53f9-11ef-9b03-0242ac110005\",\"type_id\":0,\"ldap_person\":{\"deleted_time\":1722951737010636,\"job_title\":\"tp barely fancy\"}},\"version\":\"1.1.0\",\"uid\":\"b2006efa-53f9-11ef-b4fa-0242ac110005\",\"namespace\":\"inherited proceeds invalid\"},{\"owner\":{\"name\":\"Adsl\",\"type\":\"User\",\"type_id\":1},\"version\":\"1.1.0\",\"group\":{\"name\":\"m biography divx\",\"uid\":\"b200884a-53f9-11ef-b155-0242ac110005\"},\"labels\":[\"circular\",\"vip\"],\"namespace\":\"updating mic expo\",\"criticality\":\"packaging neon hearings\"}],\"type_name\":\"Detection Finding: Create\",\"activity_id\":1,\"type_uid\":200401,\"category_name\":\"Findings\",\"class_uid\":2004,\"category_uid\":2,\"class_name\":\"Detection Finding\",\"activity_name\":\"Create\",\"confidence_id\":2,\"evidences\":[{\"process\":{\"pid\":2,\"file\":{\"attributes\":61,\"name\":\"mortgages.mp3\",\"size\":3964710393,\"type\":\"Folder\",\"path\":\"match fuzzy 
noise/royalty.cbr/mortgages.mp3\",\"signature\":{\"certificate\":{\"uid\":\"b20156da-53f9-11ef-ae03-0242ac110005\",\"subject\":\"norwegian satisfactory collective\",\"issuer\":\"consist refers bite\",\"fingerprints\":[{\"value\":\"98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1722951737017011,\"expiration_time\":1722951737017020,\"serial_number\":\"headers futures rico\"},\"algorithm\":\"Authenticode\",\"algorithm_id\":4,\"created_time\":1722951737017030},\"type_id\":2,\"parent_folder\":\"match fuzzy noise/royalty.cbr\",\"hashes\":[{\"value\":\"989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}]},\"user\":{\"name\":\"Brunei\",\"type\":\"Unknown\",\"uid\":\"b20169ae-53f9-11ef-a7ab-0242ac110005\",\"type_id\":0},\"uid\":\"b2017ba6-53f9-11ef-8664-0242ac110005\",\"cmd_line\":\"cattle disk nat\",\"created_time\":1722951737017869,\"parent_process\":{\"name\":\"Districts\",\"pid\":61,\"file\":{\"name\":\"points.dat\",\"owner\":{\"name\":\"Possession\",\"type\":\"packaging\",\"uid\":\"b20198de-53f9-11ef-99e3-0242ac110005\",\"groups\":[{\"name\":\"framework chambers motorcycle\",\"domain\":\"robots opportunities auburn\",\"uid\":\"b201a2de-53f9-11ef-91ee-0242ac110005\"}],\"type_id\":99},\"type\":\"Local Socket\",\"version\":\"1.1.0\",\"path\":\"perfume cleveland crystal/database.vob/points.dat\",\"modifier\":{\"name\":\"Tower\",\"type\":\"Unknown\",\"uid\":\"b201c520-53f9-11ef-8fe7-0242ac110005\",\"org\":{\"name\":\"gabriel harmful teach\",\"uid\":\"b201cf5c-53f9-11ef-90e0-0242ac110005\",\"ou_name\":\"chapel library 
combinations\"},\"type_id\":0,\"email_addr\":\"Lynne@rated.jobs\"},\"type_id\":5,\"accessor\":{\"name\":\"Record\",\"type\":\"Unknown\",\"uid\":\"b201dc40-53f9-11ef-a0fe-0242ac110005\",\"type_id\":0,\"email_addr\":\"Zada@czech.museum\",\"ldap_person\":{\"location\":{\"desc\":\"San Marino, Republic of\",\"city\":\"Component got\",\"country\":\"SM\",\"coordinates\":[-25.0862,-71.9167],\"continent\":\"Europe\"},\"deleted_time\":1722951737020608,\"job_title\":\"tobago rubber abstracts\"}},\"parent_folder\":\"perfume cleveland crystal/database.vob\",\"hashes\":[{\"value\":\"115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"77F4DE0C4DB55DEC736561AC64C7EA6B\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time\":1722951737020691},\"user\":{\"name\":\"April\",\"type\":\"System\",\"uid\":\"b201f540-53f9-11ef-b886-0242ac110005\",\"type_id\":3,\"credential_uid\":\"b201fbb2-53f9-11ef-b9d8-0242ac110005\"},\"uid\":\"b2020184-53f9-11ef-85ea-0242ac110005\",\"cmd_line\":\"inquiries sept nil\",\"created_time\":1722951737021297,\"lineage\":[\"barbara flow indiana\"],\"parent_process\":{\"pid\":98,\"session\":{\"uid\":\"b2021138-53f9-11ef-a183-0242ac110005\",\"issuer\":\"boulder candle footwear\",\"created_time\":1722951737021699,\"is_remote\":true},\"file\":{\"name\":\"bryan.htm\",\"type\":\"Character Device\",\"path\":\"fuji collectible creator/describes.tex/bryan.htm\",\"type_id\":3,\"company_name\":\"Reagan Vincenza\",\"creator\":{\"type\":\"sydney\",\"uid\":\"b2022628-53f9-11ef-97c3-0242ac110005\",\"type_id\":99},\"mime_type\":\"numeric/produces\",\"parent_folder\":\"fuji collectible creator/describes.tex\",\"modified_time\":1722951737022248},\"user\":{\"name\":\"Inventory\",\"type\":\"User\",\"groups\":[{\"name\":\"drums brisbane belfast\",\"uid\":\"b2023438-53f9-11ef-b235-0242ac110005\"},{\"name\":\"distinction wp inquiries\",\"desc\":\"subdivision centered 
matched\",\"uid\":\"b2023b9a-53f9-11ef-8b76-0242ac110005\"}],\"type_id\":1,\"credential_uid\":\"b20243f6-53f9-11ef-995a-0242ac110005\",\"email_addr\":\"Salena@tour.coop\",\"uid_alt\":\"headline press postal\"},\"uid\":\"b2024b62-53f9-11ef-85ae-0242ac110005\",\"cmd_line\":\"correlation jd nintendo\",\"created_time\":1722951737023185,\"xattributes\":{}},\"terminated_time\":1722951737023238}},\"file\":{\"name\":\"pounds.sdf\",\"type\":\"footwear\",\"path\":\"bent hostel listed/knives.fnt/pounds.sdf\",\"product\":{\"name\":\"soldier ut outer\",\"version\":\"1.1.0\",\"uid\":\"b20268d6-53f9-11ef-8389-0242ac110005\",\"vendor_name\":\"prototype blog convertible\"},\"type_id\":99,\"mime_type\":\"quit/helen\",\"parent_folder\":\"bent hostel listed/knives.fnt\",\"hashes\":[{\"value\":\"05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"modified_time\":1722951737024064},\"query\":{\"type\":\"rrp look city\",\"hostname\":\"monroe.museum\",\"class\":\"researcher promotions theaters\",\"opcode_id\":3,\"packet_uid\":42},\"connection_info\":{\"uid\":\"b2027e84-53f9-11ef-beec-0242ac110005\",\"direction\":\"Outbound\",\"direction_id\":2,\"protocol_num\":63,\"tcp_flags\":39},\"api\":{\"request\":{\"data\":\"courier\",\"uid\":\"b2028ac8-53f9-11ef-bcf3-0242ac110005\"},\"response\":{\"error\":\"commissioner kill madness\",\"code\":48,\"error_message\":\"whale holdings lol\"},\"operation\":\"prophet disabled joel\"},\"actor\":{\"process\":{\"pid\":53,\"file\":{\"name\":\"travel.ico\",\"type\":\"Regular File\",\"path\":\"choice estates triple/connecticut.rom/travel.ico\",\"type_id\":1,\"accessor\":{\"name\":\"Japanese\",\"type\":\"User\",\"type_id\":1,\"ldap_person\":{\"hire_time\":1722951737025505,\"ldap_dn\":\"essentials incomplete 
main\"},\"uid_alt\":\"cassette dust evidence\"},\"parent_folder\":\"choice estates triple/connecticut.rom\",\"confidentiality\":\"nation fishing professional\",\"hashes\":[{\"value\":\"DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"is_system\":false,\"security_descriptor\":\"burden authentication flashing\"},\"user\":{\"name\":\"Families\",\"type\":\"System\",\"domain\":\"authors subjects animal\",\"uid\":\"b202b3e0-53f9-11ef-bc91-0242ac110005\",\"groups\":[{\"name\":\"graphic university chile\",\"uid\":\"b202c178-53f9-11ef-b0e0-0242ac110005\"},{\"name\":\"departure projects eastern\",\"type\":\"direct hoping harder\",\"uid\":\"b202c876-53f9-11ef-99bc-0242ac110005\",\"privileges\":[\"camcorders hazardous occurred\",\"strong wav finland\"]}],\"type_id\":3,\"email_addr\":\"Hugh@vb.aero\",\"ldap_person\":{\"location\":{\"desc\":\"Libyan Arab Jamahiriya\",\"city\":\"Relaxation depend\",\"country\":\"LY\",\"coordinates\":[72.6769,27.7735],\"continent\":\"Africa\"},\"manager\":{\"name\":\"Titles\",\"type\":\"System\",\"domain\":\"many tvs hand\",\"uid\":\"b202da8c-53f9-11ef-a9a8-0242ac110005\",\"org\":{\"name\":\"declare commit gathering\",\"uid\":\"b202e55e-53f9-11ef-90d3-0242ac110005\"},\"type_id\":3,\"credential_uid\":\"b202eba8-53f9-11ef-a0ef-0242ac110005\"},\"job_title\":\"evident gotten tcp\",\"ldap_cn\":\"ran experiences isolation\"}},\"uid\":\"b202f3be-53f9-11ef-9c3b-0242ac110005\",\"cmd_line\":\"hydrogen reporting ensemble\",\"created_time\":1722951737027494,\"integrity\":\"extra dial 
resolved\",\"parent_process\":{\"name\":\"Findings\",\"file\":{\"name\":\"crude.sh\",\"owner\":{\"type\":\"Admin\",\"uid\":\"b2031308-53f9-11ef-b2f8-0242ac110005\",\"groups\":[{\"uid\":\"b2031cd6-53f9-11ef-b786-0242ac110005\"},{\"name\":\"wrap smile durham\",\"uid\":\"b2032866-53f9-11ef-bf54-0242ac110005\",\"privileges\":[\"preventing security wales\",\"protest membership rs\"]}],\"type_id\":2},\"type\":\"Block Device\",\"path\":\"hub clarity henderson/mailing.rss/crude.sh\",\"product\":{\"name\":\"fund groundwater dom\",\"version\":\"1.1.0\",\"uid\":\"b2033324-53f9-11ef-ba5b-0242ac110005\",\"feature\":{\"name\":\"producer depot financing\",\"version\":\"1.1.0\",\"uid\":\"b2033bc6-53f9-11ef-91fe-0242ac110005\"},\"cpe_name\":\"oven regulatory dairy\",\"vendor_name\":\"disney intel antibody\"},\"type_id\":4,\"parent_folder\":\"hub clarity henderson/mailing.rss\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"security_descriptor\":\"cross organic bookings\",\"xattributes\":{}},\"user\":{\"name\":\"Adjust\",\"domain\":\"wrong expanding proposal\",\"uid\":\"b2034c56-53f9-11ef-aed8-0242ac110005\",\"credential_uid\":\"b203526e-53f9-11ef-9e92-0242ac110005\",\"email_addr\":\"Gerry@poker.biz\"},\"uid\":\"b20358d6-53f9-11ef-939b-0242ac110005\",\"cmd_line\":\"arrested suits personally\",\"created_time\":1722951737030083,\"parent_process\":{\"name\":\"Poverty\",\"pid\":42,\"file\":{\"name\":\"sad.kml\",\"type\":\"Unknown\",\"path\":\"random horse 
explained/soap.csv/sad.kml\",\"signature\":{\"digest\":{\"value\":\"A24F695AAF92949E2578A874832FF516\",\"algorithm\":\"MD5\",\"algorithm_id\":1},\"certificate\":{\"version\":\"1.1.0\",\"uid\":\"b2037334-53f9-11ef-880c-0242ac110005\",\"subject\":\"delay prairie cents\",\"issuer\":\"thought loans celebrate\",\"fingerprints\":[{\"value\":\"70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},{\"value\":\"054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1722951737030958,\"expiration_time\":1722951737030965,\"serial_number\":\"concerned arthritis beam\"},\"algorithm\":\"Authenticode\",\"algorithm_id\":4,\"developer_uid\":\"b2038324-53f9-11ef-a9fd-0242ac110005\"},\"uid\":\"b2038928-53f9-11ef-93ab-0242ac110005\",\"type_id\":0,\"accessor\":{\"name\":\"Affordable\",\"type\":\"User\",\"domain\":\"mill nest ministers\",\"uid\":\"b2039418-53f9-11ef-ace2-0242ac110005\",\"type_id\":1,\"full_name\":\"Thu Dewitt\",\"account\":{\"name\":\"provider queensland warranties\",\"type\":\"AWS Account\",\"uid\":\"b2039db4-53f9-11ef-ac2d-0242ac110005\",\"type_id\":10}},\"parent_folder\":\"random horse explained/soap.csv\",\"hashes\":[{\"value\":\"552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"DCF06E858132CA1EDC2384EBDF0200885DD2AC3F\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"modified_time\":1722951737031923},\"user\":{\"name\":\"Continuously\",\"type\":\"cassette\",\"uid\":\"b203c596-53f9-11ef-9213-0242ac110005\",\"org\":{\"name\":\"vitamins causes lg\",\"uid\":\"b203cf64-53f9-11ef-a9e6-0242ac110005\",\"ou_name\":\"most worcester generator\"},\"type_id\":99,\"full_name\":\"Manie 
Demetra\",\"ldap_person\":{\"labels\":[\"results\",\"considered\"],\"deleted_time\":1722951737033239,\"email_addrs\":[\"Joeann@trials.com\",\"Enrique@zshops.int\"],\"last_login_time\":1722951737033262,\"modified_time\":1722951737033265}},\"tid\":39,\"uid\":\"b203dc7a-53f9-11ef-8a2b-0242ac110005\",\"created_time\":1722951737033438,\"integrity\":\"Protected\",\"integrity_id\":6,\"lineage\":[\"arab comparison charlotte\",\"namibia republicans decorative\"],\"parent_process\":{\"name\":\"Labs\",\"pid\":22,\"session\":{\"terminal\":\"signals click categories\",\"uid\":\"b203f264-53f9-11ef-9ec3-0242ac110005\",\"created_time\":1722951737034000,\"is_remote\":false},\"file\":{\"name\":\"leaders.ged\",\"type\":\"anthony\",\"path\":\"zimbabwe co hyundai/telecom.rom/leaders.ged\",\"type_id\":99,\"parent_folder\":\"zimbabwe co hyundai/telecom.rom\",\"hashes\":[{\"value\":\"FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"B336DF698D12AC8E54570BA6EA2679F0\",\"algorithm\":\"MD5\",\"algorithm_id\":1}]},\"user\":{\"type\":\"tears\",\"org\":{\"name\":\"bye lenses alabama\",\"uid\":\"b2040b0a-53f9-11ef-98b5-0242ac110005\",\"ou_name\":\"antiques compliant tutorial\",\"ou_uid\":\"b204153c-53f9-11ef-a6ea-0242ac110005\"},\"type_id\":99},\"uid\":\"b2042360-53f9-11ef-9794-0242ac110005\",\"cmd_line\":\"windsor installed invite\",\"created_time\":1722951737035272,\"parent_process\":{\"name\":\"Asus\",\"pid\":64,\"session\":{\"uid\":\"b2048058-53f9-11ef-8e0f-0242ac110005\",\"uuid\":\"b20486ca-53f9-11ef-9010-0242ac110005\",\"issuer\":\"planner providence titles\",\"created_time\":1722951737037814,\"credential_uid\":\"b2048dfa-53f9-11ef-8e51-0242ac110005\",\"is_remote\":true},\"file\":{\"name\":\"badge.avi\",\"type\":\"Unknown\",\"path\":\"showed conf 
citizenship/alto.csr/badge.avi\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"voters crazy chelsea\",\"issuer\":\"balance rip flags\",\"fingerprints\":[{\"value\":\"AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1722951737038366,\"expiration_time\":1722951737038371,\"serial_number\":\"generally grande babies\"},\"algorithm\":\"RSA\",\"algorithm_id\":2,\"developer_uid\":\"b204a4e8-53f9-11ef-a45f-0242ac110005\"},\"desc\":\"jersey pod crafts\",\"type_id\":0,\"mime_type\":\"minimal/wisconsin\",\"parent_folder\":\"showed conf citizenship/alto.csr\",\"hashes\":[{\"value\":\"5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453\",\"algorithm\":\"magic\",\"algorithm_id\":99}]},\"user\":{\"name\":\"Churches\",\"type\":\"User\",\"uid\":\"b204b8ca-53f9-11ef-ae39-0242ac110005\",\"org\":{\"name\":\"asking bookmark builders\",\"ou_name\":\"nightlife fragrance into\"},\"type_id\":1,\"account\":{\"name\":\"essential wishing wanted\",\"type\":\"Windows Account\",\"uid\":\"b204c8ce-53f9-11ef-9832-0242ac110005\",\"type_id\":2}},\"uid\":\"b204cf68-53f9-11ef-9210-0242ac110005\",\"loaded_modules\":[\"/condition/tunisia/phillips/accounting/tension.pkg\",\"/argue/aboriginal/connectors/journal/clinic.dcr\"],\"cmd_line\":\"dryer thereby reliable\",\"created_time\":1722951737039702,\"parent_process\":{\"name\":\"Multi\",\"pid\":51,\"file\":{\"attributes\":37,\"name\":\"option.swf\",\"type\":\"Block Device\",\"path\":\"associate spas climb/canadian.rar/option.swf\",\"product\":{\"name\":\"or dynamic distinguished\",\"version\":\"1.1.0\",\"path\":\"weddings competent korea\",\"uid\":\"b205092e-53f9-11ef-b82a-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"hunt vitamins 
columns\"},\"type_id\":4,\"accessor\":{\"name\":\"Finish\",\"type\":\"System\",\"uid\":\"b205141e-53f9-11ef-bef4-0242ac110005\",\"groups\":[{\"name\":\"tablet drivers broader\",\"domain\":\"orange says vegetation\",\"uid\":\"b2051dd8-53f9-11ef-9d88-0242ac110005\"},{\"name\":\"rid planets gp\",\"domain\":\"antique hans ez\",\"uid\":\"b20524b8-53f9-11ef-bfc7-0242ac110005\",\"privileges\":[\"obesity descriptions paintball\"]}],\"type_id\":3},\"parent_folder\":\"associate spas climb/canadian.rar\",\"hashes\":[{\"value\":\"D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"E16704D9E243B23B4F4E557748D6EEF6\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"security_descriptor\":\"sentences angela guides\"},\"user\":{\"name\":\"Auditor\",\"domain\":\"france designer commissioner\",\"uid\":\"b2053246-53f9-11ef-8f1f-0242ac110005\",\"groups\":[{\"name\":\"front license tide\",\"type\":\"scope nebraska suffered\",\"uid\":\"b2054b5a-53f9-11ef-b10c-0242ac110005\"},{\"name\":\"belts transform phone\",\"type\":\"ir paul vector\",\"uid\":\"b2055956-53f9-11ef-bac5-0242ac110005\"}]},\"cmd_line\":\"int assets shanghai\",\"created_time\":1722951737043210,\"integrity\":\"philip energy traveler\",\"parent_process\":{\"name\":\"Auctions\",\"pid\":97,\"file\":{\"name\":\"mainland.sav\",\"type\":\"Character Device\",\"path\":\"easter advert gregory/briefing.vcd/mainland.sav\",\"uid\":\"b2057062-53f9-11ef-b33c-0242ac110005\",\"type_id\":3,\"company_name\":\"Shay Geoffrey\",\"mime_type\":\"came/dui\",\"parent_folder\":\"easter advert gregory/briefing.vcd\",\"hashes\":[{\"value\":\"D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"security_descriptor\":\"ugly embedded 
sql\"},\"user\":{\"name\":\"Yahoo\",\"uid\":\"b20585de-53f9-11ef-a722-0242ac110005\"},\"uid\":\"b2058d2c-53f9-11ef-9c93-0242ac110005\",\"cmd_line\":\"computers qt caribbean\",\"created_time\":1722951737044530,\"integrity\":\"classifieds conceptual contest\",\"parent_process\":{\"name\":\"Portable\",\"pid\":15,\"user\":{\"name\":\"Camel\",\"type\":\"System\",\"uid\":\"b205a618-53f9-11ef-b616-0242ac110005\",\"type_id\":3},\"uid\":\"b205ac6c-53f9-11ef-b326-0242ac110005\",\"cmd_line\":\"letter agencies family\",\"created_time\":1722951737045332,\"parent_process\":{\"name\":\"Weed\",\"pid\":38,\"file\":{\"name\":\"leslie.indd\",\"type\":\"Symbolic Link\",\"path\":\"rating malawi ash/ny.bin/leslie.indd\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"conscious forecasts poland\",\"issuer\":\"henry recognize short\",\"fingerprints\":[{\"value\":\"3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"created_time\":1722951737046152,\"expiration_time\":1722951737046157,\"serial_number\":\"number emotional belly\"},\"algorithm\":\"weekends\",\"algorithm_id\":99},\"modifier\":{\"name\":\"Measurements\",\"type\":\"User\",\"uid\":\"b205d93a-53f9-11ef-97c9-0242ac110005\",\"type_id\":1,\"ldap_person\":{\"manager\":{\"name\":\"Satisfy\",\"type\":\"Unknown\",\"domain\":\"combat mall responded\",\"uid\":\"b205e8bc-53f9-11ef-b220-0242ac110005\",\"org\":{\"name\":\"simulations kelkoo picture\",\"uid\":\"b205fb4a-53f9-11ef-bcdf-0242ac110005\",\"ou_name\":\"ntsc tab er\"},\"type_id\":0},\"cost_center\":\"believed defeat workout\",\"given_name\":\"country medicine susan\",\"job_title\":\"minister hugh opponent\"}},\"type_id\":7,\"accessor\":{\"name\":\"Differential\",\"type\":\"User\",\"domain\":\"second heaven 
reg\",\"uid\":\"b2060720-53f9-11ef-b3d3-0242ac110005\",\"type_id\":1,\"email_addr\":\"Iliana@easter.jobs\"},\"creator\":{\"type\":\"Admin\",\"uid\":\"b206126a-53f9-11ef-bcf1-0242ac110005\",\"type_id\":2,\"full_name\":\"Zelma Brady\",\"credential_uid\":\"b2061990-53f9-11ef-92d2-0242ac110005\"},\"parent_folder\":\"rating malawi ash/ny.bin\",\"hashes\":[{\"value\":\"80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"2FACE219B9E0ACE4E7841FB7019D658D\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time\":1722951737048171},\"user\":{\"name\":\"Smoking\",\"type\":\"Admin\",\"uid\":\"b20633f8-53f9-11ef-84d6-0242ac110005\",\"groups\":[{\"name\":\"lyric cent failure\",\"uid\":\"b2063dc6-53f9-11ef-be9b-0242ac110005\"},{\"name\":\"tests australian manufacturing\",\"domain\":\"indonesia performances dispute\",\"uid\":\"b20644a6-53f9-11ef-88ec-0242ac110005\"}],\"type_id\":2},\"uid\":\"b2064a96-53f9-11ef-9a3a-0242ac110005\",\"cmd_line\":\"abandoned plaintiff consult\",\"created_time\":1722951737049379,\"parent_process\":{\"name\":\"Shore\",\"pid\":47,\"file\":{\"name\":\"grip.py\",\"type\":\"Regular File\",\"path\":\"travesti promotes incentives/ask.c/grip.py\",\"type_id\":1,\"accessor\":{\"name\":\"Composition\",\"type\":\"Unknown\",\"uid\":\"b206ba3a-53f9-11ef-8d45-0242ac110005\",\"type_id\":0,\"account\":{\"type\":\"Unknown\",\"uid\":\"b206dd4e-53f9-11ef-8a0d-0242ac110005\",\"type_id\":0}},\"parent_folder\":\"travesti promotes incentives/ask.c\",\"accessed_time\":1722951737053129,\"confidentiality\":\"scholarships introducing scientific\",\"modified_time\":1722951737053154},\"user\":{\"name\":\"Indicators\",\"org\":{\"name\":\"assisted difficulty submit\",\"uid\":\"b206eb0e-53f9-11ef-93f9-0242ac110005\",\"ou_name\":\"hazardous oracle array\",\"ou_uid\":\"b206f194-53f9-11ef-98e9-0242ac110005\"},\"uid_alt\":\"significant beverages 
mail\"},\"uid\":\"b206f84c-53f9-11ef-b820-0242ac110005\",\"cmd_line\":\"age ratings employees\",\"lineage\":[\"gauge exists gmbh\",\"ieee drawing bat\"],\"parent_process\":{\"name\":\"Vb\",\"pid\":42,\"file\":{\"name\":\"hereby.txt\",\"type\":\"Unknown\",\"path\":\"alumni broad whatever/editing.dat/hereby.txt\",\"type_id\":0,\"parent_folder\":\"alumni broad whatever/editing.dat\",\"hashes\":[{\"value\":\"0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"security_descriptor\":\"fuel horses cialis\"},\"uid\":\"b2071688-53f9-11ef-9e48-0242ac110005\",\"cmd_line\":\"stuart notify nc\",\"created_time\":1722951737054600,\"integrity\":\"argument historic decision\",\"lineage\":[\"gathered then container\"],\"parent_process\":{\"name\":\"Protect\",\"pid\":69,\"file\":{\"name\":\"animation.wsf\",\"size\":668783954,\"type\":\"Unknown\",\"path\":\"action cheats collective/day.dll/animation.wsf\",\"product\":{\"name\":\"assessed delete infection\",\"version\":\"1.1.0\",\"uid\":\"b2073b5e-53f9-11ef-89e3-0242ac110005\",\"url_string\":\"indigenous\",\"vendor_name\":\"perhaps weak mattress\"},\"uid\":\"b20742b6-53f9-11ef-b089-0242ac110005\",\"type_id\":0,\"company_name\":\"Kay Hugo\",\"parent_folder\":\"action cheats collective/day.dll\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}]},\"user\":{\"name\":\"Nike\",\"type\":\"Unknown\",\"uid\":\"b207597c-53f9-11ef-bb63-0242ac110005\",\"type_id\":0,\"ldap_person\":{\"office_location\":\"signing equations 
keith\"},\"uid_alt\":\"earthquake race promises\"},\"tid\":76,\"uid\":\"b2076714-53f9-11ef-8876-0242ac110005\",\"cmd_line\":\"accurate revenue def\",\"created_time\":1722951737056663,\"integrity\":\"Medium\",\"integrity_id\":3,\"lineage\":[\"guidance rider vanilla\",\"ambient glow well\"]}}},\"terminated_time\":1722951737056691}},\"xattributes\":{}}},\"terminated_time\":1722951737056729},\"terminated_time\":1722951737056732}},\"sandbox\":\"participants safer outlets\"}},\"user\":{\"uid\":\"b207743e-53f9-11ef-b930-0242ac110005\",\"org\":{\"name\":\"martial makers bras\",\"uid\":\"b2077cea-53f9-11ef-98a2-0242ac110005\",\"ou_name\":\"announced plastic serial\"},\"credential_uid\":\"b20785dc-53f9-11ef-9a4e-0242ac110005\"},\"authorizations\":[{},{\"decision\":\"ssl meaning excellence\"}]},\"dst_endpoint\":{\"name\":\"bouquet observations flashing\",\"port\":47351,\"type\":\"Desktop\",\"os\":{\"name\":\"reductions loans null\",\"type\":\"Unknown\",\"type_id\":0,\"sp_name\":\"cloud heat faith\"},\"domain\":\"developer resistance cove\",\"ip\":\"41.251.197.63\",\"location\":{\"desc\":\"Angola, Republic of\",\"city\":\"Extras separated\",\"country\":\"AO\",\"coordinates\":[-51.2157,-88.1173],\"continent\":\"Africa\"},\"hostname\":\"brakes.travel\",\"uid\":\"b207abc0-53f9-11ef-984e-0242ac110005\",\"type_id\":2,\"interface_name\":\"responsible ips bits\",\"interface_uid\":\"b207b336-53f9-11ef-992b-0242ac110005\",\"intermediate_ips\":[\"43.42.170.135\",\"161.178.9.23\"],\"proxy_endpoint\":{\"name\":\"ray maximum theology\",\"port\":59643,\"type\":\"Firewall\",\"ip\":\"128.28.111.51\",\"hostname\":\"upcoming.biz\",\"uid\":\"b207c466-53f9-11ef-9061-0242ac110005\",\"type_id\":9,\"instance_uid\":\"b207cc90-53f9-11ef-ace5-0242ac110005\",\"interface_name\":\"acts unavailable caught\",\"interface_uid\":\"b207d4ec-53f9-11ef-a2a8-0242ac110005\",\"svc_name\":\"xi marketplace productivity\"},\"svc_name\":\"motorcycle cnn eh\"},\"src_endpoint\":{\"name\":\"clerk massive 
hints\",\"port\":3366,\"type\":\"Server\",\"ip\":\"135.11.251.187\",\"uid\":\"b207e1c6-53f9-11ef-bd79-0242ac110005\",\"mac\":\"E3:9B:50:54:D4:43:80:D1\",\"type_id\":1,\"instance_uid\":\"b207ec52-53f9-11ef-870e-0242ac110005\",\"interface_name\":\"sale cut divided\",\"interface_uid\":\"b207f38c-53f9-11ef-af93-0242ac110005\",\"intermediate_ips\":[\"141.220.224.128\",\"133.184.5.152\"],\"svc_name\":\"princess realize wax\"}}],\"finding_info\":{\"title\":\"cocktail graphics controlled\",\"uid\":\"b200a0e6-53f9-11ef-a714-0242ac110005\",\"analytic\":{\"name\":\"shirts deutsche times\",\"type\":\"Statistical\",\"uid\":\"b200b234-53f9-11ef-88a2-0242ac110005\",\"type_id\":3},\"first_seen_time\":1722951737012703,\"kill_chain\":[{\"phase\":\"Unknown\",\"phase_id\":0}],\"related_events\":[{\"uid\":\"b200c6ca-53f9-11ef-88d3-0242ac110005\",\"type_uid\":1760088869}]},\"risk_level\":\"Low\",\"risk_level_id\":1,\"severity_id\":2,\"status_id\":3}", + "provider": "facilities channels cradle", + "severity": 2, + "type": [ + "info" + ] + }, + "message": "satellite violent subscriptions", + "ocsf": { + "activity_id": "1", + "activity_name": "Create", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "confidence_id": "2", + "duration": 19, + "evidences": [ + { + "actor": { + "authorizations": [ + { + "decision": "ssl meaning excellence" + } + ], + "process": { + "cmd_line": "hydrogen reporting ensemble", + "created_time": 1722951737027494, + "file": { + "accessor": { + "ldap_person": { + "hire_time": 1722951737025505, + "ldap_dn": "essentials incomplete main" + }, + "name": "Japanese", + "type": "User", + "type_id": 1, + "uid_alt": "cassette dust evidence" + }, + "confidentiality": "nation fishing professional", + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F" + }, + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": 
"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F" + } + ], + "is_system": false, + "name": "travel.ico", + "parent_folder": "choice estates triple/connecticut.rom", + "path": "choice estates triple/connecticut.rom/travel.ico", + "security_descriptor": "burden authentication flashing", + "type": "Regular File", + "type_id": 1 + }, + "integrity": "extra dial resolved", + "parent_process": { + "cmd_line": "arrested suits personally", + "created_time": 1722951737030083, + "file": { + "confidentiality": "Unknown", + "confidentiality_id": 0, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A" + }, + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183" + } + ], + "name": "crude.sh", + "owner": { + "groups": [ + { + "uid": "b2031cd6-53f9-11ef-b786-0242ac110005" + }, + { + "name": "wrap smile durham", + "privileges": [ + "preventing security wales", + "protest membership rs" + ], + "uid": "b2032866-53f9-11ef-bf54-0242ac110005" + } + ], + "type": "Admin", + "type_id": 2, + "uid": "b2031308-53f9-11ef-b2f8-0242ac110005" + }, + "parent_folder": "hub clarity henderson/mailing.rss", + "path": "hub clarity henderson/mailing.rss/crude.sh", + "product": { + "cpe_name": "oven regulatory dairy", + "feature": { + "name": "producer depot financing", + "uid": "b2033bc6-53f9-11ef-91fe-0242ac110005", + "version": "1.1.0" + }, + "name": "fund groundwater dom", + "uid": "b2033324-53f9-11ef-ba5b-0242ac110005", + "vendor_name": "disney intel antibody", + "version": "1.1.0" + }, + "security_descriptor": "cross organic bookings", + "type": "Block Device", + "type_id": 4 + }, + "name": "Findings", + "parent_process": { + 
"created_time": 1722951737033438, + "file": { + "accessor": { + "account": { + "name": "provider queensland warranties", + "type": "AWS Account", + "type_id": 10, + "uid": "b2039db4-53f9-11ef-ac2d-0242ac110005" + }, + "domain": "mill nest ministers", + "full_name": "Thu Dewitt", + "name": "Affordable", + "type": "User", + "type_id": 1, + "uid": "b2039418-53f9-11ef-ace2-0242ac110005" + }, + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6" + }, + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "DCF06E858132CA1EDC2384EBDF0200885DD2AC3F" + } + ], + "modified_time": 1722951737031923, + "name": "sad.kml", + "parent_folder": "random horse explained/soap.csv", + "path": "random horse explained/soap.csv/sad.kml", + "signature": { + "algorithm": "Authenticode", + "algorithm_id": 4, + "certificate": { + "created_time": 1722951737030958, + "expiration_time": 1722951737030965, + "fingerprints": [ + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802" + }, + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082" + } + ], + "issuer": "thought loans celebrate", + "serial_number": "concerned arthritis beam", + "subject": "delay prairie cents", + "uid": "b2037334-53f9-11ef-880c-0242ac110005", + "version": "1.1.0" + }, + "developer_uid": "b2038324-53f9-11ef-a9fd-0242ac110005", + "digest": { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "A24F695AAF92949E2578A874832FF516" + } + }, + "type": "Unknown", + "type_id": 0, + "uid": "b2038928-53f9-11ef-93ab-0242ac110005" + }, + "integrity": "Protected", + "integrity_id": 6, + "lineage": [ + "arab comparison charlotte", + "namibia republicans decorative" + ], + "name": 
"Poverty", + "parent_process": { + "cmd_line": "windsor installed invite", + "created_time": 1722951737035272, + "file": { + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "B336DF698D12AC8E54570BA6EA2679F0" + } + ], + "name": "leaders.ged", + "parent_folder": "zimbabwe co hyundai/telecom.rom", + "path": "zimbabwe co hyundai/telecom.rom/leaders.ged", + "type": "anthony", + "type_id": 99 + }, + "name": "Labs", + "parent_process": { + "cmd_line": "dryer thereby reliable", + "created_time": 1722951737039702, + "file": { + "desc": "jersey pod crafts", + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD" + }, + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453" + } + ], + "mime_type": "minimal/wisconsin", + "name": "badge.avi", + "parent_folder": "showed conf citizenship/alto.csr", + "path": "showed conf citizenship/alto.csr/badge.avi", + "signature": { + "algorithm": "RSA", + "algorithm_id": 2, + "certificate": { + "created_time": 1722951737038366, + "expiration_time": 1722951737038371, + "fingerprints": [ + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD" + } + ], + "issuer": "balance rip flags", + "serial_number": "generally grande babies", + "subject": "voters crazy chelsea", + "version": "1.1.0" + }, + "developer_uid": "b204a4e8-53f9-11ef-a45f-0242ac110005" + }, + "type": "Unknown", + "type_id": 0 + }, + "loaded_modules": [ + "/condition/tunisia/phillips/accounting/tension.pkg", + "/argue/aboriginal/connectors/journal/clinic.dcr" + ], + "name": 
"Asus", + "parent_process": { + "cmd_line": "int assets shanghai", + "created_time": 1722951737043210, + "file": { + "accessor": { + "groups": [ + { + "domain": "orange says vegetation", + "name": "tablet drivers broader", + "uid": "b2051dd8-53f9-11ef-9d88-0242ac110005" + }, + { + "domain": "antique hans ez", + "name": "rid planets gp", + "privileges": [ + "obesity descriptions paintball" + ], + "uid": "b20524b8-53f9-11ef-bfc7-0242ac110005" + } + ], + "name": "Finish", + "type": "System", + "type_id": 3, + "uid": "b205141e-53f9-11ef-bef4-0242ac110005" + }, + "attributes": 37, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "E16704D9E243B23B4F4E557748D6EEF6" + } + ], + "name": "option.swf", + "parent_folder": "associate spas climb/canadian.rar", + "path": "associate spas climb/canadian.rar/option.swf", + "product": { + "lang": "en", + "name": "or dynamic distinguished", + "path": "weddings competent korea", + "uid": "b205092e-53f9-11ef-b82a-0242ac110005", + "vendor_name": "hunt vitamins columns", + "version": "1.1.0" + }, + "security_descriptor": "sentences angela guides", + "type": "Block Device", + "type_id": 4 + }, + "integrity": "philip energy traveler", + "name": "Multi", + "parent_process": { + "cmd_line": "computers qt caribbean", + "created_time": 1722951737044530, + "file": { + "company_name": "Shay Geoffrey", + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171" + } + ], + "mime_type": "came/dui", + "name": "mainland.sav", + "parent_folder": "easter advert gregory/briefing.vcd", + "path": "easter advert gregory/briefing.vcd/mainland.sav", + "security_descriptor": "ugly embedded sql", + "type": "Character Device", + "type_id": 3, + "uid": 
"b2057062-53f9-11ef-b33c-0242ac110005" + }, + "integrity": "classifieds conceptual contest", + "name": "Auctions", + "parent_process": { + "cmd_line": "letter agencies family", + "created_time": 1722951737045332, + "name": "Portable", + "parent_process": { + "cmd_line": "abandoned plaintiff consult", + "created_time": 1722951737049379, + "file": { + "accessor": { + "domain": "second heaven reg", + "email_addr": "Iliana@easter.jobs", + "name": "Differential", + "type": "User", + "type_id": 1, + "uid": "b2060720-53f9-11ef-b3d3-0242ac110005" + }, + "creator": { + "credential_uid": "b2061990-53f9-11ef-92d2-0242ac110005", + "full_name": "Zelma Brady", + "type": "Admin", + "type_id": 2, + "uid": "b206126a-53f9-11ef-bcf1-0242ac110005" + }, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "2FACE219B9E0ACE4E7841FB7019D658D" + } + ], + "modified_time": 1722951737048171, + "modifier": { + "ldap_person": { + "cost_center": "believed defeat workout", + "given_name": "country medicine susan", + "job_title": "minister hugh opponent", + "manager": { + "domain": "combat mall responded", + "name": "Satisfy", + "org": { + "name": "simulations kelkoo picture", + "ou_name": "ntsc tab er", + "uid": "b205fb4a-53f9-11ef-bcdf-0242ac110005" + }, + "type": "Unknown", + "type_id": 0, + "uid": "b205e8bc-53f9-11ef-b220-0242ac110005" + } + }, + "name": "Measurements", + "type": "User", + "type_id": 1, + "uid": "b205d93a-53f9-11ef-97c9-0242ac110005" + }, + "name": "leslie.indd", + "parent_folder": "rating malawi ash/ny.bin", + "path": "rating malawi ash/ny.bin/leslie.indd", + "signature": { + "algorithm": "weekends", + "algorithm_id": 99, + "certificate": { + "created_time": 1722951737046152, + "expiration_time": 1722951737046157, + "fingerprints": [ + { + "algorithm": "TLSH", + 
"algorithm_id": 6, + "value": "3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46" + }, + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2" + } + ], + "issuer": "henry recognize short", + "serial_number": "number emotional belly", + "subject": "conscious forecasts poland", + "version": "1.1.0" + } + }, + "type": "Symbolic Link", + "type_id": 7 + }, + "name": "Weed", + "parent_process": { + "cmd_line": "age ratings employees", + "file": { + "accessed_time": 1722951737053129, + "accessor": { + "account": { + "type": "Unknown", + "type_id": 0, + "uid": "b206dd4e-53f9-11ef-8a0d-0242ac110005" + }, + "name": "Composition", + "type": "Unknown", + "type_id": 0, + "uid": "b206ba3a-53f9-11ef-8d45-0242ac110005" + }, + "confidentiality": "scholarships introducing scientific", + "modified_time": 1722951737053154, + "name": "grip.py", + "parent_folder": "travesti promotes incentives/ask.c", + "path": "travesti promotes incentives/ask.c/grip.py", + "type": "Regular File", + "type_id": 1 + }, + "lineage": [ + "gauge exists gmbh", + "ieee drawing bat" + ], + "name": "Shore", + "parent_process": { + "cmd_line": "stuart notify nc", + "created_time": 1722951737054600, + "file": { + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794" + }, + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043" + } + ], + "name": "hereby.txt", + "parent_folder": "alumni broad whatever/editing.dat", + "path": "alumni broad whatever/editing.dat/hereby.txt", + "security_descriptor": "fuel horses cialis", + "type": "Unknown", + "type_id": 0 + }, + "integrity": "argument historic decision", + 
"lineage": [ + "gathered then container" + ], + "name": "Vb", + "parent_process": { + "cmd_line": "accurate revenue def", + "created_time": 1722951737056663, + "file": { + "company_name": "Kay Hugo", + "confidentiality": "Unknown", + "confidentiality_id": 0, + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA" + } + ], + "name": "animation.wsf", + "parent_folder": "action cheats collective/day.dll", + "path": "action cheats collective/day.dll/animation.wsf", + "product": { + "name": "assessed delete infection", + "uid": "b2073b5e-53f9-11ef-89e3-0242ac110005", + "url_string": "indigenous", + "vendor_name": "perhaps weak mattress", + "version": "1.1.0" + }, + "size": 668783954, + "type": "Unknown", + "type_id": 0, + "uid": "b20742b6-53f9-11ef-b089-0242ac110005" + }, + "integrity": "Medium", + "integrity_id": 3, + "lineage": [ + "guidance rider vanilla", + "ambient glow well" + ], + "name": "Protect", + "pid": 69, + "tid": 76, + "uid": "b2076714-53f9-11ef-8876-0242ac110005", + "user": { + "ldap_person": { + "office_location": "signing equations keith" + }, + "name": "Nike", + "type": "Unknown", + "type_id": 0, + "uid": "b207597c-53f9-11ef-bb63-0242ac110005", + "uid_alt": "earthquake race promises" + } + }, + "pid": 42, + "uid": "b2071688-53f9-11ef-9e48-0242ac110005" + }, + "pid": 47, + "uid": "b206f84c-53f9-11ef-b820-0242ac110005", + "user": { + "name": "Indicators", + "org": { + "name": "assisted difficulty submit", + "ou_name": "hazardous oracle array", + "ou_uid": "b206f194-53f9-11ef-98e9-0242ac110005", + "uid": "b206eb0e-53f9-11ef-93f9-0242ac110005" + }, + "uid_alt": "significant beverages mail" + } + }, + "pid": 38, + "terminated_time": 1722951737056691, + "uid": "b2064a96-53f9-11ef-9a3a-0242ac110005", + "user": { + "groups": [ + { + "name": "lyric cent failure", + "uid": 
"b2063dc6-53f9-11ef-be9b-0242ac110005" + }, + { + "domain": "indonesia performances dispute", + "name": "tests australian manufacturing", + "uid": "b20644a6-53f9-11ef-88ec-0242ac110005" + } + ], + "name": "Smoking", + "type": "Admin", + "type_id": 2, + "uid": "b20633f8-53f9-11ef-84d6-0242ac110005" + } + }, + "pid": 15, + "uid": "b205ac6c-53f9-11ef-b326-0242ac110005", + "user": { + "name": "Camel", + "type": "System", + "type_id": 3, + "uid": "b205a618-53f9-11ef-b616-0242ac110005" + } + }, + "pid": 97, + "uid": "b2058d2c-53f9-11ef-9c93-0242ac110005", + "user": { + "name": "Yahoo", + "uid": "b20585de-53f9-11ef-a722-0242ac110005" + } + }, + "pid": 51, + "user": { + "domain": "france designer commissioner", + "groups": [ + { + "name": "front license tide", + "type": "scope nebraska suffered", + "uid": "b2054b5a-53f9-11ef-b10c-0242ac110005" + }, + { + "name": "belts transform phone", + "type": "ir paul vector", + "uid": "b2055956-53f9-11ef-bac5-0242ac110005" + } + ], + "name": "Auditor", + "uid": "b2053246-53f9-11ef-8f1f-0242ac110005" + } + }, + "pid": 64, + "session": { + "created_time": 1722951737037814, + "credential_uid": "b2048dfa-53f9-11ef-8e51-0242ac110005", + "is_remote": true, + "issuer": "planner providence titles", + "uid": "b2048058-53f9-11ef-8e0f-0242ac110005", + "uuid": "b20486ca-53f9-11ef-9010-0242ac110005" + }, + "terminated_time": 1722951737056729, + "uid": "b204cf68-53f9-11ef-9210-0242ac110005", + "user": { + "account": { + "name": "essential wishing wanted", + "type": "Windows Account", + "type_id": 2, + "uid": "b204c8ce-53f9-11ef-9832-0242ac110005" + }, + "name": "Churches", + "org": { + "name": "asking bookmark builders", + "ou_name": "nightlife fragrance into" + }, + "type": "User", + "type_id": 1, + "uid": "b204b8ca-53f9-11ef-ae39-0242ac110005" + } + }, + "pid": 22, + "session": { + "created_time": 1722951737034000, + "is_remote": false, + "terminal": "signals click categories", + "uid": "b203f264-53f9-11ef-9ec3-0242ac110005" + }, + 
"terminated_time": 1722951737056732, + "uid": "b2042360-53f9-11ef-9794-0242ac110005", + "user": { + "org": { + "name": "bye lenses alabama", + "ou_name": "antiques compliant tutorial", + "ou_uid": "b204153c-53f9-11ef-a6ea-0242ac110005", + "uid": "b2040b0a-53f9-11ef-98b5-0242ac110005" + }, + "type": "tears", + "type_id": 99 + } + }, + "pid": 42, + "tid": 39, + "uid": "b203dc7a-53f9-11ef-8a2b-0242ac110005", + "user": { + "full_name": "Manie Demetra", + "ldap_person": { + "deleted_time": 1722951737033239, + "email_addrs": [ + "Joeann@trials.com", + "Enrique@zshops.int" + ], + "labels": [ + "results", + "considered" + ], + "last_login_time": 1722951737033262, + "modified_time": 1722951737033265 + }, + "name": "Continuously", + "org": { + "name": "vitamins causes lg", + "ou_name": "most worcester generator", + "uid": "b203cf64-53f9-11ef-a9e6-0242ac110005" + }, + "type": "cassette", + "type_id": 99, + "uid": "b203c596-53f9-11ef-9213-0242ac110005" + } + }, + "sandbox": "participants safer outlets", + "uid": "b20358d6-53f9-11ef-939b-0242ac110005", + "user": { + "credential_uid": "b203526e-53f9-11ef-9e92-0242ac110005", + "domain": "wrong expanding proposal", + "email_addr": "Gerry@poker.biz", + "name": "Adjust", + "uid": "b2034c56-53f9-11ef-aed8-0242ac110005" + } + }, + "pid": 53, + "uid": "b202f3be-53f9-11ef-9c3b-0242ac110005", + "user": { + "domain": "authors subjects animal", + "email_addr": "Hugh@vb.aero", + "groups": [ + { + "name": "graphic university chile", + "uid": "b202c178-53f9-11ef-b0e0-0242ac110005" + }, + { + "name": "departure projects eastern", + "privileges": [ + "camcorders hazardous occurred", + "strong wav finland" + ], + "type": "direct hoping harder", + "uid": "b202c876-53f9-11ef-99bc-0242ac110005" + } + ], + "ldap_person": { + "job_title": "evident gotten tcp", + "ldap_cn": "ran experiences isolation", + "location": { + "city": "Relaxation depend", + "continent": "Africa", + "coordinates": [ + 72.6769, + 27.7735 + ], + "country": "LY", + "desc": 
"Libyan Arab Jamahiriya" + }, + "manager": { + "credential_uid": "b202eba8-53f9-11ef-a0ef-0242ac110005", + "domain": "many tvs hand", + "name": "Titles", + "org": { + "name": "declare commit gathering", + "uid": "b202e55e-53f9-11ef-90d3-0242ac110005" + }, + "type": "System", + "type_id": 3, + "uid": "b202da8c-53f9-11ef-a9a8-0242ac110005" + } + }, + "name": "Families", + "type": "System", + "type_id": 3, + "uid": "b202b3e0-53f9-11ef-bc91-0242ac110005" + } + }, + "user": { + "credential_uid": "b20785dc-53f9-11ef-9a4e-0242ac110005", + "org": { + "name": "martial makers bras", + "ou_name": "announced plastic serial", + "uid": "b2077cea-53f9-11ef-98a2-0242ac110005" + }, + "uid": "b207743e-53f9-11ef-b930-0242ac110005" + } + }, + "api": { + "operation": "prophet disabled joel", + "request": { + "data": "courier", + "uid": "b2028ac8-53f9-11ef-bcf3-0242ac110005" + }, + "response": { + "code": 48, + "error": "commissioner kill madness", + "error_message": "whale holdings lol" + } + }, + "connection_info": { + "direction": "Outbound", + "direction_id": 2, + "protocol_num": 63, + "tcp_flags": 39, + "uid": "b2027e84-53f9-11ef-beec-0242ac110005" + }, + "dst_endpoint": { + "domain": "developer resistance cove", + "hostname": "brakes.travel", + "interface_name": "responsible ips bits", + "interface_uid": "b207b336-53f9-11ef-992b-0242ac110005", + "intermediate_ips": [ + "43.42.170.135", + "161.178.9.23" + ], + "ip": "41.251.197.63", + "location": { + "city": "Extras separated", + "continent": "Africa", + "coordinates": [ + -51.2157, + -88.1173 + ], + "country": "AO", + "desc": "Angola, Republic of" + }, + "name": "bouquet observations flashing", + "os": { + "name": "reductions loans null", + "sp_name": "cloud heat faith", + "type": "Unknown", + "type_id": 0 + }, + "port": 47351, + "proxy_endpoint": { + "hostname": "upcoming.biz", + "instance_uid": "b207cc90-53f9-11ef-ace5-0242ac110005", + "interface_name": "acts unavailable caught", + "interface_uid": 
"b207d4ec-53f9-11ef-a2a8-0242ac110005", + "ip": "128.28.111.51", + "name": "ray maximum theology", + "port": 59643, + "svc_name": "xi marketplace productivity", + "type": "Firewall", + "type_id": 9, + "uid": "b207c466-53f9-11ef-9061-0242ac110005" + }, + "svc_name": "motorcycle cnn eh", + "type": "Desktop", + "type_id": 2, + "uid": "b207abc0-53f9-11ef-984e-0242ac110005" + }, + "file": { + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA" + }, + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47" + } + ], + "mime_type": "quit/helen", + "modified_time": 1722951737024064, + "name": "pounds.sdf", + "parent_folder": "bent hostel listed/knives.fnt", + "path": "bent hostel listed/knives.fnt/pounds.sdf", + "product": { + "name": "soldier ut outer", + "uid": "b20268d6-53f9-11ef-8389-0242ac110005", + "vendor_name": "prototype blog convertible", + "version": "1.1.0" + }, + "type": "footwear", + "type_id": 99 + }, + "process": { + "cmd_line": "cattle disk nat", + "created_time": 1722951737017869, + "file": { + "attributes": 61, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653" + } + ], + "name": "mortgages.mp3", + "parent_folder": "match fuzzy noise/royalty.cbr", + "path": "match fuzzy noise/royalty.cbr/mortgages.mp3", + "signature": { + "algorithm": "Authenticode", + "algorithm_id": 4, + "certificate": { + "created_time": 1722951737017011, + "expiration_time": 1722951737017020, + "fingerprints": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0" + }, + { + 
"algorithm": "TLSH", + "algorithm_id": 6, + "value": "F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3" + } + ], + "issuer": "consist refers bite", + "serial_number": "headers futures rico", + "subject": "norwegian satisfactory collective", + "uid": "b20156da-53f9-11ef-ae03-0242ac110005" + }, + "created_time": 1722951737017030 + }, + "size": 3964710393, + "type": "Folder", + "type_id": 2 + }, + "parent_process": { + "cmd_line": "inquiries sept nil", + "created_time": 1722951737021297, + "file": { + "accessor": { + "email_addr": "Zada@czech.museum", + "ldap_person": { + "deleted_time": 1722951737020608, + "job_title": "tobago rubber abstracts", + "location": { + "city": "Component got", + "continent": "Europe", + "coordinates": [ + -25.0862, + -71.9167 + ], + "country": "SM", + "desc": "San Marino, Republic of" + } + }, + "name": "Record", + "type": "Unknown", + "type_id": 0, + "uid": "b201dc40-53f9-11ef-a0fe-0242ac110005" + }, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "77F4DE0C4DB55DEC736561AC64C7EA6B" + } + ], + "modified_time": 1722951737020691, + "modifier": { + "email_addr": "Lynne@rated.jobs", + "name": "Tower", + "org": { + "name": "gabriel harmful teach", + "ou_name": "chapel library combinations", + "uid": "b201cf5c-53f9-11ef-90e0-0242ac110005" + }, + "type": "Unknown", + "type_id": 0, + "uid": "b201c520-53f9-11ef-8fe7-0242ac110005" + }, + "name": "points.dat", + "owner": { + "groups": [ + { + "domain": "robots opportunities auburn", + "name": "framework chambers motorcycle", + "uid": "b201a2de-53f9-11ef-91ee-0242ac110005" + } + ], + "name": "Possession", + "type": "packaging", + "type_id": 99, + "uid": "b20198de-53f9-11ef-99e3-0242ac110005" + }, + "parent_folder": "perfume cleveland crystal/database.vob", + "path": 
"perfume cleveland crystal/database.vob/points.dat", + "type": "Local Socket", + "type_id": 5, + "version": "1.1.0" + }, + "lineage": [ + "barbara flow indiana" + ], + "name": "Districts", + "parent_process": { + "cmd_line": "correlation jd nintendo", + "created_time": 1722951737023185, + "file": { + "company_name": "Reagan Vincenza", + "creator": { + "type": "sydney", + "type_id": 99, + "uid": "b2022628-53f9-11ef-97c3-0242ac110005" + }, + "mime_type": "numeric/produces", + "modified_time": 1722951737022248, + "name": "bryan.htm", + "parent_folder": "fuji collectible creator/describes.tex", + "path": "fuji collectible creator/describes.tex/bryan.htm", + "type": "Character Device", + "type_id": 3 + }, + "pid": 98, + "session": { + "created_time": 1722951737021699, + "is_remote": true, + "issuer": "boulder candle footwear", + "uid": "b2021138-53f9-11ef-a183-0242ac110005" + }, + "uid": "b2024b62-53f9-11ef-85ae-0242ac110005", + "user": { + "credential_uid": "b20243f6-53f9-11ef-995a-0242ac110005", + "email_addr": "Salena@tour.coop", + "groups": [ + { + "name": "drums brisbane belfast", + "uid": "b2023438-53f9-11ef-b235-0242ac110005" + }, + { + "desc": "subdivision centered matched", + "name": "distinction wp inquiries", + "uid": "b2023b9a-53f9-11ef-8b76-0242ac110005" + } + ], + "name": "Inventory", + "type": "User", + "type_id": 1, + "uid_alt": "headline press postal" + } + }, + "pid": 61, + "terminated_time": 1722951737023238, + "uid": "b2020184-53f9-11ef-85ea-0242ac110005", + "user": { + "credential_uid": "b201fbb2-53f9-11ef-b9d8-0242ac110005", + "name": "April", + "type": "System", + "type_id": 3, + "uid": "b201f540-53f9-11ef-b886-0242ac110005" + } + }, + "pid": 2, + "uid": "b2017ba6-53f9-11ef-8664-0242ac110005", + "user": { + "name": "Brunei", + "type": "Unknown", + "type_id": 0, + "uid": "b20169ae-53f9-11ef-a7ab-0242ac110005" + } + }, + "query": { + "class": "researcher promotions theaters", + "hostname": "monroe.museum", + "opcode_id": 3, + "packet_uid": 42, + 
"type": "rrp look city" + }, + "src_endpoint": { + "instance_uid": "b207ec52-53f9-11ef-870e-0242ac110005", + "interface_name": "sale cut divided", + "interface_uid": "b207f38c-53f9-11ef-af93-0242ac110005", + "intermediate_ips": [ + "141.220.224.128", + "133.184.5.152" + ], + "ip": "135.11.251.187", + "mac": "E3:9B:50:54:D4:43:80:D1", + "name": "clerk massive hints", + "port": 3366, + "svc_name": "princess realize wax", + "type": "Server", + "type_id": 1, + "uid": "b207e1c6-53f9-11ef-bd79-0242ac110005" + } + } + ], + "finding_info": { + "analytic": { + "name": "shirts deutsche times", + "type": "Statistical", + "type_id": 3, + "uid": "b200b234-53f9-11ef-88a2-0242ac110005" + }, + "first_seen_time": 1722951737012703, + "kill_chain": [ + { + "phase": "Unknown", + "phase_id": 0 + } + ], + "related_events": [ + { + "type_uid": 1760088869, + "uid": "b200c6ca-53f9-11ef-88d3-0242ac110005" + } + ], + "title": "cocktail graphics controlled", + "uid": "b200a0e6-53f9-11ef-a714-0242ac110005" + }, + "message": "satellite violent subscriptions", + "metadata": { + "labels": [ + "paper", + "james" + ], + "log_name": "variables admin absolutely", + "log_provider": "facilities channels cradle", + "log_version": "unless mood revised", + "original_time": "complaint planning historic", + "product": { + "name": "favorite dictionary butter", + "uid": "b201250c-53f9-11ef-a42e-0242ac110005", + "vendor_name": "routing attending username", + "version": "1.1.0" + }, + "version": "1.1.0" + }, + "resources": [ + { + "namespace": "inherited proceeds invalid", + "owner": { + "ldap_person": { + "deleted_time": 1722951737010636, + "job_title": "tp barely fancy" + }, + "name": "Plain", + "type": "Unknown", + "type_id": "0", + "uid": "b2005820-53f9-11ef-9b03-0242ac110005" + }, + "uid": "b2006efa-53f9-11ef-b4fa-0242ac110005", + "version": "1.1.0" + }, + { + "criticality": "packaging neon hearings", + "group": { + "name": "m biography divx", + "uid": "b200884a-53f9-11ef-b155-0242ac110005" + }, + 
"labels": [ + "circular", + "vip" + ], + "namespace": "updating mic expo", + "owner": { + "name": "Adsl", + "type": "User", + "type_id": "1" + }, + "version": "1.1.0" + } + ], + "risk_level": "Low", + "risk_level_id": "1", + "severity": "Low", + "severity_id": 2, + "status": "Suppressed", + "status_id": "3", + "time": "+56568-03-02T00:43:35.847Z", + "type_name": "Detection Finding: Create", + "type_uid": "200401" + }, + "related": { + "user": [ + "b2005820-53f9-11ef-9b03-0242ac110005", + "Plain", + "Adsl" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "paper", + "james" + ] } ] } \ No newline at end of file
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 587fa3748198..effd08184a1d 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -33,7 +33,7 @@ processors:
 - set:
 field: event.kind
 tag: set_event_kind
- if: ctx.ocsf?.class_uid != null && ['2001', '2002'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['2001', '2002','2003','2004'].contains(ctx.ocsf.class_uid)
 value: alert
 - append:
 field: event.category
@@ -46,7 +46,7 @@ processors:
 tag: append_vulnerability_into_event_category
 value: vulnerability
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['2001', '2002'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null
+ if: ctx.ocsf?.class_uid != null && ['2001', '2002','2003','2004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null
 - append:
 field: event.category
 tag: append_iam_into_event_category
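Review bot: The finding class_uid allow-list is now spelled out inline three times — in set_event_kind here, in append_vulnerability_into_event_category in the following hunk, and inside the long list of the `@@ -124` hunk for append_info_into_event_type — and the new entries are spliced in with inconsistent spacing (`['2001', '2002','2003','2004']`), so the copies will drift the next time a class is added. A comment on the first occurrence would at least record what the numbers mean: `# OCSF finding classes: 2001 Security Finding, 2002 Vulnerability Finding, 2003 Compliance Finding, 2004 Detection Finding`. If the pipeline already stages scratch values under a temporary field that it removes at the end, the list could be set there once and the three conditions written as `ctx._temp?.finding_class_uids != null && ctx._temp.finding_class_uids.contains(ctx.ocsf.class_uid)` (field name is an example); only these three processors are visible here, so whether such a field exists cannot be confirmed from the hunk.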
@@ -124,7 +124,7 @@ processors:
 tag: append_info_into_event_type
 value: info
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.type
 tag: append_user_into_event_type
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 63b6f531c0a7..bff6f86ceed4 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -333,6 +333,12 @@
 - name: kb_articles
 type: keyword
 description: The KB article/s related to the entity.
+ - name: kb_article_list
+ type: flattened
+ description: A list of KB articles or patches related to an endpoint.
+ - name: references
+ type: keyword
+ description: A list of supporting URL/s, references that help describe the remediation strategy.
 - name: rule
 type: group
 fields:
@@ -1159,6 +1165,9 @@
 - name: evidence
 type: flattened
 description: The data the finding exposes to the analyst.
+ - name: evidences
+ type: flattened
+ description: Describes various evidence artifacts associated to the activity/activities that triggered a security detection.
 - name: expiration_time
 type: date
 description: The share expiration time.
@@ -2227,6 +2236,12 @@
 - name: kb_articles
 type: keyword
 description: The KB article/s related to the entity.
+ - name: kb_article_list
+ type: flattened
+ description: A list of KB articles or patches related to an endpoint.
+ - name: references
+ type: keyword
+ description: A list of supporting URL/s, references that help describe the remediation strategy.
 - name: src_url
 type: keyword
 description: The URL pointing to the source of the finding.
@@ -3314,6 +3329,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -3347,6 +3365,9 @@
 - name: region
 type: keyword
 description: The cloud region of the resource.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful when similar entities exist that you need to keep separate.
 - name: type
 type: keyword
 description: The resource type as defined by the event source.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index bc0f1057ff88..2bafa210c63a 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -255,6 +255,9 @@
 - name: evidence
 type: flattened
 description: The data the finding exposes to the analyst.
+ - name: evidences
+ type: flattened
+ description: Describes various evidence artifacts associated to the activity/activities that triggered a security detection.
 - name: finding
 type: group
 fields:
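Review bot: Mapping `ldap_person` as `type: flattened` in the `@@ -3314` hunk discards the types of everything beneath it; the expected-output fixture earlier in this patch shows `ldap_person` objects carrying `deleted_time`, `last_login_time`, `modified_time`, `email_addrs`, `location.coordinates` and a nested `manager` user, and under a flattened mapping all of those are indexed only as keywords, so the epoch timestamps get no range queries and no `*_time_dt` date counterpart of the kind the new finding_info fields in this patch define. If a lightweight mapping is the intent, the description should say so, e.g. `description: The LDAP person object, stored flattened; timestamps and nested user fields are not individually typed.`; otherwise define it as a `type: group` with explicit sub-fields, as the new finding-info-fields.yml does for finding_info. The same flattened definition is added to the findings data stream in the `@@ -584` hunk.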
@@ -312,6 +315,12 @@
 - name: kb_articles
 type: keyword
 description: The KB article/s related to the entity.
+ - name: kb_article_list
+ type: flattened
+ description: A list of KB articles or patches related to an endpoint.
+ - name: references
+ type: keyword
+ description: A list of supporting URL/s, references that help describe the remediation strategy.
 - name: src_url
 type: keyword
 description: The URL pointing to the source of the finding.
@@ -584,6 +593,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -617,6 +629,9 @@
 - name: region
 type: keyword
 description: The cloud region of the resource.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful when similar entities exist that you need to keep separate.
 - name: type
 type: keyword
 description: The resource type as defined by the event source.
@@ -683,6 +698,4 @@
 - name: unmapped
 type: flattened
 description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
- - name: finding_info
- type: flattened
- description: Describes the supporting information about a generated finding.
+
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml
new file mode 100644
index 000000000000..526037c0a092
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml
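Review bot: The `@@ -683` hunk replaces the three removed `finding_info` lines with a single `+` empty line at the end of the file, leaving a trailing blank line that yamllint's `empty-lines` rule reports; drop it so the file ends after the `unmapped` description. Separately, this moves `finding_info` from `flattened` here to a structured `group` in the new finding-info-fields.yml, which is a mapping type change on a field the findings data stream already ships: backing indices created before the upgrade keep the flattened mapping until they roll over, so a data view spanning old and new indices will likely report `ocsf.finding_info.*` as conflicting types. That is a reasonable consequence of a major version change, but it deserves a sentence in the changelog entry or README; whether one exists is not visible from this hunk.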
@@ -0,0 +1,137 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: finding_info
+ type: group
+ description: Describes the supporting information about a generated finding.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique identifier of the reported finding.
+ - name: title
+ type: text
+ description: A title or a brief phrase summarizing the reported finding.
+ - name: desc
+ type: text
+ description: The description of the reported finding.
+ - name: created_time
+ type: long
+ description: The time when the finding was created.
+ - name: created_time_dt
+ type: date
+ description: The time (date) when the finding was created.
+ - name: first_seen_time
+ type: long
+ description: The time when the finding was first observed.
+ - name: first_seen_time_dt
+ type: date
+ description: The time (date) when the finding was first observed.
+ - name: last_seen_time
+ type: long
+ description: The time when the finding was most recently observed.
+ - name: last_seen_time_dt
+ type: date
+ description: The time (date) when the finding was most recently observed.
+ - name: modified_time
+ type: long
+ description: The time when the finding was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time (date) when the finding was last modified.
+ - name: src_url
+ type: keyword
+ description: The URL pointing to the source of the finding.
+ - name: product_uid
+ type: keyword
+ description: The unique identifier of the product that reported the finding.
+ - name: types
+ type: keyword
+ description: One or more types of the reported finding.
+ - name: data_sources
+ type: keyword
+ description: A list of data sources utilized in generation of the finding.
+ - name: analytic
+ type: group
+ description: The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.
+ fields:
+ - name: category
+ type: keyword
+ description: The analytic category.
+ - name: desc
+ type: text
+ description: The description of the analytic that generated the finding.
+ - name: name
+ type: keyword
+ description: The name of the analytic that generated the finding.
+ - name: related_analytics
+ type: flattened
+ description: Other analytics related to this analytic.
+ - name: type
+ type: keyword
+ description: The analytic type.
+ - name: type_id
+ type: integer
+ description: The analytic type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the analytic that generated the finding.
+ - name: version
+ type: keyword
+ description: The analytic version. For example, 1.1.
+ - name: attacks
+ type: group
+ description: MITRE ATT&CK Details.
+ fields:
+ - name: sub_technique
+ type: flattened
+ description: The Sub Technique object describes the sub technique ID and/or name associated to an attack.
+ - name: tactic
+ type: flattened
+ description: The Tactic object describes the tactic ID and/or name that is associated to an attack.
+ - name: tactics
+ type: flattened
+ description: The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique.
+ - name: technique
+ type: flattened
+ description: The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM.
+ - name: version
+ type: keyword
+ description: The ATT&CK MatrixTM version.
+ - name: kill_chain
+ type: group
+ description: The Cyber Kill Chain provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
+ fields:
+ - name: phase
+ type: keyword
+ description: The cyber kill chain phase.
+ - name: phase_id
+ type: integer
+ description: The cyber kill chain phase identifier.
+ - name: related_analytics
+ type: flattened
+ description: Other analytics related to this finding.
+ - name: related_events
+ type: group
+ description: Describes events and/or other findings related to the finding as identified by the security product.
+ fields:
+ - name: attacks
+ type: flattened
+ description: MITRE ATT&CK Details.
+ - name: kill_chain
+ type: flattened
+ description: The Cyber Kill Chain provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
+ - name: observables
+ type: flattened
+ description: The observables associated with the event or a finding.
+ - name: product_uid
+ type: keyword
+ description: The unique identifier of the product that reported the related event.
+ - name: type
+ type: keyword
+ description: The type of the related event. For example, Process Activity, Launch.
+ - name: type_uid
+ type: integer
+ description: The unique identifier of the related event type. For example, 100701.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the related event.
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index 8e8e2ba9ba24..ba3bb4174747
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
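Review bot: `finding_info.title` and `finding_info.desc` (and `analytic.desc`) are mapped as `type: text`, whereas the README hunk later on this page documents the corresponding `ocsf.finding.title` as `keyword`; a `text` field cannot back exact-match filters, terms aggregations or detection-rule exceptions, so anything keyed on a finding title would have to rely on analyzed matching. If free-text search on these is wanted, declare them `type: keyword` and add a `text` sub-field under `multi_fields`; otherwise change the three entries to `type: keyword`. Separately, `related_events.type_uid` is `integer` here while the README lists `ocsf.finding.related_events.type_uid` as keyword; these are different objects, but if the pipeline fills both from the same source value the types should agree. The hunk is complete on this page.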
@@ -641,7 +641,9 @@ This is the `Event` dataset. | ocsf.cis_benchmark_result.desc | The CIS benchmark description. | keyword | | ocsf.cis_benchmark_result.name | The CIS benchmark name. | keyword | | ocsf.cis_benchmark_result.remediation.desc | The description of the remediation strategy. | keyword | +| ocsf.cis_benchmark_result.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened | | ocsf.cis_benchmark_result.remediation.kb_articles | The KB article/s related to the entity. | keyword | +| ocsf.cis_benchmark_result.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | | ocsf.cis_benchmark_result.rule.category | The rule category. | keyword | | ocsf.cis_benchmark_result.rule.desc | The description of the rule that generated the event. | keyword | | ocsf.cis_benchmark_result.rule.name | The name of the rule that generated the event. | keyword | @@ -1016,6 +1018,7 @@ This is the `Event` dataset. | ocsf.entity_result.uid | The identifier of the managed entity. | keyword | | ocsf.entity_result.version | The version of the managed entity. | keyword | | ocsf.evidence | The data the finding exposes to the analyst. | flattened | +| ocsf.evidences | Describes various evidence artifacts associated to the activity/activities that triggered a security detection. | flattened | | ocsf.exit_code | The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. | keyword | | ocsf.expiration_time | The share expiration time. | date | | ocsf.expiration_time_dt | The share expiration time. | date | 
@@ -1320,7 +1323,9 @@ This is the `Event` dataset. | ocsf.finding.related_events.type_uid | The unique identifier of the related event type. For example: 100701. | keyword | | ocsf.finding.related_events.uid | The unique identifier of the related event. | keyword | | ocsf.finding.remediation.desc | The description of the remediation strategy. | keyword | +| ocsf.finding.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened | | ocsf.finding.remediation.kb_articles | The KB article/s related to the entity. | keyword | +| ocsf.finding.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | | ocsf.finding.src_url | The URL pointing to the source of the finding. | keyword | | ocsf.finding.supporting_data | Additional data supporting a finding as provided by security tool. | flattened | | ocsf.finding.title | The title of the reported finding. | keyword | @@ -1755,6 +1760,7 @@ This is the `Event` dataset. | ocsf.resources.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.resources.labels | The list of labels/tags associated to a resource. | keyword | | ocsf.resources.name | The name of the resource. | keyword | +| ocsf.resources.namespace | The namespace is useful when similar entities exist that you need to keep separate. | keyword | | ocsf.resources.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.resources.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.resources.owner.account.type_id | The normalized account type identifier. | keyword | 
@@ -1768,6 +1774,7 @@ This is the `Event` dataset. | ocsf.resources.owner.groups.privileges | The group privileges. | keyword | | ocsf.resources.owner.groups.type | The type of the group or account. | keyword | | ocsf.resources.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.resources.owner.ldap_person | The LDAP person object. | flattened | | ocsf.resources.owner.name | The username. For example, janedoe1. | keyword | | ocsf.resources.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | | ocsf.resources.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | From 1236584d0508b914523c00f1423ba838b1c19c72 Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Wed, 7 Aug 2024 13:26:10 +0530 Subject: [PATCH 14/30] added support of compliance finding event class, segregated and updated resources object group, added new objects as required --- .../fields/resource-fields.yml | 141 +++++++++++++++ .../_dev/test/pipeline/test-findings.log | 3 +- .../pipeline/test-findings.log-expected.json | 125 ++++++++++++- .../test/pipeline/test-iam.log-expected.json | 9 +- .../elasticsearch/ingest_pipeline/default.yml | 10 +- .../data_stream/event/fields/fields.yml | 168 ++++-------------- .../event/fields/resource-fields.yml | 21 ++- .../data_stream/findings/fields/fields.yml | 167 ++++------------- .../findings/fields/resource-fields.yml | 141 +++++++++++++++ .../iam/fields/resource-fields.yml | 21 ++- packages/amazon_security_lake/docs/README.md | 57 ++---- 11 files changed, 526 insertions(+), 337 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml 
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml
new file mode 100644
index 000000000000..7b751ea16a07
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml
@@ -0,0 +1,141 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: resources
+ type: group
+ fields:
+ - name: cloud_partition
+ type: keyword
+ description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).'
+ - name: criticality
+ type: keyword
+ description: The criticality of the resource as defined by the event source.
+ - name: data
+ type: flattened
+ description: Additional data describing the resource.
+ - name: group
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: labels
+ type: keyword
+ description: The list of labels/tags associated to a resource.
+ - name: name
+ type: keyword
+ description: The name of the resource.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful when similar entities exist that you need to keep separate.
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: integer
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: type_id
+ type: integer
+ description: The resource group type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: integer
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: region
+ type: keyword
+ description: The cloud region of the resource.
+ - name: type
+ type: keyword
+ description: The resource type as defined by the event source.
+ - name: type_id
+ type: integer
+ description: The resource type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the resource.
+ - name: version
+ type: keyword
+ description: The version of the resource. For example 1.2.3.
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log
index 37038465d30d..462e3e922707
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log
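Review bot: The description of `owner.groups.type_id`, `The resource group type identifier.`, reads as a copy of the resource's own `type_id` entry further down and does not describe a user group; the `group` object nested directly under `resources` declares no `type_id` at all, so the two group mappings in this new file disagree. Suggest `description: The group type identifier.` and either adding the same entry under `resources.group` or dropping it here, whichever matches what the pipeline emits. Neither group mapping declares `domain`, although the test log added later in this patch shows group objects carrying a `domain` key; if this data stream does not map unknown keys dynamically, such a value would be dropped from the index without an error, so it is worth confirming against the expected-output JSON. The hunk is complete on this page.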
@@ -1,3 +1,4 @@ {"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Security Finding","class_uid":2001,"cloud":{"account":{"uid":"522536594833"},"provider":"AWS","region":"us-east-1"},"compliance":{"requirements":["PCI1.2"],"status":"PASSED","status_detail":"CloudWatch alarms do not exist in the account"},"finding":{"created_time":1635449619417,"desc":"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.","first_seen_time":1635449619417,"last_seen_time":1659636565316,"modified_time":1659636559100,"related_events":[{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"123e4567-e89b-12d3-a456-426655440000"},{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"AcmeNerfHerder-111111111111-x189dx7824"}],"remediation":{"desc":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","kb_articles":["https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"]},"title":"EC2.19 Security groups should not allow unrestricted access to ports with high risk","types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"uid":"test"},"malware":[{"classification_ids":[1],"classifications":["Adware"],"name":"Stringler","path":"/usr/sbin/stringler"}],"metadata":{"product":{"feature":{"name":"Security Hub","uid":"aws-foundational-security-best-practices/v/1.0.0/EC2.19"},"name":"Security 
Hub","uid":"arn:aws:securityhub:us-east-1::product/aws/securityhub","vendor_name":"AWS","version":"2018-10-08"},"profiles":["cloud"],"version":"1.0.0-rc.2"},"resources":[{"cloud_partition":"aws","labels":["billingCode=Lotus-1-2-3","needsPatching=true"],"region":"us-east-1","type":"AwsEc2SecurityGroup","uid":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499"}],"severity":"Informational","severity_id":1,"state":"Resolved","state_id":4,"time":1659636559100,"type_name":"Security Finding: Update","type_uid":200102,"unmapped":{"CompanyName":"AWS","Compliance.StatusReasons[].ReasonCode":"CW_ALARMS_NOT_PRESENT","FindingProviderFields.Severity.Label":"INFORMATIONAL","FindingProviderFields.Severity.Original":"INFORMATIONAL","FindingProviderFields.Types[]":"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices","Malware[].State":"OBSERVED","ProductFields.ControlId":"EC2.19","ProductFields.RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation","ProductFields.RelatedAWSResources:0/name":"securityhub-vpc-sg-restricted-common-ports-2af29baf","ProductFields.RelatedAWSResources:0/type":"AWS::Config::ConfigRule","ProductFields.Resources:0/Id":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499","ProductFields.StandardsArn":"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0","ProductFields.StandardsControlArn":"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19","ProductFields.StandardsSubscriptionArn":"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0","ProductFields.aws/securityhub/CompanyName":"AWS","ProductFields.aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/b
f428107-eee0-4d19-a013-92748ed69eef","ProductFields.aws/securityhub/ProductName":"Security Hub","RecordState":"ACTIVE","Severity.Normalized":"0","Severity.Original":"INFORMATIONAL","Severity.Product":"0","Vulnerabilities[].Cvss[].BaseScore":"4.7,1.0","Vulnerabilities[].Cvss[].BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N","Vulnerabilities[].Cvss[].Version":"V3,V2","Vulnerabilities[].Vendor.VendorSeverity":"Medium","WorkflowState":"NEW"},"vulnerabilities":[{"cve":{"created_time":1579132903000,"cvss":{"base_score":4.7,"vector_string":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"V3"},"modified_time":1579132903000,"uid":"CVE-2020-12345"},"kb_articles":["https://alas.aws.amazon.com/ALAS-2020-1337.html"],"packages":[{"architecture":"x86_64","epoch":1,"name":"openssl","release":"16.amzn2.0.3","version":"1.0.2k"},{"architecture":"x86_64","epoch":3,"name":"yaml","release":"16.amzn2.0.3","version":"4.3.2"}],"references":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"],"related_vulnerabilities":["CVE-2020-12345"],"vendor_name":"Alas"}]} {"status":"In Progress","time":1722327712967320,"metadata":{"version":"1.1.0","product":{"name":"bouquet forget occupied","version":"1.1.0","uid":"c6afd262-4e4c-11ef-a63c-0242ac110005","feature":{"name":"updating lawyers string","uid":"c6afdb4a-4e4c-11ef-a8c4-0242ac110005"},"cpe_name":"words geographical gets","vendor_name":"trim massive setting"},"sequence":2,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"shall none shipped","log_provider":"outlined produced examining","original_time":"scope institutions int","tenant_uid":"c6afe64e-4e4c-11ef-bcf9-0242ac110005","logged_time_dt":"2024-07-30T08:21:52.967232Z"},"resource":{"owner":{"name":"Dude","type":"Admin","uid":"c6b0192a-4e4c-11ef-90f9-0242ac110005","type_id":2,"uid_alt":"recommendation highs equipped"},"type":"carb le multimedia","group":{"name":"resorts 
looking issues"},"namespace":"explain les collections"},"severity":"Fatal","type_name":"Vulnerability Finding: Create","activity_id":1,"type_uid":200201,"category_name":"Findings","class_uid":2002,"category_uid":2,"class_name":"Vulnerability Finding","start_time_dt":"2024-07-30T08:21:52.968170Z","end_time_dt":"2024-07-30T08:21:52.967308Z","timezone_offset":17,"activity_name":"Create","actor":{"user":{"name":"Without","type":"Admin","uid":"c6af496e-4e4c-11ef-b35b-0242ac110005","type_id":2,"account":{"name":"susan amy ventures","type":"Windows Account","uid":"c6af57e2-4e4c-11ef-b613-0242ac110005","type_id":2},"credential_uid":"c6af5ecc-4e4c-11ef-bda8-0242ac110005"}},"cloud":{"org":{"name":"africa za springer","uid":"c6b002c8-4e4c-11ef-b707-0242ac110005","ou_name":"opponent const outlet"},"project_uid":"c6b00a0c-4e4c-11ef-a1c9-0242ac110005","provider":"loving fabulous seating","region":"needed costumes main"},"confidence":"characteristic benz automotive","confidence_id":3,"finding_info":{"title":"vinyl lease crown","uid":"c6af0030-4e4c-11ef-963a-0242ac110005","analytic":{"name":"incentives module joyce","type":"Rule","uid":"c6af34ec-4e4c-11ef-a5db-0242ac110005","category":"sanyo asus escorts","type_id":1},"data_sources":["reliable honey flexibility"],"created_time_dt":"2024-07-30T08:21:52.962788Z","modified_time_dt":"2024-07-30T08:21:52.962804Z"},"severity_id":6,"status_id":2,"vulnerabilities":[{"title":"trek ae danger","references":["suite featured smart","sanyo vbulletin contain"],"cve":{"type":"republicans offset expense","title":"smilies since terminal","uid":"c6af9176-4e4c-11ef-8fde-0242ac110005","references":["brass duty expected"],"created_time":1722327712965081,"cvss":[{"version":"1.1.0","depth":"Base","base_score":97.7035,"overall_score":29.3613}]},"cwe":{"uid":"c6af9f0e-4e4c-11ef-b234-0242ac110005","caption":"blanket toshiba olympics"},"kb_articles":["mounts el significantly","newer length frost"],"packages":[{"name":"nuts nine 
horn","version":"1.1.0","architecture":"diana zen collector"},{"name":"answered absence oxygen","version":"1.1.0","release":"classroom virtually satisfactory","architecture":"railway offering vietnamese"}]},{"references":["workshop surprising ceramic","grow annually mom"],"severity":"villas haiti links","cve":{"type":"coaching workflow sony","title":"jim patients rick","uid":"c6afb07a-4e4c-11ef-9138-0242ac110005","references":["propecia rebecca savage"],"created_time":1722327712965872,"created_time_dt":"2024-07-30T08:21:52.965881Z","modified_time_dt":"2024-07-30T08:21:52.965891Z"},"cwe":{"uid":"c6afba70-4e4c-11ef-8ac3-0242ac110005"},"kb_articles":["resistant verified wiring","redhead informal frankfurt"]}]} -{"message":"satellite violent subscriptions","status":"Suppressed","time":1722951737015847,"metadata":{"version":"1.1.0","product":{"name":"favorite dictionary butter","version":"1.1.0","uid":"b201250c-53f9-11ef-a42e-0242ac110005","vendor_name":"routing attending username"},"labels":["paper","james"],"profiles":[],"log_name":"variables admin absolutely","log_provider":"facilities channels cradle","log_version":"unless mood revised","original_time":"complaint planning historic"},"severity":"Low","duration":19,"resources":[{"owner":{"name":"Plain","type":"Unknown","uid":"b2005820-53f9-11ef-9b03-0242ac110005","type_id":0,"ldap_person":{"deleted_time":1722951737010636,"job_title":"tp barely fancy"}},"version":"1.1.0","uid":"b2006efa-53f9-11ef-b4fa-0242ac110005","namespace":"inherited proceeds invalid"},{"owner":{"name":"Adsl","type":"User","type_id":1},"version":"1.1.0","group":{"name":"m biography divx","uid":"b200884a-53f9-11ef-b155-0242ac110005"},"labels":["circular","vip"],"namespace":"updating mic expo","criticality":"packaging neon hearings"}],"type_name":"Detection Finding: Create","activity_id":1,"type_uid":200401,"category_name":"Findings","class_uid":2004,"category_uid":2,"class_name":"Detection 
Finding","activity_name":"Create","confidence_id":2,"evidences":[{"process":{"pid":2,"file":{"attributes":61,"name":"mortgages.mp3","size":3964710393,"type":"Folder","path":"match fuzzy noise/royalty.cbr/mortgages.mp3","signature":{"certificate":{"uid":"b20156da-53f9-11ef-ae03-0242ac110005","subject":"norwegian satisfactory collective","issuer":"consist refers bite","fingerprints":[{"value":"98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0","algorithm":"SHA-512","algorithm_id":4},{"value":"F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737017011,"expiration_time":1722951737017020,"serial_number":"headers futures rico"},"algorithm":"Authenticode","algorithm_id":4,"created_time":1722951737017030},"type_id":2,"parent_folder":"match fuzzy noise/royalty.cbr","hashes":[{"value":"989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Brunei","type":"Unknown","uid":"b20169ae-53f9-11ef-a7ab-0242ac110005","type_id":0},"uid":"b2017ba6-53f9-11ef-8664-0242ac110005","cmd_line":"cattle disk nat","created_time":1722951737017869,"parent_process":{"name":"Districts","pid":61,"file":{"name":"points.dat","owner":{"name":"Possession","type":"packaging","uid":"b20198de-53f9-11ef-99e3-0242ac110005","groups":[{"name":"framework chambers motorcycle","domain":"robots opportunities auburn","uid":"b201a2de-53f9-11ef-91ee-0242ac110005"}],"type_id":99},"type":"Local Socket","version":"1.1.0","path":"perfume cleveland crystal/database.vob/points.dat","modifier":{"name":"Tower","type":"Unknown","uid":"b201c520-53f9-11ef-8fe7-0242ac110005","org":{"name":"gabriel harmful teach","uid":"b201cf5c-53f9-11ef-90e0-0242ac110005","ou_name":"chapel library 
combinations"},"type_id":0,"email_addr":"Lynne@rated.jobs"},"type_id":5,"accessor":{"name":"Record","type":"Unknown","uid":"b201dc40-53f9-11ef-a0fe-0242ac110005","type_id":0,"email_addr":"Zada@czech.museum","ldap_person":{"location":{"desc":"San Marino, Republic of","city":"Component got","country":"SM","coordinates":[-25.0862,-71.9167],"continent":"Europe"},"deleted_time":1722951737020608,"job_title":"tobago rubber abstracts"}},"parent_folder":"perfume cleveland crystal/database.vob","hashes":[{"value":"115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770","algorithm":"magic","algorithm_id":99},{"value":"77F4DE0C4DB55DEC736561AC64C7EA6B","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737020691},"user":{"name":"April","type":"System","uid":"b201f540-53f9-11ef-b886-0242ac110005","type_id":3,"credential_uid":"b201fbb2-53f9-11ef-b9d8-0242ac110005"},"uid":"b2020184-53f9-11ef-85ea-0242ac110005","cmd_line":"inquiries sept nil","created_time":1722951737021297,"lineage":["barbara flow indiana"],"parent_process":{"pid":98,"session":{"uid":"b2021138-53f9-11ef-a183-0242ac110005","issuer":"boulder candle footwear","created_time":1722951737021699,"is_remote":true},"file":{"name":"bryan.htm","type":"Character Device","path":"fuji collectible creator/describes.tex/bryan.htm","type_id":3,"company_name":"Reagan Vincenza","creator":{"type":"sydney","uid":"b2022628-53f9-11ef-97c3-0242ac110005","type_id":99},"mime_type":"numeric/produces","parent_folder":"fuji collectible creator/describes.tex","modified_time":1722951737022248},"user":{"name":"Inventory","type":"User","groups":[{"name":"drums brisbane belfast","uid":"b2023438-53f9-11ef-b235-0242ac110005"},{"name":"distinction wp inquiries","desc":"subdivision centered matched","uid":"b2023b9a-53f9-11ef-8b76-0242ac110005"}],"type_id":1,"credential_uid":"b20243f6-53f9-11ef-995a-0242ac110005","email_addr":"Salena@tour.coop","uid_alt":"headline press 
postal"},"uid":"b2024b62-53f9-11ef-85ae-0242ac110005","cmd_line":"correlation jd nintendo","created_time":1722951737023185,"xattributes":{}},"terminated_time":1722951737023238}},"file":{"name":"pounds.sdf","type":"footwear","path":"bent hostel listed/knives.fnt/pounds.sdf","product":{"name":"soldier ut outer","version":"1.1.0","uid":"b20268d6-53f9-11ef-8389-0242ac110005","vendor_name":"prototype blog convertible"},"type_id":99,"mime_type":"quit/helen","parent_folder":"bent hostel listed/knives.fnt","hashes":[{"value":"05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA","algorithm":"TLSH","algorithm_id":6},{"value":"EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47","algorithm":"SHA-256","algorithm_id":3}],"modified_time":1722951737024064},"query":{"type":"rrp look city","hostname":"monroe.museum","class":"researcher promotions theaters","opcode_id":3,"packet_uid":42},"connection_info":{"uid":"b2027e84-53f9-11ef-beec-0242ac110005","direction":"Outbound","direction_id":2,"protocol_num":63,"tcp_flags":39},"api":{"request":{"data":"courier","uid":"b2028ac8-53f9-11ef-bcf3-0242ac110005"},"response":{"error":"commissioner kill madness","code":48,"error_message":"whale holdings lol"},"operation":"prophet disabled joel"},"actor":{"process":{"pid":53,"file":{"name":"travel.ico","type":"Regular File","path":"choice estates triple/connecticut.rom/travel.ico","type_id":1,"accessor":{"name":"Japanese","type":"User","type_id":1,"ldap_person":{"hire_time":1722951737025505,"ldap_dn":"essentials incomplete main"},"uid_alt":"cassette dust evidence"},"parent_folder":"choice estates triple/connecticut.rom","confidentiality":"nation fishing 
professional","hashes":[{"value":"DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F","algorithm":"magic","algorithm_id":99},{"value":"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F","algorithm":"CTPH","algorithm_id":5}],"is_system":false,"security_descriptor":"burden authentication flashing"},"user":{"name":"Families","type":"System","domain":"authors subjects animal","uid":"b202b3e0-53f9-11ef-bc91-0242ac110005","groups":[{"name":"graphic university chile","uid":"b202c178-53f9-11ef-b0e0-0242ac110005"},{"name":"departure projects eastern","type":"direct hoping harder","uid":"b202c876-53f9-11ef-99bc-0242ac110005","privileges":["camcorders hazardous occurred","strong wav finland"]}],"type_id":3,"email_addr":"Hugh@vb.aero","ldap_person":{"location":{"desc":"Libyan Arab Jamahiriya","city":"Relaxation depend","country":"LY","coordinates":[72.6769,27.7735],"continent":"Africa"},"manager":{"name":"Titles","type":"System","domain":"many tvs hand","uid":"b202da8c-53f9-11ef-a9a8-0242ac110005","org":{"name":"declare commit gathering","uid":"b202e55e-53f9-11ef-90d3-0242ac110005"},"type_id":3,"credential_uid":"b202eba8-53f9-11ef-a0ef-0242ac110005"},"job_title":"evident gotten tcp","ldap_cn":"ran experiences isolation"}},"uid":"b202f3be-53f9-11ef-9c3b-0242ac110005","cmd_line":"hydrogen reporting ensemble","created_time":1722951737027494,"integrity":"extra dial resolved","parent_process":{"name":"Findings","file":{"name":"crude.sh","owner":{"type":"Admin","uid":"b2031308-53f9-11ef-b2f8-0242ac110005","groups":[{"uid":"b2031cd6-53f9-11ef-b786-0242ac110005"},{"name":"wrap smile durham","uid":"b2032866-53f9-11ef-bf54-0242ac110005","privileges":["preventing security wales","protest membership rs"]}],"type_id":2},"type":"Block Device","path":"hub clarity henderson/mailing.rss/crude.sh","product":{"name":"fund groundwater 
dom","version":"1.1.0","uid":"b2033324-53f9-11ef-ba5b-0242ac110005","feature":{"name":"producer depot financing","version":"1.1.0","uid":"b2033bc6-53f9-11ef-91fe-0242ac110005"},"cpe_name":"oven regulatory dairy","vendor_name":"disney intel antibody"},"type_id":4,"parent_folder":"hub clarity henderson/mailing.rss","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A","algorithm":"TLSH","algorithm_id":6},{"value":"A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183","algorithm":"quickXorHash","algorithm_id":7}],"security_descriptor":"cross organic bookings","xattributes":{}},"user":{"name":"Adjust","domain":"wrong expanding proposal","uid":"b2034c56-53f9-11ef-aed8-0242ac110005","credential_uid":"b203526e-53f9-11ef-9e92-0242ac110005","email_addr":"Gerry@poker.biz"},"uid":"b20358d6-53f9-11ef-939b-0242ac110005","cmd_line":"arrested suits personally","created_time":1722951737030083,"parent_process":{"name":"Poverty","pid":42,"file":{"name":"sad.kml","type":"Unknown","path":"random horse explained/soap.csv/sad.kml","signature":{"digest":{"value":"A24F695AAF92949E2578A874832FF516","algorithm":"MD5","algorithm_id":1},"certificate":{"version":"1.1.0","uid":"b2037334-53f9-11ef-880c-0242ac110005","subject":"delay prairie cents","issuer":"thought loans celebrate","fingerprints":[{"value":"70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802","algorithm":"CTPH","algorithm_id":5},{"value":"054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737030958,"expiration_time":1722951737030965,"serial_number":"concerned arthritis 
beam"},"algorithm":"Authenticode","algorithm_id":4,"developer_uid":"b2038324-53f9-11ef-a9fd-0242ac110005"},"uid":"b2038928-53f9-11ef-93ab-0242ac110005","type_id":0,"accessor":{"name":"Affordable","type":"User","domain":"mill nest ministers","uid":"b2039418-53f9-11ef-ace2-0242ac110005","type_id":1,"full_name":"Thu Dewitt","account":{"name":"provider queensland warranties","type":"AWS Account","uid":"b2039db4-53f9-11ef-ac2d-0242ac110005","type_id":10}},"parent_folder":"random horse explained/soap.csv","hashes":[{"value":"552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6","algorithm":"SHA-256","algorithm_id":3},{"value":"DCF06E858132CA1EDC2384EBDF0200885DD2AC3F","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1722951737031923},"user":{"name":"Continuously","type":"cassette","uid":"b203c596-53f9-11ef-9213-0242ac110005","org":{"name":"vitamins causes lg","uid":"b203cf64-53f9-11ef-a9e6-0242ac110005","ou_name":"most worcester generator"},"type_id":99,"full_name":"Manie Demetra","ldap_person":{"labels":["results","considered"],"deleted_time":1722951737033239,"email_addrs":["Joeann@trials.com","Enrique@zshops.int"],"last_login_time":1722951737033262,"modified_time":1722951737033265}},"tid":39,"uid":"b203dc7a-53f9-11ef-8a2b-0242ac110005","created_time":1722951737033438,"integrity":"Protected","integrity_id":6,"lineage":["arab comparison charlotte","namibia republicans decorative"],"parent_process":{"name":"Labs","pid":22,"session":{"terminal":"signals click categories","uid":"b203f264-53f9-11ef-9ec3-0242ac110005","created_time":1722951737034000,"is_remote":false},"file":{"name":"leaders.ged","type":"anthony","path":"zimbabwe co hyundai/telecom.rom/leaders.ged","type_id":99,"parent_folder":"zimbabwe co 
hyundai/telecom.rom","hashes":[{"value":"FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2","algorithm":"quickXorHash","algorithm_id":7},{"value":"B336DF698D12AC8E54570BA6EA2679F0","algorithm":"MD5","algorithm_id":1}]},"user":{"type":"tears","org":{"name":"bye lenses alabama","uid":"b2040b0a-53f9-11ef-98b5-0242ac110005","ou_name":"antiques compliant tutorial","ou_uid":"b204153c-53f9-11ef-a6ea-0242ac110005"},"type_id":99},"uid":"b2042360-53f9-11ef-9794-0242ac110005","cmd_line":"windsor installed invite","created_time":1722951737035272,"parent_process":{"name":"Asus","pid":64,"session":{"uid":"b2048058-53f9-11ef-8e0f-0242ac110005","uuid":"b20486ca-53f9-11ef-9010-0242ac110005","issuer":"planner providence titles","created_time":1722951737037814,"credential_uid":"b2048dfa-53f9-11ef-8e51-0242ac110005","is_remote":true},"file":{"name":"badge.avi","type":"Unknown","path":"showed conf citizenship/alto.csr/badge.avi","signature":{"certificate":{"version":"1.1.0","subject":"voters crazy chelsea","issuer":"balance rip flags","fingerprints":[{"value":"AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD","algorithm":"CTPH","algorithm_id":5}],"created_time":1722951737038366,"expiration_time":1722951737038371,"serial_number":"generally grande babies"},"algorithm":"RSA","algorithm_id":2,"developer_uid":"b204a4e8-53f9-11ef-a45f-0242ac110005"},"desc":"jersey pod crafts","type_id":0,"mime_type":"minimal/wisconsin","parent_folder":"showed conf citizenship/alto.csr","hashes":[{"value":"5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD","algorithm":"SHA-256","algorithm_id":3},{"value":"1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453","algorithm":"magic","algorithm_id":99}]},"user":{"name":"Churches","type":"User","uid":"b204b8ca-53f9-11ef-ae39-0242ac110005","org":{"name":"asking bookmark 
builders","ou_name":"nightlife fragrance into"},"type_id":1,"account":{"name":"essential wishing wanted","type":"Windows Account","uid":"b204c8ce-53f9-11ef-9832-0242ac110005","type_id":2}},"uid":"b204cf68-53f9-11ef-9210-0242ac110005","loaded_modules":["/condition/tunisia/phillips/accounting/tension.pkg","/argue/aboriginal/connectors/journal/clinic.dcr"],"cmd_line":"dryer thereby reliable","created_time":1722951737039702,"parent_process":{"name":"Multi","pid":51,"file":{"attributes":37,"name":"option.swf","type":"Block Device","path":"associate spas climb/canadian.rar/option.swf","product":{"name":"or dynamic distinguished","version":"1.1.0","path":"weddings competent korea","uid":"b205092e-53f9-11ef-b82a-0242ac110005","lang":"en","vendor_name":"hunt vitamins columns"},"type_id":4,"accessor":{"name":"Finish","type":"System","uid":"b205141e-53f9-11ef-bef4-0242ac110005","groups":[{"name":"tablet drivers broader","domain":"orange says vegetation","uid":"b2051dd8-53f9-11ef-9d88-0242ac110005"},{"name":"rid planets gp","domain":"antique hans ez","uid":"b20524b8-53f9-11ef-bfc7-0242ac110005","privileges":["obesity descriptions paintball"]}],"type_id":3},"parent_folder":"associate spas climb/canadian.rar","hashes":[{"value":"D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1","algorithm":"magic","algorithm_id":99},{"value":"E16704D9E243B23B4F4E557748D6EEF6","algorithm":"MD5","algorithm_id":1}],"security_descriptor":"sentences angela guides"},"user":{"name":"Auditor","domain":"france designer commissioner","uid":"b2053246-53f9-11ef-8f1f-0242ac110005","groups":[{"name":"front license tide","type":"scope nebraska suffered","uid":"b2054b5a-53f9-11ef-b10c-0242ac110005"},{"name":"belts transform phone","type":"ir paul vector","uid":"b2055956-53f9-11ef-bac5-0242ac110005"}]},"cmd_line":"int assets shanghai","created_time":1722951737043210,"integrity":"philip energy traveler","parent_process":{"name":"Auctions","pid":97,"file":{"name":"mainland.sav","type":"Character 
Device","path":"easter advert gregory/briefing.vcd/mainland.sav","uid":"b2057062-53f9-11ef-b33c-0242ac110005","type_id":3,"company_name":"Shay Geoffrey","mime_type":"came/dui","parent_folder":"easter advert gregory/briefing.vcd","hashes":[{"value":"D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"ugly embedded sql"},"user":{"name":"Yahoo","uid":"b20585de-53f9-11ef-a722-0242ac110005"},"uid":"b2058d2c-53f9-11ef-9c93-0242ac110005","cmd_line":"computers qt caribbean","created_time":1722951737044530,"integrity":"classifieds conceptual contest","parent_process":{"name":"Portable","pid":15,"user":{"name":"Camel","type":"System","uid":"b205a618-53f9-11ef-b616-0242ac110005","type_id":3},"uid":"b205ac6c-53f9-11ef-b326-0242ac110005","cmd_line":"letter agencies family","created_time":1722951737045332,"parent_process":{"name":"Weed","pid":38,"file":{"name":"leslie.indd","type":"Symbolic Link","path":"rating malawi ash/ny.bin/leslie.indd","signature":{"certificate":{"version":"1.1.0","subject":"conscious forecasts poland","issuer":"henry recognize short","fingerprints":[{"value":"3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46","algorithm":"TLSH","algorithm_id":6},{"value":"CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2","algorithm":"SHA-1","algorithm_id":2}],"created_time":1722951737046152,"expiration_time":1722951737046157,"serial_number":"number emotional belly"},"algorithm":"weekends","algorithm_id":99},"modifier":{"name":"Measurements","type":"User","uid":"b205d93a-53f9-11ef-97c9-0242ac110005","type_id":1,"ldap_person":{"manager":{"name":"Satisfy","type":"Unknown","domain":"combat mall responded","uid":"b205e8bc-53f9-11ef-b220-0242ac110005","org":{"name":"simulations kelkoo picture","uid":"b205fb4a-53f9-11ef-bcdf-0242ac110005","ou_name":"ntsc tab 
er"},"type_id":0},"cost_center":"believed defeat workout","given_name":"country medicine susan","job_title":"minister hugh opponent"}},"type_id":7,"accessor":{"name":"Differential","type":"User","domain":"second heaven reg","uid":"b2060720-53f9-11ef-b3d3-0242ac110005","type_id":1,"email_addr":"Iliana@easter.jobs"},"creator":{"type":"Admin","uid":"b206126a-53f9-11ef-bcf1-0242ac110005","type_id":2,"full_name":"Zelma Brady","credential_uid":"b2061990-53f9-11ef-92d2-0242ac110005"},"parent_folder":"rating malawi ash/ny.bin","hashes":[{"value":"80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C","algorithm":"TLSH","algorithm_id":6},{"value":"2FACE219B9E0ACE4E7841FB7019D658D","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737048171},"user":{"name":"Smoking","type":"Admin","uid":"b20633f8-53f9-11ef-84d6-0242ac110005","groups":[{"name":"lyric cent failure","uid":"b2063dc6-53f9-11ef-be9b-0242ac110005"},{"name":"tests australian manufacturing","domain":"indonesia performances dispute","uid":"b20644a6-53f9-11ef-88ec-0242ac110005"}],"type_id":2},"uid":"b2064a96-53f9-11ef-9a3a-0242ac110005","cmd_line":"abandoned plaintiff consult","created_time":1722951737049379,"parent_process":{"name":"Shore","pid":47,"file":{"name":"grip.py","type":"Regular File","path":"travesti promotes incentives/ask.c/grip.py","type_id":1,"accessor":{"name":"Composition","type":"Unknown","uid":"b206ba3a-53f9-11ef-8d45-0242ac110005","type_id":0,"account":{"type":"Unknown","uid":"b206dd4e-53f9-11ef-8a0d-0242ac110005","type_id":0}},"parent_folder":"travesti promotes incentives/ask.c","accessed_time":1722951737053129,"confidentiality":"scholarships introducing scientific","modified_time":1722951737053154},"user":{"name":"Indicators","org":{"name":"assisted difficulty submit","uid":"b206eb0e-53f9-11ef-93f9-0242ac110005","ou_name":"hazardous oracle 
array","ou_uid":"b206f194-53f9-11ef-98e9-0242ac110005"},"uid_alt":"significant beverages mail"},"uid":"b206f84c-53f9-11ef-b820-0242ac110005","cmd_line":"age ratings employees","lineage":["gauge exists gmbh","ieee drawing bat"],"parent_process":{"name":"Vb","pid":42,"file":{"name":"hereby.txt","type":"Unknown","path":"alumni broad whatever/editing.dat/hereby.txt","type_id":0,"parent_folder":"alumni broad whatever/editing.dat","hashes":[{"value":"0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794","algorithm":"SHA-512","algorithm_id":4},{"value":"8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"fuel horses cialis"},"uid":"b2071688-53f9-11ef-9e48-0242ac110005","cmd_line":"stuart notify nc","created_time":1722951737054600,"integrity":"argument historic decision","lineage":["gathered then container"],"parent_process":{"name":"Protect","pid":69,"file":{"name":"animation.wsf","size":668783954,"type":"Unknown","path":"action cheats collective/day.dll/animation.wsf","product":{"name":"assessed delete infection","version":"1.1.0","uid":"b2073b5e-53f9-11ef-89e3-0242ac110005","url_string":"indigenous","vendor_name":"perhaps weak mattress"},"uid":"b20742b6-53f9-11ef-b089-0242ac110005","type_id":0,"company_name":"Kay Hugo","parent_folder":"action cheats collective/day.dll","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA","algorithm":"quickXorHash","algorithm_id":7}]},"user":{"name":"Nike","type":"Unknown","uid":"b207597c-53f9-11ef-bb63-0242ac110005","type_id":0,"ldap_person":{"office_location":"signing equations keith"},"uid_alt":"earthquake race 
promises"},"tid":76,"uid":"b2076714-53f9-11ef-8876-0242ac110005","cmd_line":"accurate revenue def","created_time":1722951737056663,"integrity":"Medium","integrity_id":3,"lineage":["guidance rider vanilla","ambient glow well"]}}},"terminated_time":1722951737056691}},"xattributes":{}}},"terminated_time":1722951737056729},"terminated_time":1722951737056732}},"sandbox":"participants safer outlets"}},"user":{"uid":"b207743e-53f9-11ef-b930-0242ac110005","org":{"name":"martial makers bras","uid":"b2077cea-53f9-11ef-98a2-0242ac110005","ou_name":"announced plastic serial"},"credential_uid":"b20785dc-53f9-11ef-9a4e-0242ac110005"},"authorizations":[{},{"decision":"ssl meaning excellence"}]},"dst_endpoint":{"name":"bouquet observations flashing","port":47351,"type":"Desktop","os":{"name":"reductions loans null","type":"Unknown","type_id":0,"sp_name":"cloud heat faith"},"domain":"developer resistance cove","ip":"41.251.197.63","location":{"desc":"Angola, Republic of","city":"Extras separated","country":"AO","coordinates":[-51.2157,-88.1173],"continent":"Africa"},"hostname":"brakes.travel","uid":"b207abc0-53f9-11ef-984e-0242ac110005","type_id":2,"interface_name":"responsible ips bits","interface_uid":"b207b336-53f9-11ef-992b-0242ac110005","intermediate_ips":["43.42.170.135","161.178.9.23"],"proxy_endpoint":{"name":"ray maximum theology","port":59643,"type":"Firewall","ip":"128.28.111.51","hostname":"upcoming.biz","uid":"b207c466-53f9-11ef-9061-0242ac110005","type_id":9,"instance_uid":"b207cc90-53f9-11ef-ace5-0242ac110005","interface_name":"acts unavailable caught","interface_uid":"b207d4ec-53f9-11ef-a2a8-0242ac110005","svc_name":"xi marketplace productivity"},"svc_name":"motorcycle cnn eh"},"src_endpoint":{"name":"clerk massive hints","port":3366,"type":"Server","ip":"135.11.251.187","uid":"b207e1c6-53f9-11ef-bd79-0242ac110005","mac":"E3:9B:50:54:D4:43:80:D1","type_id":1,"instance_uid":"b207ec52-53f9-11ef-870e-0242ac110005","interface_name":"sale cut 
divided","interface_uid":"b207f38c-53f9-11ef-af93-0242ac110005","intermediate_ips":["141.220.224.128","133.184.5.152"],"svc_name":"princess realize wax"}}],"finding_info":{"title":"cocktail graphics controlled","uid":"b200a0e6-53f9-11ef-a714-0242ac110005","analytic":{"name":"shirts deutsche times","type":"Statistical","uid":"b200b234-53f9-11ef-88a2-0242ac110005","type_id":3},"first_seen_time":1722951737012703,"kill_chain":[{"phase":"Unknown","phase_id":0}],"related_events":[{"uid":"b200c6ca-53f9-11ef-88d3-0242ac110005","type_uid":1760088869}]},"risk_level":"Low","risk_level_id":1,"severity_id":2,"status_id":3}
\ No newline at end of file
+{"message":"satellite violent subscriptions","status":"Suppressed","time":1722951737015847,"metadata":{"version":"1.1.0","product":{"name":"favorite dictionary butter","version":"1.1.0","uid":"b201250c-53f9-11ef-a42e-0242ac110005","vendor_name":"routing attending username"},"labels":["paper","james"],"profiles":[],"log_name":"variables admin absolutely","log_provider":"facilities channels cradle","log_version":"unless mood revised","original_time":"complaint planning historic"},"severity":"Low","duration":19,"resources":[{"owner":{"name":"Plain","type":"Unknown","uid":"b2005820-53f9-11ef-9b03-0242ac110005","type_id":0,"ldap_person":{"deleted_time":1722951737010636,"job_title":"tp barely fancy"}},"version":"1.1.0","uid":"b2006efa-53f9-11ef-b4fa-0242ac110005","namespace":"inherited proceeds invalid"},{"owner":{"name":"Adsl","type":"User","type_id":1},"version":"1.1.0","group":{"name":"m biography divx","uid":"b200884a-53f9-11ef-b155-0242ac110005"},"labels":["circular","vip"],"namespace":"updating mic expo","criticality":"packaging neon hearings"}],"type_name":"Detection Finding: Create","activity_id":1,"type_uid":200401,"category_name":"Findings","class_uid":2004,"category_uid":2,"class_name":"Detection 
Finding","activity_name":"Create","confidence_id":2,"evidences":[{"process":{"pid":2,"file":{"attributes":61,"name":"mortgages.mp3","size":3964710393,"type":"Folder","path":"match fuzzy noise/royalty.cbr/mortgages.mp3","signature":{"certificate":{"uid":"b20156da-53f9-11ef-ae03-0242ac110005","subject":"norwegian satisfactory collective","issuer":"consist refers bite","fingerprints":[{"value":"98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0","algorithm":"SHA-512","algorithm_id":4},{"value":"F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737017011,"expiration_time":1722951737017020,"serial_number":"headers futures rico"},"algorithm":"Authenticode","algorithm_id":4,"created_time":1722951737017030},"type_id":2,"parent_folder":"match fuzzy noise/royalty.cbr","hashes":[{"value":"989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Brunei","type":"Unknown","uid":"b20169ae-53f9-11ef-a7ab-0242ac110005","type_id":0},"uid":"b2017ba6-53f9-11ef-8664-0242ac110005","cmd_line":"cattle disk nat","created_time":1722951737017869,"parent_process":{"name":"Districts","pid":61,"file":{"name":"points.dat","owner":{"name":"Possession","type":"packaging","uid":"b20198de-53f9-11ef-99e3-0242ac110005","groups":[{"name":"framework chambers motorcycle","domain":"robots opportunities auburn","uid":"b201a2de-53f9-11ef-91ee-0242ac110005"}],"type_id":99},"type":"Local Socket","version":"1.1.0","path":"perfume cleveland crystal/database.vob/points.dat","modifier":{"name":"Tower","type":"Unknown","uid":"b201c520-53f9-11ef-8fe7-0242ac110005","org":{"name":"gabriel harmful teach","uid":"b201cf5c-53f9-11ef-90e0-0242ac110005","ou_name":"chapel library 
combinations"},"type_id":0,"email_addr":"Lynne@rated.jobs"},"type_id":5,"accessor":{"name":"Record","type":"Unknown","uid":"b201dc40-53f9-11ef-a0fe-0242ac110005","type_id":0,"email_addr":"Zada@czech.museum","ldap_person":{"location":{"desc":"San Marino, Republic of","city":"Component got","country":"SM","coordinates":[-25.0862,-71.9167],"continent":"Europe"},"deleted_time":1722951737020608,"job_title":"tobago rubber abstracts"}},"parent_folder":"perfume cleveland crystal/database.vob","hashes":[{"value":"115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770","algorithm":"magic","algorithm_id":99},{"value":"77F4DE0C4DB55DEC736561AC64C7EA6B","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737020691},"user":{"name":"April","type":"System","uid":"b201f540-53f9-11ef-b886-0242ac110005","type_id":3,"credential_uid":"b201fbb2-53f9-11ef-b9d8-0242ac110005"},"uid":"b2020184-53f9-11ef-85ea-0242ac110005","cmd_line":"inquiries sept nil","created_time":1722951737021297,"lineage":["barbara flow indiana"],"parent_process":{"pid":98,"session":{"uid":"b2021138-53f9-11ef-a183-0242ac110005","issuer":"boulder candle footwear","created_time":1722951737021699,"is_remote":true},"file":{"name":"bryan.htm","type":"Character Device","path":"fuji collectible creator/describes.tex/bryan.htm","type_id":3,"company_name":"Reagan Vincenza","creator":{"type":"sydney","uid":"b2022628-53f9-11ef-97c3-0242ac110005","type_id":99},"mime_type":"numeric/produces","parent_folder":"fuji collectible creator/describes.tex","modified_time":1722951737022248},"user":{"name":"Inventory","type":"User","groups":[{"name":"drums brisbane belfast","uid":"b2023438-53f9-11ef-b235-0242ac110005"},{"name":"distinction wp inquiries","desc":"subdivision centered matched","uid":"b2023b9a-53f9-11ef-8b76-0242ac110005"}],"type_id":1,"credential_uid":"b20243f6-53f9-11ef-995a-0242ac110005","email_addr":"Salena@tour.coop","uid_alt":"headline press 
postal"},"uid":"b2024b62-53f9-11ef-85ae-0242ac110005","cmd_line":"correlation jd nintendo","created_time":1722951737023185,"xattributes":{}},"terminated_time":1722951737023238}},"file":{"name":"pounds.sdf","type":"footwear","path":"bent hostel listed/knives.fnt/pounds.sdf","product":{"name":"soldier ut outer","version":"1.1.0","uid":"b20268d6-53f9-11ef-8389-0242ac110005","vendor_name":"prototype blog convertible"},"type_id":99,"mime_type":"quit/helen","parent_folder":"bent hostel listed/knives.fnt","hashes":[{"value":"05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA","algorithm":"TLSH","algorithm_id":6},{"value":"EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47","algorithm":"SHA-256","algorithm_id":3}],"modified_time":1722951737024064},"query":{"type":"rrp look city","hostname":"monroe.museum","class":"researcher promotions theaters","opcode_id":3,"packet_uid":42},"connection_info":{"uid":"b2027e84-53f9-11ef-beec-0242ac110005","direction":"Outbound","direction_id":2,"protocol_num":63,"tcp_flags":39},"api":{"request":{"data":"courier","uid":"b2028ac8-53f9-11ef-bcf3-0242ac110005"},"response":{"error":"commissioner kill madness","code":48,"error_message":"whale holdings lol"},"operation":"prophet disabled joel"},"actor":{"process":{"pid":53,"file":{"name":"travel.ico","type":"Regular File","path":"choice estates triple/connecticut.rom/travel.ico","type_id":1,"accessor":{"name":"Japanese","type":"User","type_id":1,"ldap_person":{"hire_time":1722951737025505,"ldap_dn":"essentials incomplete main"},"uid_alt":"cassette dust evidence"},"parent_folder":"choice estates triple/connecticut.rom","confidentiality":"nation fishing 
professional","hashes":[{"value":"DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F","algorithm":"magic","algorithm_id":99},{"value":"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F","algorithm":"CTPH","algorithm_id":5}],"is_system":false,"security_descriptor":"burden authentication flashing"},"user":{"name":"Families","type":"System","domain":"authors subjects animal","uid":"b202b3e0-53f9-11ef-bc91-0242ac110005","groups":[{"name":"graphic university chile","uid":"b202c178-53f9-11ef-b0e0-0242ac110005"},{"name":"departure projects eastern","type":"direct hoping harder","uid":"b202c876-53f9-11ef-99bc-0242ac110005","privileges":["camcorders hazardous occurred","strong wav finland"]}],"type_id":3,"email_addr":"Hugh@vb.aero","ldap_person":{"location":{"desc":"Libyan Arab Jamahiriya","city":"Relaxation depend","country":"LY","coordinates":[72.6769,27.7735],"continent":"Africa"},"manager":{"name":"Titles","type":"System","domain":"many tvs hand","uid":"b202da8c-53f9-11ef-a9a8-0242ac110005","org":{"name":"declare commit gathering","uid":"b202e55e-53f9-11ef-90d3-0242ac110005"},"type_id":3,"credential_uid":"b202eba8-53f9-11ef-a0ef-0242ac110005"},"job_title":"evident gotten tcp","ldap_cn":"ran experiences isolation"}},"uid":"b202f3be-53f9-11ef-9c3b-0242ac110005","cmd_line":"hydrogen reporting ensemble","created_time":1722951737027494,"integrity":"extra dial resolved","parent_process":{"name":"Findings","file":{"name":"crude.sh","owner":{"type":"Admin","uid":"b2031308-53f9-11ef-b2f8-0242ac110005","groups":[{"uid":"b2031cd6-53f9-11ef-b786-0242ac110005"},{"name":"wrap smile durham","uid":"b2032866-53f9-11ef-bf54-0242ac110005","privileges":["preventing security wales","protest membership rs"]}],"type_id":2},"type":"Block Device","path":"hub clarity henderson/mailing.rss/crude.sh","product":{"name":"fund groundwater 
dom","version":"1.1.0","uid":"b2033324-53f9-11ef-ba5b-0242ac110005","feature":{"name":"producer depot financing","version":"1.1.0","uid":"b2033bc6-53f9-11ef-91fe-0242ac110005"},"cpe_name":"oven regulatory dairy","vendor_name":"disney intel antibody"},"type_id":4,"parent_folder":"hub clarity henderson/mailing.rss","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A","algorithm":"TLSH","algorithm_id":6},{"value":"A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183","algorithm":"quickXorHash","algorithm_id":7}],"security_descriptor":"cross organic bookings","xattributes":{}},"user":{"name":"Adjust","domain":"wrong expanding proposal","uid":"b2034c56-53f9-11ef-aed8-0242ac110005","credential_uid":"b203526e-53f9-11ef-9e92-0242ac110005","email_addr":"Gerry@poker.biz"},"uid":"b20358d6-53f9-11ef-939b-0242ac110005","cmd_line":"arrested suits personally","created_time":1722951737030083,"parent_process":{"name":"Poverty","pid":42,"file":{"name":"sad.kml","type":"Unknown","path":"random horse explained/soap.csv/sad.kml","signature":{"digest":{"value":"A24F695AAF92949E2578A874832FF516","algorithm":"MD5","algorithm_id":1},"certificate":{"version":"1.1.0","uid":"b2037334-53f9-11ef-880c-0242ac110005","subject":"delay prairie cents","issuer":"thought loans celebrate","fingerprints":[{"value":"70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802","algorithm":"CTPH","algorithm_id":5},{"value":"054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737030958,"expiration_time":1722951737030965,"serial_number":"concerned arthritis 
beam"},"algorithm":"Authenticode","algorithm_id":4,"developer_uid":"b2038324-53f9-11ef-a9fd-0242ac110005"},"uid":"b2038928-53f9-11ef-93ab-0242ac110005","type_id":0,"accessor":{"name":"Affordable","type":"User","domain":"mill nest ministers","uid":"b2039418-53f9-11ef-ace2-0242ac110005","type_id":1,"full_name":"Thu Dewitt","account":{"name":"provider queensland warranties","type":"AWS Account","uid":"b2039db4-53f9-11ef-ac2d-0242ac110005","type_id":10}},"parent_folder":"random horse explained/soap.csv","hashes":[{"value":"552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6","algorithm":"SHA-256","algorithm_id":3},{"value":"DCF06E858132CA1EDC2384EBDF0200885DD2AC3F","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1722951737031923},"user":{"name":"Continuously","type":"cassette","uid":"b203c596-53f9-11ef-9213-0242ac110005","org":{"name":"vitamins causes lg","uid":"b203cf64-53f9-11ef-a9e6-0242ac110005","ou_name":"most worcester generator"},"type_id":99,"full_name":"Manie Demetra","ldap_person":{"labels":["results","considered"],"deleted_time":1722951737033239,"email_addrs":["Joeann@trials.com","Enrique@zshops.int"],"last_login_time":1722951737033262,"modified_time":1722951737033265}},"tid":39,"uid":"b203dc7a-53f9-11ef-8a2b-0242ac110005","created_time":1722951737033438,"integrity":"Protected","integrity_id":6,"lineage":["arab comparison charlotte","namibia republicans decorative"],"parent_process":{"name":"Labs","pid":22,"session":{"terminal":"signals click categories","uid":"b203f264-53f9-11ef-9ec3-0242ac110005","created_time":1722951737034000,"is_remote":false},"file":{"name":"leaders.ged","type":"anthony","path":"zimbabwe co hyundai/telecom.rom/leaders.ged","type_id":99,"parent_folder":"zimbabwe co 
hyundai/telecom.rom","hashes":[{"value":"FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2","algorithm":"quickXorHash","algorithm_id":7},{"value":"B336DF698D12AC8E54570BA6EA2679F0","algorithm":"MD5","algorithm_id":1}]},"user":{"type":"tears","org":{"name":"bye lenses alabama","uid":"b2040b0a-53f9-11ef-98b5-0242ac110005","ou_name":"antiques compliant tutorial","ou_uid":"b204153c-53f9-11ef-a6ea-0242ac110005"},"type_id":99},"uid":"b2042360-53f9-11ef-9794-0242ac110005","cmd_line":"windsor installed invite","created_time":1722951737035272,"parent_process":{"name":"Asus","pid":64,"session":{"uid":"b2048058-53f9-11ef-8e0f-0242ac110005","uuid":"b20486ca-53f9-11ef-9010-0242ac110005","issuer":"planner providence titles","created_time":1722951737037814,"credential_uid":"b2048dfa-53f9-11ef-8e51-0242ac110005","is_remote":true},"file":{"name":"badge.avi","type":"Unknown","path":"showed conf citizenship/alto.csr/badge.avi","signature":{"certificate":{"version":"1.1.0","subject":"voters crazy chelsea","issuer":"balance rip flags","fingerprints":[{"value":"AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD","algorithm":"CTPH","algorithm_id":5}],"created_time":1722951737038366,"expiration_time":1722951737038371,"serial_number":"generally grande babies"},"algorithm":"RSA","algorithm_id":2,"developer_uid":"b204a4e8-53f9-11ef-a45f-0242ac110005"},"desc":"jersey pod crafts","type_id":0,"mime_type":"minimal/wisconsin","parent_folder":"showed conf citizenship/alto.csr","hashes":[{"value":"5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD","algorithm":"SHA-256","algorithm_id":3},{"value":"1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453","algorithm":"magic","algorithm_id":99}]},"user":{"name":"Churches","type":"User","uid":"b204b8ca-53f9-11ef-ae39-0242ac110005","org":{"name":"asking bookmark 
builders","ou_name":"nightlife fragrance into"},"type_id":1,"account":{"name":"essential wishing wanted","type":"Windows Account","uid":"b204c8ce-53f9-11ef-9832-0242ac110005","type_id":2}},"uid":"b204cf68-53f9-11ef-9210-0242ac110005","loaded_modules":["/condition/tunisia/phillips/accounting/tension.pkg","/argue/aboriginal/connectors/journal/clinic.dcr"],"cmd_line":"dryer thereby reliable","created_time":1722951737039702,"parent_process":{"name":"Multi","pid":51,"file":{"attributes":37,"name":"option.swf","type":"Block Device","path":"associate spas climb/canadian.rar/option.swf","product":{"name":"or dynamic distinguished","version":"1.1.0","path":"weddings competent korea","uid":"b205092e-53f9-11ef-b82a-0242ac110005","lang":"en","vendor_name":"hunt vitamins columns"},"type_id":4,"accessor":{"name":"Finish","type":"System","uid":"b205141e-53f9-11ef-bef4-0242ac110005","groups":[{"name":"tablet drivers broader","domain":"orange says vegetation","uid":"b2051dd8-53f9-11ef-9d88-0242ac110005"},{"name":"rid planets gp","domain":"antique hans ez","uid":"b20524b8-53f9-11ef-bfc7-0242ac110005","privileges":["obesity descriptions paintball"]}],"type_id":3},"parent_folder":"associate spas climb/canadian.rar","hashes":[{"value":"D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1","algorithm":"magic","algorithm_id":99},{"value":"E16704D9E243B23B4F4E557748D6EEF6","algorithm":"MD5","algorithm_id":1}],"security_descriptor":"sentences angela guides"},"user":{"name":"Auditor","domain":"france designer commissioner","uid":"b2053246-53f9-11ef-8f1f-0242ac110005","groups":[{"name":"front license tide","type":"scope nebraska suffered","uid":"b2054b5a-53f9-11ef-b10c-0242ac110005"},{"name":"belts transform phone","type":"ir paul vector","uid":"b2055956-53f9-11ef-bac5-0242ac110005"}]},"cmd_line":"int assets shanghai","created_time":1722951737043210,"integrity":"philip energy traveler","parent_process":{"name":"Auctions","pid":97,"file":{"name":"mainland.sav","type":"Character 
Device","path":"easter advert gregory/briefing.vcd/mainland.sav","uid":"b2057062-53f9-11ef-b33c-0242ac110005","type_id":3,"company_name":"Shay Geoffrey","mime_type":"came/dui","parent_folder":"easter advert gregory/briefing.vcd","hashes":[{"value":"D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"ugly embedded sql"},"user":{"name":"Yahoo","uid":"b20585de-53f9-11ef-a722-0242ac110005"},"uid":"b2058d2c-53f9-11ef-9c93-0242ac110005","cmd_line":"computers qt caribbean","created_time":1722951737044530,"integrity":"classifieds conceptual contest","parent_process":{"name":"Portable","pid":15,"user":{"name":"Camel","type":"System","uid":"b205a618-53f9-11ef-b616-0242ac110005","type_id":3},"uid":"b205ac6c-53f9-11ef-b326-0242ac110005","cmd_line":"letter agencies family","created_time":1722951737045332,"parent_process":{"name":"Weed","pid":38,"file":{"name":"leslie.indd","type":"Symbolic Link","path":"rating malawi ash/ny.bin/leslie.indd","signature":{"certificate":{"version":"1.1.0","subject":"conscious forecasts poland","issuer":"henry recognize short","fingerprints":[{"value":"3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46","algorithm":"TLSH","algorithm_id":6},{"value":"CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2","algorithm":"SHA-1","algorithm_id":2}],"created_time":1722951737046152,"expiration_time":1722951737046157,"serial_number":"number emotional belly"},"algorithm":"weekends","algorithm_id":99},"modifier":{"name":"Measurements","type":"User","uid":"b205d93a-53f9-11ef-97c9-0242ac110005","type_id":1,"ldap_person":{"manager":{"name":"Satisfy","type":"Unknown","domain":"combat mall responded","uid":"b205e8bc-53f9-11ef-b220-0242ac110005","org":{"name":"simulations kelkoo picture","uid":"b205fb4a-53f9-11ef-bcdf-0242ac110005","ou_name":"ntsc tab 
er"},"type_id":0},"cost_center":"believed defeat workout","given_name":"country medicine susan","job_title":"minister hugh opponent"}},"type_id":7,"accessor":{"name":"Differential","type":"User","domain":"second heaven reg","uid":"b2060720-53f9-11ef-b3d3-0242ac110005","type_id":1,"email_addr":"Iliana@easter.jobs"},"creator":{"type":"Admin","uid":"b206126a-53f9-11ef-bcf1-0242ac110005","type_id":2,"full_name":"Zelma Brady","credential_uid":"b2061990-53f9-11ef-92d2-0242ac110005"},"parent_folder":"rating malawi ash/ny.bin","hashes":[{"value":"80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C","algorithm":"TLSH","algorithm_id":6},{"value":"2FACE219B9E0ACE4E7841FB7019D658D","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737048171},"user":{"name":"Smoking","type":"Admin","uid":"b20633f8-53f9-11ef-84d6-0242ac110005","groups":[{"name":"lyric cent failure","uid":"b2063dc6-53f9-11ef-be9b-0242ac110005"},{"name":"tests australian manufacturing","domain":"indonesia performances dispute","uid":"b20644a6-53f9-11ef-88ec-0242ac110005"}],"type_id":2},"uid":"b2064a96-53f9-11ef-9a3a-0242ac110005","cmd_line":"abandoned plaintiff consult","created_time":1722951737049379,"parent_process":{"name":"Shore","pid":47,"file":{"name":"grip.py","type":"Regular File","path":"travesti promotes incentives/ask.c/grip.py","type_id":1,"accessor":{"name":"Composition","type":"Unknown","uid":"b206ba3a-53f9-11ef-8d45-0242ac110005","type_id":0,"account":{"type":"Unknown","uid":"b206dd4e-53f9-11ef-8a0d-0242ac110005","type_id":0}},"parent_folder":"travesti promotes incentives/ask.c","accessed_time":1722951737053129,"confidentiality":"scholarships introducing scientific","modified_time":1722951737053154},"user":{"name":"Indicators","org":{"name":"assisted difficulty submit","uid":"b206eb0e-53f9-11ef-93f9-0242ac110005","ou_name":"hazardous oracle 
array","ou_uid":"b206f194-53f9-11ef-98e9-0242ac110005"},"uid_alt":"significant beverages mail"},"uid":"b206f84c-53f9-11ef-b820-0242ac110005","cmd_line":"age ratings employees","lineage":["gauge exists gmbh","ieee drawing bat"],"parent_process":{"name":"Vb","pid":42,"file":{"name":"hereby.txt","type":"Unknown","path":"alumni broad whatever/editing.dat/hereby.txt","type_id":0,"parent_folder":"alumni broad whatever/editing.dat","hashes":[{"value":"0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794","algorithm":"SHA-512","algorithm_id":4},{"value":"8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"fuel horses cialis"},"uid":"b2071688-53f9-11ef-9e48-0242ac110005","cmd_line":"stuart notify nc","created_time":1722951737054600,"integrity":"argument historic decision","lineage":["gathered then container"],"parent_process":{"name":"Protect","pid":69,"file":{"name":"animation.wsf","size":668783954,"type":"Unknown","path":"action cheats collective/day.dll/animation.wsf","product":{"name":"assessed delete infection","version":"1.1.0","uid":"b2073b5e-53f9-11ef-89e3-0242ac110005","url_string":"indigenous","vendor_name":"perhaps weak mattress"},"uid":"b20742b6-53f9-11ef-b089-0242ac110005","type_id":0,"company_name":"Kay Hugo","parent_folder":"action cheats collective/day.dll","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA","algorithm":"quickXorHash","algorithm_id":7}]},"user":{"name":"Nike","type":"Unknown","uid":"b207597c-53f9-11ef-bb63-0242ac110005","type_id":0,"ldap_person":{"office_location":"signing equations keith"},"uid_alt":"earthquake race 
promises"},"tid":76,"uid":"b2076714-53f9-11ef-8876-0242ac110005","cmd_line":"accurate revenue def","created_time":1722951737056663,"integrity":"Medium","integrity_id":3,"lineage":["guidance rider vanilla","ambient glow well"]}}},"terminated_time":1722951737056691}},"xattributes":{}}},"terminated_time":1722951737056729},"terminated_time":1722951737056732}},"sandbox":"participants safer outlets"}},"user":{"uid":"b207743e-53f9-11ef-b930-0242ac110005","org":{"name":"martial makers bras","uid":"b2077cea-53f9-11ef-98a2-0242ac110005","ou_name":"announced plastic serial"},"credential_uid":"b20785dc-53f9-11ef-9a4e-0242ac110005"},"authorizations":[{},{"decision":"ssl meaning excellence"}]},"dst_endpoint":{"name":"bouquet observations flashing","port":47351,"type":"Desktop","os":{"name":"reductions loans null","type":"Unknown","type_id":0,"sp_name":"cloud heat faith"},"domain":"developer resistance cove","ip":"41.251.197.63","location":{"desc":"Angola, Republic of","city":"Extras separated","country":"AO","coordinates":[-51.2157,-88.1173],"continent":"Africa"},"hostname":"brakes.travel","uid":"b207abc0-53f9-11ef-984e-0242ac110005","type_id":2,"interface_name":"responsible ips bits","interface_uid":"b207b336-53f9-11ef-992b-0242ac110005","intermediate_ips":["43.42.170.135","161.178.9.23"],"proxy_endpoint":{"name":"ray maximum theology","port":59643,"type":"Firewall","ip":"128.28.111.51","hostname":"upcoming.biz","uid":"b207c466-53f9-11ef-9061-0242ac110005","type_id":9,"instance_uid":"b207cc90-53f9-11ef-ace5-0242ac110005","interface_name":"acts unavailable caught","interface_uid":"b207d4ec-53f9-11ef-a2a8-0242ac110005","svc_name":"xi marketplace productivity"},"svc_name":"motorcycle cnn eh"},"src_endpoint":{"name":"clerk massive hints","port":3366,"type":"Server","ip":"135.11.251.187","uid":"b207e1c6-53f9-11ef-bd79-0242ac110005","mac":"E3:9B:50:54:D4:43:80:D1","type_id":1,"instance_uid":"b207ec52-53f9-11ef-870e-0242ac110005","interface_name":"sale cut 
divided","interface_uid":"b207f38c-53f9-11ef-af93-0242ac110005","intermediate_ips":["141.220.224.128","133.184.5.152"],"svc_name":"princess realize wax"}}],"finding_info":{"title":"cocktail graphics controlled","uid":"b200a0e6-53f9-11ef-a714-0242ac110005","analytic":{"name":"shirts deutsche times","type":"Statistical","uid":"b200b234-53f9-11ef-88a2-0242ac110005","type_id":3},"first_seen_time":1722951737012703,"kill_chain":[{"phase":"Unknown","phase_id":0}],"related_events":[{"uid":"b200c6ca-53f9-11ef-88d3-0242ac110005","type_uid":1760088869}]},"risk_level":"Low","risk_level_id":1,"severity_id":2,"status_id":3} +{"message":"areas cw visa","status":"Unknown","time":1723016984120626,"metadata":{"version":"1.1.0","product":{"name":"cn caused bonus","version":"1.1.0","feature":{"version":"1.1.0","uid":"9c4f2a4a-5491-11ef-80d2-0242ac110005"},"vendor_name":"contains most val"},"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"fit grey earned","log_provider":"fragrances reducing respected","original_time":"pointed creating triangle","tenant_uid":"9c4f3792-5491-11ef-ba7c-0242ac110005"},"severity":"Medium","type_name":"Compliance Finding: Close","activity_id":3,"type_uid":200303,"category_name":"Findings","class_uid":2003,"category_uid":2,"class_name":"Compliance Finding","timezone_offset":98,"activity_name":"Close","cloud":{"provider":"video protected tea","region":"kent shakespeare marker","zone":"arrested turkey actual"},"compliance":{"control":"verse calculator changed","status":"Pass","standards":["juice sally violations","facility volume savannah"],"status_id":1},"confidence_id":0,"finding_info":{"title":"disappointed ghz egyptian","uid":"9c4ee378-5491-11ef-a51e-0242ac110005","attacks":[{"version":"12.1","tactics":[{"name":"Defense Evasion The adversary is trying to avoid being detected.","uid":"TA0005"}],"technique":{"name":"Pass the 
Ticket","uid":"T1097"}}],"analytic":{"name":"connection stones velocity","type":"Unknown","uid":"9c4f1398-5491-11ef-9918-0242ac110005","type_id":0},"src_url":"country","modified_time_dt":"2024-08-07T07:49:44.119423Z","first_seen_time_dt":"2024-08-07T07:49:44.119443Z"},"remediation":{"desc":"rw wt gives"},"severity_id":3,"status_id":0}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
index c7a86b71f609..dad757959830 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
@@ -338,7 +338,7 @@
 "tenant_uid": "c6afe64e-4e4c-11ef-bcf9-0242ac110005",
 "version": "1.1.0"
 },
- "resource": {
+ "resources": {
 "group": {
 "name": "resorts looking issues"
 },
@@ -346,7 +346,7 @@
 "owner": {
 "name": "Dude",
 "type": "Admin",
- "type_id": "2",
+ "type_id": 2,
 "uid": "c6b0192a-4e4c-11ef-90f9-0242ac110005",
 "uid_alt": "recommendation highs equipped"
 },
@@ -1638,6 +1638,127 @@ "paper", "james" ] + }, + { + "@timestamp": "+56570-03-27T04:55:20.626Z", + "cloud": { + "availability_zone": "arrested turkey actual", + "provider": "video protected tea", + "region": "kent shakespeare marker" + }, + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "close", + "kind": "alert", + "original": "{\"message\":\"areas cw visa\",\"status\":\"Unknown\",\"time\":1723016984120626,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"cn caused bonus\",\"version\":\"1.1.0\",\"feature\":{\"version\":\"1.1.0\",\"uid\":\"9c4f2a4a-5491-11ef-80d2-0242ac110005\"},\"vendor_name\":\"contains most val\"},\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"fit grey earned\",\"log_provider\":\"fragrances reducing respected\",\"original_time\":\"pointed creating triangle\",\"tenant_uid\":\"9c4f3792-5491-11ef-ba7c-0242ac110005\"},\"severity\":\"Medium\",\"type_name\":\"Compliance Finding: Close\",\"activity_id\":3,\"type_uid\":200303,\"category_name\":\"Findings\",\"class_uid\":2003,\"category_uid\":2,\"class_name\":\"Compliance Finding\",\"timezone_offset\":98,\"activity_name\":\"Close\",\"cloud\":{\"provider\":\"video protected tea\",\"region\":\"kent shakespeare marker\",\"zone\":\"arrested turkey actual\"},\"compliance\":{\"control\":\"verse calculator changed\",\"status\":\"Pass\",\"standards\":[\"juice sally violations\",\"facility volume savannah\"],\"status_id\":1},\"confidence_id\":0,\"finding_info\":{\"title\":\"disappointed ghz egyptian\",\"uid\":\"9c4ee378-5491-11ef-a51e-0242ac110005\",\"attacks\":[{\"version\":\"12.1\",\"tactics\":[{\"name\":\"Defense Evasion The adversary is trying to avoid being detected.\",\"uid\":\"TA0005\"}],\"technique\":{\"name\":\"Pass the 
Ticket\",\"uid\":\"T1097\"}}],\"analytic\":{\"name\":\"connection stones velocity\",\"type\":\"Unknown\",\"uid\":\"9c4f1398-5491-11ef-9918-0242ac110005\",\"type_id\":0},\"src_url\":\"country\",\"modified_time_dt\":\"2024-08-07T07:49:44.119423Z\",\"first_seen_time_dt\":\"2024-08-07T07:49:44.119443Z\"},\"remediation\":{\"desc\":\"rw wt gives\"},\"severity_id\":3,\"status_id\":0}", + "outcome": "unknown", + "provider": "fragrances reducing respected", + "severity": 3, + "type": [ + "info" + ] + }, + "message": "areas cw visa", + "ocsf": { + "activity_id": "3", + "activity_name": "Close", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "provider": "video protected tea", + "region": "kent shakespeare marker", + "zone": "arrested turkey actual" + }, + "compliance": { + "control": "verse calculator changed", + "standards": [ + "juice sally violations", + "facility volume savannah" + ], + "status": "Pass", + "status_id": 1 + }, + "confidence_id": "0", + "finding_info": { + "analytic": { + "name": "connection stones velocity", + "type": "Unknown", + "type_id": 0, + "uid": "9c4f1398-5491-11ef-9918-0242ac110005" + }, + "attacks": [ + { + "tactics": [ + { + "name": "Defense Evasion The adversary is trying to avoid being detected.", + "uid": "TA0005" + } + ], + "technique": { + "name": "Pass the Ticket", + "uid": "T1097" + }, + "version": "12.1" + } + ], + "first_seen_time_dt": "2024-08-07T07:49:44.119443Z", + "modified_time_dt": "2024-08-07T07:49:44.119423Z", + "src_url": "country", + "title": "disappointed ghz egyptian", + "uid": "9c4ee378-5491-11ef-a51e-0242ac110005" + }, + "message": "areas cw visa", + "metadata": { + "log_name": "fit grey earned", + "log_provider": "fragrances reducing respected", + "original_time": "pointed creating triangle", + "product": { + "feature": { + "uid": "9c4f2a4a-5491-11ef-80d2-0242ac110005", + "version": "1.1.0" + }, + "name": "cn caused bonus", + "vendor_name": 
"contains most val",
+ "version": "1.1.0"
+ },
+ "profiles": [
+ "cloud",
+ "container",
+ "datetime",
+ "host",
+ "linux/linux_users",
+ "load_balancer",
+ "network_proxy",
+ "security_control"
+ ],
+ "tenant_uid": "9c4f3792-5491-11ef-ba7c-0242ac110005",
+ "version": "1.1.0"
+ },
+ "remediation": {
+ "desc": "rw wt gives"
+ },
+ "severity": "Medium",
+ "severity_id": 3,
+ "status": "Unknown",
+ "status_id": "0",
+ "time": "+56570-03-27T04:55:20.626Z",
+ "timezone_offset": 98,
+ "type_name": "Compliance Finding: Close",
+ "type_uid": "200303"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json
index 4db5c308ab38..ee700160f6ba 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json
@@ -392,7 +392,7 @@
 "privileges": [
 "returned funeral cave"
 ],
- "resource": {
+ "resources": {
 "group": {
 "name": "then nevada berkeley",
 "uid": "c52f1e24-6424-11ee-af05-0242ac110005"
@@ -402,7 +402,7 @@
 "email_addr": "Art@his.name",
 "name": "Fatty",
 "type": "forecast",
- "type_id": "99",
+ "type_id": 99,
 "uid": "c52f060a-6424-11ee-b378-0242ac110005"
 }
 },
@@ -426,10 +426,7 @@
 "related": {
 "user": [
 "c52f5236-6424-11ee-9c16-0242ac110005",
- "Dd",
- "Art@his.name",
- "Fatty",
- "c52f060a-6424-11ee-b378-0242ac110005"
+ "Dd"
 ]
 },
 "tags": [
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index effd08184a1d..d592bbe3473d 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
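Review bot: The new expected document pins `"@timestamp": "+56570-03-27T04:55:20.626Z"` (and the same value under `ocsf.time`), which means the sample's `"time":1723016984120626` was parsed as epoch milliseconds although it is a microsecond value; it corresponds to 2024-08-07T07:49:44.120626Z, in line with the event's own `first_seen_time_dt` of 2024-08-07T07:49:44.119443Z. Committing that expectation locks a wrong timestamp into the regression test, and anything keyed on `@timestamp` (retention, correlation windows, alert timelines) would misplace such events. Either change the sample to a millisecond `time` (OCSF specifies `time` in milliseconds) or make the date handling tolerate 16-digit values; the processor that produces `@timestamp` is not part of this diff.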
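Review bot: The `related.user` array in the new expected output loses `Art@his.name`, `Fatty` and `c52f060a-6424-11ee-b378-0242ac110005`, which are the owner email, name and uid of the same document's `ocsf.resources.owner` shown in the preceding hunk, leaving only `c52f5236-...` and `Dd`. That looks like the ECS enrichment still reading the old `ocsf.resource.owner.*` path after the rename rather than a deliberate drop, and `related.user` is the field analysts pivot on when tracing a principal across sources. If the drop is intended it should be stated in the changelog; otherwise the processor that appends to `related.user` (outside this diff) needs to follow the `resources` rename and this expectation regenerated.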
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -20,6 +20,12 @@ processors:
 - append:
 field: error.message
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: ocsf.resource
+ target_field: ocsf.resources
+ tag: rename_resource_to_resources
+ ignore_missing: true
+ if : ctx.ocsf?.resources == null
 - convert:
 field: ocsf.class_uid
 tag: convert_class_uid_to_string
@@ -693,7 +699,7 @@ processors:
 ignore_missing: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_actor" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
 tag: pipeline_object_actor
 ignore_missing_pipeline: true
 - pipeline:
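Review bot: The `rename` of `ocsf.resource` is skipped whenever `ocsf.resources` is already present, so a document carrying both keeps an `ocsf.resource` object that no longer has a field definition after this commit (resource-fields.yml now declares `resources`), and nothing records that it was ignored. If the two keys can never co-occur, a one-line comment above the processor saying so would settle it; otherwise follow it with `- remove:` / `field: ocsf.resource` / `if: ctx.ocsf?.resource != null && ctx.ocsf?.resources != null` (or append a note to `error.message`) so the leftover is visible. Separately, `if : ctx.ocsf?.resources == null` has a space before the colon; write `if: ctx.ocsf?.resources == null` to match the other processors in this pipeline.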
@@ -708,7 +714,7 @@ processors:
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_device" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
 tag: pipeline_object_device
 ignore_missing_pipeline: true
 - pipeline:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index bff6f86ceed4..10fea51944b4 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -452,16 +452,29 @@
 description: The list of responses to the FTP command.
 - name: compliance
 type: group
+ description: The compliance object provides context to compliance findings.
 fields:
- - name: status_detail
+ - name: control
 type: keyword
- description: The status details contains additional information about the event outcome.
+ description: A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.
 - name: requirements
 type: keyword
- description: A list of applicable compliance requirements for which this finding is related to.
+ description: A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10.
+ - name: standards
+ type: keyword
+ description: Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001.
 - name: status
 type: keyword
- description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ description: The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ - name: status_code
+ type: keyword
+ description: The resultant status code of the compliance check.
+ - name: status_detail
+ type: text
+ description: The contextual description of the status, status_code values.
+ - name: status_id
+ type: integer
+ description: The normalized status identifier of the compliance check.
 - name: comment
 type: keyword
 description: The user provided comment about why the entity was changed.
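Review bot: `status_detail` changes from `keyword` to `text` and `status_id` is declared `integer` here, while the top-level `ocsf.status_id` is emitted as a string (the new findings expected output has `"status_id": "0"` beside `compliance.status_id: 1`), so one document now mixes two `*_id` conventions and the `keyword`→`text` switch silently breaks exact-match filters and aggregations on `ocsf.compliance.status_detail`. The identical hunk appears in findings/fields/fields.yml. If `text` is intended, consider keeping a keyword `multi_fields` entry on `status_detail`, and call both type changes out as breaking in the changelog entry for this release.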
@@ -3215,6 +3228,21 @@
 - name: uid
 type: keyword
 description: The unique identifier for the network interface.
+ - name: remediation
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the remediation strategy.
+ - name: kb_articles
+ type: keyword
+ description: The KB article/s related to the entity.
+ - name: kb_article_list
+ type: flattened
+ description: A list of KB articles or patches related to an endpoint.
+ - name: references
+ type: keyword
+ description: A list of supporting URL/s, references that help describe the remediation strategy.
 - name: remote_display
 type: group
 fields:
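Review bot: The new `remediation` group has no `description`, unlike the `compliance` group extended earlier in this file, and `kb_articles` next to `kb_article_list` reads as two spellings of one thing with no hint of the difference. Suggest `description: The remediation object describes the recommended steps and supporting material for addressing the finding.` on the group, and a sentence on `kb_article_list` stating that it holds structured article objects (which is presumably why it is `flattened`) while `kb_articles` is the plain list of identifiers, if that is the intent. The corresponding hunk in findings/fields/fields.yml runs past the end of this chunk.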
@@ -3245,138 +3273,6 @@ - name: requested_permissions type: long description: The permissions mask that were requested by the process. - - name: resources - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: ldap_person - type: flattened - description: The LDAP person object. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
- - name: region
- type: keyword
- description: The cloud region of the resource.
- - name: namespace
- type: keyword
- description: The namespace is useful when similar entities exist that you need to keep separate.
- - name: type
- type: keyword
- description: The resource type as defined by the event source.
- - name: uid
- type: keyword
- description: The unique identifier of the resource.
- - name: version
- type: keyword
- description: The version of the resource. For example 1.2.3.
 - name: response
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml
index 8882a3b585e4..7b751ea16a07 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml
@@ -1,7 +1,7 @@
 - name: ocsf
 type: group
 fields:
- - name: resource
+ - name: resources
 type: group
 fields:
 - name: cloud_partition
@@ -13,9 +13,6 @@
 - name: data
 type: flattened
 description: Additional data describing the resource.
- - name: namespace
- type: keyword
- description: The resource namespace.
 - name: group
 type: group
 fields:
@@ -40,6 +37,9 @@
 - name: name
 type: keyword
 description: The name of the resource.
+ - name: namespace
+ type: keyword
+ description: The namespace is useful when similar entities exist that you need to keep separate.
 - name: owner
 type: group
 fields:
@@ -53,7 +53,7 @@
 type: keyword
 description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
 - name: type_id
- type: keyword
+ type: integer
 description: The normalized account type identifier.
 - name: uid
 type: keyword
@@ -85,9 +85,15 @@
 - name: type
 type: keyword
 description: The type of the group or account.
+ - name: type_id
+ type: integer
+ description: The resource group type identifier.
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -110,7 +116,7 @@
 type: keyword
 description: The type of the user. For example, System, AWS IAM User, etc.
 - name: type_id
- type: keyword
+ type: integer
 description: The account type identifier.
 - name: uid
 type: keyword
@@ -124,6 +130,9 @@
 - name: type
 type: keyword
 description: The resource type as defined by the event source.
+ - name: type_id
+ type: integer
+ description: The resource type identifier.
 - name: uid
 type: keyword
 description: The unique identifier of the resource.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index 2bafa210c63a..b3adede99925 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
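Review bot: The `type_id` added in the first hunk is described as `The resource group type identifier.`, but the neighbouring fields (`uid` "The unique identifier of the group", then `ldap_person` and `name` "The username") place it inside the owner user's `groups` entry, so it names a user-group type rather than a resource group; `description: The normalized group type identifier.` would be accurate, though the `groups` key itself sits above this hunk. Across the three hunks of this file `type_id` also switches from `keyword` to `integer`, which changes the mapping type for anyone with existing backing indices and should be listed as a breaking change in the changelog entry for this release.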
@@ -200,16 +200,29 @@
 description: The availability zone in the cloud region, as defined by the cloud provider.
 - name: compliance
 type: group
+ description: The compliance object provides context to compliance findings.
 fields:
- - name: status_detail
+ - name: control
 type: keyword
- description: The status details contains additional information about the event outcome.
+ description: A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.
 - name: requirements
 type: keyword
- description: A list of applicable compliance requirements for which this finding is related to.
+ description: A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10.
+ - name: standards
+ type: keyword
+ description: Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001.
 - name: status
 type: keyword
- description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ description: The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
+ - name: status_code
+ type: keyword
+ description: The resultant status code of the compliance check.
+ - name: status_detail
+ type: text
+ description: The contextual description of the status, status_code values.
+ - name: status_id
+ type: integer
+ description: The normalized status identifier of the compliance check.
 - name: confidence
 type: keyword
 description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
@@ -504,143 +517,26 @@ - name: value type: keyword description: The value associated with the observable attribute. - - name: raw_data - type: flattened - description: The event data as received from the event source. - - name: raw_data_keyword - type: keyword - - name: resources + - name: remediation type: group fields: - - name: cloud_partition + - name: desc type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality + description: The description of the remediation strategy. + - name: kb_articles type: keyword - description: The criticality of the resource as defined by the event source. - - name: data + description: The KB article/s related to the entity. + - name: kb_article_list type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: ldap_person - type: flattened - description: The LDAP person object. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. 
- - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: namespace - type: keyword - description: The namespace is useful when similar entities exist that you need to keep separate. - - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version + description: A list of KB articles or patches related to an endpoint. + - name: references type: keyword - description: The version of the resource. For example 1.2.3. + description: A list of supporting URL/s, references that help describe the remediation strategy. + - name: raw_data + type: flattened + description: The event data as received from the event source. + - name: raw_data_keyword + type: keyword - name: risk_level type: keyword description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. @@ -698,4 +594,3 @@ - name: unmapped type: flattened description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. - diff --git a/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml new file mode 100644 index 000000000000..7b751ea16a07 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml 
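Review bot: The new `remediation.kb_article_list` is mapped as `flattened`, which stores every leaf value as a keyword, so any numeric, boolean or timestamp attributes inside the KB article objects can only be matched exactly, never range-filtered or sorted; if analysts need those sub-fields, map the object explicitly instead. The same caveat applies to `raw_data`, which this hunk only relocates. I read the large removal of the `resources` block as a move into the new `resource-fields.yml` in this same change rather than a drop, but stating that in the commit message would keep the deletion from being mistaken for a mapping regression. A short comment above the group, e.g. `# Remediation object: kb_articles is the plain string list, kb_article_list the structured KB Article object`, would also explain why both variants are mapped, assuming that mirrors the upstream schema.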
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: integer + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: integer + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml index 8882a3b585e4..7b751ea16a07 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml @@ -1,7 +1,7 @@ - name: ocsf type: group fields: - - name: resource + - name: resources type: group fields: - name: cloud_partition @@ -13,9 +13,6 @@ - name: data type: flattened description: Additional data describing the resource. - - name: namespace - type: keyword - description: The resource namespace. - name: group type: group fields: @@ -40,6 +37,9 @@ - name: name type: keyword description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. - name: owner type: group fields: @@ -53,7 +53,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: keyword + type: integer description: The normalized account type identifier. - name: uid type: keyword 
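Review bot: In the new `findings/fields/resource-fields.yml`, `resources.group` is mapped without `type_id` while `resources.owner.groups` gets `type_id: integer`, although both represent the same group object; whichever matches the target OCSF version, the two should agree, either by adding `- name: type_id` / `type: integer` under `group` as well or by dropping it from `owner.groups`. The description on `owner.groups.type_id`, "The resource group type identifier.", also names the wrong object, since under the owner it is the user's group, so `description: The group type identifier.` is more accurate. I cannot confirm from this chunk that the group object carries `type_id` in the schema version being targeted, so that is worth checking against the upstream definition before propagating it.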
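Review bot: Renaming the iam mapping root from `resource` to `resources` in the `@@ -1,7 +1,7 @@` hunk removes every `ocsf.resource.*` field from that data stream, so saved searches, dashboards or detection rules filtering on those paths stop matching, and any event still carrying a singular `resource` attribute is no longer mapped at all. Nothing in this chunk shows the iam ingest pipeline or its test fixtures moving the incoming attribute to `resources`, so that should be confirmed with an expected-output sample that contains a resource. Since this is a breaking field rename it should also be listed as such in the changelog.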
@@ -85,9 +85,15 @@ - name: type type: keyword description: The type of the group or account. + - name: type_id + type: integer + description: The resource group type identifier. - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. - name: name type: keyword description: The username. For example, janedoe1. @@ -110,7 +116,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: keyword + type: integer description: The account type identifier. - name: uid type: keyword @@ -124,6 +130,9 @@ - name: type type: keyword description: The resource type as defined by the event source. + - name: type_id + type: integer + description: The resource type identifier. - name: uid type: keyword description: The unique identifier of the resource. diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index ba3bb4174747..2a8e28231431 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
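Review bot: `ldap_person` is added as `flattened`, which maps every attribute of the LDAP person object as a keyword; if it carries timestamps or numeric values they will not be queryable as dates or ranges, so consider mapping the commonly queried sub-fields explicitly and leaving `flattened` only for the remainder. The `type_id` added alongside it in the first hunk belongs to the owner's `groups` (the next context lines are `ldap_person` and `name: The username.`), so `description: The group type identifier.` describes it better than "resource group". The `keyword` to `integer` switches in the other two hunks change the type of fields that already exist in shipped indices and will surface as data-view conflicts until the old backing indices roll over, which is worth noting in the changelog.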
@@ -675,9 +675,13 @@ This is the `Event` dataset. | ocsf.command | The command name. | keyword | | ocsf.command_responses | The list of responses to the FTP command. | keyword | | ocsf.comment | The user provided comment about why the entity was changed. | keyword | -| ocsf.compliance.requirements | A list of applicable compliance requirements for which this finding is related to. | keyword | -| ocsf.compliance.status | The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.compliance.status_detail | The status details contains additional information about the event outcome. | keyword | +| ocsf.compliance.control | A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls. | keyword | +| ocsf.compliance.requirements | A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10. | keyword | +| ocsf.compliance.standards | Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001. | keyword | +| ocsf.compliance.status | The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword | +| ocsf.compliance.status_code | The resultant status code of the compliance check. | keyword | +| ocsf.compliance.status_detail | The contextual description of the status, status_code values. | text | +| ocsf.compliance.status_id | The normalized status identifier of the compliance check. | integer | | ocsf.component | The name or relative pathname of a sub-component of the data object, if applicable. 
| keyword | | ocsf.confidence | The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.confidence_id | The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. | keyword | @@ -1705,6 +1709,10 @@ This is the `Event` dataset. | ocsf.relay.type | The type of network interface. | keyword | | ocsf.relay.type_id | The network interface type identifier. | keyword | | ocsf.relay.uid | The unique identifier for the network interface. | keyword | +| ocsf.remediation.desc | The description of the remediation strategy. | keyword | +| ocsf.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened | +| ocsf.remediation.kb_articles | The KB article/s related to the entity. | keyword | +| ocsf.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | | ocsf.remote_display.color_depth | The numeric color depth. | long | | ocsf.remote_display.physical_height | The numeric physical height of display. | long | | ocsf.remote_display.physical_orientation | The numeric physical orientation of display. | long | 
@@ -1713,43 +1721,6 @@ This is the `Event` dataset. | ocsf.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | date | | ocsf.request.uid | The unique request identifier. | keyword | | ocsf.requested_permissions | The permissions mask that were requested by the process. | long | -| ocsf.resource.cloud_partition | The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov). | keyword | -| ocsf.resource.criticality | The criticality of the resource as defined by the event source. | keyword | -| ocsf.resource.data | Additional data describing the resource. | flattened | -| ocsf.resource.group.desc | The group description. | keyword | -| ocsf.resource.group.name | The group name. | keyword | -| ocsf.resource.group.privileges | The group privileges. | keyword | -| ocsf.resource.group.type | The type of the group or account. | keyword | -| ocsf.resource.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.resource.labels | The list of labels/tags associated to a resource. | keyword | -| ocsf.resource.name | The name of the resource. | keyword | -| ocsf.resource.namespace | The resource namespace. | keyword | -| ocsf.resource.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | -| ocsf.resource.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.resource.owner.account.type_id | The normalized account type identifier. | keyword | -| ocsf.resource.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | -| ocsf.resource.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. 
| keyword | -| ocsf.resource.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | -| ocsf.resource.owner.email_addr | The user's email address. | keyword | -| ocsf.resource.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | -| ocsf.resource.owner.groups.desc | The group description. | keyword | -| ocsf.resource.owner.groups.name | The group name. | keyword | -| ocsf.resource.owner.groups.privileges | The group privileges. | keyword | -| ocsf.resource.owner.groups.type | The type of the group or account. | keyword | -| ocsf.resource.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.resource.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.resource.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.resource.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.resource.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.resource.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | -| ocsf.resource.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.resource.owner.type_id | The account type identifier. | keyword | -| ocsf.resource.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | -| ocsf.resource.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | -| ocsf.resource.region | The cloud region of the resource. 
| keyword | -| ocsf.resource.type | The resource type as defined by the event source. | keyword | -| ocsf.resource.uid | The unique identifier of the resource. | keyword | -| ocsf.resource.version | The version of the resource. For example 1.2.3. | keyword | | ocsf.resources.cloud_partition | The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov). | keyword | | ocsf.resources.criticality | The criticality of the resource as defined by the event source. | keyword | | ocsf.resources.data | Additional data describing the resource. | flattened | @@ -1763,7 +1734,7 @@ This is the `Event` dataset. | ocsf.resources.namespace | The namespace is useful when similar entities exist that you need to keep separate. | keyword | | ocsf.resources.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.resources.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.resources.owner.account.type_id | The normalized account type identifier. | keyword | +| ocsf.resources.owner.account.type_id | The normalized account type identifier. | integer | | ocsf.resources.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.resources.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.resources.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -1773,6 +1744,7 @@ This is the `Event` dataset. | ocsf.resources.owner.groups.name | The group name. | keyword | | ocsf.resources.owner.groups.privileges | The group privileges. | keyword | | ocsf.resources.owner.groups.type | The type of the group or account. | keyword | +| ocsf.resources.owner.groups.type_id | The resource group type identifier. | integer | | ocsf.resources.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.resources.owner.ldap_person | The LDAP person object. | flattened | | ocsf.resources.owner.name | The username. For example, janedoe1. | keyword | 
@@ -1781,11 +1753,12 @@ This is the `Event` dataset. | ocsf.resources.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | | ocsf.resources.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | | ocsf.resources.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.resources.owner.type_id | The account type identifier. | keyword | +| ocsf.resources.owner.type_id | The account type identifier. | integer | | ocsf.resources.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.resources.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.resources.region | The cloud region of the resource. | keyword | | ocsf.resources.type | The resource type as defined by the event source. | keyword | +| ocsf.resources.type_id | The resource type identifier. | integer | | ocsf.resources.uid | The unique identifier of the resource. | keyword | | ocsf.resources.version | The version of the resource. For example 1.2.3. | keyword | | ocsf.response.code | The numeric response sent to a request. | long | From 03b509912c38455a1e26683de6c1f4ddec5d83da Mon Sep 17 00:00:00 2001 
From: Shourie Ganguly Date: Wed, 7 Aug 2024 18:04:24 +0530 Subject: [PATCH 15/30] segregated and expanded api object across all data streams, added support for incitent findings event class --- .../fields/api-fields.yml | 154 ++++++++++ .../application_activity/fields/fields.yml | 51 --- .../discovery/fields/api-fields.yml | 154 ++++++++++ .../data_stream/discovery/fields/fields.yml | 51 --- .../_dev/test/pipeline/test-findings.log | 1 + .../pipeline/test-findings.log-expected.json | 290 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 20 +- .../data_stream/event/fields/api-fields.yml | 154 ++++++++++ .../data_stream/event/fields/fields.yml | 51 --- .../data_stream/event/fields/misc-fields.yml | 30 ++ .../findings/fields/api-fields.yml | 154 ++++++++++ .../findings/fields/assignee-fields.yml | 254 +++++++++++++++ .../data_stream/findings/fields/fields.yml | 83 +++-- .../data_stream/iam/fields/api-fields.yml | 154 ++++++++++ .../data_stream/iam/fields/fields.yml | 51 --- .../network_activity/fields/api-fields.yml | 154 ++++++++++ .../network_activity/fields/fields.yml | 51 --- .../system_activity/fields/api-fields.yml | 154 ++++++++++ .../system_activity/fields/fields.yml | 51 --- packages/amazon_security_lake/docs/README.md | 46 ++- 20 files changed, 1743 insertions(+), 365 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml create mode 100644 
packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml 
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 08b9eaab391d..60cd8163bb19 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml 
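Review bot: `containers.size` (under both `request` and `response`) is mapped as `integer`, but container image sizes in bytes routinely exceed 2,147,483,647, and Elasticsearch refuses to index a document whose value is out of range for a 32-bit field, so such events would fail to index; use `type: long` for both occurrences. `error_message` and `message` also move from the `keyword` they had in the old inline `api` block to `text`, which removes the ability to aggregate or filter on exact values and will conflict with existing indices in the data view; if free-text search is wanted, a `keyword` mapping with a `text` multi-field keeps both. The same blob is added for the other data streams (same index hash), so the fixes apply to each copy.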
@@ -7,57 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: app type: group fields: diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml 
@@ -0,0 +1,154 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: api
+ type: group
+ description: Describes details about a typical API (Application Programming Interface) call.
+ fields:
+ - name: operation
+ type: keyword
+ description: Verb/Operation associated with the request.
+ - name: group
+ type: group
+ description: The information pertaining to the API group.
+ fields:
+ - name: desc
+ type: text
+ description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: request
+ type: group
+ description: Details pertaining to the API request.
+ fields:
+ - name: uid
+ type: keyword
+ description: The unique request identifier.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api request.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: response
+ type: group
+ description: Details pertaining to the API response.
+ fields:
+ - name: code
+ type: integer
+ description: The numeric response sent to a request.
+ - name: containers
+ type: group
+ description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver.
+ fields:
+ - name: hash
+ type: flattened
+ description: Commit hash of image created for docker or the SHA256 hash of the container.
+ - name: image
+ type: flattened
+ description: The container image used as a template to run the container.
+ - name: name
+ type: keyword
+ description: The container name.
+ - name: network_driver
+ type: keyword
+ description: The network driver used by the container. For example, bridge, overlay, host, none, etc.
+ - name: orchestrator
+ type: keyword
+ description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.
+ - name: pod_uuid
+ type: keyword
+ description: The unique identifier of the pod (or equivalent) that the container is executing on.
+ - name: runtime
+ type: keyword
+ description: The backend running the container, such as containerd or cri-o.
+ - name: size
+ type: integer
+ description: The size of the container image.
+ - name: tag
+ type: keyword
+ description: The tag used by the container. It can indicate version, format, OS.
+ - name: uid
+ type: keyword
+ description: The full container unique identifier for this instantiation of the container.
+ - name: data
+ type: flattened
+ description: The additional data that is associated with the api response.
+ - name: error
+ type: keyword
+ description: Error Code.
+ - name: error_message
+ type: text
+ description: Error Message.
+ - name: flags
+ type: keyword
+ description: The list of communication flags, normalized to the captions of the flag_ids values.
+ - name: message
+ type: text
+ description: The description of the event/finding, as defined by the source.
+ - name: service
+ type: group
+ description: The information pertaining to the API service.
+ fields:
+ - name: labels
+ type: keyword
+ description: The list of labels associated with the service.
+ - name: name
+ type: keyword
+ description: The name of the service.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the service.
+ - name: version
+ type: keyword
+ description: The version of the service.
+ - name: version
+ type: keyword
+ description: The version of the API service.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index 31662dc2cf6d..8b0722426624 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
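Review bot: In the `response` group near the end of this hunk, `error_message` and `message` are mapped as `type: text`, while the mapping being removed from the discovery `fields.yml` in the next hunk had both as `keyword`; the earlier `api-fields.yml` hunk whose tail is visible above carries the same change. Analyzed text cannot be term-filtered or aggregated on the exact API error string, so saved searches, visualizations and detection logic that pivot on the precise error or message value will behave differently on the new indices. Unless free-text search on these values is wanted, keep `type: keyword` for `error_message` and `message`, or keep `text` and add a keyword multi-field so exact matching stays available. `response.code` also narrows from `long` to `integer`; that is adequate for HTTP-style codes but is worth confirming against the OCSF definition the package targets. The two `containers` descriptions read "write to the standard the output of a particular logging driver"; `write to the standard output of a particular logging driver` fixes the wording.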
@@ -7,57 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: category_name type: keyword description: 'The event category name, as defined by category_uid value: Identity & Access Management.' diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log index 462e3e922707..82014c0613ed 100644 
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log
@@ -2,3 +2,4 @@ {"status":"In Progress","time":1722327712967320,"metadata":{"version":"1.1.0","product":{"name":"bouquet forget occupied","version":"1.1.0","uid":"c6afd262-4e4c-11ef-a63c-0242ac110005","feature":{"name":"updating lawyers string","uid":"c6afdb4a-4e4c-11ef-a8c4-0242ac110005"},"cpe_name":"words geographical gets","vendor_name":"trim massive setting"},"sequence":2,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"shall none shipped","log_provider":"outlined produced examining","original_time":"scope institutions int","tenant_uid":"c6afe64e-4e4c-11ef-bcf9-0242ac110005","logged_time_dt":"2024-07-30T08:21:52.967232Z"},"resource":{"owner":{"name":"Dude","type":"Admin","uid":"c6b0192a-4e4c-11ef-90f9-0242ac110005","type_id":2,"uid_alt":"recommendation highs equipped"},"type":"carb le multimedia","group":{"name":"resorts looking issues"},"namespace":"explain les collections"},"severity":"Fatal","type_name":"Vulnerability Finding: Create","activity_id":1,"type_uid":200201,"category_name":"Findings","class_uid":2002,"category_uid":2,"class_name":"Vulnerability Finding","start_time_dt":"2024-07-30T08:21:52.968170Z","end_time_dt":"2024-07-30T08:21:52.967308Z","timezone_offset":17,"activity_name":"Create","actor":{"user":{"name":"Without","type":"Admin","uid":"c6af496e-4e4c-11ef-b35b-0242ac110005","type_id":2,"account":{"name":"susan amy ventures","type":"Windows Account","uid":"c6af57e2-4e4c-11ef-b613-0242ac110005","type_id":2},"credential_uid":"c6af5ecc-4e4c-11ef-bda8-0242ac110005"}},"cloud":{"org":{"name":"africa za springer","uid":"c6b002c8-4e4c-11ef-b707-0242ac110005","ou_name":"opponent const outlet"},"project_uid":"c6b00a0c-4e4c-11ef-a1c9-0242ac110005","provider":"loving fabulous seating","region":"needed costumes main"},"confidence":"characteristic benz automotive","confidence_id":3,"finding_info":{"title":"vinyl lease 
crown","uid":"c6af0030-4e4c-11ef-963a-0242ac110005","analytic":{"name":"incentives module joyce","type":"Rule","uid":"c6af34ec-4e4c-11ef-a5db-0242ac110005","category":"sanyo asus escorts","type_id":1},"data_sources":["reliable honey flexibility"],"created_time_dt":"2024-07-30T08:21:52.962788Z","modified_time_dt":"2024-07-30T08:21:52.962804Z"},"severity_id":6,"status_id":2,"vulnerabilities":[{"title":"trek ae danger","references":["suite featured smart","sanyo vbulletin contain"],"cve":{"type":"republicans offset expense","title":"smilies since terminal","uid":"c6af9176-4e4c-11ef-8fde-0242ac110005","references":["brass duty expected"],"created_time":1722327712965081,"cvss":[{"version":"1.1.0","depth":"Base","base_score":97.7035,"overall_score":29.3613}]},"cwe":{"uid":"c6af9f0e-4e4c-11ef-b234-0242ac110005","caption":"blanket toshiba olympics"},"kb_articles":["mounts el significantly","newer length frost"],"packages":[{"name":"nuts nine horn","version":"1.1.0","architecture":"diana zen collector"},{"name":"answered absence oxygen","version":"1.1.0","release":"classroom virtually satisfactory","architecture":"railway offering vietnamese"}]},{"references":["workshop surprising ceramic","grow annually mom"],"severity":"villas haiti links","cve":{"type":"coaching workflow sony","title":"jim patients rick","uid":"c6afb07a-4e4c-11ef-9138-0242ac110005","references":["propecia rebecca savage"],"created_time":1722327712965872,"created_time_dt":"2024-07-30T08:21:52.965881Z","modified_time_dt":"2024-07-30T08:21:52.965891Z"},"cwe":{"uid":"c6afba70-4e4c-11ef-8ac3-0242ac110005"},"kb_articles":["resistant verified wiring","redhead informal frankfurt"]}]} {"message":"satellite violent subscriptions","status":"Suppressed","time":1722951737015847,"metadata":{"version":"1.1.0","product":{"name":"favorite dictionary butter","version":"1.1.0","uid":"b201250c-53f9-11ef-a42e-0242ac110005","vendor_name":"routing attending 
username"},"labels":["paper","james"],"profiles":[],"log_name":"variables admin absolutely","log_provider":"facilities channels cradle","log_version":"unless mood revised","original_time":"complaint planning historic"},"severity":"Low","duration":19,"resources":[{"owner":{"name":"Plain","type":"Unknown","uid":"b2005820-53f9-11ef-9b03-0242ac110005","type_id":0,"ldap_person":{"deleted_time":1722951737010636,"job_title":"tp barely fancy"}},"version":"1.1.0","uid":"b2006efa-53f9-11ef-b4fa-0242ac110005","namespace":"inherited proceeds invalid"},{"owner":{"name":"Adsl","type":"User","type_id":1},"version":"1.1.0","group":{"name":"m biography divx","uid":"b200884a-53f9-11ef-b155-0242ac110005"},"labels":["circular","vip"],"namespace":"updating mic expo","criticality":"packaging neon hearings"}],"type_name":"Detection Finding: Create","activity_id":1,"type_uid":200401,"category_name":"Findings","class_uid":2004,"category_uid":2,"class_name":"Detection Finding","activity_name":"Create","confidence_id":2,"evidences":[{"process":{"pid":2,"file":{"attributes":61,"name":"mortgages.mp3","size":3964710393,"type":"Folder","path":"match fuzzy noise/royalty.cbr/mortgages.mp3","signature":{"certificate":{"uid":"b20156da-53f9-11ef-ae03-0242ac110005","subject":"norwegian satisfactory collective","issuer":"consist refers bite","fingerprints":[{"value":"98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0","algorithm":"SHA-512","algorithm_id":4},{"value":"F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737017011,"expiration_time":1722951737017020,"serial_number":"headers futures rico"},"algorithm":"Authenticode","algorithm_id":4,"created_time":1722951737017030},"type_id":2,"parent_folder":"match fuzzy 
noise/royalty.cbr","hashes":[{"value":"989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Brunei","type":"Unknown","uid":"b20169ae-53f9-11ef-a7ab-0242ac110005","type_id":0},"uid":"b2017ba6-53f9-11ef-8664-0242ac110005","cmd_line":"cattle disk nat","created_time":1722951737017869,"parent_process":{"name":"Districts","pid":61,"file":{"name":"points.dat","owner":{"name":"Possession","type":"packaging","uid":"b20198de-53f9-11ef-99e3-0242ac110005","groups":[{"name":"framework chambers motorcycle","domain":"robots opportunities auburn","uid":"b201a2de-53f9-11ef-91ee-0242ac110005"}],"type_id":99},"type":"Local Socket","version":"1.1.0","path":"perfume cleveland crystal/database.vob/points.dat","modifier":{"name":"Tower","type":"Unknown","uid":"b201c520-53f9-11ef-8fe7-0242ac110005","org":{"name":"gabriel harmful teach","uid":"b201cf5c-53f9-11ef-90e0-0242ac110005","ou_name":"chapel library combinations"},"type_id":0,"email_addr":"Lynne@rated.jobs"},"type_id":5,"accessor":{"name":"Record","type":"Unknown","uid":"b201dc40-53f9-11ef-a0fe-0242ac110005","type_id":0,"email_addr":"Zada@czech.museum","ldap_person":{"location":{"desc":"San Marino, Republic of","city":"Component got","country":"SM","coordinates":[-25.0862,-71.9167],"continent":"Europe"},"deleted_time":1722951737020608,"job_title":"tobago rubber abstracts"}},"parent_folder":"perfume cleveland crystal/database.vob","hashes":[{"value":"115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770","algorithm":"magic","algorithm_id":99},{"value":"77F4DE0C4DB55DEC736561AC64C7EA6B","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737020691},"user":{"name":"April","type":"System","uid":"b201f540-53f9-11ef-b886-0242ac110005","type_id":3,"credential_uid":"b201fbb2-53f9-11ef-b9d8-0242ac110005"},"uid":"b2020184-53f9-11ef-85ea-0242ac110005","cmd_line":"inquiries sept 
nil","created_time":1722951737021297,"lineage":["barbara flow indiana"],"parent_process":{"pid":98,"session":{"uid":"b2021138-53f9-11ef-a183-0242ac110005","issuer":"boulder candle footwear","created_time":1722951737021699,"is_remote":true},"file":{"name":"bryan.htm","type":"Character Device","path":"fuji collectible creator/describes.tex/bryan.htm","type_id":3,"company_name":"Reagan Vincenza","creator":{"type":"sydney","uid":"b2022628-53f9-11ef-97c3-0242ac110005","type_id":99},"mime_type":"numeric/produces","parent_folder":"fuji collectible creator/describes.tex","modified_time":1722951737022248},"user":{"name":"Inventory","type":"User","groups":[{"name":"drums brisbane belfast","uid":"b2023438-53f9-11ef-b235-0242ac110005"},{"name":"distinction wp inquiries","desc":"subdivision centered matched","uid":"b2023b9a-53f9-11ef-8b76-0242ac110005"}],"type_id":1,"credential_uid":"b20243f6-53f9-11ef-995a-0242ac110005","email_addr":"Salena@tour.coop","uid_alt":"headline press postal"},"uid":"b2024b62-53f9-11ef-85ae-0242ac110005","cmd_line":"correlation jd nintendo","created_time":1722951737023185,"xattributes":{}},"terminated_time":1722951737023238}},"file":{"name":"pounds.sdf","type":"footwear","path":"bent hostel listed/knives.fnt/pounds.sdf","product":{"name":"soldier ut outer","version":"1.1.0","uid":"b20268d6-53f9-11ef-8389-0242ac110005","vendor_name":"prototype blog convertible"},"type_id":99,"mime_type":"quit/helen","parent_folder":"bent hostel listed/knives.fnt","hashes":[{"value":"05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA","algorithm":"TLSH","algorithm_id":6},{"value":"EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47","algorithm":"SHA-256","algorithm_id":3}],"modified_time":1722951737024064},"query":{"type":"rrp look city","hostname":"monroe.museum","class":"researcher promotions 
theaters","opcode_id":3,"packet_uid":42},"connection_info":{"uid":"b2027e84-53f9-11ef-beec-0242ac110005","direction":"Outbound","direction_id":2,"protocol_num":63,"tcp_flags":39},"api":{"request":{"data":"courier","uid":"b2028ac8-53f9-11ef-bcf3-0242ac110005"},"response":{"error":"commissioner kill madness","code":48,"error_message":"whale holdings lol"},"operation":"prophet disabled joel"},"actor":{"process":{"pid":53,"file":{"name":"travel.ico","type":"Regular File","path":"choice estates triple/connecticut.rom/travel.ico","type_id":1,"accessor":{"name":"Japanese","type":"User","type_id":1,"ldap_person":{"hire_time":1722951737025505,"ldap_dn":"essentials incomplete main"},"uid_alt":"cassette dust evidence"},"parent_folder":"choice estates triple/connecticut.rom","confidentiality":"nation fishing professional","hashes":[{"value":"DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F","algorithm":"magic","algorithm_id":99},{"value":"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F","algorithm":"CTPH","algorithm_id":5}],"is_system":false,"security_descriptor":"burden authentication flashing"},"user":{"name":"Families","type":"System","domain":"authors subjects animal","uid":"b202b3e0-53f9-11ef-bc91-0242ac110005","groups":[{"name":"graphic university chile","uid":"b202c178-53f9-11ef-b0e0-0242ac110005"},{"name":"departure projects eastern","type":"direct hoping harder","uid":"b202c876-53f9-11ef-99bc-0242ac110005","privileges":["camcorders hazardous occurred","strong wav finland"]}],"type_id":3,"email_addr":"Hugh@vb.aero","ldap_person":{"location":{"desc":"Libyan Arab Jamahiriya","city":"Relaxation depend","country":"LY","coordinates":[72.6769,27.7735],"continent":"Africa"},"manager":{"name":"Titles","type":"System","domain":"many tvs hand","uid":"b202da8c-53f9-11ef-a9a8-0242ac110005","org":{"name":"declare commit 
gathering","uid":"b202e55e-53f9-11ef-90d3-0242ac110005"},"type_id":3,"credential_uid":"b202eba8-53f9-11ef-a0ef-0242ac110005"},"job_title":"evident gotten tcp","ldap_cn":"ran experiences isolation"}},"uid":"b202f3be-53f9-11ef-9c3b-0242ac110005","cmd_line":"hydrogen reporting ensemble","created_time":1722951737027494,"integrity":"extra dial resolved","parent_process":{"name":"Findings","file":{"name":"crude.sh","owner":{"type":"Admin","uid":"b2031308-53f9-11ef-b2f8-0242ac110005","groups":[{"uid":"b2031cd6-53f9-11ef-b786-0242ac110005"},{"name":"wrap smile durham","uid":"b2032866-53f9-11ef-bf54-0242ac110005","privileges":["preventing security wales","protest membership rs"]}],"type_id":2},"type":"Block Device","path":"hub clarity henderson/mailing.rss/crude.sh","product":{"name":"fund groundwater dom","version":"1.1.0","uid":"b2033324-53f9-11ef-ba5b-0242ac110005","feature":{"name":"producer depot financing","version":"1.1.0","uid":"b2033bc6-53f9-11ef-91fe-0242ac110005"},"cpe_name":"oven regulatory dairy","vendor_name":"disney intel antibody"},"type_id":4,"parent_folder":"hub clarity henderson/mailing.rss","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A","algorithm":"TLSH","algorithm_id":6},{"value":"A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183","algorithm":"quickXorHash","algorithm_id":7}],"security_descriptor":"cross organic bookings","xattributes":{}},"user":{"name":"Adjust","domain":"wrong expanding proposal","uid":"b2034c56-53f9-11ef-aed8-0242ac110005","credential_uid":"b203526e-53f9-11ef-9e92-0242ac110005","email_addr":"Gerry@poker.biz"},"uid":"b20358d6-53f9-11ef-939b-0242ac110005","cmd_line":"arrested suits 
personally","created_time":1722951737030083,"parent_process":{"name":"Poverty","pid":42,"file":{"name":"sad.kml","type":"Unknown","path":"random horse explained/soap.csv/sad.kml","signature":{"digest":{"value":"A24F695AAF92949E2578A874832FF516","algorithm":"MD5","algorithm_id":1},"certificate":{"version":"1.1.0","uid":"b2037334-53f9-11ef-880c-0242ac110005","subject":"delay prairie cents","issuer":"thought loans celebrate","fingerprints":[{"value":"70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802","algorithm":"CTPH","algorithm_id":5},{"value":"054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737030958,"expiration_time":1722951737030965,"serial_number":"concerned arthritis beam"},"algorithm":"Authenticode","algorithm_id":4,"developer_uid":"b2038324-53f9-11ef-a9fd-0242ac110005"},"uid":"b2038928-53f9-11ef-93ab-0242ac110005","type_id":0,"accessor":{"name":"Affordable","type":"User","domain":"mill nest ministers","uid":"b2039418-53f9-11ef-ace2-0242ac110005","type_id":1,"full_name":"Thu Dewitt","account":{"name":"provider queensland warranties","type":"AWS Account","uid":"b2039db4-53f9-11ef-ac2d-0242ac110005","type_id":10}},"parent_folder":"random horse explained/soap.csv","hashes":[{"value":"552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6","algorithm":"SHA-256","algorithm_id":3},{"value":"DCF06E858132CA1EDC2384EBDF0200885DD2AC3F","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1722951737031923},"user":{"name":"Continuously","type":"cassette","uid":"b203c596-53f9-11ef-9213-0242ac110005","org":{"name":"vitamins causes lg","uid":"b203cf64-53f9-11ef-a9e6-0242ac110005","ou_name":"most worcester generator"},"type_id":99,"full_name":"Manie 
Demetra","ldap_person":{"labels":["results","considered"],"deleted_time":1722951737033239,"email_addrs":["Joeann@trials.com","Enrique@zshops.int"],"last_login_time":1722951737033262,"modified_time":1722951737033265}},"tid":39,"uid":"b203dc7a-53f9-11ef-8a2b-0242ac110005","created_time":1722951737033438,"integrity":"Protected","integrity_id":6,"lineage":["arab comparison charlotte","namibia republicans decorative"],"parent_process":{"name":"Labs","pid":22,"session":{"terminal":"signals click categories","uid":"b203f264-53f9-11ef-9ec3-0242ac110005","created_time":1722951737034000,"is_remote":false},"file":{"name":"leaders.ged","type":"anthony","path":"zimbabwe co hyundai/telecom.rom/leaders.ged","type_id":99,"parent_folder":"zimbabwe co hyundai/telecom.rom","hashes":[{"value":"FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2","algorithm":"quickXorHash","algorithm_id":7},{"value":"B336DF698D12AC8E54570BA6EA2679F0","algorithm":"MD5","algorithm_id":1}]},"user":{"type":"tears","org":{"name":"bye lenses alabama","uid":"b2040b0a-53f9-11ef-98b5-0242ac110005","ou_name":"antiques compliant tutorial","ou_uid":"b204153c-53f9-11ef-a6ea-0242ac110005"},"type_id":99},"uid":"b2042360-53f9-11ef-9794-0242ac110005","cmd_line":"windsor installed invite","created_time":1722951737035272,"parent_process":{"name":"Asus","pid":64,"session":{"uid":"b2048058-53f9-11ef-8e0f-0242ac110005","uuid":"b20486ca-53f9-11ef-9010-0242ac110005","issuer":"planner providence titles","created_time":1722951737037814,"credential_uid":"b2048dfa-53f9-11ef-8e51-0242ac110005","is_remote":true},"file":{"name":"badge.avi","type":"Unknown","path":"showed conf citizenship/alto.csr/badge.avi","signature":{"certificate":{"version":"1.1.0","subject":"voters crazy chelsea","issuer":"balance rip 
flags","fingerprints":[{"value":"AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD","algorithm":"CTPH","algorithm_id":5}],"created_time":1722951737038366,"expiration_time":1722951737038371,"serial_number":"generally grande babies"},"algorithm":"RSA","algorithm_id":2,"developer_uid":"b204a4e8-53f9-11ef-a45f-0242ac110005"},"desc":"jersey pod crafts","type_id":0,"mime_type":"minimal/wisconsin","parent_folder":"showed conf citizenship/alto.csr","hashes":[{"value":"5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD","algorithm":"SHA-256","algorithm_id":3},{"value":"1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453","algorithm":"magic","algorithm_id":99}]},"user":{"name":"Churches","type":"User","uid":"b204b8ca-53f9-11ef-ae39-0242ac110005","org":{"name":"asking bookmark builders","ou_name":"nightlife fragrance into"},"type_id":1,"account":{"name":"essential wishing wanted","type":"Windows Account","uid":"b204c8ce-53f9-11ef-9832-0242ac110005","type_id":2}},"uid":"b204cf68-53f9-11ef-9210-0242ac110005","loaded_modules":["/condition/tunisia/phillips/accounting/tension.pkg","/argue/aboriginal/connectors/journal/clinic.dcr"],"cmd_line":"dryer thereby reliable","created_time":1722951737039702,"parent_process":{"name":"Multi","pid":51,"file":{"attributes":37,"name":"option.swf","type":"Block Device","path":"associate spas climb/canadian.rar/option.swf","product":{"name":"or dynamic distinguished","version":"1.1.0","path":"weddings competent korea","uid":"b205092e-53f9-11ef-b82a-0242ac110005","lang":"en","vendor_name":"hunt vitamins columns"},"type_id":4,"accessor":{"name":"Finish","type":"System","uid":"b205141e-53f9-11ef-bef4-0242ac110005","groups":[{"name":"tablet drivers broader","domain":"orange says vegetation","uid":"b2051dd8-53f9-11ef-9d88-0242ac110005"},{"name":"rid planets gp","domain":"antique hans 
ez","uid":"b20524b8-53f9-11ef-bfc7-0242ac110005","privileges":["obesity descriptions paintball"]}],"type_id":3},"parent_folder":"associate spas climb/canadian.rar","hashes":[{"value":"D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1","algorithm":"magic","algorithm_id":99},{"value":"E16704D9E243B23B4F4E557748D6EEF6","algorithm":"MD5","algorithm_id":1}],"security_descriptor":"sentences angela guides"},"user":{"name":"Auditor","domain":"france designer commissioner","uid":"b2053246-53f9-11ef-8f1f-0242ac110005","groups":[{"name":"front license tide","type":"scope nebraska suffered","uid":"b2054b5a-53f9-11ef-b10c-0242ac110005"},{"name":"belts transform phone","type":"ir paul vector","uid":"b2055956-53f9-11ef-bac5-0242ac110005"}]},"cmd_line":"int assets shanghai","created_time":1722951737043210,"integrity":"philip energy traveler","parent_process":{"name":"Auctions","pid":97,"file":{"name":"mainland.sav","type":"Character Device","path":"easter advert gregory/briefing.vcd/mainland.sav","uid":"b2057062-53f9-11ef-b33c-0242ac110005","type_id":3,"company_name":"Shay Geoffrey","mime_type":"came/dui","parent_folder":"easter advert gregory/briefing.vcd","hashes":[{"value":"D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"ugly embedded sql"},"user":{"name":"Yahoo","uid":"b20585de-53f9-11ef-a722-0242ac110005"},"uid":"b2058d2c-53f9-11ef-9c93-0242ac110005","cmd_line":"computers qt caribbean","created_time":1722951737044530,"integrity":"classifieds conceptual contest","parent_process":{"name":"Portable","pid":15,"user":{"name":"Camel","type":"System","uid":"b205a618-53f9-11ef-b616-0242ac110005","type_id":3},"uid":"b205ac6c-53f9-11ef-b326-0242ac110005","cmd_line":"letter agencies family","created_time":1722951737045332,"parent_process":{"name":"Weed","pid":38,"file":{"name":"leslie.indd","type":"Symbolic Link","path":"rating 
malawi ash/ny.bin/leslie.indd","signature":{"certificate":{"version":"1.1.0","subject":"conscious forecasts poland","issuer":"henry recognize short","fingerprints":[{"value":"3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46","algorithm":"TLSH","algorithm_id":6},{"value":"CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2","algorithm":"SHA-1","algorithm_id":2}],"created_time":1722951737046152,"expiration_time":1722951737046157,"serial_number":"number emotional belly"},"algorithm":"weekends","algorithm_id":99},"modifier":{"name":"Measurements","type":"User","uid":"b205d93a-53f9-11ef-97c9-0242ac110005","type_id":1,"ldap_person":{"manager":{"name":"Satisfy","type":"Unknown","domain":"combat mall responded","uid":"b205e8bc-53f9-11ef-b220-0242ac110005","org":{"name":"simulations kelkoo picture","uid":"b205fb4a-53f9-11ef-bcdf-0242ac110005","ou_name":"ntsc tab er"},"type_id":0},"cost_center":"believed defeat workout","given_name":"country medicine susan","job_title":"minister hugh opponent"}},"type_id":7,"accessor":{"name":"Differential","type":"User","domain":"second heaven reg","uid":"b2060720-53f9-11ef-b3d3-0242ac110005","type_id":1,"email_addr":"Iliana@easter.jobs"},"creator":{"type":"Admin","uid":"b206126a-53f9-11ef-bcf1-0242ac110005","type_id":2,"full_name":"Zelma Brady","credential_uid":"b2061990-53f9-11ef-92d2-0242ac110005"},"parent_folder":"rating malawi ash/ny.bin","hashes":[{"value":"80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C","algorithm":"TLSH","algorithm_id":6},{"value":"2FACE219B9E0ACE4E7841FB7019D658D","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737048171},"user":{"name":"Smoking","type":"Admin","uid":"b20633f8-53f9-11ef-84d6-0242ac110005","groups":[{"name":"lyric cent failure","uid":"b2063dc6-53f9-11ef-be9b-0242ac110005"},{"name":"tests australian manufacturing","domain":"indonesia 
performances dispute","uid":"b20644a6-53f9-11ef-88ec-0242ac110005"}],"type_id":2},"uid":"b2064a96-53f9-11ef-9a3a-0242ac110005","cmd_line":"abandoned plaintiff consult","created_time":1722951737049379,"parent_process":{"name":"Shore","pid":47,"file":{"name":"grip.py","type":"Regular File","path":"travesti promotes incentives/ask.c/grip.py","type_id":1,"accessor":{"name":"Composition","type":"Unknown","uid":"b206ba3a-53f9-11ef-8d45-0242ac110005","type_id":0,"account":{"type":"Unknown","uid":"b206dd4e-53f9-11ef-8a0d-0242ac110005","type_id":0}},"parent_folder":"travesti promotes incentives/ask.c","accessed_time":1722951737053129,"confidentiality":"scholarships introducing scientific","modified_time":1722951737053154},"user":{"name":"Indicators","org":{"name":"assisted difficulty submit","uid":"b206eb0e-53f9-11ef-93f9-0242ac110005","ou_name":"hazardous oracle array","ou_uid":"b206f194-53f9-11ef-98e9-0242ac110005"},"uid_alt":"significant beverages mail"},"uid":"b206f84c-53f9-11ef-b820-0242ac110005","cmd_line":"age ratings employees","lineage":["gauge exists gmbh","ieee drawing bat"],"parent_process":{"name":"Vb","pid":42,"file":{"name":"hereby.txt","type":"Unknown","path":"alumni broad whatever/editing.dat/hereby.txt","type_id":0,"parent_folder":"alumni broad whatever/editing.dat","hashes":[{"value":"0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794","algorithm":"SHA-512","algorithm_id":4},{"value":"8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"fuel horses cialis"},"uid":"b2071688-53f9-11ef-9e48-0242ac110005","cmd_line":"stuart notify nc","created_time":1722951737054600,"integrity":"argument historic decision","lineage":["gathered then 
container"],"parent_process":{"name":"Protect","pid":69,"file":{"name":"animation.wsf","size":668783954,"type":"Unknown","path":"action cheats collective/day.dll/animation.wsf","product":{"name":"assessed delete infection","version":"1.1.0","uid":"b2073b5e-53f9-11ef-89e3-0242ac110005","url_string":"indigenous","vendor_name":"perhaps weak mattress"},"uid":"b20742b6-53f9-11ef-b089-0242ac110005","type_id":0,"company_name":"Kay Hugo","parent_folder":"action cheats collective/day.dll","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA","algorithm":"quickXorHash","algorithm_id":7}]},"user":{"name":"Nike","type":"Unknown","uid":"b207597c-53f9-11ef-bb63-0242ac110005","type_id":0,"ldap_person":{"office_location":"signing equations keith"},"uid_alt":"earthquake race promises"},"tid":76,"uid":"b2076714-53f9-11ef-8876-0242ac110005","cmd_line":"accurate revenue def","created_time":1722951737056663,"integrity":"Medium","integrity_id":3,"lineage":["guidance rider vanilla","ambient glow well"]}}},"terminated_time":1722951737056691}},"xattributes":{}}},"terminated_time":1722951737056729},"terminated_time":1722951737056732}},"sandbox":"participants safer outlets"}},"user":{"uid":"b207743e-53f9-11ef-b930-0242ac110005","org":{"name":"martial makers bras","uid":"b2077cea-53f9-11ef-98a2-0242ac110005","ou_name":"announced plastic serial"},"credential_uid":"b20785dc-53f9-11ef-9a4e-0242ac110005"},"authorizations":[{},{"decision":"ssl meaning excellence"}]},"dst_endpoint":{"name":"bouquet observations flashing","port":47351,"type":"Desktop","os":{"name":"reductions loans null","type":"Unknown","type_id":0,"sp_name":"cloud heat faith"},"domain":"developer resistance cove","ip":"41.251.197.63","location":{"desc":"Angola, Republic of","city":"Extras 
separated","country":"AO","coordinates":[-51.2157,-88.1173],"continent":"Africa"},"hostname":"brakes.travel","uid":"b207abc0-53f9-11ef-984e-0242ac110005","type_id":2,"interface_name":"responsible ips bits","interface_uid":"b207b336-53f9-11ef-992b-0242ac110005","intermediate_ips":["43.42.170.135","161.178.9.23"],"proxy_endpoint":{"name":"ray maximum theology","port":59643,"type":"Firewall","ip":"128.28.111.51","hostname":"upcoming.biz","uid":"b207c466-53f9-11ef-9061-0242ac110005","type_id":9,"instance_uid":"b207cc90-53f9-11ef-ace5-0242ac110005","interface_name":"acts unavailable caught","interface_uid":"b207d4ec-53f9-11ef-a2a8-0242ac110005","svc_name":"xi marketplace productivity"},"svc_name":"motorcycle cnn eh"},"src_endpoint":{"name":"clerk massive hints","port":3366,"type":"Server","ip":"135.11.251.187","uid":"b207e1c6-53f9-11ef-bd79-0242ac110005","mac":"E3:9B:50:54:D4:43:80:D1","type_id":1,"instance_uid":"b207ec52-53f9-11ef-870e-0242ac110005","interface_name":"sale cut divided","interface_uid":"b207f38c-53f9-11ef-af93-0242ac110005","intermediate_ips":["141.220.224.128","133.184.5.152"],"svc_name":"princess realize wax"}}],"finding_info":{"title":"cocktail graphics controlled","uid":"b200a0e6-53f9-11ef-a714-0242ac110005","analytic":{"name":"shirts deutsche times","type":"Statistical","uid":"b200b234-53f9-11ef-88a2-0242ac110005","type_id":3},"first_seen_time":1722951737012703,"kill_chain":[{"phase":"Unknown","phase_id":0}],"related_events":[{"uid":"b200c6ca-53f9-11ef-88d3-0242ac110005","type_uid":1760088869}]},"risk_level":"Low","risk_level_id":1,"severity_id":2,"status_id":3} {"message":"areas cw visa","status":"Unknown","time":1723016984120626,"metadata":{"version":"1.1.0","product":{"name":"cn caused bonus","version":"1.1.0","feature":{"version":"1.1.0","uid":"9c4f2a4a-5491-11ef-80d2-0242ac110005"},"vendor_name":"contains most 
val"},"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"fit grey earned","log_provider":"fragrances reducing respected","original_time":"pointed creating triangle","tenant_uid":"9c4f3792-5491-11ef-ba7c-0242ac110005"},"severity":"Medium","type_name":"Compliance Finding: Close","activity_id":3,"type_uid":200303,"category_name":"Findings","class_uid":2003,"category_uid":2,"class_name":"Compliance Finding","timezone_offset":98,"activity_name":"Close","cloud":{"provider":"video protected tea","region":"kent shakespeare marker","zone":"arrested turkey actual"},"compliance":{"control":"verse calculator changed","status":"Pass","standards":["juice sally violations","facility volume savannah"],"status_id":1},"confidence_id":0,"finding_info":{"title":"disappointed ghz egyptian","uid":"9c4ee378-5491-11ef-a51e-0242ac110005","attacks":[{"version":"12.1","tactics":[{"name":"Defense Evasion The adversary is trying to avoid being detected.","uid":"TA0005"}],"technique":{"name":"Pass the Ticket","uid":"T1097"}}],"analytic":{"name":"connection stones velocity","type":"Unknown","uid":"9c4f1398-5491-11ef-9918-0242ac110005","type_id":0},"src_url":"country","modified_time_dt":"2024-08-07T07:49:44.119423Z","first_seen_time_dt":"2024-08-07T07:49:44.119443Z"},"remediation":{"desc":"rw wt gives"},"severity_id":3,"status_id":0} +{"count":77,"message":"impressed asia renew","priority":"Low","status":"Closed","time":1723019525138425,"metadata":{"version":"1.1.0","extension":{"name":"stability buyers refer","version":"1.1.0","uid":"86df2204-5497-11ef-a661-0242ac110005"},"product":{"name":"momentum solely directors","version":"1.1.0","path":"ips order worse","uid":"86df2dbc-5497-11ef-9ed6-0242ac110005","lang":"en","vendor_name":"gibraltar sake 
ef"},"labels":["handbags","utilize"],"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"perform minneapolis sql","log_provider":"ringtones families geological","loggers":[{"name":"jc aid elsewhere","version":"1.1.0","device":{"name":"player went applicant","type":"Server","ip":"83.67.102.26","hostname":"morocco.int","uid":"86df90e0-5497-11ef-b924-0242ac110005","groups":[{"name":"credits protection thin","uid":"86df736c-5497-11ef-97bb-0242ac110005"}],"type_id":1,"autoscale_uid":"86df7b6e-5497-11ef-bbeb-0242ac110005","container":{"size":156606858,"tag":"settle sagem dod","image":{"name":"lg beautifully year","uid":"86df9f54-5497-11ef-bfb3-0242ac110005"},"hash":{"value":"967A3E0384C0E41A534A20C1853BE04257FFF441766F2B206C644657B05089ADD53DB57F2DDF977E2B27845951A83AE6BDD58AF2C692C596AFC7C8C175049D05","algorithm":"TLSH","algorithm_id":6},"network_driver":"sure sweden manufacturer"},"first_seen_time":1723019525136547,"hw_info":{"chassis":"newspaper batman rating","cpu_speed":32,"ram_size":30},"imei":"br montgomery wishlist","instance_uid":"86df8618-5497-11ef-9c0d-0242ac110005","interface_name":"commissioner mile specify","interface_uid":"86dfa8d2-5497-11ef-933f-0242ac110005","is_managed":true,"is_personal":false,"namespace_pid":9,"region":"dt dame formation","zone":"cigarette techniques relevance"},"product":{"name":"writings money profile","version":"1.1.0","uid":"86dfba8e-5497-11ef-a247-0242ac110005","cpe_name":"rca purchases af","vendor_name":"rule minimize holding"},"uid":"86dfc22c-5497-11ef-9d92-0242ac110005","log_name":"licking costume kde","log_provider":"clinics spectrum jackie","log_version":"picnic taiwan saddam"}],"original_time":"warehouse quilt gay","tenant_uid":"86dfcf38-5497-11ef-970b-0242ac110005"},"desc":"dress arthur je","severity":"Medium","api":{"request":{"uid":"86dfe23e-5497-11ef-ac3a-0242ac110005","containers":[{"name":"lovely examination 
boxing","size":3136831313,"uid":"86dffb70-5497-11ef-90e7-0242ac110005","image":{"name":"several accepting therefore","uid":"86e00bc4-5497-11ef-9d0b-0242ac110005"}},{"name":"logged warm leaders","size":2090102397,"tag":"short require the","uid":"86e0139e-5497-11ef-84cb-0242ac110005","image":{"uid":"86e02064-5497-11ef-a577-0242ac110005"},"hash":{"value":"DDC8757708FB43E4C2DD74D4BB807C29320BD22CDA6DD541DDD15CB7C33269096384474B54AABAB83A00FF1FD576755FF68DAF6DB11D4831D1489C7D07BE193A","algorithm":"SHA-512","algorithm_id":4},"network_driver":"effects colleagues committee"}]},"service":{"name":"hdtv outlook indication","version":"1.1.0","uid":"86e02ca8-5497-11ef-b385-0242ac110005"},"group":{"name":"point awarded uv","domain":"promotional identifying lenders","uid":"86e036bc-5497-11ef-991c-0242ac110005"},"response":{"error":"collect mp amounts","code":54,"message":"canada motorola tough","error_message":"aid graham dining"},"operation":"columbia nano ny"},"type_name":"Incident Finding: Other","activity_id":99,"type_uid":200599,"category_name":"Findings","class_uid":2005,"category_uid":2,"class_name":"Incident Finding","timezone_offset":75,"activity_name":"its","assignee":{"name":"Bills","type":"Unknown","uid":"86defec8-5497-11ef-bef8-0242ac110005","type_id":0,"account":{"name":"reef details costumes","type":"Mac OS Account","uid":"86df0b20-5497-11ef-a1d8-0242ac110005","type_id":7},"credential_uid":"86df1200-5497-11ef-87ca-0242ac110005"},"assignee_group":{"name":"convergence super lebanon","domain":"panels horse consultation","uid":"86ded1d2-5497-11ef-b1fe-0242ac110005"},"cloud":{"provider":"leone semester automated","region":"proper hip florence","zone":"proceed combines pets"},"confidence_id":3,"finding_info_list":[{"title":"rear machinery worldcat","uid":"86e0a890-5497-11ef-bbb2-0242ac110005","attacks":[{"version":"12.1","tactics":[{"name":"Resource Development | The adversary is trying to establish resources they can use to support 
operations.","uid":"TA0042"},{"name":"Initial Access | The adversary is trying to get into your network.","uid":"TA0001"},{"name":"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.","uid":"TA0043"}],"technique":{"name":"Web Session Cookie","uid":"T1550.004"}},{"version":"12.1","tactics":[{"name":"Execution The adversary is trying to run malicious code.","uid":"TA0002"},{"name":"Execution The adversary is trying to run malicious code.","uid":"TA0002"},{"name":"Resource Development | The adversary is trying to establish resources they can use to support operations.","uid":"TA0042"}],"technique":{"name":"Process Hollowing","uid":"T1093"}}],"analytic":{"name":"infinite samba delete","type":"Statistical","desc":"site modern hair","type_id":3},"product_uid":"86e0b678-5497-11ef-b1d6-0242ac110005","related_events":[{"uid":"86e0c384-5497-11ef-9073-0242ac110005","type_uid":2467649147}],"first_seen_time_dt":"2024-08-07T08:32:05.144678Z"}],"impact":"Low","impact_id":1,"priority_id":1,"severity_id":3,"src_url":"unity","status_id":5,"verdict":"Disregard","verdict_id":3} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json index dad757959830..be56ce5703fc 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json 
@@ -1759,6 +1759,296 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "+56570-04-25T14:45:38.425Z", + "cloud": { + "availability_zone": "proceed combines pets", + "provider": "leone semester automated", + "region": "proper hip florence" + }, + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "its", + "kind": "alert", + "original": "{\"count\":77,\"message\":\"impressed asia renew\",\"priority\":\"Low\",\"status\":\"Closed\",\"time\":1723019525138425,\"metadata\":{\"version\":\"1.1.0\",\"extension\":{\"name\":\"stability buyers refer\",\"version\":\"1.1.0\",\"uid\":\"86df2204-5497-11ef-a661-0242ac110005\"},\"product\":{\"name\":\"momentum solely directors\",\"version\":\"1.1.0\",\"path\":\"ips order worse\",\"uid\":\"86df2dbc-5497-11ef-9ed6-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"gibraltar sake ef\"},\"labels\":[\"handbags\",\"utilize\"],\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"perform minneapolis sql\",\"log_provider\":\"ringtones families geological\",\"loggers\":[{\"name\":\"jc aid elsewhere\",\"version\":\"1.1.0\",\"device\":{\"name\":\"player went applicant\",\"type\":\"Server\",\"ip\":\"83.67.102.26\",\"hostname\":\"morocco.int\",\"uid\":\"86df90e0-5497-11ef-b924-0242ac110005\",\"groups\":[{\"name\":\"credits protection thin\",\"uid\":\"86df736c-5497-11ef-97bb-0242ac110005\"}],\"type_id\":1,\"autoscale_uid\":\"86df7b6e-5497-11ef-bbeb-0242ac110005\",\"container\":{\"size\":156606858,\"tag\":\"settle sagem dod\",\"image\":{\"name\":\"lg beautifully 
year\",\"uid\":\"86df9f54-5497-11ef-bfb3-0242ac110005\"},\"hash\":{\"value\":\"967A3E0384C0E41A534A20C1853BE04257FFF441766F2B206C644657B05089ADD53DB57F2DDF977E2B27845951A83AE6BDD58AF2C692C596AFC7C8C175049D05\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},\"network_driver\":\"sure sweden manufacturer\"},\"first_seen_time\":1723019525136547,\"hw_info\":{\"chassis\":\"newspaper batman rating\",\"cpu_speed\":32,\"ram_size\":30},\"imei\":\"br montgomery wishlist\",\"instance_uid\":\"86df8618-5497-11ef-9c0d-0242ac110005\",\"interface_name\":\"commissioner mile specify\",\"interface_uid\":\"86dfa8d2-5497-11ef-933f-0242ac110005\",\"is_managed\":true,\"is_personal\":false,\"namespace_pid\":9,\"region\":\"dt dame formation\",\"zone\":\"cigarette techniques relevance\"},\"product\":{\"name\":\"writings money profile\",\"version\":\"1.1.0\",\"uid\":\"86dfba8e-5497-11ef-a247-0242ac110005\",\"cpe_name\":\"rca purchases af\",\"vendor_name\":\"rule minimize holding\"},\"uid\":\"86dfc22c-5497-11ef-9d92-0242ac110005\",\"log_name\":\"licking costume kde\",\"log_provider\":\"clinics spectrum jackie\",\"log_version\":\"picnic taiwan saddam\"}],\"original_time\":\"warehouse quilt gay\",\"tenant_uid\":\"86dfcf38-5497-11ef-970b-0242ac110005\"},\"desc\":\"dress arthur je\",\"severity\":\"Medium\",\"api\":{\"request\":{\"uid\":\"86dfe23e-5497-11ef-ac3a-0242ac110005\",\"containers\":[{\"name\":\"lovely examination boxing\",\"size\":3136831313,\"uid\":\"86dffb70-5497-11ef-90e7-0242ac110005\",\"image\":{\"name\":\"several accepting therefore\",\"uid\":\"86e00bc4-5497-11ef-9d0b-0242ac110005\"}},{\"name\":\"logged warm leaders\",\"size\":2090102397,\"tag\":\"short require 
the\",\"uid\":\"86e0139e-5497-11ef-84cb-0242ac110005\",\"image\":{\"uid\":\"86e02064-5497-11ef-a577-0242ac110005\"},\"hash\":{\"value\":\"DDC8757708FB43E4C2DD74D4BB807C29320BD22CDA6DD541DDD15CB7C33269096384474B54AABAB83A00FF1FD576755FF68DAF6DB11D4831D1489C7D07BE193A\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"network_driver\":\"effects colleagues committee\"}]},\"service\":{\"name\":\"hdtv outlook indication\",\"version\":\"1.1.0\",\"uid\":\"86e02ca8-5497-11ef-b385-0242ac110005\"},\"group\":{\"name\":\"point awarded uv\",\"domain\":\"promotional identifying lenders\",\"uid\":\"86e036bc-5497-11ef-991c-0242ac110005\"},\"response\":{\"error\":\"collect mp amounts\",\"code\":54,\"message\":\"canada motorola tough\",\"error_message\":\"aid graham dining\"},\"operation\":\"columbia nano ny\"},\"type_name\":\"Incident Finding: Other\",\"activity_id\":99,\"type_uid\":200599,\"category_name\":\"Findings\",\"class_uid\":2005,\"category_uid\":2,\"class_name\":\"Incident Finding\",\"timezone_offset\":75,\"activity_name\":\"its\",\"assignee\":{\"name\":\"Bills\",\"type\":\"Unknown\",\"uid\":\"86defec8-5497-11ef-bef8-0242ac110005\",\"type_id\":0,\"account\":{\"name\":\"reef details costumes\",\"type\":\"Mac OS Account\",\"uid\":\"86df0b20-5497-11ef-a1d8-0242ac110005\",\"type_id\":7},\"credential_uid\":\"86df1200-5497-11ef-87ca-0242ac110005\"},\"assignee_group\":{\"name\":\"convergence super lebanon\",\"domain\":\"panels horse consultation\",\"uid\":\"86ded1d2-5497-11ef-b1fe-0242ac110005\"},\"cloud\":{\"provider\":\"leone semester automated\",\"region\":\"proper hip florence\",\"zone\":\"proceed combines pets\"},\"confidence_id\":3,\"finding_info_list\":[{\"title\":\"rear machinery worldcat\",\"uid\":\"86e0a890-5497-11ef-bbb2-0242ac110005\",\"attacks\":[{\"version\":\"12.1\",\"tactics\":[{\"name\":\"Resource Development | The adversary is trying to establish resources they can use to support operations.\",\"uid\":\"TA0042\"},{\"name\":\"Initial Access | The adversary is 
trying to get into your network.\",\"uid\":\"TA0001\"},{\"name\":\"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\",\"uid\":\"TA0043\"}],\"technique\":{\"name\":\"Web Session Cookie\",\"uid\":\"T1550.004\"}},{\"version\":\"12.1\",\"tactics\":[{\"name\":\"Execution The adversary is trying to run malicious code.\",\"uid\":\"TA0002\"},{\"name\":\"Execution The adversary is trying to run malicious code.\",\"uid\":\"TA0002\"},{\"name\":\"Resource Development | The adversary is trying to establish resources they can use to support operations.\",\"uid\":\"TA0042\"}],\"technique\":{\"name\":\"Process Hollowing\",\"uid\":\"T1093\"}}],\"analytic\":{\"name\":\"infinite samba delete\",\"type\":\"Statistical\",\"desc\":\"site modern hair\",\"type_id\":3},\"product_uid\":\"86e0b678-5497-11ef-b1d6-0242ac110005\",\"related_events\":[{\"uid\":\"86e0c384-5497-11ef-9073-0242ac110005\",\"type_uid\":2467649147}],\"first_seen_time_dt\":\"2024-08-07T08:32:05.144678Z\"}],\"impact\":\"Low\",\"impact_id\":1,\"priority_id\":1,\"severity_id\":3,\"src_url\":\"unity\",\"status_id\":5,\"verdict\":\"Disregard\",\"verdict_id\":3}", + "provider": "ringtones families geological", + "severity": 3, + "type": [ + "info" + ] + }, + "message": "impressed asia renew", + "ocsf": { + "activity_id": "99", + "activity_name": "its", + "api": { + "group": { + "domain": "promotional identifying lenders", + "name": "point awarded uv", + "uid": "86e036bc-5497-11ef-991c-0242ac110005" + }, + "operation": "columbia nano ny", + "request": { + "containers": [ + { + "image": { + "name": "several accepting therefore", + "uid": "86e00bc4-5497-11ef-9d0b-0242ac110005" + }, + "name": "lovely examination boxing", + "size": 3136831313, + "uid": "86dffb70-5497-11ef-90e7-0242ac110005" + }, + { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": 
"DDC8757708FB43E4C2DD74D4BB807C29320BD22CDA6DD541DDD15CB7C33269096384474B54AABAB83A00FF1FD576755FF68DAF6DB11D4831D1489C7D07BE193A" + }, + "image": { + "uid": "86e02064-5497-11ef-a577-0242ac110005" + }, + "name": "logged warm leaders", + "network_driver": "effects colleagues committee", + "size": 2090102397, + "tag": "short require the", + "uid": "86e0139e-5497-11ef-84cb-0242ac110005" + } + ], + "uid": "86dfe23e-5497-11ef-ac3a-0242ac110005" + }, + "response": { + "code": 54, + "error": "collect mp amounts", + "error_message": "aid graham dining", + "message": "canada motorola tough" + }, + "service": { + "name": "hdtv outlook indication", + "uid": "86e02ca8-5497-11ef-b385-0242ac110005", + "version": "1.1.0" + } + }, + "assignee": { + "account": { + "name": "reef details costumes", + "type": "Mac OS Account", + "type_id": 7, + "uid": "86df0b20-5497-11ef-a1d8-0242ac110005" + }, + "credential_uid": "86df1200-5497-11ef-87ca-0242ac110005", + "name": "Bills", + "type": "Unknown", + "type_id": 0, + "uid": "86defec8-5497-11ef-bef8-0242ac110005" + }, + "assignee_group": { + "domain": "panels horse consultation", + "name": "convergence super lebanon", + "uid": "86ded1d2-5497-11ef-b1fe-0242ac110005" + }, + "category_name": "Findings", + "category_uid": "2", + "class_name": "Incident Finding", + "class_uid": "2005", + "cloud": { + "provider": "leone semester automated", + "region": "proper hip florence", + "zone": "proceed combines pets" + }, + "confidence_id": "3", + "count": 77, + "desc": "dress arthur je", + "finding_info": [ + { + "analytic": { + "desc": "site modern hair", + "name": "infinite samba delete", + "type": "Statistical", + "type_id": 3 + }, + "attacks": [ + { + "tactics": [ + { + "name": "Resource Development | The adversary is trying to establish resources they can use to support operations.", + "uid": "TA0042" + }, + { + "name": "Initial Access | The adversary is trying to get into your network.", + "uid": "TA0001" + }, + { + "name": "Reconnaissance | The 
adversary is trying to gather information they can use to plan future operations.", + "uid": "TA0043" + } + ], + "technique": { + "name": "Web Session Cookie", + "uid": "T1550.004" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Execution The adversary is trying to run malicious code.", + "uid": "TA0002" + }, + { + "name": "Execution The adversary is trying to run malicious code.", + "uid": "TA0002" + }, + { + "name": "Resource Development | The adversary is trying to establish resources they can use to support operations.", + "uid": "TA0042" + } + ], + "technique": { + "name": "Process Hollowing", + "uid": "T1093" + }, + "version": "12.1" + } + ], + "first_seen_time_dt": "2024-08-07T08:32:05.144678Z", + "product_uid": "86e0b678-5497-11ef-b1d6-0242ac110005", + "related_events": [ + { + "type_uid": 2467649147, + "uid": "86e0c384-5497-11ef-9073-0242ac110005" + } + ], + "title": "rear machinery worldcat", + "uid": "86e0a890-5497-11ef-bbb2-0242ac110005" + } + ], + "impact": "Low", + "impact_id": "1", + "message": "impressed asia renew", + "metadata": { + "extension": { + "name": "stability buyers refer", + "uid": "86df2204-5497-11ef-a661-0242ac110005", + "version": "1.1.0" + }, + "labels": [ + "handbags", + "utilize" + ], + "log_name": "perform minneapolis sql", + "log_provider": "ringtones families geological", + "loggers": [ + { + "device": { + "autoscale_uid": "86df7b6e-5497-11ef-bbeb-0242ac110005", + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "967A3E0384C0E41A534A20C1853BE04257FFF441766F2B206C644657B05089ADD53DB57F2DDF977E2B27845951A83AE6BDD58AF2C692C596AFC7C8C175049D05" + }, + "image": { + "name": "lg beautifully year", + "uid": "86df9f54-5497-11ef-bfb3-0242ac110005" + }, + "network_driver": "sure sweden manufacturer", + "size": 156606858, + "tag": "settle sagem dod" + }, + "first_seen_time": 1723019525136547, + "groups": [ + { + "name": "credits protection thin", + "uid": 
"86df736c-5497-11ef-97bb-0242ac110005" + } + ], + "hostname": "morocco.int", + "hw_info": { + "chassis": "newspaper batman rating", + "cpu_speed": 32, + "ram_size": 30 + }, + "imei": "br montgomery wishlist", + "instance_uid": "86df8618-5497-11ef-9c0d-0242ac110005", + "interface_name": "commissioner mile specify", + "interface_uid": "86dfa8d2-5497-11ef-933f-0242ac110005", + "ip": "83.67.102.26", + "is_managed": true, + "is_personal": false, + "name": "player went applicant", + "namespace_pid": 9, + "region": "dt dame formation", + "type": "Server", + "type_id": 1, + "uid": "86df90e0-5497-11ef-b924-0242ac110005", + "zone": "cigarette techniques relevance" + }, + "log_name": "licking costume kde", + "log_provider": "clinics spectrum jackie", + "log_version": "picnic taiwan saddam", + "name": "jc aid elsewhere", + "product": { + "cpe_name": "rca purchases af", + "name": "writings money profile", + "uid": "86dfba8e-5497-11ef-a247-0242ac110005", + "vendor_name": "rule minimize holding", + "version": "1.1.0" + }, + "uid": "86dfc22c-5497-11ef-9d92-0242ac110005", + "version": "1.1.0" + } + ], + "original_time": "warehouse quilt gay", + "product": { + "lang": "en", + "name": "momentum solely directors", + "path": "ips order worse", + "uid": "86df2dbc-5497-11ef-9ed6-0242ac110005", + "vendor_name": "gibraltar sake ef", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "86dfcf38-5497-11ef-970b-0242ac110005", + "version": "1.1.0" + }, + "priority": "Low", + "priority_id": 1, + "severity": "Medium", + "severity_id": 3, + "src_url": "unity", + "status": "Closed", + "status_id": "5", + "time": "+56570-04-25T14:45:38.425Z", + "timezone_offset": 75, + "type_name": "Incident Finding: Other", + "type_uid": "200599", + "verdict": "Disregard", + "verdict_id": 3 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", 
+ "handbags", + "utilize" + ] } ] } \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index d592bbe3473d..a12d8a257955 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -26,6 +26,12 @@ processors: tag: rename_resource_to_resources ignore_missing: true if : ctx.ocsf?.resources == null + - rename: + field: ocsf.finding_info_list + target_field: ocsf.finding_info + tag: rename_finding_info_list_to_finding_info + ignore_missing: true + if : ctx.ocsf?.finding_info == null - convert: field: ocsf.class_uid tag: convert_class_uid_to_string @@ -39,7 +45,7 @@ processors: - set: field: event.kind tag: set_event_kind - if: ctx.ocsf?.class_uid != null && ['2001', '2002','2003','2004'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['2001','2002','2003','2004','2005'].contains(ctx.ocsf.class_uid) value: alert - append: field: event.category @@ -52,7 +58,7 @@ processors: tag: append_vulnerability_into_event_category value: vulnerability allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['2001', '2002','2003','2004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null + if: ctx.ocsf?.class_uid != null && ['2001','2002','2003','2004','2005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null - append: field: event.category tag: append_iam_into_event_category 
@@ -130,7 +136,7 @@ processors: tag: append_info_into_event_type value: info allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) - append: field: event.type tag: append_user_into_event_type @@ -154,7 +160,7 @@ processors: tag: append_creation_into_event_type value: creation allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','3001','4006','5002'].contains(ctx.ocsf.class_uid) && ['Create','File Create','Log'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['1001','2005','3001','4006','5002'].contains(ctx.ocsf.class_uid) && ['Create','File Create','Log'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_access_into_event_type @@ -178,7 +184,7 @@ processors: tag: append_end_into_event_type value: end allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','4013','6002'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['1007','2005','3002','4001','4007','4013','6002'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_denied_into_event_type 
@@ -196,7 +202,7 @@ processors: tag: append_change_into_event_type value: change allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','4006','4010'].contains(ctx.ocsf.class_uid) && ['Update','File Supersede','File Overwrite','Update','Rename'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['1001','2005','4006','4010'].contains(ctx.ocsf.class_uid) && ['Update','File Supersede','File Overwrite','Update','Rename'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_connection_into_event_type @@ -754,7 +760,7 @@ processors: ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_user" }}' - if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','3006','5003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null + if: ctx.ocsf?.class_uid != null && ['2005','3001','3002','3003','3005','3006','5003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null tag: pipeline_object_user ignore_missing_pipeline: true - pipeline: diff --git a/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml 
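Review bot: Adding `'2005'` to the `pipeline_object_user` condition only takes effect when `ctx.ocsf.user` is set, but the Incident Finding sample added in this commit carries its user object under `assignee` (and `assignee_group`), not `user`, and the new misc-fields mapping stores `assignee` as `flattened`; if the Incident Finding class has no top-level `user` attribute this branch is dead for 2005. Either apply the user-object normalisation to `ocsf.assignee` as well, or drop `'2005'` from this list so the condition documents what actually runs. The `pipeline_object_user` definition is outside this hunk, so I can't confirm which fields it normalises.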
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml index 10fea51944b4..54f0ec654838 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml 
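Review bot: `size` under both `request.containers` and `response.containers` is mapped as `integer` (32-bit signed), but the sample event added in this commit has container sizes 3136831313 and 2090102397, the first of which exceeds 2147483647 and would be rejected at index time; map it as `type: long`. `response.code` also regresses from the `long` used by the block removed from `event/fields/fields.yml` to `integer`; `long` keeps the existing mapping. The two `containers` groups are copied verbatim including the wording `write to the standard the output of a particular logging driver`, which should read `write to the standard output of a particular logging driver` in both places.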
@@ -93,57 +93,6 @@
 - name: type
 type: keyword
 description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.'
- - name: api
- type: group
- fields:
- - name: operation
- type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
- type: keyword
- description: The version of the API service.
 - name: app
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
new file mode 100644
index 000000000000..b613e82537f2
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
@@ -0,0 +1,30 @@
+# The misc fields are used to store additional information about the event that does not fit into the other categories and spans across multiple event types.
+# They have extended mappings in their respective data streams
+- name: ocsf
+ type: group
+ fields:
+ # These fields are used to store misc information about a findings category event.
+ - name: assignee
+ type: flattened
+ description: The details of the user assigned to an Incident.
+ - name: assignee_group
+ type: flattened
+ description: The details of the group assigned to an Incident.
+ - name: desc
+ type: keyword
+ description: The short description of the incident.
+ - name: priority
+ type: keyword
+ description: The priority, normalized to the caption of the priority_id value.
+ - name: priority_id
+ type: integer
+ description: The priority, normalized to the ID of the priority_id value.
+ - name: src_url
+ type: keyword
+ description: A Url link used to access the original incident.
+ - name: verdict
+ type: keyword
+ description: The verdict assigned to an Incident finding.
+ - name: verdict_id
+ type: integer
+ description: The normalized verdict of an Incident.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml
new file mode 100644
index 000000000000..852880315189
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml
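Review bot: `priority_id` and `verdict_id` are mapped as `integer`, while the existing OCSF id fields in this package, such as `severity_id` in findings/fields.yml, are `long`; one width should be used for all `*_id` enums so cross-stream queries and the findings/fields.yml additions at `@@ -517` and `@@ -594` agree with the rest of the schema. The `priority_id` description is circular (`The priority, normalized to the ID of the priority_id value.`); `description: The normalized priority identifier.` follows the wording used for `severity_id`. The same text is repeated for `priority_id` in findings/fields.yml at `@@ -517`, and `verdict_id` would read better as `description: The normalized verdict identifier.` in both files.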
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml new file mode 100644 index 000000000000..d3df3ca6d629 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml 
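Review bot: `response.error_message` and `response.message` are mapped as `text` here, whereas the mapping this file replaces (removed from findings/fields.yml in this same diff) had them as `keyword`; analyzed `text` cannot be used for exact-value filters or terms aggregations, which is how error strings are normally pivoted on in detection rules and dashboards, so either keep `type: keyword` or add a keyword multi-field. `response.code` likewise narrows from `long` to `integer`, a mapping change that will conflict on indices already written with the old type unless the upgrade path accounts for it. Both `containers` descriptions read `write to the standard the output of a particular logging driver`; `write to the standard output of a particular logging driver`. This file is added verbatim (same blob id) as iam/fields/api-fields.yml and network_activity/fields/api-fields.yml in this diff, so every fix here has to be mirrored in those copies.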
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: assignee + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. 
+ - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. 
+ - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: integer + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: integer + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml index b3adede99925..fbb1890f79b8 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml 
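Review bot: The `ldap_person` time fields (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are mapped with `format: epoch_second`, but OCSF `timestamp_t` values are epoch milliseconds, so a raw OCSF value would be parsed as a date tens of thousands of years in the future unless the ingest pipeline divides it by 1000 first; the pipeline is not in this diff, so this needs confirming against it. The description of the user-level `type_id` (`The account type identifier.`) appears to be copied from `account.type_id`; `description: The normalized user type identifier.` fits the field, and the same text recurs under `manager`. `groups.desc` is `keyword` here while `assignee_group.desc` in findings/fields.yml in this diff is `text`; the two group descriptions should share a type.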
@@ -57,57 +57,28 @@
 - name: version
 type: keyword
 description: 'The analytic version. For example: 1.1.'
- - name: api
+ - name: assignee_group
 type: group
+ description: The details of the group assigned to an Incident.
 fields:
- - name: operation
+ - name: desc
+ type: text
+ description: The group description.
+ - name: domain
 type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
 type: keyword
- description: The version of the API service.
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
 - name: attacks
 type: group
 fields:
@@ -238,6 +209,9 @@
 - name: data_sources
 type: keyword
 description: The data sources for the finding.
+ - name: desc
+ type: keyword
+ description: The short description of the incident.
 - name: duration
 type: long
 description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
@@ -517,6 +491,12 @@
 - name: value
 type: keyword
 description: The value associated with the observable attribute.
+ - name: priority
+ type: keyword
+ description: The priority, normalized to the caption of the priority_id value.
+ - name: priority_id
+ type: integer
+ description: The priority, normalized to the ID of the priority_id value.
 - name: remediation
 type: group
 fields:
@@ -552,6 +532,9 @@
 - name: severity_id
 type: long
 description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
+ - name: src_url
+ type: keyword
+ description: A Url link used to access the original incident.
 - name: start_time
 type: date
 description: The start time of a time period, or the time of the least recent event included in the aggregate event.
@@ -594,3 +577,9 @@
 - name: unmapped
 type: flattened
 description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
+ - name: verdict
+ type: keyword
+ description: The verdict assigned to an Incident finding.
+ - name: verdict_id
+ type: integer
+ description: The normalized verdict of an Incident.
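Review bot: `assignee_group.desc` is mapped as `text` in the `@@ -57` hunk, while the top-level `desc` added at `@@ -238` and `groups.desc` in the new assignee-fields.yml are `keyword`; analyzed `text` cannot be aggregated or matched exactly, so the group description should be `type: keyword` like its siblings, or all of them should carry a keyword multi-field. The `verdict` and `verdict_id` descriptions in the `@@ -594` hunk also read inconsistently (`The verdict assigned to an Incident finding.` vs `The normalized verdict of an Incident.`); `description: The normalized verdict identifier.` for `verdict_id` would parallel how `severity_id` is documented in the `@@ -552` context.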
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml
new file mode 100644
index 000000000000..852880315189
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml index 83a867224a41..a915cde0324b 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml 
@@ -7,57 +7,6 @@
 - name: activity_name
 type: keyword
 description: The event activity name, as defined by the activity_id.
- - name: api
- type: group
- fields:
- - name: operation
- type: keyword
- description: Verb/Operation associated with the request.
- - name: request
- type: group
- fields:
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: uid
- type: keyword
- description: The unique request identifier.
- - name: response
- type: group
- fields:
- - name: code
- type: long
- description: The numeric response sent to a request.
- - name: error
- type: keyword
- description: Error Code.
- - name: error_message
- type: keyword
- description: Error Message.
- - name: flags
- type: keyword
- description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.
- - name: message
- type: keyword
- description: The description of the event, as defined by the event source.
- - name: service
- type: group
- fields:
- - name: labels
- type: keyword
- description: The list of labels associated with the service.
- - name: name
- type: keyword
- description: The name of the service.
- - name: uid
- type: keyword
- description: The unique identifier of the service.
- - name: version
- type: keyword
- description: The version of the service.
- - name: version
- type: keyword
- description: The version of the API service.
 - name: auth_protocol
 type: keyword
 description: The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml
new file mode 100644
index 000000000000..852880315189
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml index 91063c5a28b6..2e1c87c1346b 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml 
@@ -37,57 +37,6 @@ - name: type type: keyword description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.' - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: app_name type: keyword description: The name of the application that is associated with the event or object. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null 
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml 
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index e4a9c3821cd1..5e548c46596a 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml 
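Review bot: `size` under `request.containers` and again under `response.containers` is mapped as `type: integer`, a signed 32-bit field in Elasticsearch, while container image sizes routinely exceed 2,147,483,647 bytes (a fixture later in this series carries `"size":2809284742` on a container object). A document with such a value is rejected at index time unless ignore_malformed is enabled for the data stream, in which case the field is silently dropped, so either way the size is lost. Both occurrences should read `type: long`, which is how the removed `api` group in system_activity/fields/fields.yml typed its numeric field and matches the long type OCSF's container object uses for `size`; the generated README rows for `ocsf.api.request.containers.size` and `ocsf.api.response.containers.size` would then show `long`. The same mapping appears in the api-fields hunk that ends at the top of this chunk, so it needs the same correction there. Separately, the `containers` description's `write to the standard the output` reads as a slip for `write to the standard output`, though it may be inherited from the schema text.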
@@ -13,57 +13,6 @@ - name: actual_permissions type: long description: The permissions that were granted to the in a platform-native format. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: attacks type: group fields: diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index 2a8e28231431..b4ec5acfc277 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
@@ -578,14 +578,42 @@ This is the `Event` dataset.
 | ocsf.answers.rdata | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. | keyword |
 | ocsf.answers.ttl | The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. | long |
 | ocsf.answers.type | The type of data contained in this resource record. See RFC1035. For example: CNAME. | keyword |
+| ocsf.api.group.desc | The group description. | text |
+| ocsf.api.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
+| ocsf.api.group.name | The group name. | keyword |
+| ocsf.api.group.privileges | The group privileges. | keyword |
+| ocsf.api.group.type | The type of the group or account. | keyword |
+| ocsf.api.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.api.operation | Verb/Operation associated with the request. | keyword |
-| ocsf.api.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword |
+| ocsf.api.request.containers.hash | Commit hash of image created for docker or the SHA256 hash of the container. | flattened |
+| ocsf.api.request.containers.image | The container image used as a template to run the container. | flattened |
+| ocsf.api.request.containers.name | The container name. | keyword |
+| ocsf.api.request.containers.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.api.request.containers.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.api.request.containers.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.api.request.containers.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.api.request.containers.size | The size of the container image. | integer |
+| ocsf.api.request.containers.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.api.request.containers.uid | The full container unique identifier for this instantiation of the container. | keyword |
+| ocsf.api.request.data | The additional data that is associated with the api request. | flattened |
+| ocsf.api.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. | keyword |
 | ocsf.api.request.uid | The unique request identifier. | keyword |
-| ocsf.api.response.code | The numeric response sent to a request. | long |
+| ocsf.api.response.code | The numeric response sent to a request. | integer |
+| ocsf.api.response.containers.hash | Commit hash of image created for docker or the SHA256 hash of the container. | flattened |
+| ocsf.api.response.containers.image | The container image used as a template to run the container. | flattened |
+| ocsf.api.response.containers.name | The container name. | keyword |
+| ocsf.api.response.containers.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword |
+| ocsf.api.response.containers.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword |
+| ocsf.api.response.containers.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword |
+| ocsf.api.response.containers.runtime | The backend running the container, such as containerd or cri-o. | keyword |
+| ocsf.api.response.containers.size | The size of the container image. | integer |
+| ocsf.api.response.containers.tag | The tag used by the container. It can indicate version, format, OS. | keyword |
+| ocsf.api.response.containers.uid | The full container unique identifier for this instantiation of the container. | keyword |
+| ocsf.api.response.data | The additional data that is associated with the api response. | flattened |
 | ocsf.api.response.error | Error Code. | keyword |
-| ocsf.api.response.error_message | Error Message. | keyword |
-| ocsf.api.response.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword |
-| ocsf.api.response.message | The description of the event, as defined by the event source. | keyword |
+| ocsf.api.response.error_message | Error Message. | text |
+| ocsf.api.response.flags | The list of communication flags, normalized to the captions of the flag_ids values. | keyword |
+| ocsf.api.response.message | The description of the event/finding, as defined by the source. | text |
 | ocsf.api.service.labels | The list of labels associated with the service. | keyword |
 | ocsf.api.service.name | The name of the service. | keyword |
 | ocsf.api.service.uid | The unique identifier of the service. | keyword |
@@ -602,6 +630,8 @@ This is the `Event` dataset.
 | ocsf.app.vendor_name | The name of the vendor of the product. | keyword |
 | ocsf.app.version | The version of the product, as defined by the event source. | keyword |
 | ocsf.app_name | The name of the application that is associated with the event or object. | keyword |
+| ocsf.assignee | The details of the user assigned to an Incident. | flattened |
+| ocsf.assignee_group | The details of the group assigned to an Incident. | flattened |
 | ocsf.attacks.tactics.name | The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword |
 | ocsf.attacks.tactics.uid | The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword |
 | ocsf.attacks.technique.name | The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise. | keyword |
@@ -710,6 +740,7 @@ This is the `Event` dataset.
 | ocsf.dce_rpc.rpc_interface.ack_result | An integer that denotes the acknowledgment result of the DCE/RPC call. | long |
 | ocsf.dce_rpc.rpc_interface.uuid | The unique identifier of the particular remote procedure or service. | keyword |
 | ocsf.dce_rpc.rpc_interface.version | The version of the DCE/RPC protocol being used in the session. | keyword |
+| ocsf.desc | The short description of the incident. | keyword |
 | ocsf.device.autoscale_uid | The unique identifier of the cloud autoscale configuration. | keyword |
 | ocsf.device.container | The information describing an instance of a container. | flattened |
 | ocsf.device.created_time | The time when the device was known to have been created. | date |
@@ -1622,6 +1653,8 @@ This is the `Event` dataset.
 | ocsf.open_type | Indicates how the file was opened (e.g. normal, delete on close). | keyword |
 | ocsf.port | The dynamic port established for impending data transfers. | long |
 | ocsf.precision | The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. | integer |
+| ocsf.priority | The priority, normalized to the caption of the priority_id value. | keyword |
+| ocsf.priority_id | The priority, normalized to the ID of the priority_id value. | integer |
 | ocsf.privileges | The list of sensitive privileges, assigned to the new user session. | keyword |
 | ocsf.protocol_ver | The Protocol version. | keyword |
 | ocsf.proxy.domain | The name of the domain. | keyword |
@@ -1829,6 +1862,7 @@ This is the `Event` dataset.
 | ocsf.src_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
 | ocsf.src_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
 | ocsf.src_endpoint.zone | The network zone or LAN segment. | keyword |
+| ocsf.src_url | A Url link used to access the original incident. | keyword |
 | ocsf.start_time | The start time of a time period, or the time of the least recent event included in the aggregate event. | date |
 | ocsf.start_time_dt | The start time of a time period, or the time of the least recent event included in the aggregate event. | date |
 | ocsf.state | The normalized state of a security finding. | keyword |
@@ -1991,6 +2025,8 @@ This is the `Event` dataset.
 | ocsf.user_result.type_id | The account type identifier. | keyword |
 | ocsf.user_result.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.user_result.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
+| ocsf.verdict | The verdict assigned to an Incident finding. | keyword |
+| ocsf.verdict_id | The normalized verdict of an Incident. | integer |
 | ocsf.version | The version number of the NTP protocol. | keyword |
 | ocsf.vulnerabilities.cve.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
 | ocsf.vulnerabilities.cve.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date |
From e99119c3110222fc1bda8476b6638a8a74bb24fe Mon Sep 17 00:00:00 2001
From: Shourie Ganguly Date: Thu, 8 Aug 2024 14:25:18 +0530 Subject: [PATCH 16/30] added support for Device Config State Change event class, updated schema version in comment and dashboard links to 1.1.0 --- .../data_stream/discovery/fields/fields.yml | 26 ++ .../_dev/test/pipeline/test-discovery.log | 2 + .../pipeline/test-discovery.log-expected.json | 430 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 10 +- ...pipeline_category_application_activity.yml | 2 +- .../pipeline_category_discovery.yml | 2 +- .../pipeline_category_findings.yml | 2 +- ...ategory_identity_and_access_management.yml | 2 +- .../pipeline_category_network_activity.yml | 2 +- .../pipeline_category_system_activity.yml | 2 +- .../ingest_pipeline/pipeline_object_actor.yml | 2 +- .../pipeline_object_attack.yml | 2 +- .../pipeline_object_device.yml | 2 +- .../ingest_pipeline/pipeline_object_file.yml | 2 +- .../pipeline_object_http_request.yml | 2 +- .../pipeline_object_malware.yml | 2 +- ...ipeline_object_network_connection_info.yml | 2 +- .../pipeline_object_network_endpoint.yml | 2 +- .../pipeline_object_process.yml | 2 +- .../ingest_pipeline/pipeline_object_proxy.yml | 2 +- ...pipeline_object_system_activity_helper.yml | 2 +- .../ingest_pipeline/pipeline_object_tls.yml | 2 +- .../pipeline_object_traffic.yml | 2 +- .../ingest_pipeline/pipeline_object_user.yml | 2 +- .../data_stream/event/fields/misc-fields.yml | 27 ++ packages/amazon_security_lake/docs/README.md | 6 + ...-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json | 2 +- ...-15b6e140-24a3-11ee-bb84-975fc16e8386.json | 2 +- ...-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json | 2 +- ...-3ec9b110-7d82-11ee-8bb4-f99e39910112.json | 2 +- ...-41b73270-25fe-11ee-983a-17fb20a3b25d.json | 2 +- ...-48997710-7d65-11ee-8bb4-f99e39910112.json | 2 +- ...-9f829d40-7e1e-11ee-8bb4-f99e39910112.json | 2 +- ...-c2efb230-7d48-11ee-8bb4-f99e39910112.json | 2 +- ...-ed18e3a0-2565-11ee-be5c-17edc959116c.json | 2 +- 
...-f21df8e0-249d-11ee-aa05-4dd9349682f3.json | 2 +- 36 files changed, 526 insertions(+), 35 deletions(-) diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml index 8b0722426624..d312b12006bc 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml @@ -212,9 +212,35 @@ - name: value type: keyword description: The value associated with the observable attribute. + - name: prev_security_states + type: group + description: The previous security states of the device. + fields: + - name: state + type: keyword + description: The security state of the discovery. + - name: state_id + type: integer + description: The security state of the managed entity. - name: raw_data type: flattened description: The event data as received from the event source. + - name: security_level + type: keyword + description: The current security level of the entity. + - name: security_level_id + type: integer + description: The current security level of the entity. + - name: security_states + type: group + description: The current security states of the device. + fields: + - name: state + type: keyword + description: The security state of the discovery. + - name: state_id + type: integer + description: The security state of the managed entity. - name: severity type: keyword description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log index 12dc667f7c4e..d746bdcc6a43 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log 
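Review bot: The `state` description under both `prev_security_states` and `security_states` reads `The security state of the discovery.`, which does not describe the field and is inconsistent with its sibling `state_id` (`The security state of the managed entity.`); the OCSF security_state object documents `state` as the caption form of `state_id`, so `description: The security state, normalized to the caption of the state_id value.` would be accurate for both occurrences. Likewise `security_level` and `security_level_id` carry the identical sentence `The current security level of the entity.`, leaving a reader unable to tell which is the string caption and which the numeric id; the caption field should say `normalized to the caption of the security_level_id value`. These descriptions are copied verbatim into the generated README table, so the mismatch surfaces in the user-facing docs as well.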
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log 
@@ -2,3 +2,5 @@ {"message":"poster thongs assumptions","status":"Success","time":1695277679358,"device":{"name":"craig functioning literally","type":"Laptop","os":{"name":"spy chronic casual","type":"Android","version":"1.0.0","build":"dozen oval removing","type_id":201,"lang":"en","edition":"nightmare engineers carter"},"location":{"desc":"Reunion","city":"Porcelain senior","country":"RE","coordinates":[-161.6608,-47.0418],"continent":"Africa"},"uid":"7f256308-584d-11ee-8de0-0242ac110005","image":{"name":"saudi enhanced surgical","uid":"7f2554b2-584d-11ee-b26b-0242ac110005"},"mac":"C6:49:F0:76:1D:13:CE:F7","type_id":3,"autoscale_uid":"7f25415c-584d-11ee-b3fc-0242ac110005","hw_info":{"cpu_bits":66},"instance_uid":"7f254ea4-584d-11ee-a68f-0242ac110005","interface_name":"watt profile rs","is_personal":false,"last_seen_time":1695277679358,"region":"airport leaves kitchen","risk_level":"organizational economic connecticut"},"metadata":{"version":"1.0.0","product":{"name":"butterfly knight log","version":"1.0.0","uid":"7f25336a-584d-11ee-b2a5-0242ac110005","lang":"en","vendor_name":"disciplinary rec report"},"profiles":["cloud","container","datetime","host"],"event_code":"spelling","log_name":"len falling educational","log_provider":"tales asset extremely","log_version":"learners headlines linear","original_time":"programmers less barcelona","processed_time":1695280036393},"severity":"Critical","type_name":"Device Inventory Info: Collect","activity_id":2,"type_uid":500102,"category_name":"Discovery","class_uid":5001,"category_uid":5,"class_name":"Device Inventory Info","timezone_offset":65,"activity_name":"Collect","cloud":{"org":{"name":"black lets promotions","ou_name":"recover sol revolutionary"},"provider":"mod force sailing","region":"ticket resident buried"},"enrichments":[{"data":{"nintendo":"abcd"},"name":"visual mv bottom","type":"calibration basics quebec","value":"alice stick spray","provider":"lucy permanent 
trips"}],"severity_id":5,"status_code":"vancouver","status_id":1,"start_time_dt":"2023-09-21T07:07:16.394812Z"} {"activity_id":1,"activity_name":"Login Attempt","actor":{"authorizations":[{"decision":"allow","policy":{"desc":"Allow login","group":{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"},"name":"Login Policy","uid":"pol101","version":"1.0"}}],"idp":{"name":"IDP Service","uid":"idp101"},"invoked_by":"web_app","process":{"cmd_line":"/usr/bin/login","created_time":1672444800,"file":{"accessed_time":1672531200,"accessor":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":null,"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"},"attributes":777,"company_name":"Example Corp","confidentiality":"high","confidentiality_id":2,"created_time":1672444800,"creator":null,"desc":"Login script","hashes":[{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}],"is_system":true,"mime_type":"application/x-sh","modified_time":1672444800,"modifier":null,"name":"login.sh","owner":null,"parent_folder":"/usr/bin","path":"/usr/bin/login.sh","product":null,"security_descriptor":"D:P(A;;FA;;;BA)","signature":{"algorithm":"RSA","algorithm_id":1,"certificate":{"created_time":1577836800,"expiration_time":1893456000,"fingerprints":[{"algorithm":"SHA-1","algorithm_id":3,"value":"abc123"}],"issuer":"Example CA","serial_number":"123456","subject":"Example 
Corp","uid":"cert101","version":"1"},"created_time":1672444800,"developer_uid":"dev101","digest":{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}},"size":2048,"type":"script","type_id":1,"uid":"file101","version":"1.0","xattributes":{}},"integrity":"valid","integrity_id":1,"lineage":["/sbin/init","/usr/bin/login"],"loaded_modules":["pam","bash"],"name":"login","parent_process":null,"pid":1234,"sandbox":"none","session":null,"terminated_time":1672531200,"tid":5678,"uid":"proc101","user":null,"xattributes":{}},"session":{"count":1,"created_time":1672444800,"credential_uid":"cred101","expiration_reason":"timeout","expiration_time":1672531200,"is_mfa":true,"is_remote":false,"is_vpn":false,"issuer":"IDP Service","terminal":"pts/1","uid":"sess101","uid_alt":"sess102","uuid":"uuid-1234"},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers 
Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}},"category_name":"User Activity","category_uid":5,"class_name":"Login Events","class_uid":5003,"count":1,"duration":3600,"end_time":1672531200,"enrichments":[{"data":{},"name":"GeoIP Enrichment","provider":"GeoIP Service","type":"location","value":"San Francisco, USA"}],"message":"User John Doe attempted a login from San Francisco.","metadata":{"correlation_uid":"cor-1234","event_code":"login_attempt","extension":{"name":"Login Extension","uid":"ext-1234","version":"1.0"},"extensions":[],"labels":["security"],"log_level":"info","log_name":"user_activity","log_provider":"Example Provider","log_version":"1.0","logged_time":1672444800,"loggers":[],"modified_time":1672444800,"original_time":"2023-01-01T00:00:00Z","processed_time":1672531200,"product":{"cpe_name":"cpe:/a:example:product","feature":{"name":"Login Feature","uid":"fea-1234","version":"1.0"},"lang":"en","name":"User Activity Logger","path":"/var/log/user_activity","uid":"prod-1234","url_string":"https://example.com","vendor_name":"Example Vendor","version":"1.0"},"profiles":["default"],"sequence":1,"tenant_uid":"tenant123","uid":"evt-1234","version":"1.0"},"observables":[{"name":"San Francisco","reputation":{"base_score":90,"provider":"GeoIP Service","score":"high","score_id":1},"type":"location","type_id":2,"value":"San Francisco, 
USA"}],"raw_data":"raw_event_data","severity":"medium","severity_id":2,"start_time":1672444800,"status":"processed","status_code":"200","status_detail":"Event processed successfully.","status_id":1,"time":1672444800,"timezone_offset":-8,"type_name":"login_event","type_uid":1001,"unmapped":{},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example 
Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}} {"message":"ol avatar webster","status":"jim","time":1722592439954199,"device":{"name":"sk feat cups","type":"Browser","ip":"81.2.69.144","location":{"desc":"Burundi, Republic of","city":"Randy wellington","country":"BI","coordinates":[-44.0959,34.4006],"continent":"Africa"},"hostname":"surfaces.biz","uid":"2444035c-50b5-11ef-be7d-0242ac110005","type_id":8,"container":{"name":"ent give c","size":2809284742,"uid":"2444104a-50b5-11ef-a8ef-0242ac110005","image":{"name":"rt href dubai","tag":"team established germany","path":"enhancing zope celtic","uid":"24441aea-50b5-11ef-a95e-0242ac110005","labels":["determines","dirt"]},"hash":{"value":"A0F0F23EF42637BEC6F126E2A94D58802124DC4B559791CE9583CBC1BB474C954FEF9FD047DFB80F46A869FBB1BAC07C4841FC2C92C4A9DF1755072825DEBBC8","algorithm":"Unknown","algorithm_id":0},"orchestrator":"carries pretty ranks"},"instance_uid":"2443f740-50b5-11ef-8557-0242ac110005","interface_name":"mb built rip","interface_uid":"24442436-50b5-11ef-a4a7-0242ac110005","is_managed":false,"is_trusted":true,"last_seen_time":1722592439950666,"region":"topic toshiba inform","risk_score":3,"vlan_uid":"2443ec0a-50b5-11ef-95ed-0242ac110005","zone":"percent databases fairfield","first_seen_time_dt":"2024-08-02T09:53:59.950879Z"},"metadata":{"version":"1.1.0","extension":{"name":"columbia merely switzerland","version":"1.1.0","uid":"24428c98-50b5-11ef-955a-0242ac110005"},"product":{"name":"semi boston electric","path":"norm eggs ranges","uid":"24429a8a-50b5-11ef-924a-0242ac110005","vendor_name":"gauge thereby modes"},"log_level":"ata ty announcements","sequence":29,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"correlation_uid":"2442a34a-50b5-11ef-adc6-0242ac110005","log_name":"orientation will game","log_provider":"rod seasons weed","loggers":[{"name":"netherlands 
devoted extensive","device":{"name":"tender harmony powerseller","type":"Laptop","os":{"name":"ian distributor collectible","type":"HP-UX","type_id":402,"cpu_bits":9},"ip":"97.19.65.133","uid":"24433d8c-50b5-11ef-b570-0242ac110005","type_id":3,"subnet":"164.124.0.0/16","autoscale_uid":"24432c02-50b5-11ef-b1ff-0242ac110005","container":{"size":2010633241,"uid":"2443498a-50b5-11ef-ae6c-0242ac110005","image":{"name":"anxiety patents return","uid":"2443540c-50b5-11ef-8146-0242ac110005","labels":["intimate","momentum"]},"hash":{"value":"FA43AD9444AD97C075FDAE70D75E938A031C84A9C642A94B9F058555892B875F","algorithm":"magic","algorithm_id":99}},"imei":"relatively drums significantly","instance_uid":"2443362a-50b5-11ef-b381-0242ac110005","interface_name":"own monitoring ph","interface_uid":"24435e02-50b5-11ef-81a2-0242ac110005","is_managed":true,"is_personal":false,"namespace_pid":85,"region":"impacts trackbacks authentication","uid_alt":"kelkoo clinics nearby"},"product":{"name":"herself market quote","version":"1.1.0","uid":"2443cb58-50b5-11ef-b723-0242ac110005","cpe_name":"locale memorabilia board","url_string":"belt","vendor_name":"ultimately permalink scenes"},"log_name":"jul pregnant carrying","log_provider":"specifically executive dosage","transmit_time_dt":"2024-08-02T09:53:59.950077Z"}],"modified_time":1722592439950096,"original_time":"livecam yearly isbn","processed_time":1722592439950110,"tenant_uid":"2443d6b6-50b5-11ef-8908-0242ac110005","modified_time_dt":"2024-08-02T09:53:59.950313Z"},"severity":"Low","duration":84,"type_name":"Operating System Patch State: Unknown","activity_id":0,"type_uid":500400,"category_name":"Discovery","class_uid":5004,"category_uid":5,"class_name":"Operating System Patch State","timezone_offset":54,"activity_name":"Unknown","cloud":{"project_uid":"244256a6-50b5-11ef-b514-0242ac110005","provider":"examined thumbzilla applies","region":"refugees england number"},"kb_article_list":[{"os":{"name":"pills conversations dave","type":"Windows 
Mobile","type_id":101,"lang":"en","edition":"liechtenstein wildlife rooms"},"title":"survey chinese wales","uid":"24443296-50b5-11ef-a50c-0242ac110005","severity":"spectacular durham aw","bulletin":"mauritius journalists shaved"},{"os":{"name":"reaches ridge signatures","type":"overseas","version":"1.1.0","type_id":99,"cpe_name":"almost advertisement oe","cpu_bits":7},"product":{"name":"recorder engaging widescreen","version":"1.1.0","uid":"244462f2-50b5-11ef-86a0-0242ac110005","lang":"en","cpe_name":"stuffed robots bras","vendor_name":"spring russian core"},"uid":"24446d6a-50b5-11ef-ac9c-0242ac110005","severity":"paso strictly after","src_url":"reserved"}],"severity_id":2,"status_id":99} +{"message":"suppose intimate restaurant","status":"mayor jewel fixes","time":1723105732280760,"device":{"type":"Server","ip":"233.56.87.14","hostname":"scores.museum","uid":"3e55aa52-5560-11ef-b18f-0242ac110005","org":{"uid":"3e55922e-5560-11ef-8631-0242ac110005","ou_name":"gourmet biographies avon","ou_uid":"3e55997c-5560-11ef-b188-0242ac110005"},"type_id":1,"container":{"name":"china elections nathan","runtime":"fail gmc swap","size":72520595,"uid":"3e55b7a4-5560-11ef-96a7-0242ac110005","image":{"name":"ceo fly grenada","uid":"3e55c60e-5560-11ef-b505-0242ac110005"},"hash":{"value":"57799DCAEC3A56379406B2C2D009F1CEC4582CC018A5EA2902010D23F77C9604AC49FFDF893574E772F722ED8989C6E29473647F4D6751DBB0C22B88E9C07596","algorithm":"quickXorHash","algorithm_id":7},"network_driver":"british makeup series"},"first_seen_time":1723105732279498,"imei":"opt specializing courses","instance_uid":"3e559fb2-5560-11ef-b12b-0242ac110005","interface_name":"wet logos memorial","interface_uid":"3e55cfbe-5560-11ef-b385-0242ac110005","last_seen_time":1723105732278612,"namespace_pid":42,"network_interfaces":[{"name":"ext nasty pants","type":"Wireless","ip":"175.16.199.0","hostname":"description.travel","mac":"5A:10:D1:50:15:9A:55:A6","type_id":2}],"region":"wyoming founded 
blond","risk_level":"Low","risk_level_id":1,"vlan_uid":"3e558716-5560-11ef-8b46-0242ac110005"},"metadata":{"version":"1.1.0","product":{"name":"unions held pal","version":"1.1.0","uid":"3e54e914-5560-11ef-a37e-0242ac110005","url_string":"davidson","vendor_name":"dental magazines describing"},"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"event_code":"exceptional","log_name":"should ld recruiting","log_provider":"reducing descriptions andrea","modified_time":1723105732274878,"original_time":"gorgeous sometimes normal","processed_time":1723105732274895,"tenant_uid":"3e54f35a-5560-11ef-a63f-0242ac110005"},"severity":"Unknown","api":{"request":{"data":"except","uid":"3e55dcca-5560-11ef-8d98-0242ac110005"},"response":{"error":"disputes gardens passive","code":23,"flags":["int gadgets alliance","half blake tone"],"message":"art tunisia irish","error_message":"finish marine developers"},"operation":"hd inner forgot"},"type_name":"Device Config State Change: Unknown","activity_id":0,"type_uid":501900,"observables":[{"name":"betting joe uncertainty","type":"Unknown","type_id":0},{"name":"stations effectiveness bizrate","type":"IP Address","type_id":2,"reputation":{"base_score":70.4967,"provider":"murray office chronicles","score":"Malicious","score_id":10}}],"category_name":"Discovery","class_uid":5019,"category_uid":5,"class_name":"Device Config State Change","timezone_offset":41,"end_time_dt":"2024-08-08T08:28:52.280748Z","activity_name":"Unknown","cloud":{"provider":"prepaid policy genetic","region":"unusual accuracy coordinate","zone":"median conference permalink"},"security_level":"suppliers inf fabric","severity_id":0} +{"message":"enabling pushing tee","status":"Failure","time":1723106695785986,"device":{"type":"Laptop","domain":"parts patents bios","ip":"175.16.199.0","hostname":"apparel.store","uid":"7ca10520-5562-11ef-994f-0242ac110005","image":{"name":"you therapy 
gaming","uid":"7ca0ff12-5562-11ef-a321-0242ac110005"},"type_id":3,"created_time":1723106695785069,"hypervisor":"weblog operates spanish","instance_uid":"7ca0f4f4-5562-11ef-9585-0242ac110005","interface_name":"individually assembled riders","interface_uid":"7ca10bd8-5562-11ef-a0b4-0242ac110005","is_compliant":true,"modified_time":1723106695785112,"region":"click added cars"},"metadata":{"version":"1.1.0","product":{"name":"use four webpage","version":"1.1.0","uid":"7c9fb288-5562-11ef-850c-0242ac110005","feature":{"name":"iii exceptional erotica","version":"1.1.0","uid":"7c9fbdfa-5562-11ef-b36a-0242ac110005"},"url_string":"light","vendor_name":"whatever chan might"},"profiles":[],"event_code":"recognized","log_name":"durable flex field","loggers":[{"name":"senator babies ou","device":{"name":"camcorder zoning projector","type":"Server","os":{"name":"pottery laws resident","type":"Unknown","country":"Haiti, Republic of","type_id":0},"domain":"pain brilliant html","ip":"177.30.168.240","hostname":"array.mil","uid":"7ca01610-5562-11ef-80c2-0242ac110005","image":{"name":"threaded reduction registry","uid":"7ca00f80-5562-11ef-9605-0242ac110005"},"type_id":1,"instance_uid":"7ca00508-5562-11ef-aef5-0242ac110005","interface_name":"smoke shorts historic","interface_uid":"7ca01d0e-5562-11ef-8a28-0242ac110005","is_personal":true,"modified_time":1723106695779060,"network_interfaces":[{"type":"Wired","ip":"162.67.186.104","hostname":"majority.int","mac":"A5:AD:3C:E2:45:BB:1F:BD","type_id":1,"subnet_prefix":63},{"name":"fujitsu specials encourages","type":"Mobile","ip":"61.37.184.176","hostname":"signal.biz","mac":"42:EC:71:C:44:87:4D:3F","type_id":3}],"region":"enforcement mls cabinet","risk_score":32,"subnet_uid":"7c9ff360-5562-11ef-a23d-0242ac110005"},"product":{"version":"1.1.0","uid":"7ca028a8-5562-11ef-9f4e-0242ac110005","lang":"en","cpe_name":"eddie m loop","vendor_name":"wild stack ing"},"uid":"7ca02fe2-5562-11ef-85c4-0242ac110005","log_name":"virus estimated 
hospitality","log_provider":"snapshot survive ruled"},{"name":"photo missing lions","version":"1.1.0","device":{"name":"barrier problems southampton","type":"Unknown","ip":"178.130.62.185","location":{"desc":"Nauru, Republic of","city":"Corrections presence","country":"NR","coordinates":[-87.1695,-2.0139],"continent":"Oceania"},"hostname":"traveller.org","uid":"7ca0bd86-5562-11ef-913a-0242ac110005","groups":[{"type":"train fm brain","uid":"7ca0a350-5562-11ef-a3c7-0242ac110005","privileges":["airlines ricky practitioner","hometown nh fair"]}],"type_id":0,"subnet":"239.0.0.0/8","instance_uid":"7ca0b64c-5562-11ef-9d6d-0242ac110005","interface_name":"accompanied lesson color","interface_uid":"7ca0c466-5562-11ef-abf1-0242ac110005","is_compliant":true,"is_personal":true,"modified_time":1723106695783536,"region":"careers eval haiti","subnet_uid":"7ca0aaf8-5562-11ef-825e-0242ac110005","uid_alt":"square washington foster"},"product":{"name":"sh buttons specialties","version":"1.1.0","vendor_name":"acrylic pace draws"},"uid":"7ca0ceca-5562-11ef-844f-0242ac110005","log_name":"tagged mainstream equal","log_provider":"certified denial agree"}],"original_time":"fireplace chapel support","tenant_uid":"7ca0d924-5562-11ef-9d5f-0242ac110005"},"severity":"Critical","type_name":"Device Config State Change: Other","activity_id":99,"type_uid":501999,"observables":[{"name":"savage humanity jail","type":"shots","value":"lived creator planning","type_id":99}],"category_name":"Discovery","class_uid":5019,"category_uid":5,"class_name":"Device Config State Change","timezone_offset":85,"end_time":1723106695784773,"activity_name":"fraser","security_states":[{},{"state":"Protection malfunction","state_id":5}],"enrichments":[{"data":"mpeg","name":"needs included bag","type":"palestine spin down","value":"gay from titans","provider":"sherman centers profession"}],"prev_security_states":[{},{}],"severity_id":5,"status_id":2} 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json index 8578dc4d5112..b69074b1add6 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json 
@@ -1161,6 +1161,436 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "+56573-01-17T09:11:20.760Z", + "cloud": { + "availability_zone": "median conference permalink", + "provider": "prepaid policy genetic", + "region": "unusual accuracy coordinate" + }, + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "unknown", + "code": "exceptional", + "end": "2024-08-08T08:28:52.280Z", + "kind": "event", + "original": "{\"message\":\"suppose intimate restaurant\",\"status\":\"mayor jewel fixes\",\"time\":1723105732280760,\"device\":{\"type\":\"Server\",\"ip\":\"233.56.87.14\",\"hostname\":\"scores.museum\",\"uid\":\"3e55aa52-5560-11ef-b18f-0242ac110005\",\"org\":{\"uid\":\"3e55922e-5560-11ef-8631-0242ac110005\",\"ou_name\":\"gourmet biographies avon\",\"ou_uid\":\"3e55997c-5560-11ef-b188-0242ac110005\"},\"type_id\":1,\"container\":{\"name\":\"china elections nathan\",\"runtime\":\"fail gmc swap\",\"size\":72520595,\"uid\":\"3e55b7a4-5560-11ef-96a7-0242ac110005\",\"image\":{\"name\":\"ceo fly grenada\",\"uid\":\"3e55c60e-5560-11ef-b505-0242ac110005\"},\"hash\":{\"value\":\"57799DCAEC3A56379406B2C2D009F1CEC4582CC018A5EA2902010D23F77C9604AC49FFDF893574E772F722ED8989C6E29473647F4D6751DBB0C22B88E9C07596\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"network_driver\":\"british makeup series\"},\"first_seen_time\":1723105732279498,\"imei\":\"opt specializing courses\",\"instance_uid\":\"3e559fb2-5560-11ef-b12b-0242ac110005\",\"interface_name\":\"wet logos memorial\",\"interface_uid\":\"3e55cfbe-5560-11ef-b385-0242ac110005\",\"last_seen_time\":1723105732278612,\"namespace_pid\":42,\"network_interfaces\":[{\"name\":\"ext nasty pants\",\"type\":\"Wireless\",\"ip\":\"175.16.199.0\",\"hostname\":\"description.travel\",\"mac\":\"5A:10:D1:50:15:9A:55:A6\",\"type_id\":2}],\"region\":\"wyoming founded 
blond\",\"risk_level\":\"Low\",\"risk_level_id\":1,\"vlan_uid\":\"3e558716-5560-11ef-8b46-0242ac110005\"},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"unions held pal\",\"version\":\"1.1.0\",\"uid\":\"3e54e914-5560-11ef-a37e-0242ac110005\",\"url_string\":\"davidson\",\"vendor_name\":\"dental magazines describing\"},\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"event_code\":\"exceptional\",\"log_name\":\"should ld recruiting\",\"log_provider\":\"reducing descriptions andrea\",\"modified_time\":1723105732274878,\"original_time\":\"gorgeous sometimes normal\",\"processed_time\":1723105732274895,\"tenant_uid\":\"3e54f35a-5560-11ef-a63f-0242ac110005\"},\"severity\":\"Unknown\",\"api\":{\"request\":{\"data\":\"except\",\"uid\":\"3e55dcca-5560-11ef-8d98-0242ac110005\"},\"response\":{\"error\":\"disputes gardens passive\",\"code\":23,\"flags\":[\"int gadgets alliance\",\"half blake tone\"],\"message\":\"art tunisia irish\",\"error_message\":\"finish marine developers\"},\"operation\":\"hd inner forgot\"},\"type_name\":\"Device Config State Change: Unknown\",\"activity_id\":0,\"type_uid\":501900,\"observables\":[{\"name\":\"betting joe uncertainty\",\"type\":\"Unknown\",\"type_id\":0},{\"name\":\"stations effectiveness bizrate\",\"type\":\"IP Address\",\"type_id\":2,\"reputation\":{\"base_score\":70.4967,\"provider\":\"murray office chronicles\",\"score\":\"Malicious\",\"score_id\":10}}],\"category_name\":\"Discovery\",\"class_uid\":5019,\"category_uid\":5,\"class_name\":\"Device Config State Change\",\"timezone_offset\":41,\"end_time_dt\":\"2024-08-08T08:28:52.280748Z\",\"activity_name\":\"Unknown\",\"cloud\":{\"provider\":\"prepaid policy genetic\",\"region\":\"unusual accuracy coordinate\",\"zone\":\"median conference permalink\"},\"security_level\":\"suppliers inf fabric\",\"severity_id\":0}", + "provider": "reducing descriptions andrea", + "severity": 0, + 
"type": [ + "info" + ] + }, + "host": { + "hostname": "scores.museum", + "id": "3e55aa52-5560-11ef-b18f-0242ac110005", + "ip": [ + "233.56.87.14" + ], + "risk": { + "static_level": "Low" + }, + "type": "Server" + }, + "message": "suppose intimate restaurant", + "network": { + "vlan": { + "id": "3e558716-5560-11ef-8b46-0242ac110005" + } + }, + "ocsf": { + "activity_id": "0", + "activity_name": "Unknown", + "api": { + "operation": "hd inner forgot", + "request": { + "data": "except", + "uid": "3e55dcca-5560-11ef-8d98-0242ac110005" + }, + "response": { + "code": 23, + "error": "disputes gardens passive", + "error_message": "finish marine developers", + "flags": [ + "int gadgets alliance", + "half blake tone" + ], + "message": "art tunisia irish" + } + }, + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Device Config State Change", + "class_uid": "5019", + "cloud": { + "provider": "prepaid policy genetic", + "region": "unusual accuracy coordinate", + "zone": "median conference permalink" + }, + "device": { + "container": { + "hash": { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "57799DCAEC3A56379406B2C2D009F1CEC4582CC018A5EA2902010D23F77C9604AC49FFDF893574E772F722ED8989C6E29473647F4D6751DBB0C22B88E9C07596" + }, + "image": { + "name": "ceo fly grenada", + "uid": "3e55c60e-5560-11ef-b505-0242ac110005" + }, + "name": "china elections nathan", + "network_driver": "british makeup series", + "runtime": "fail gmc swap", + "size": 72520595, + "uid": "3e55b7a4-5560-11ef-96a7-0242ac110005" + }, + "first_seen_time": "+56573-01-17T09:11:19.498Z", + "hostname": "scores.museum", + "imei": "opt specializing courses", + "instance_uid": "3e559fb2-5560-11ef-b12b-0242ac110005", + "interface_name": "wet logos memorial", + "interface_uid": "3e55cfbe-5560-11ef-b385-0242ac110005", + "ip": "233.56.87.14", + "last_seen_time": "+56573-01-17T09:11:18.612Z", + "namespace_pid": 42, + "network_interfaces": [ + { + "hostname": "description.travel", + "ip": 
"175.16.199.0", + "mac": "5A-10-D1-50-15-9A-55-A6", + "name": "ext nasty pants", + "type": "Wireless", + "type_id": "2" + } + ], + "org": { + "ou_name": "gourmet biographies avon", + "ou_uid": "3e55997c-5560-11ef-b188-0242ac110005", + "uid": "3e55922e-5560-11ef-8631-0242ac110005" + }, + "region": "wyoming founded blond", + "risk_level": "Low", + "risk_level_id": "1", + "type": "Server", + "type_id": "1", + "uid": "3e55aa52-5560-11ef-b18f-0242ac110005", + "vlan_uid": "3e558716-5560-11ef-8b46-0242ac110005" + }, + "end_time_dt": "2024-08-08T08:28:52.280Z", + "message": "suppose intimate restaurant", + "metadata": { + "event_code": "exceptional", + "log_name": "should ld recruiting", + "log_provider": "reducing descriptions andrea", + "modified_time": "+56573-01-17T09:11:14.878Z", + "original_time": "gorgeous sometimes normal", + "processed_time": "+56573-01-17T09:11:14.895Z", + "product": { + "name": "unions held pal", + "uid": "3e54e914-5560-11ef-a37e-0242ac110005", + "url_string": "davidson", + "vendor_name": "dental magazines describing", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "3e54f35a-5560-11ef-a63f-0242ac110005", + "version": "1.1.0" + }, + "observables": [ + { + "name": "betting joe uncertainty", + "type": "Unknown", + "type_id": "0" + }, + { + "name": "stations effectiveness bizrate", + "reputation": { + "base_score": 70.4967, + "provider": "murray office chronicles", + "score": "Malicious", + "score_id": "10" + }, + "type": "IP Address", + "type_id": "2" + } + ], + "security_level": "suppliers inf fabric", + "severity": "Unknown", + "severity_id": 0, + "status": "mayor jewel fixes", + "time": "+56573-01-17T09:11:20.760Z", + "timezone_offset": 41, + "type_name": "Device Config State Change: Unknown", + "type_uid": "501900" + }, + "related": { + "hosts": [ + "scores.museum", + "description.travel" + ], + 
"ip": [ + "233.56.87.14", + "175.16.199.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "+56573-01-28T12:49:45.986Z", + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "fraser", + "code": "recognized", + "end": "+56573-01-28T12:49:44.773Z", + "kind": "event", + "original": "{\"message\":\"enabling pushing tee\",\"status\":\"Failure\",\"time\":1723106695785986,\"device\":{\"type\":\"Laptop\",\"domain\":\"parts patents bios\",\"ip\":\"175.16.199.0\",\"hostname\":\"apparel.store\",\"uid\":\"7ca10520-5562-11ef-994f-0242ac110005\",\"image\":{\"name\":\"you therapy gaming\",\"uid\":\"7ca0ff12-5562-11ef-a321-0242ac110005\"},\"type_id\":3,\"created_time\":1723106695785069,\"hypervisor\":\"weblog operates spanish\",\"instance_uid\":\"7ca0f4f4-5562-11ef-9585-0242ac110005\",\"interface_name\":\"individually assembled riders\",\"interface_uid\":\"7ca10bd8-5562-11ef-a0b4-0242ac110005\",\"is_compliant\":true,\"modified_time\":1723106695785112,\"region\":\"click added cars\"},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"use four webpage\",\"version\":\"1.1.0\",\"uid\":\"7c9fb288-5562-11ef-850c-0242ac110005\",\"feature\":{\"name\":\"iii exceptional erotica\",\"version\":\"1.1.0\",\"uid\":\"7c9fbdfa-5562-11ef-b36a-0242ac110005\"},\"url_string\":\"light\",\"vendor_name\":\"whatever chan might\"},\"profiles\":[],\"event_code\":\"recognized\",\"log_name\":\"durable flex field\",\"loggers\":[{\"name\":\"senator babies ou\",\"device\":{\"name\":\"camcorder zoning projector\",\"type\":\"Server\",\"os\":{\"name\":\"pottery laws resident\",\"type\":\"Unknown\",\"country\":\"Haiti, Republic of\",\"type_id\":0},\"domain\":\"pain brilliant html\",\"ip\":\"177.30.168.240\",\"hostname\":\"array.mil\",\"uid\":\"7ca01610-5562-11ef-80c2-0242ac110005\",\"image\":{\"name\":\"threaded 
reduction registry\",\"uid\":\"7ca00f80-5562-11ef-9605-0242ac110005\"},\"type_id\":1,\"instance_uid\":\"7ca00508-5562-11ef-aef5-0242ac110005\",\"interface_name\":\"smoke shorts historic\",\"interface_uid\":\"7ca01d0e-5562-11ef-8a28-0242ac110005\",\"is_personal\":true,\"modified_time\":1723106695779060,\"network_interfaces\":[{\"type\":\"Wired\",\"ip\":\"162.67.186.104\",\"hostname\":\"majority.int\",\"mac\":\"A5:AD:3C:E2:45:BB:1F:BD\",\"type_id\":1,\"subnet_prefix\":63},{\"name\":\"fujitsu specials encourages\",\"type\":\"Mobile\",\"ip\":\"61.37.184.176\",\"hostname\":\"signal.biz\",\"mac\":\"42:EC:71:C:44:87:4D:3F\",\"type_id\":3}],\"region\":\"enforcement mls cabinet\",\"risk_score\":32,\"subnet_uid\":\"7c9ff360-5562-11ef-a23d-0242ac110005\"},\"product\":{\"version\":\"1.1.0\",\"uid\":\"7ca028a8-5562-11ef-9f4e-0242ac110005\",\"lang\":\"en\",\"cpe_name\":\"eddie m loop\",\"vendor_name\":\"wild stack ing\"},\"uid\":\"7ca02fe2-5562-11ef-85c4-0242ac110005\",\"log_name\":\"virus estimated hospitality\",\"log_provider\":\"snapshot survive ruled\"},{\"name\":\"photo missing lions\",\"version\":\"1.1.0\",\"device\":{\"name\":\"barrier problems southampton\",\"type\":\"Unknown\",\"ip\":\"178.130.62.185\",\"location\":{\"desc\":\"Nauru, Republic of\",\"city\":\"Corrections presence\",\"country\":\"NR\",\"coordinates\":[-87.1695,-2.0139],\"continent\":\"Oceania\"},\"hostname\":\"traveller.org\",\"uid\":\"7ca0bd86-5562-11ef-913a-0242ac110005\",\"groups\":[{\"type\":\"train fm brain\",\"uid\":\"7ca0a350-5562-11ef-a3c7-0242ac110005\",\"privileges\":[\"airlines ricky practitioner\",\"hometown nh fair\"]}],\"type_id\":0,\"subnet\":\"239.0.0.0/8\",\"instance_uid\":\"7ca0b64c-5562-11ef-9d6d-0242ac110005\",\"interface_name\":\"accompanied lesson color\",\"interface_uid\":\"7ca0c466-5562-11ef-abf1-0242ac110005\",\"is_compliant\":true,\"is_personal\":true,\"modified_time\":1723106695783536,\"region\":\"careers eval 
haiti\",\"subnet_uid\":\"7ca0aaf8-5562-11ef-825e-0242ac110005\",\"uid_alt\":\"square washington foster\"},\"product\":{\"name\":\"sh buttons specialties\",\"version\":\"1.1.0\",\"vendor_name\":\"acrylic pace draws\"},\"uid\":\"7ca0ceca-5562-11ef-844f-0242ac110005\",\"log_name\":\"tagged mainstream equal\",\"log_provider\":\"certified denial agree\"}],\"original_time\":\"fireplace chapel support\",\"tenant_uid\":\"7ca0d924-5562-11ef-9d5f-0242ac110005\"},\"severity\":\"Critical\",\"type_name\":\"Device Config State Change: Other\",\"activity_id\":99,\"type_uid\":501999,\"observables\":[{\"name\":\"savage humanity jail\",\"type\":\"shots\",\"value\":\"lived creator planning\",\"type_id\":99}],\"category_name\":\"Discovery\",\"class_uid\":5019,\"category_uid\":5,\"class_name\":\"Device Config State Change\",\"timezone_offset\":85,\"end_time\":1723106695784773,\"activity_name\":\"fraser\",\"security_states\":[{},{\"state\":\"Protection malfunction\",\"state_id\":5}],\"enrichments\":[{\"data\":\"mpeg\",\"name\":\"needs included bag\",\"type\":\"palestine spin down\",\"value\":\"gay from titans\",\"provider\":\"sherman centers profession\"}],\"prev_security_states\":[{},{}],\"severity_id\":5,\"status_id\":2}", + "outcome": "failure", + "provider": "whatever chan might", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "domain": "parts patents bios", + "hostname": "apparel.store", + "id": "7ca10520-5562-11ef-994f-0242ac110005", + "ip": [ + "175.16.199.0" + ], + "type": "Laptop" + }, + "message": "enabling pushing tee", + "ocsf": { + "activity_id": "99", + "activity_name": "fraser", + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Device Config State Change", + "class_uid": "5019", + "device": { + "created_time": "+56573-01-28T12:49:45.069Z", + "domain": "parts patents bios", + "hostname": "apparel.store", + "hypervisor": "weblog operates spanish", + "image": { + "name": "you therapy gaming", + "uid": "7ca0ff12-5562-11ef-a321-0242ac110005" 
+ }, + "instance_uid": "7ca0f4f4-5562-11ef-9585-0242ac110005", + "interface_name": "individually assembled riders", + "interface_uid": "7ca10bd8-5562-11ef-a0b4-0242ac110005", + "ip": "175.16.199.0", + "is_compliant": true, + "modified_time": "+56573-01-28T12:49:45.112Z", + "region": "click added cars", + "type": "Laptop", + "type_id": "3", + "uid": "7ca10520-5562-11ef-994f-0242ac110005" + }, + "end_time": "+56573-01-28T12:49:44.773Z", + "enrichments": [ + { + "data": "mpeg", + "name": "needs included bag", + "provider": "sherman centers profession", + "type": "palestine spin down", + "value": "gay from titans" + } + ], + "message": "enabling pushing tee", + "metadata": { + "event_code": "recognized", + "log_name": "durable flex field", + "loggers": [ + { + "device": { + "domain": "pain brilliant html", + "hostname": "array.mil", + "image": { + "name": "threaded reduction registry", + "uid": "7ca00f80-5562-11ef-9605-0242ac110005" + }, + "instance_uid": "7ca00508-5562-11ef-aef5-0242ac110005", + "interface_name": "smoke shorts historic", + "interface_uid": "7ca01d0e-5562-11ef-8a28-0242ac110005", + "ip": "177.30.168.240", + "is_personal": true, + "modified_time": 1723106695779060, + "name": "camcorder zoning projector", + "network_interfaces": [ + { + "hostname": "majority.int", + "ip": "162.67.186.104", + "mac": "A5:AD:3C:E2:45:BB:1F:BD", + "subnet_prefix": 63, + "type": "Wired", + "type_id": 1 + }, + { + "hostname": "signal.biz", + "ip": "61.37.184.176", + "mac": "42:EC:71:C:44:87:4D:3F", + "name": "fujitsu specials encourages", + "type": "Mobile", + "type_id": 3 + } + ], + "os": { + "country": "Haiti, Republic of", + "name": "pottery laws resident", + "type": "Unknown", + "type_id": 0 + }, + "region": "enforcement mls cabinet", + "risk_score": 32, + "subnet_uid": "7c9ff360-5562-11ef-a23d-0242ac110005", + "type": "Server", + "type_id": 1, + "uid": "7ca01610-5562-11ef-80c2-0242ac110005" + }, + "log_name": "virus estimated hospitality", + "log_provider": "snapshot 
survive ruled", + "name": "senator babies ou", + "product": { + "cpe_name": "eddie m loop", + "lang": "en", + "uid": "7ca028a8-5562-11ef-9f4e-0242ac110005", + "vendor_name": "wild stack ing", + "version": "1.1.0" + }, + "uid": "7ca02fe2-5562-11ef-85c4-0242ac110005" + }, + { + "device": { + "groups": [ + { + "privileges": [ + "airlines ricky practitioner", + "hometown nh fair" + ], + "type": "train fm brain", + "uid": "7ca0a350-5562-11ef-a3c7-0242ac110005" + } + ], + "hostname": "traveller.org", + "instance_uid": "7ca0b64c-5562-11ef-9d6d-0242ac110005", + "interface_name": "accompanied lesson color", + "interface_uid": "7ca0c466-5562-11ef-abf1-0242ac110005", + "ip": "178.130.62.185", + "is_compliant": true, + "is_personal": true, + "location": { + "city": "Corrections presence", + "continent": "Oceania", + "coordinates": [ + -87.1695, + -2.0139 + ], + "country": "NR", + "desc": "Nauru, Republic of" + }, + "modified_time": 1723106695783536, + "name": "barrier problems southampton", + "region": "careers eval haiti", + "subnet": "239.0.0.0/8", + "subnet_uid": "7ca0aaf8-5562-11ef-825e-0242ac110005", + "type": "Unknown", + "type_id": 0, + "uid": "7ca0bd86-5562-11ef-913a-0242ac110005", + "uid_alt": "square washington foster" + }, + "log_name": "tagged mainstream equal", + "log_provider": "certified denial agree", + "name": "photo missing lions", + "product": { + "name": "sh buttons specialties", + "vendor_name": "acrylic pace draws", + "version": "1.1.0" + }, + "uid": "7ca0ceca-5562-11ef-844f-0242ac110005", + "version": "1.1.0" + } + ], + "original_time": "fireplace chapel support", + "product": { + "feature": { + "name": "iii exceptional erotica", + "uid": "7c9fbdfa-5562-11ef-b36a-0242ac110005", + "version": "1.1.0" + }, + "name": "use four webpage", + "uid": "7c9fb288-5562-11ef-850c-0242ac110005", + "url_string": "light", + "vendor_name": "whatever chan might", + "version": "1.1.0" + }, + "tenant_uid": "7ca0d924-5562-11ef-9d5f-0242ac110005", + "version": "1.1.0" + }, + 
"observables": [ + { + "name": "savage humanity jail", + "type": "shots", + "type_id": "99", + "value": "lived creator planning" + } + ], + "security_states": [ + { + "state": "Protection malfunction", + "state_id": 5 + } + ], + "severity": "Critical", + "severity_id": 5, + "status": "Failure", + "status_id": "2", + "time": "+56573-01-28T12:49:45.986Z", + "timezone_offset": 85, + "type_name": "Device Config State Change: Other", + "type_uid": "501999" + }, + "related": { + "hosts": [ + "parts patents bios", + "apparel.store" + ], + "ip": [ + "175.16.199.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index a12d8a257955..2d671873e8ec 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Amazon Security Lake Events. -# Base Event docs: https://schema.ocsf.io/1.0.0/base_event?extensions= +# Base Event docs: https://schema.ocsf.io/1.1.0/base_event?extensions= processors: - set: field: ecs.version 
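Review bot: Every epoch-derived date in the two new expected documents lands in year 56573 (`"@timestamp": "+56573-01-17T09:11:20.760Z"`, `event.end`, `ocsf.device.first_seen_time`, `ocsf.metadata.modified_time`, …) because the fixture's `time`/`*_time` values such as 1723105732280760 are microsecond counts while the pipeline evidently parses them as millisecond epochs; the first document's `event.end` is `2024-08-08T08:28:52.280Z` from `end_time_dt`, so the test now pins a self-contradictory document. OCSF `timestamp_t` is a millisecond epoch, so the fixture values should presumably be divided by 1000 (`"time":1723105732280` gives 2024-08-08, matching `end_time_dt`) rather than committing the absurd output as the expectation. It would also be worth having the pipeline flag or drop epochs outside a sane range, since a far-future `@timestamp` keeps an event out of every time-bounded detection query while still being indexed. Separately, `ocsf.metadata.loggers[].device.modified_time` stays a raw integer and its `mac` keeps the colon form, whereas the top-level `ocsf.device` gets date conversion and `5A-10-D1-…` normalization, which suggests the `loggers` sub-documents bypass the device handling.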
@@ -40,7 +40,7 @@ processors:
 - set:
 field: event.kind
 tag: set_event_kind
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
 value: event
 - set:
 field: event.kind
@@ -136,7 +136,7 @@ processors:
 tag: append_info_into_event_type
 value: info
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.type
 tag: append_user_into_event_type
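Review bot: Adding `'5019'` to `append_info_into_event_type` tags every Device Config State Change as `event.type: info` only, yet the class reports a device's security state changing, for which ECS has the `change` type; in the new fixture the `status: Failure` document therefore comes out as `type: ["info"]` with `outcome: failure`, which reads as an informational event rather than a failed change. If the file already has an `append_change_into_event_type` processor further down (outside this hunk), `'5019'` belongs in its list; otherwise an append like the one below, placed next to the existing `event.type` appends, would add `change` alongside `info`. Both `if:` lists in these hunks are hand-maintained copies of the same class table, so a class added in one and missed in another fails silently; a single lookup near the top of the pipeline would remove that risk. The `processors` sequence these hunks sit in continues outside them.
```yaml
  - append:
      field: event.type
      tag: append_change_into_event_type
      value: change
      allow_duplicates: false
      if: ctx.ocsf?.class_uid == '5019'
```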
@@ -705,7 +705,7 @@ processors: ignore_missing: true - pipeline: name: '{{ IngestPipeline "pipeline_object_actor" }}' - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5019','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null tag: pipeline_object_actor ignore_missing_pipeline: true - pipeline: @@ -720,7 +720,7 @@ processors: ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_device" }}' - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','5019','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null tag: pipeline_object_device ignore_missing_pipeline: true - pipeline: 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml index 741c5a785be5..d7e402a1eca6 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing API Activity category. -# API Activity class docs: https://schema.ocsf.io/1.0.0/categories/application?extensions= +# API Activity class docs: https://schema.ocsf.io/1.1.0/categories/application?extensions= processors: - foreach: field: ocsf.resources diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml index d9322ab19053..6f6446831165 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing API Activity category. -# API Activity class docs: https://schema.ocsf.io/1.0.0/categories/discovery?extensions= +# API Activity class docs: https://schema.ocsf.io/1.1.0/categories/discovery?extensions= processors: - set: field: rule.category diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml index 347f06373c0f..9f996b89124d 100644 
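Review bot: In pipeline_category_discovery.yml the `description` still reads "Pipeline for processing API Activity category." and the updated comment line is labelled "API Activity class docs" even though the URL now points at `categories/discovery`; the new comment should match the file it documents, e.g. `description: Pipeline for processing Discovery category.` and `# Discovery category docs: https://schema.ocsf.io/1.1.0/categories/discovery?extensions=`. The same copy-paste is visible in pipeline_category_application_activity.yml in the preceding hunk, where the description says "API Activity" while the link is the Application Activity category; `description: Pipeline for processing Application Activity category.` would be accurate. Only the comment line is changed by this hunk, so the description fix is outside the changed lines but within the hunk's context.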
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Findings category. -# Security Findings Class docs: https://schema.ocsf.io/1.0.0/categories/findings?extensions= +# Security Findings Class docs: https://schema.ocsf.io/1.1.0/categories/findings?extensions= processors: - set: field: event.reference diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml index da114b33d82f..ed1002cecc49 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Identity & Access Management category. -# Category docs: https://schema.ocsf.io/1.0.0/categories/iam?extensions= +# Category docs: https://schema.ocsf.io/1.1.0/categories/iam?extensions= processors: - set: field: user.changes.domain diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml index 69a0cd4574bb..10b22390f97c 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml 
@@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Activity category. -# Network Activity Class docs: https://schema.ocsf.io/1.0.0/categories/network?extensions= +# Network Activity Class docs: https://schema.ocsf.io/1.1.0/categories/network?extensions= processors: - convert: field: ocsf.disposition_id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml index 8c1ab02ed585..210eaf1ce6d7 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing System Activity category. -# System Activity Class docs: https://schema.ocsf.io/1.0.0/categories/system?extensions= +# System Activity Class docs: https://schema.ocsf.io/1.1.0/categories/system?extensions= processors: - convert: field: ocsf.access_mask diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml index 3b2580319b47..48c4e8a85195 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Actor object. -# Actor object docs: https://schema.ocsf.io/1.0.0/objects/actor?extensions= +# Actor object docs: https://schema.ocsf.io/1.1.0/objects/actor?extensions= processors: - set: field: container.id 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml index c760fd60a50f..20fe17297f75 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Attack object. -# Attack object docs: https://schema.ocsf.io/1.0.0/objects/attack?extensions= +# Attack object docs: https://schema.ocsf.io/1.1.0/objects/attack?extensions= processors: - foreach: field: ocsf.attacks diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml index e1622502ef5a..a949ab475f0c 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Device object. -# Device object docs: https://schema.ocsf.io/1.0.0/objects/device?extensions= +# Device object docs: https://schema.ocsf.io/1.1.0/objects/device?extensions= processors: - set: field: host.domain diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml index 75160a3ea7e3..4c27525a4054 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml 
@@ -1,6 +1,6 @@ --- description: Pipeline for processing File object. -# File object docs: https://schema.ocsf.io/1.0.0/objects/file?extensions= +# File object docs: https://schema.ocsf.io/1.1.0/objects/file?extensions= processors: - remove: field: diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml index 5bed93443394..45a5567db1f7 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Http Request object. -# Http Request object docs: https://schema.ocsf.io/1.0.0/objects/http_request?extensions= +# Http Request object docs: https://schema.ocsf.io/1.1.0/objects/http_request?extensions= processors: - set: field: http.request.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml index 653e91bfe751..12cc9ecf0889 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Malware object. -# Malware object docs: https://schema.ocsf.io/1.0.0/objects/malware?extensions= +# Malware object docs: https://schema.ocsf.io/1.1.0/objects/malware?extensions= processors: - foreach: field: ocsf.malware 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml index a5cde447b830..18513e4098da 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Connection object. -# Network Connection object docs: https://schema.ocsf.io/1.0.0/objects/network_connection_info?extensions= +# Network Connection object docs: https://schema.ocsf.io/1.1.0/objects/network_connection_info?extensions= processors: - convert: field: ocsf.connection_info.boundary_id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml index cb532f58e68c..320c91d35647 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Endpoint object. -# Network Endpoint object docs: https://schema.ocsf.io/1.0.0/objects/network_endpoint?extensions= +# Network Endpoint object docs: https://schema.ocsf.io/1.1.0/objects/network_endpoint?extensions= processors: - append: field: source.domain 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml index e9ae423f1214..49595bf8ced8 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Process object. -# Process object docs: https://schema.ocsf.io/1.0.0/objects/process?extensions= +# Process object docs: https://schema.ocsf.io/1.1.0/objects/process?extensions= processors: - set: field: container.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml index ec49777db755..95606ecbda51 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Proxy object. -# Network Proxy object docs: https://schema.ocsf.io/1.0.0/objects/network_proxy?extensions= +# Network Proxy object docs: https://schema.ocsf.io/1.1.0/objects/network_proxy?extensions= processors: - convert: field: ocsf.proxy.location.is_on_premises diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml index e6e49674c9b7..163eaf0921bf 100644 
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing System Activity helper category. -# System Activity Class docs: https://schema.ocsf.io/1.0.0/categories/system?extensions= +# System Activity Class docs: https://schema.ocsf.io/1.1.0/categories/system?extensions= processors: - remove: field: diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml index fb0b272afaa1..61409c7f1d33 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing TLS object. -# TLS object docs: https://schema.ocsf.io/1.0.0/objects/tls?extensions= +# TLS object docs: https://schema.ocsf.io/1.1.0/objects/tls?extensions= processors: - set: field: tls.cipher diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml index 2629b54fb14b..1b2ab5343f1a 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml 
@@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Traffic object. -# Network Traffic object docs: https://schema.ocsf.io/1.0.0/objects/network_traffic?extensions= +# Network Traffic object docs: https://schema.ocsf.io/1.1.0/objects/network_traffic?extensions= processors: - convert: field: ocsf.traffic.bytes_in diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml index 8652741ce9d6..803acf7a1956 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing User object. -# User object docs: https://schema.ocsf.io/1.0.0/objects/user?extensions= +# User object docs: https://schema.ocsf.io/1.1.0/objects/user?extensions= processors: - set: field: user.target.domain diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml index b613e82537f2..d5a94da6d6ac 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml 
@@ -28,3 +28,30 @@ - name: verdict_id type: integer description: The normalized verdict of an Incident. + # These fields are used to store misc information about a discovery category event. + - name: prev_security_states + type: group + description: The previous security states of the device. + fields: + - name: state + type: keyword + description: The security state, normalized to the caption of the state_id value. + - name: state_id + type: integer + description: The security state of the managed entity. + - name: security_level + type: keyword + description: The current security level of the entity. + - name: security_level_id + type: integer + description: The current security level of the entity. + - name: security_states + type: group + description: The current security states of the device. + fields: + - name: state + type: keyword + description: The security state, normalized to the caption of the state_id value. + - name: state_id + type: integer + description: The security state of the managed entity. diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index b4ec5acfc277..8c6d4a4780fc 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md 
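Review bot: `security_level` and `security_level_id` are given the identical description "The current security level of the entity.", so the generated field table cannot tell the caption from the identifier, whereas `state`/`state_id` in the same hunk do distinguish them; suggest `description: The current security level of the entity, normalized to the caption of the security_level_id value.` for the keyword and `description: The normalized identifier of the current security level of the entity.` for the integer. The README hunk later in this diff repeats the duplicated wording and will need the same change if it is not regenerated from these field definitions. Separately, the discovery test expectation in this PR carries `security_states` as an array of objects, and with `type: group` the `state` and `state_id` values of different entries are stored as independent arrays; that is consistent with the rest of the package's groups as far as I can see, but it is worth a one-line comment if the per-entry pairing is not meant to be queryable.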
@@ -1653,6 +1653,8 @@ This is the `Event` dataset. | ocsf.open_type | Indicates how the file was opened (e.g. normal, delete on close). | keyword | | ocsf.port | The dynamic port established for impending data transfers. | long | | ocsf.precision | The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. | integer | +| ocsf.prev_security_states.state | The security state, normalized to the caption of the state_id value. | keyword | +| ocsf.prev_security_states.state_id | The security state of the managed entity. | integer | | ocsf.priority | The priority, normalized to the caption of the priority_id value. | keyword | | ocsf.priority_id | The priority, normalized to the ID of the priority_id value. | integer | | ocsf.privileges | The list of sensitive privileges, assigned to the new user session. | keyword | 
@@ -1804,6 +1806,10 @@ This is the `Event` dataset. | ocsf.risk_level | The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.risk_level_id | The normalized risk level id. | keyword | | ocsf.risk_score | The risk score as reported by the event source. | long | +| ocsf.security_level | The current security level of the entity. | keyword | +| ocsf.security_level_id | The current security level of the entity. | integer | +| ocsf.security_states.state | The security state, normalized to the caption of the state_id value. | keyword | +| ocsf.security_states.state_id | The security state of the managed entity. | integer | | ocsf.server_hassh.algorithm | The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation. | keyword | | ocsf.server_hassh.fingerprint.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.server_hassh.fingerprint.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword | diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json index 26f37d13c239..78b2c7d3c090 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- **[Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)** \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the behavior of applications and services.\n\nPlease visit the [Application Activity](https://schema.ocsf.io/1.0.0/categories/application) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- **[Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)** \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the behavior of applications and services.\n\nPlease visit the [Application Activity](https://schema.ocsf.io/1.1.0/categories/application) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json index 640aa6cc6f46..0af7bd6a9c53 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - **[DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386)** \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of DNS queries and answers as seen on the network.\n\nPlease visit the [DNS Activity](https://schema.ocsf.io/1.0.0/classes/dns_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - **[DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386)** \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of DNS queries and answers as seen on the network.\n\nPlease visit the [DNS Activity](https://schema.ocsf.io/1.1.0/classes/dns_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json index 252783b257e6..40810d7f0bd0 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - **[Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15)** \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of Network connections and traffic activity.\n\nPlease visit the [Network Activity](https://schema.ocsf.io/1.0.0/classes/network_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - **[Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15)** \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of Network connections and traffic activity.\n\nPlease visit the [Network Activity](https://schema.ocsf.io/1.1.0/classes/network_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json index 1c8940e9e13e..c8786042bd6b 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - **[Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112)** \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the Email and it's file and URL related activity on Network.\n\nPlease visit the [Email Activity](https://schema.ocsf.io/1.0.0/classes/email_activity), [Email File Activity](https://schema.ocsf.io/1.0.0/classes/email_file_activity) and [Email URL Activity](https://schema.ocsf.io/1.0.0/classes/email_url_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview 
Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - **[Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112)** \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the Email and it's file and URL related activity on Network.\n\nPlease visit the [Email Activity](https://schema.ocsf.io/1.1.0/classes/email_activity), [Email File Activity](https://schema.ocsf.io/1.1.0/classes/email_file_activity) and [Email URL Activity](https://schema.ocsf.io/1.1.0/classes/email_url_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", 
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json index 29c8d9d7f5e7..ae34823c2765 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- **[Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d)** \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.\n\nPlease visit the [Identity \u0026 Access Management](https://schema.ocsf.io/1.0.0/categories/iam) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System 
Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- **[Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d)** \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.\n\nPlease visit the [Identity \u0026 Access Management](https://schema.ocsf.io/1.1.0/categories/iam) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json index ff86ded51434..96229b2bb4ac 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json 
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - **[HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)** \n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of HTTP, RDP, DHCP, SMB, SSH, FTP and Network File related activity on the network.\n\nPlease visit the [HTTP](https://schema.ocsf.io/1.0.0/classes/http_activity), [DHCP](https://schema.ocsf.io/1.0.0/classes/dhcp_activity), [RDP](https://schema.ocsf.io/1.0.0/classes/rdp_activity), [SMB](https://schema.ocsf.io/1.0.0/classes/smb_activity), [SSH](https://schema.ocsf.io/1.0.0/classes/ssh_activity), [FTP](https://schema.ocsf.io/1.0.0/classes/ftp_activity), [Network File Activity](https://schema.ocsf.io/1.0.0/classes/network_file_activity) documentation for more information.\n\n[**Integration 
Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - **[HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)** \n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of HTTP, RDP, DHCP, SMB, SSH, FTP and Network File related activity on the network.\n\nPlease visit the [HTTP](https://schema.ocsf.io/1.1.0/classes/http_activity), [DHCP](https://schema.ocsf.io/1.1.0/classes/dhcp_activity), [RDP](https://schema.ocsf.io/1.1.0/classes/rdp_activity), [SMB](https://schema.ocsf.io/1.1.0/classes/smb_activity), [SSH](https://schema.ocsf.io/1.1.0/classes/ssh_activity), [FTP](https://schema.ocsf.io/1.1.0/classes/ftp_activity), [Network File Activity](https://schema.ocsf.io/1.1.0/classes/network_file_activity) documentation for more 
information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json index 43a1bfee4156..a78d640b902c 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- **[System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112)** \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the process, memory, file, scheduled job and kernel related activity.\n\nPlease visit the [System Activity](https://schema.ocsf.io/1.0.0/categories/system) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- **[System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112)** \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the process, memory, file, scheduled job and kernel related activity.\n\nPlease visit the [System Activity](https://schema.ocsf.io/1.1.0/categories/system) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json index 20483d18ed6d..3567cfd7c294 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- **[Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112)** \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the device inventory data and device configuration data.\n\nPlease visit the [Discovery](https://schema.ocsf.io/1.0.0/categories/discovery) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- **[Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112)** \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the device inventory data and device configuration data.\n\nPlease visit the [Discovery](https://schema.ocsf.io/1.1.0/categories/discovery) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json index 435f1fd1abf2..ad394ef841b3 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- **[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c)** \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of findings, detections, anomalies, alerts, and/or actions performed by security products.\n\nPlease visit the [Findings](https://schema.ocsf.io/1.0.0/categories/findings) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
**[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c)** \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of findings, detections, anomalies, alerts, and/or actions performed by security products.\n\nPlease visit the [Findings](https://schema.ocsf.io/1.1.0/categories/findings) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json index 9db5a24f0746..d42628658559 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n**[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3)** \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of the most common data collected from the Amazon Security Lake Integration.\n\nPlease visit the [Base Event](https://schema.ocsf.io/1.0.0/base_event) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n**[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3)** \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of the most common data collected from the Amazon Security Lake Integration.\n\nPlease visit the [Base Event](https://schema.ocsf.io/1.1.0/base_event) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n\n", "openLinksInNewTab": false }, "title": "", From 7e5f687665c88ab5f6e9e14e50161143ac5f75ae Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Thu, 8 Aug 2024 15:42:18 +0530 Subject: [PATCH 17/30] added support for scan activity event class --- .../application_activity/fields/fields.yml | 88 ++ .../pipeline/test-application-activity.log | 2 + ...est-application-activity.log-expected.json | 847 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 14 +- .../data_stream/event/fields/misc-fields.yml | 58 +- packages/amazon_security_lake/docs/README.md | 17 + 6 files changed, 1018 insertions(+), 8 deletions(-) 
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
index 60cd8163bb19..608bbc0e7541 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
@@ -100,6 +100,9 @@
 - name: zone
 type: keyword
 description: The availability zone in the cloud region, as defined by the cloud provider.
+ - name: command_uid
+ type: keyword
+ description: The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.
 - name: count
 type: long
 description: The number of times that events in the same logical group occurred during the event Start Time to End Time period.
@@ -331,6 +334,33 @@
 - name: message
 type: keyword
 description: The description of the event, as defined by the event source.
+ - name: num_detections
+ type: integer
+ description: The number of detections.
+ - name: num_files
+ type: integer
+ description: The number of files scanned.
+ - name: num_folders
+ type: integer
+ description: The number of folders scanned.
+ - name: num_network_items
+ type: integer
+ description: The number of network items scanned.
+ - name: num_processes
+ type: integer
+ description: The number of processes scanned.
+ - name: num_registry_items
+ type: integer
+ description: The number of registry items scanned.
+ - name: num_resolutions
+ type: integer
+ description: The number of items that were resolved.
+ - name: num_skipped_items
+ type: integer
+ description: The number of items that were skipped.
+ - name: num_trusted_items
+ type: integer
+ description: The number of trusted items.
 - name: observables
 type: group
 fields:
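Review bot: The nine `num_*` counters added in the `@@ -331` hunk are mapped as `integer`, while the existing `count` field shown as context in the first hunk uses `long`. Elasticsearch `integer` is a signed 32-bit type, so unless the index template sets `ignore_malformed`, a single out-of-range counter from the source would cause the whole scan event to be rejected at index time rather than indexed with one bad field. Changing each of these to `type: long` keeps the file consistent with `count` and removes that failure mode; the `total` field added in the `@@ -493` hunk of this same file has the same issue. The `command_uid` field in the first hunk looks fine as `keyword`.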
@@ -361,6 +391,42 @@
 - name: value
 type: keyword
 description: The value associated with the observable attribute.
+ - name: policy
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The description of the policy.
+ - name: group
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: name
+ type: keyword
+ description: 'The policy name. For example: IAM Policy.'
+ - name: uid
+ type: keyword
+ description: A unique identifier of the policy instance.
+ - name: version
+ type: keyword
+ description: The policy version number.
 - name: proxy
 type: group
 fields:
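Review bot: The new `policy` group is declared without a `description`, whereas the `scan` group added later in this same change carries one (`description: The Scan object describes characteristics of a proactive scan.`); a matching one-liner here, e.g. `description: The policy associated with this scan event.` (adjust to the intended semantics), keeps the two new objects documented the same way. The nested `group` object is declared inline with its own seven fields; if this file already defines the same Group object elsewhere (not visible in this hunk), the two field lists will have to be kept in sync by hand, so it may be worth a comment pointing at the canonical definition. The quoting of `'The policy name. For example: IAM Policy.'` is correct and needed because of the embedded `: `.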
@@ -469,6 +535,25 @@
 - name: raw_data
 type: flattened
 description: The event data as received from the event source.
+ - name: scan
+ type: group
+ description: The Scan object describes characteristics of a proactive scan.
+ fields:
+ - name: name
+ type: keyword
+ description: The administrator-supplied or application-generated name of the scan.
+ - name: type
+ type: keyword
+ description: The type of scan.
+ - name: type_id
+ type: integer
+ description: The type id of the scan.
+ - name: uid
+ type: keyword
+ description: The application-defined unique identifier assigned to an instance of a scan.
+ - name: schedule_uid
+ type: keyword
+ description: The unique identifier of the schedule associated with a scan job.
 - name: severity
 type: keyword
 description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source.
@@ -493,6 +578,9 @@
 - name: status_id
 type: keyword
 description: The normalized identifier of the event status.
+ - name: total
+ type: integer
+ description: The total number of items that were scanned; zero if no items were scanned.
 - name: time
 type: date
 description: The normalized event occurrence time.
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log
index a48d2777d01f..ab62583ebd14 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log
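Review bot: In the `@@ -493` hunk, `total` is inserted between `status_id` and `time`, which breaks the alphabetical sibling order that every other insertion in this file appears to follow (`raw_data`, `scan`, `schedule_uid`, `severity` in the first hunk; `policy` before `proxy` earlier); moving the three `total` lines to after the `time` entry keeps the list sorted and makes future diffs easier to place. The `total` field is also mapped as `integer` like the `num_*` counters, and the same `long` consideration applies so that one oversized value does not reject the whole event. The `scan` group itself looks complete for what the commit describes; `type_id` as `integer` is reasonable for an enum identifier, though it is worth confirming that other `*_id` enum fields in this file use the same type rather than `keyword`, since `status_id` in the context lines is `keyword`.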
@@ -2,3 +2,5 @@ {"message":"washington like safari","status":"Failure","time":1695277679358,"metadata":{"version":"1.0.0","product":{"name":"eligible scenes worm","version":"1.0.0","uid":"f6508420-520e-11ee-adcc-0242ac110004","feature":{"name":"australia cup bios","version":"1.0.0","uid":"f6508bfa-520e-11ee-b54c-0242ac110004"},"lang":"en","vendor_name":"fix complicated accreditation"},"sequence":78,"profiles":[],"log_name":"ur bother bearing","log_provider":"performs elevation fox","log_version":"three maritime cowboy","logged_time":1695277679358,"original_time":"moore genetic symbols","processed_time":1695277679358},"start_time":1695277679358,"severity":"Unknown","type_name":"Web Resources Activity: Create","category_name":"Application Activity","timezone_offset":83,"activity_id":1,"class_uid":6001,"type_uid":600101,"category_uid":6,"class_name":"Web Resources Activity","activity_name":"Create","severity_id":0,"src_endpoint":{"name":"leasing imperial toner","port":31790,"domain":"hawaii unfortunately copying","ip":"81.2.69.142","hostname":"saudi.int","uid":"f650994c-520e-11ee-a9f4-0242ac110004","instance_uid":"f6509d0c-520e-11ee-9e6b-0242ac110004","interface_name":"somewhere mentor crm","interface_uid":"f650a3f6-520e-11ee-882f-0242ac110004","intermediate_ips":["81.2.69.142","81.2.69.143"],"svc_name":"sheets horror trader","vlan_uid":"f650a8a6-520e-11ee-b961-0242ac110004"},"status_detail":"only zone its","status_id":2,"web_resources":[{"data":{"discretion":"fhbds"},"desc":"Description of web resource","name":"concept navigator constitution","type":"fundamental previous ty","url_string":"past"}],"web_resources_result":[{"type":"prediction sunglasses rounds","uid":"f65072d2-520e-11ee-9b9a-0242ac110004","url_string":"military"},{"data":{"protect":"rfvfd"},"url_string":"association"}]} {"message":"issues kings loop","status":"Success","time":1695277679358,"device":{"name":"knows col covered","type":"Unknown","domain":"allied had 
insulation","ip":"81.2.69.142","uid":"651987a6-584c-11ee-ad31-0242ac110005","hostname":"zinc.biz","org":{"name":"chaos winner entered","uid":"65197a86-584c-11ee-96c1-0242ac110005","ou_name":"music client leaf"},"type_id":0,"created_time":1695277679358,"hw_info":{"ram_size":84,"serial_number":"training blink executives"},"instance_uid":"65197efa-584c-11ee-bc04-0242ac110005","interface_name":"lightbox bugs spain","interface_uid":"6519835a-584c-11ee-b813-0242ac110005","is_personal":false,"region":"casio paris norway","subnet_uid":"6519725c-584c-11ee-b6a2-0242ac110005","uid_alt":"older audience trends"},"metadata":{"version":"1.0.0","product":{"name":"enzyme cookie citations","version":"1.0.0","uid":"65195f88-584c-11ee-8118-0242ac110005","lang":"en","url_string":"deck","vendor_name":"rochester school force"},"profiles":["cloud","container","datetime","host"],"log_name":"collaboration blood loan","log_provider":"jurisdiction protecting witness","original_time":"effectively dimensional reservation","modified_time_dt":"2023-09-21T06:59:23.198620Z"},"app":{"name":"bottom loud knowledge","version":"1.0.0","uid":"6519a3da-584c-11ee-8c89-0242ac110005","path": "path o f","feature":{"name":"mit received implemented","version":"1.0.0","uid":"6519aa4c-584c-11ee-ac40-0242ac110005"},"lang":"en","vendor_name":"ss keeping administered"},"severity":"Fatal","type_name":"Application Lifecycle: Other","activity_id":99,"type_uid":600299,"category_name":"Application Activity","class_uid":6002,"category_uid":6,"class_name":"Application Lifecycle","activity_name":"look","cloud":{"org":{"name":"exclusive variables tag","uid":"65193f12-584c-11ee-ae9b-0242ac110005","ou_name":"custom packard pierre"},"account":{"type":"AWS Account","uid":"65194d7c-584c-11ee-8857-0242ac110005","type_id":10},"provider":"infrared delayed visiting","region":"initial lucia designer"},"severity_id":6,"status_detail":"rat forth dishes","status_id":1,"start_time_dt":"2023-09-21T06:59:23.200400Z"} {"message":"routing 
rosa speeds","status":"Failure","type":"loc","time":1722945774073580,"metadata":{"version":"1.1.0","product":{"name":"nightlife joint talked","version":"1.1.0","path":"roulette covered encryption","uid":"cfcfc1aa-53eb-11ef-80a9-0242ac110005","vendor_name":"rainbow league closure"},"extensions":[{"name":"importantly identifying causing","version":"1.1.0","uid":"cfcfce02-53eb-11ef-a17b-0242ac110005"},{"name":"feof nightlife dans","version":"1.1.0","uid":"cfcfd5d2-53eb-11ef-acdf-0242ac110005"}],"labels":["dominant"],"log_level":"consult supplements external","profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"ottawa triumph analysis","log_provider":"medal removing losses","original_time":"families batman star","tenant_uid":"cfcfde4c-53eb-11ef-9b9b-0242ac110005"},"severity":"Informational","duration":38,"type_name":"Datastore Activity: Write","activity_id":5,"type_uid":600505,"category_name":"Application Activity","class_uid":6005,"category_uid":6,"class_name":"Datastore Activity","type_id":99,"end_time_dt":"2024-08-06T12:02:54.073562Z","activity_name":"Write","actor":{"process":{"name":"Flashing","pid":98,"file":{"name":"senegal.dcr","type":"Folder","path":"stock armstrong ie/bobby.m3u/senegal.dcr","type_id":2,"creator":{"name":"Slight","type":"System","domain":"dedicated smile macintosh","uid":"cfd08748-53eb-11ef-8545-0242ac110005","type_id":3},"parent_folder":"stock armstrong ie/bobby.m3u","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43","algorithm":"magic","algorithm_id":99},{"value":"7B849A50DA92F39D6AF294B10E0B93F5","algorithm":"MD5","algorithm_id":1}],"modified_time_dt":"2024-08-06T12:02:54.074547Z"},"user":{"name":"Contamination","type":"Admin","uid":"cfd09666-53eb-11ef-9cc7-0242ac110005","type_id":2},"group":{"name":"desired administration quotations","desc":"mime counsel 
uses","uid":"cfd0a0f2-53eb-11ef-a02f-0242ac110005"},"uid":"cfd0a73c-53eb-11ef-9622-0242ac110005","loaded_modules":["/chronicle/initiated/hormone/surprise/corps.html","/allan/appearance/viruses/college/naughty.rom"],"cmd_line":"associate directions partly","container":{"size":2753478121,"uid":"cfd0b25e-53eb-11ef-aab1-0242ac110005","image":{"name":"number serial patients","uid":"cfd0bb46-53eb-11ef-b743-0242ac110005"},"hash":{"value":"D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2","algorithm":"magic","algorithm_id":99}},"created_time":1722945774075951,"namespace_pid":78,"parent_process":{"name":"Basin","pid":63,"file":{"attributes":67,"name":"spirituality.mid","type":"Character Device","path":"analyzed election throws/composition.tax2020/spirituality.mid","uid":"cfd0d964-53eb-11ef-9f61-0242ac110005","type_id":3,"company_name":"Norberto Vena","parent_folder":"analyzed election throws/composition.tax2020","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7","algorithm":"SHA-1","algorithm_id":2}],"security_descriptor":"nor treasury uri","xattributes":{}},"user":{"name":"Revisions","type":"Admin","type_id":2,"ldap_person":{"created_time":1722945774077119,"hire_time":1722945774077128,"hire_time_dt":"2024-08-06T12:02:54.077132Z"}},"group":{"name":"adolescent antigua ui","domain":"detail blah motels","uid":"cfd0fa70-53eb-11ef-9120-0242ac110005"},"cmd_line":"hash unknown meters","container":{"name":"gnome face decisions","size":411217035,"uid":"cfd10448-53eb-11ef-8948-0242ac110005","image":{"name":"climbing quickly lonely","uid":"cfd10d12-53eb-11ef-8fcb-0242ac110005"},"hash":{"value":"48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294","algorithm":"magic","algorithm_id":99}},"created_time":1722945774077934,"lineage":["off disturbed bidding","validity requested without"],"namespace_pid":60,"parent_process":{"name":"Zus","session":{"issuer":"informal witnesses 
endif","created_time":1722945774078143,"is_remote":false},"file":{"attributes":46,"name":"invite.flv","type":"Folder","path":"mobiles at hazards/feels.b/invite.flv","product":{"name":"executives dell bands","version":"1.1.0","uid":"cfd14174-53eb-11ef-ad92-0242ac110005","url_string":"divx","vendor_name":"neighbor advise animal"},"modifier":{"name":"Bang","type":"wicked","uid":"cfd14d0e-53eb-11ef-8822-0242ac110005","org":{"name":"snake dam rapidly","uid":"cfd155ba-53eb-11ef-9ea1-0242ac110005","ou_name":"photo acrylic highway"},"groups":[{"name":"wales indoor speaking","uid":"cfd160be-53eb-11ef-8f19-0242ac110005"},{"name":"mongolia records suffer","desc":"bathrooms transfers diego","uid":"cfd167da-53eb-11ef-b5a7-0242ac110005"}],"type_id":99,"full_name":"Etha Roy"},"uid":"cfd16ece-53eb-11ef-92bb-0242ac110005","type_id":2,"company_name":"Christian Cinda","parent_folder":"mobiles at hazards/feels.b","confidentiality":"promise","confidentiality_id":99,"hashes":[{"value":"CE59D0F436DBA3BA0A6A76043041A5E787C3B835","algorithm":"SHA-1","algorithm_id":2},{"value":"5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77","algorithm":"CTPH","algorithm_id":5}],"modified_time":1722945774080462,"security_descriptor":"allen mba skating"},"user":{"name":"Bernard","type":"Admin","type_id":2,"uid_alt":"denmark day sir"},"group":{"desc":"times substitute plasma","uid":"cfd17fa4-53eb-11ef-bb39-0242ac110005"},"tid":63,"uid":"cfd185c6-53eb-11ef-85ca-0242ac110005","loaded_modules":["/hotels/stream/anchor/ted/ghost.zipx","/secure/proprietary/execute/medicine/hl.dwg"],"cmd_line":"capabilities major outline","container":{"name":"ul primary rivers","size":4147443008,"uid":"cfd19624-53eb-11ef-b555-0242ac110005","image":{"name":"objectives cooper expenses","tag":"flashers incurred 
visiting","uid":"cfd19f5c-53eb-11ef-b6a5-0242ac110005"},"hash":{"value":"32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA","algorithm":"SHA-256","algorithm_id":3}},"created_time":1722945774081680,"lineage":["feed prozac starring"],"parent_process":{"name":"Keep","pid":75,"file":{"name":"shirts.pct","type":"Folder","path":"reporters schools bermuda/investigations.apk/shirts.pct","modifier":{"name":"Drivers","type":"Admin","uid":"cfd1b884-53eb-11ef-9e17-0242ac110005","type_id":2,"credential_uid":"cfd1bf00-53eb-11ef-9ae0-0242ac110005"},"type_id":2,"parent_folder":"reporters schools bermuda/investigations.apk","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216","algorithm":"SHA-512","algorithm_id":4}]},"user":{"name":"Northeast","type":"Admin","uid":"cfd1cbbc-53eb-11ef-86e4-0242ac110005","org":{"name":"demo dressing bloggers","ou_name":"infection replace kingdom"},"groups":[{"type":"multi extension th","domain":"rolled womens allowed","uid":"cfd1de54-53eb-11ef-9548-0242ac110005"},{"name":"shorter hydrocodone obtaining","type":"jenny version diploma"}],"type_id":2,"credential_uid":"cfd1e638-53eb-11ef-acdc-0242ac110005","email_addr":"Timika@starsmerchant.store","uid_alt":"jr participants illustration"},"group":{"name":"easily strengthening concept","type":"claimed farms dressed","domain":"jim presents tire","uid":"cfd1f0b0-53eb-11ef-a5b6-0242ac110005"},"tid":93,"uid":"cfd1f6b4-53eb-11ef-88fe-0242ac110005","container":{"name":"travesti borough biggest","size":3355225968,"uid":"cfd201c2-53eb-11ef-86c9-0242ac110005","hash":{"value":"A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3","algorithm":"SHA-1","algorithm_id":2}},"created_time":1722945774084196,"namespace_pid":63,"parent_process":{"name":"Acres","pid":41,"file":{"name":"cafe.fon","type":"Local Socket","path":"microwave cir 
nails/gtk.dmg/cafe.fon","uid":"cfd23214-53eb-11ef-aaf5-0242ac110005","type_id":5,"creator":{"name":"Soa","ldap_person":{"manager":{"name":"Arrangements","type":"bunch","domain":"permission eu anonymous","uid":"cfd25802-53eb-11ef-bc5e-0242ac110005","org":{"name":"positioning sending donald","uid":"cfd261e4-53eb-11ef-8e64-0242ac110005","ou_name":"americans pee mixed"},"type_id":99},"cost_center":"char immigration blue","employee_uid":"cfd269b4-53eb-11ef-862f-0242ac110005","job_title":"tm payday needed","office_location":"hack maintains suit","hire_time_dt":"2024-08-06T12:02:54.086830Z"}},"parent_folder":"microwave cir nails/gtk.dmg","security_descriptor":"hour rca writes"},"user":{"name":"Defence","type":"Admin","uid":"cfd27814-53eb-11ef-91f4-0242ac110005","groups":[{"name":"suppliers returns jewellery","uid":"cfd28336-53eb-11ef-a671-0242ac110005"},{"name":"archive honolulu restricted","uid":"cfd28a84-53eb-11ef-a27d-0242ac110005"}],"type_id":2,"account":{"name":"engage subscribe fireplace","type":"Unknown","uid":"cfd298e4-53eb-11ef-9fc1-0242ac110005","type_id":0},"ldap_person":{"manager":{"name":"Lucia","domain":"sides sheet lt","uid":"cfd2a640-53eb-11ef-b33d-0242ac110005","credential_uid":"cfd2ac3a-53eb-11ef-89b0-0242ac110005","email_addr":"Dodie@soundtrack.firm"},"modified_time":1722945774088534,"leave_time_dt":"2024-08-06T12:02:54.088544Z","last_login_time_dt":"2024-08-06T12:02:54.088552Z"},"uid_alt":"trustee tree normally"},"group":{"name":"income bridges uruguay","uid":"cfd2b96e-53eb-11ef-b3a0-0242ac110005"},"tid":47,"uid":"cfd2bf72-53eb-11ef-96ff-0242ac110005","loaded_modules":["/counters/kentucky/proceeding/yo/norwegian.mp3","/indianapolis/sega/statutes/java/purple.bat"],"cmd_line":"calibration signature temp","container":{"name":"begins magnetic inn","size":83122349,"uid":"cfd2ca08-53eb-11ef-af87-0242ac110005","image":{"name":"pot pulse ser","path":"seat employers 
licenses","uid":"cfd2d638-53eb-11ef-a4c4-0242ac110005"},"hash":{"value":"CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"essay brother facility","pod_uuid":"bachelor"},"created_time":1722945774089651,"integrity":"Protected","integrity_id":6,"namespace_pid":96,"parent_process":{"name":"Nationwide","pid":28,"file":{"name":"fragrance.otf","owner":{"name":"Does","type":"Admin","uid":"cfd2f1c2-53eb-11ef-9117-0242ac110005","type_id":2,"email_addr":"Patrina@prototype.gov","ldap_person":{"cost_center":"permits interact afternoon","deleted_time":1722945774090716,"ldap_dn":"renaissance exhibition far","leave_time_dt":"2024-08-06T12:02:54.090731Z","last_login_time_dt":"2024-08-06T12:02:54.090739Z"}},"type":"Block Device","path":"thumbzilla sir drawings/clicking.ico/fragrance.otf","modifier":{"name":"Romania","type":"Unknown","uid":"cfd30dd8-53eb-11ef-a1d7-0242ac110005","groups":[{"name":"boat generate canadian","type":"breast brave sacramento","domain":"mostly third hats","desc":"york yours falls","uid":"cfd317ec-53eb-11ef-b8c7-0242ac110005","privileges":["queries meyer wellness"]},{"name":"considerations wants books","uid":"cfd31f1c-53eb-11ef-8b0c-0242ac110005"}],"type_id":0},"type_id":4,"parent_folder":"thumbzilla sir drawings/clicking.ico","confidentiality":"Unknown","confidentiality_id":0,"created_time":1722945774091482,"hashes":[{"value":"8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874","algorithm":"magic","algorithm_id":99},{"value":"A541714A17804AC281E6DDDA5B707952","algorithm":"MD5","algorithm_id":1}],"modified_time":1722945774091552,"xattributes":{}},"user":{"name":"Semester","type":"Unknown","uid":"cfd34d66-53eb-11ef-852b-0242ac110005","groups":[{"name":"ellis methods congratulations","uid":"cfd3572a-53eb-11ef-8889-0242ac110005","privileges":["deck version bathroom"]},{"name":"proposed margin drug","desc":"race pg 
usps","uid":"cfd35e64-53eb-11ef-8d1c-0242ac110005"}],"type_id":0,"email_addr":"Birdie@candle.edu","ldap_person":{},"uid_alt":"protein clubs membership"},"group":{"name":"blessed operates rug","uid":"cfd36e5e-53eb-11ef-9d98-0242ac110005"},"uid":"cfd374da-53eb-11ef-a5ba-0242ac110005","cmd_line":"vaccine l vegetarian","container":{"name":"matter venues paxil","size":3925402475,"uid":"cfd37e94-53eb-11ef-b3b8-0242ac110005","image":{"name":"troy when advertisers","path":"knife aluminum connectivity","uid":"cfd3879a-53eb-11ef-b5b2-0242ac110005"},"hash":{"value":"9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE","algorithm":"Unknown","algorithm_id":0},"pod_uuid":"examined"},"created_time":1722945774094193,"lineage":["relationship closed gathered","ment tu other"],"namespace_pid":26,"parent_process":{"name":"Pixel","pid":10,"session":{"uid":"cfd3a202-53eb-11ef-8e19-0242ac110005","issuer":"recognize lobby mon","created_time":1722945774095984,"is_remote":false},"file":{"name":"jane.m4a","type":"Folder","path":"living marsh smilies/turner.mim/jane.m4a","modifier":{"type":"System","uid":"cfd3e9ec-53eb-11ef-a8dd-0242ac110005","type_id":3,"uid_alt":"account qld kim"},"type_id":2,"parent_folder":"living marsh smilies/turner.mim","confidentiality":"auburn","confidentiality_id":99,"hashes":[{"value":"C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868","algorithm":"quickXorHash","algorithm_id":7},{"value":"9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD","algorithm":"SHA-512","algorithm_id":4}],"modified_time":1722945774096743,"security_descriptor":"ticket vegas generates","created_time_dt":"2024-08-06T12:02:54.096759Z"},"group":{"name":"bean learners accepting","type":"dietary firms 
hotels","uid":"cfd3fbe4-53eb-11ef-bdb1-0242ac110005"},"uid":"cfd40206-53eb-11ef-a429-0242ac110005","cmd_line":"initiative step gathered","container":{"name":"hundred central hrs","size":724491757,"uid":"cfd40e22-53eb-11ef-afb2-0242ac110005","image":{"name":"food qatar brain","uid":"cfd41700-53eb-11ef-a54d-0242ac110005"},"hash":{"value":"1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3","algorithm":"Unknown","algorithm_id":0}},"created_time":1722945774097846,"namespace_pid":45,"parent_process":{"name":"Yield","pid":82,"file":{"name":"apartments.py","size":524979186,"type":"Named Pipe","path":"fig kelly companion/attorneys.com/apartments.py","uid":"cfd42dd0-53eb-11ef-8dc9-0242ac110005","type_id":6,"parent_folder":"fig kelly companion/attorneys.com","hashes":[{"value":"EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A","algorithm":"SHA-256","algorithm_id":3},{"value":"C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"avoiding bear incoming"},"user":{"name":"Fatal","type":"Unknown","type_id":0},"group":{"name":"cam empirical path","uid":"cfd43d52-53eb-11ef-8205-0242ac110005"},"uid":"cfd4436a-53eb-11ef-84cf-0242ac110005","cmd_line":"pix potential mardi","container":{"name":"kerry courier tony","runtime":"ben dynamics vienna","size":3164331564,"image":{"name":"celebrities sensitive manufacture","tag":"staff ericsson duty","path":"selling rocky projection","uid":"cfd450d0-53eb-11ef-83f3-0242ac110005","labels":["healing","avoiding"]},"hash":{"value":"A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"dui expansion focus"},"created_time":1722945774099345,"integrity":"g manner 
mambo","namespace_pid":96,"parent_process":{"name":"Organ","pid":90,"session":{"uid":"cfd469b2-53eb-11ef-8a8a-0242ac110005","issuer":"lyric fujitsu timber","created_time":1722945774099934,"is_remote":true,"created_time_dt":"2024-08-06T12:02:54.099943Z","expiration_time_dt":"2024-08-06T12:02:54.099951Z"},"file":{"name":"mothers.com","type":"Symbolic Link","version":"1.1.0","path":"wal quiz worker/skin.plugin/mothers.com","type_id":7,"company_name":"Delora Edyth","parent_folder":"wal quiz worker/skin.plugin","hashes":[{"value":"02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966","algorithm":"SHA-512","algorithm_id":4},{"value":"805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280","algorithm":"Unknown","algorithm_id":0}]},"user":{"type":"Unknown","uid":"cfd47e3e-53eb-11ef-a1ef-0242ac110005","type_id":0,"full_name":"Thuy Kristin"},"group":{"type":"figured eyes microphone","desc":"comparable likelihood jeep","uid":"cfd48fb4-53eb-11ef-bbb9-0242ac110005"},"uid":"cfd495e0-53eb-11ef-b81b-0242ac110005","cmd_line":"welding viewpicture sampling","container":{"name":"iii accessories ddr","size":3779122986,"uid":"cfd4a166-53eb-11ef-97e4-0242ac110005","image":{"name":"beach omaha protest","uid":"cfd4aa76-53eb-11ef-a970-0242ac110005"},"hash":{"value":"917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5","algorithm":"magic","algorithm_id":99}},"created_time":1722945774101623,"namespace_pid":90,"parent_process":{"name":"Arrange","pid":5,"file":{"attributes":76,"name":"elizabeth.sln","size":1485425900,"type":"Folder","path":"kai surname approach/xp.wpd/elizabeth.sln","desc":"member dogs ports","type_id":2,"company_name":"Claudio Alejandra","parent_folder":"kai surname 
approach/xp.wpd","confidentiality":"says","confidentiality_id":99,"created_time_dt":"2024-08-06T12:02:54.102808Z"},"user":{"name":"Night","type":"Unknown","type_id":0,"ldap_person":{"manager":{"name":"Merchandise","type":"System","uid":"cfd4ff76-53eb-11ef-9efb-0242ac110005","org":{"name":"belief billion talented","ou_name":"volkswagen africa respect"},"groups":[{"name":"pos constraints inkjet","type":"stat tray charitable"},{"name":"yemen happiness theft"}],"type_id":3,"full_name":"Janiece Jon","credential_uid":"cfd50fd4-53eb-11ef-83d7-0242ac110005","ldap_person":{"surname":"cancelled present faced","modified_time_dt":"2024-08-06T12:02:54.104306Z"},"uid_alt":"fraud answers loved"},"email_addrs":["Sharonda@helena.name","Caroline@consent.mil"],"hire_time":1722945774104346,"office_location":"ways statement ni","surname":"cio evaluating bc","last_login_time_dt":"2024-08-06T12:02:54.104363Z"}},"group":{"name":"majority scores surveillance","desc":"bearing return gt","uid":"cfd52f3c-53eb-11ef-bb53-0242ac110005","privileges":["kansas religions cgi"]},"uid":"cfd53608-53eb-11ef-92de-0242ac110005","loaded_modules":["/save/tt/places/ballet/exclusive.psd","/administered/herbs/discrete/katie/rl.ttf"],"cmd_line":"visual dated alpha","container":{"name":"footwear checkout march","size":1641826457,"uid":"cfd542ec-53eb-11ef-be38-0242ac110005","image":{"name":"concentrations deck created","uid":"cfd54bf2-53eb-11ef-b477-0242ac110005"},"hash":{"value":"03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471","algorithm":"TLSH","algorithm_id":6}},"created_time":1722945774105758,"integrity":"Unknown","integrity_id":0,"lineage":["length apr charm","farm chaos overseas"],"namespace_pid":33,"sandbox":"mexican mixer g","euid":59,"terminated_time_dt":"2024-08-06T12:02:54.105788Z"},"egid":49,"terminated_time_dt":"2024-08-06T12:02:54.105798Z"},"sandbox":"variance volleyball 
compile"},"auid":38,"terminated_time_dt":"2024-08-06T12:02:54.105811Z"}},"created_time_dt":"2024-08-06T12:02:54.105819Z"},"xattributes":{},"euid":32},"terminated_time":1722945774105859,"auid":17},"sandbox":"frequent dining arguments","xattributes":{},"created_time_dt":"2024-08-06T12:02:54.105883Z","terminated_time_dt":"2024-08-06T12:02:54.105888Z"},"euid":93,"terminated_time_dt":"2024-08-06T12:02:54.105894Z"},"user":{"name":"Ok","type":"System","domain":"rpm particular mae","uid":"cfd57668-53eb-11ef-ad7f-0242ac110005","groups":[{"name":"numbers nextel globe","type":"debug carpet per","domain":"indexed email mardi","uid":"cfd58068-53eb-11ef-b081-0242ac110005"},{"name":"fitting personalized estimation","uid":"cfd58ae0-53eb-11ef-850c-0242ac110005"}],"type_id":3}},"cloud":{"provider":"experimental mac seconds","region":"debate population smithsonian","zone":"raised expert baseball"},"database":{"name":"laden confidence arabic","type":"Object Oriented","uid":"cfcf8aaa-53eb-11ef-835d-0242ac110005","type_id":3,"created_time_dt":"2024-08-06T12:02:54.068006Z"},"databucket":{"name":"facts drug laos","type":"GCP Bucket","type_id":3},"severity_id":1,"src_endpoint":{"port":47139,"type":"Laptop","ip":"175.16.199.0","hostname":"thank.coop","uid":"cfcfee32-53eb-11ef-b8c3-0242ac110005","type_id":3,"container":{"name":"detect drop hobbies","size":2933944469,"tag":"together own republicans","uid":"cfd0401c-53eb-11ef-b764-0242ac110005","image":{"path":"constraint explosion ge","uid":"cfd04b5c-53eb-11ef-a7db-0242ac110005","labels":["er","distances"]}},"hw_info":{"cpu_count":74,"cpu_speed":92},"instance_uid":"cfd0555c-53eb-11ef-82ff-0242ac110005","interface_uid":"cfd05bd8-53eb-11ef-864c-0242ac110005","namespace_pid":25,"svc_name":"further compressed twisted","vlan_uid":"cfd06344-53eb-11ef-9b92-0242ac110005"},"status_id":2} +{"message":"fur stake pickup","status":"Failure","total":87,"time":1723108823724670,"metadata":{"version":"1.1.0","extension":{"name":"reward furniture 
awful","version":"1.1.0","uid":"70fa28aa-5567-11ef-9e8c-0242ac110005"},"product":{"name":"nintendo une exist","version":"1.1.0","uid":"70fa3656-5567-11ef-8ec3-0242ac110005","url_string":"eq","vendor_name":"investors viral conscious"},"labels":["sage"],"profiles":[],"log_name":"form rising isolated","log_provider":"commerce relatives qualify","loggers":[{"name":"configure fetish advertise","device":{"name":"scanners storage illinois","type":"Laptop","os":{"name":"bolt photographers oman","type":"Windows","build":"acne toolbox architectural","type_id":100,"edition":"hired moscow antibodies"},"ip":"151.112.44.246","desc":"bg falling her","hostname":"transformation.mobi","type_id":3,"subnet":"244.6.140.0/24","instance_uid":"70fa8246-5567-11ef-93ce-0242ac110005","interface_name":"bulletin keith reporters","interface_uid":"70fa8c3c-5567-11ef-b329-0242ac110005","is_trusted":false,"modified_time":1723108823723078,"region":"pm memorabilia penalty","subnet_uid":"70fa532a-5567-11ef-b983-0242ac110005","vlan_uid":"70fa5a0a-5567-11ef-a39d-0242ac110005"},"product":{"name":"april visit maximum","version":"1.1.0","uid":"70fa9c0e-5567-11ef-92a1-0242ac110005","vendor_name":"equivalent all operating"},"uid":"70faa3ac-5567-11ef-9136-0242ac110005","log_name":"thee mining your","transmit_time":1723108823724148},{"name":"gallery prayers vcr","product":{"name":"positioning tier electrical","version":"1.1.0","uid":"70faafd2-5567-11ef-9ce0-0242ac110005","url_string":"english","vendor_name":"reservation connection shell"},"log_name":"suggested blake pendant","log_provider":"beautifully ae beauty"}],"original_time":"sheffield origins travesti","tenant_uid":"70fab7d4-5567-11ef-9fcd-0242ac110005"},"scan":{"name":"cooperation edge magnificent","type":"Unknown","uid":"70fac396-5567-11ef-a8a3-0242ac110005","type_id":0},"start_time":1723108823725300,"severity":"Unknown","duration":39,"type_name":"Scan Activity: Cancelled","activity_id":3,"type_uid":600703,"category_name":"Application 
Activity","class_uid":6007,"category_uid":6,"class_name":"Scan Activity","timezone_offset":51,"end_time":1723108823724649,"activity_name":"Cancelled","command_uid":"70f9ff4c-5567-11ef-96d3-0242ac110005","num_files":85,"num_network_items":45,"num_processes":12,"num_registry_items":21,"num_resolutions":0,"num_skipped_items":80,"num_trusted_items":47,"policy":{"name":"these wordpress cos","version":"1.1.0","uid":"70fad110-5567-11ef-a15f-0242ac110005"},"schedule_uid":"70f9f600-5567-11ef-9766-0242ac110005","severity_id":0,"status_code":"shape","status_id":2} +{"actor":{"process":{"name":"Lightweight","pid":12,"file":{"attributes":83,"name":"hawk.wsf","owner":{"name":"Illegal","type":"System","domain":"shade variety cooper","uid":"ff702496-556b-11ef-9f4e-0242ac110005","type_id":3,"account":{"type":"AWS Account","uid":"ff702df6-556b-11ef-a8bb-0242ac110005","type_id":10},"email_addr":"Erick@invision.edu","uid_alt":"preceding psp cleared"},"type":"Character Device","modifier":{"name":"Hottest","type":"muscles","uid":"ff70411a-556b-11ef-9a1e-0242ac110005","type_id":99,"credential_uid":"ff7047d2-556b-11ef-966d-0242ac110005"},"desc":"playing motor literary","type_id":3,"accessor":{"name":"Golf","type":"died","uid":"ff70655a-556b-11ef-b23a-0242ac110005","type_id":99},"company_name":"Natalya Stormy"},"user":{"type":"brooklyn","uid":"ff707266-556b-11ef-8dd3-0242ac110005","org":{"name":"existence hypothetical audience","uid":"ff707b3a-556b-11ef-989b-0242ac110005","ou_name":"coupon tear compatibility","ou_uid":"ff7082c4-556b-11ef-8273-0242ac110005"},"type_id":99},"group":{"uid":"ff708c1a-556b-11ef-bea6-0242ac110005"},"tid":89,"uid":"ff709200-556b-11ef-a0bf-0242ac110005","cmd_line":"compression warner sapphire","container":{"name":"front myself techniques","size":3673925967,"uid":"ff70a01a-556b-11ef-98b5-0242ac110005","image":{"name":"stage trucks 
cw","uid":"ff70a8da-556b-11ef-9305-0242ac110005"},"hash":{"value":"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B","algorithm":"Unknown","algorithm_id":0}},"created_time":1723110780721040,"parent_process":{"name":"Unlimited","pid":90,"file":{"name":"vulnerability.cue","type":"Local Socket","path":"full jewellery adverse/hans.xml/vulnerability.cue","uid":"ff70c5f4-556b-11ef-8001-0242ac110005","type_id":5,"accessor":{"name":"Breakfast","type":"Admin","uid":"ff70d09e-556b-11ef-82b8-0242ac110005","type_id":2,"full_name":"Cora Marchelle","uid_alt":"lesbian dk media"},"creator":{"name":"Broker","type":"juice","uid":"ff70ec96-556b-11ef-a10b-0242ac110005","type_id":99,"account":{"name":"develops til flu","type":"AWS IAM Role","uid":"ff70fb96-556b-11ef-b127-0242ac110005","type_id":4}},"parent_folder":"full jewellery adverse/hans.xml","hashes":[{"value":"88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7","algorithm":"SHA-256","algorithm_id":3},{"value":"BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA","algorithm":"Unknown","algorithm_id":0}],"xattributes":{}},"user":{"name":"Skip","type":"Admin","uid":"ff710f1e-556b-11ef-bcc2-0242ac110005","type_id":2,"uid_alt":"those facility genetic"},"group":{"name":"overseas avoiding attendance","uid":"ff711932-556b-11ef-8a55-0242ac110005","privileges":["drop welsh munich","developer strange beat"]},"uid":"ff71249a-556b-11ef-b2a4-0242ac110005","cmd_line":"legally hacker please","container":{"name":"ant elegant ana","runtime":"routes peripheral operates","size":3971411004,"uid":"ff712e7c-556b-11ef-b4ec-0242ac110005","image":{"name":"shanghai listen subaru","path":"toxic declaration 
intended","uid":"ff7150be-556b-11ef-a7e8-0242ac110005"},"hash":{"value":"994BB86DD62F615473EE5D1D05C5A1D950D2F3C3","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723110780725334,"lineage":["viii define induced","starsmerchant interest city"],"namespace_pid":10,"parent_process":{"name":"Legs","pid":65,"file":{"attributes":62,"name":"figure.bin","type":"Local Socket","version":"1.1.0","type_id":5,"confidentiality":"outdoors archived regarding","hashes":[{"value":"AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE","algorithm":"SHA-512","algorithm_id":4}],"modified_time":1723110780725738,"security_descriptor":"thesaurus stories skirts","accessed_time_dt":"2024-08-08T09:53:00.725750Z"},"user":{"name":"Marvel","type":"tunnel","uid":"ff716e14-556b-11ef-9183-0242ac110005","type_id":99},"group":{"name":"challenges photoshop want","type":"spice shine latex","uid":"ff717f9e-556b-11ef-beff-0242ac110005"},"tid":45,"uid":"ff71866a-556b-11ef-8d91-0242ac110005","container":{"name":"richard amendments yorkshire","size":2733947088,"uid":"ff7191fa-556b-11ef-b991-0242ac110005","image":{"tag":"g tiffany advocacy","path":"scoring skill rush","uid":"ff719b1e-556b-11ef-8397-0242ac110005"},"hash":{"value":"8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83","algorithm":"quickXorHash","algorithm_id":7}},"integrity":"System","integrity_id":5,"namespace_pid":6,"parent_process":{"name":"Liability","pid":12,"file":{"name":"dress.pct","type":"Symbolic Link","path":"graphic easter hitting/celebration.xls/dress.pct","product":{"name":"relation resulting pride","version":"1.1.0","uid":"ff71b45a-556b-11ef-aee8-0242ac110005","lang":"en","vendor_name":"conversation gamespot myself"},"type_id":7,"accessor":{"name":"Nashville","type":"Admin","uid":"ff71c616-556b-11ef-89f0-0242ac110005","org":{"name":"steven harmony 
mediterranean","uid":"ff71cea4-556b-11ef-80aa-0242ac110005","ou_name":"beam transmit cook"},"type_id":2,"credential_uid":"ff71d5de-556b-11ef-bfb8-0242ac110005"},"parent_folder":"graphic easter hitting/celebration.xls","hashes":[{"value":"C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333","algorithm":"Unknown","algorithm_id":0}]},"tid":23,"uid":"ff71e204-556b-11ef-b426-0242ac110005","cmd_line":"sponsored contractor notion","container":{"size":1046580299,"uid":"ff71eb82-556b-11ef-855e-0242ac110005","hash":{"value":"175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A","algorithm":"TLSH","algorithm_id":6}},"created_time":1723110780729284,"namespace_pid":66,"parent_process":{"name":"Believed","pid":12,"file":{"attributes":44,"name":"autumn.mid","size":1791990748,"type":"Symbolic Link","path":"normally soviet packaging/acne.js/autumn.mid","type_id":7,"mime_type":"foto/congo","parent_folder":"normally soviet packaging/acne.js","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527","algorithm":"SHA-512","algorithm_id":4},{"value":"41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4","algorithm":"SHA-256","algorithm_id":3}],"accessed_time_dt":"2024-08-08T09:53:00.729741Z"},"user":{"name":"Aol","type":"Admin","uid":"ff7209d2-556b-11ef-859c-0242ac110005","type_id":2,"email_addr":"Claudia@destroyed.museum"},"group":{"name":"rivers kde impaired","uid":"ff7213f0-556b-11ef-afbe-0242ac110005"},"uid":"ff721b66-556b-11ef-a28e-0242ac110005","loaded_modules":["/ol/wr/trades/lucky/trusts.mp4"],"cmd_line":"cole playback contribute","container":{"name":"blackjack example page","size":2950957499,"tag":"lexmark sandwich 
determining","uid":"ff72291c-556b-11ef-9cb3-0242ac110005","image":{"name":"eight bow edges","uid":"ff7231f0-556b-11ef-af8b-0242ac110005","labels":["builders","guitars"]},"hash":{"value":"3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723110780731096,"namespace_pid":27,"parent_process":{"name":"Raising","pid":88,"file":{"attributes":10,"name":"spyware.dds","type":"Block Device","path":"protocol validity absence/luther.rm/spyware.dds","type_id":4,"mime_type":"institute/ivory","parent_folder":"protocol validity absence/luther.rm","confidentiality":"torture lawn fuel","hashes":[{"value":"298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14","algorithm":"SHA-512","algorithm_id":4},{"value":"E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"delta caution ncaa"},"user":{"name":"Ieee","type":"Unknown","domain":"numerical circuit charts","type_id":0},"group":{"name":"damaged cumulative applicable","domain":"highways phones introduces"},"uid":"ff72525c-556b-11ef-b49e-0242ac110005","cmd_line":"donation gaps according","container":{"name":"meant she least","tag":"commented attitude magazines","uid":"ff72b166-556b-11ef-af11-0242ac110005","image":{"name":"justify greeting 
attorney","uid":"ff72c4ee-556b-11ef-ae90-0242ac110005"},"hash":{"value":"23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723110780734859,"namespace_pid":56},"auid":91,"euid":25}},"terminated_time_dt":"2024-08-08T09:53:00.734879Z"},"terminated_time":1723110780734887,"auid":42,"euid":36},"created_time_dt":"2024-08-08T09:53:00.734894Z"},"user":{"type":"Unknown","uid":"ff72d2e0-556b-11ef-bbe1-0242ac110005","type_id":0,"credential_uid":"ff72de20-556b-11ef-a522-0242ac110005","uid_alt":"weights hobbies divorce"},"authorizations":[{},{}]},"activity_name":"Started","num_detections":89,"start_time":1723110780716472,"policy":{"name":"katie producing webcast","desc":"relevance lots trigger","uid":"ff6ff8fe-556b-11ef-874e-0242ac110005"},"category_uid":6,"class_name":"Scan Activity","num_skipped_items":59,"message":"tools motivated nightlife","api":{"request":{"uid":"ff6fddec-556b-11ef-a2d3-0242ac110005"},"group":{"name":"dividend consistency definitely","type":"posts vendors student","uid":"ff6feb8e-556b-11ef-8cd0-0242ac110005"},"response":{"error":"headquarters viii accurately","code":96,"data":"phenomenon","message":"definitely existing colleges","error_message":"unexpected amazon worm"},"operation":"cathedral participate wrapping"},"scan":{"name":"caribbean operate detected","type":"Updated Content","uid":"ff6fd18a-556b-11ef-887c-0242ac110005","type_id":3},"severity_id":6,"time":1723110780715169,"type_name":"Scan Activity: Started","num_files":43,"device":{"name":"cams witnesses summary","type":"Unknown","domain":"a licensed facility","ip":"175.16.199.0","location":{"desc":"Falkland Islands (Malvinas)","city":"Messaging management","country":"FK","coordinates":[170.507,-62.7832],"continent":"South America"},"hostname":"active.jobs","uid":"ff6f8cca-556b-11ef-9bc0-0242ac110005","type_id":0,"subnet":"28.0.0.0/8","container":{"name":"related 
understanding tricks","size":3329432332,"uid":"ff6fafac-556b-11ef-9f24-0242ac110005","image":{"name":"items discharge whale","uid":"ff6fbc7c-556b-11ef-9149-0242ac110005"},"hash":{"value":"788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2","algorithm":"magic","algorithm_id":99}},"interface_uid":"ff6fc604-556b-11ef-a921-0242ac110005","last_seen_time":1723110780713330,"modified_time":1723110780713347,"namespace_pid":13,"region":"patricia link controversy","risk_level":"ratios capable administrator","uid_alt":"scientific addition power","vpc_uid":"ff6f7bea-556b-11ef-99b2-0242ac110005","zone":"districts fit connector","modified_time_dt":"2024-08-08T09:53:00.713297Z","first_seen_time_dt":"2024-08-08T09:53:00.713342Z"},"end_time":1723110780712791,"num_folders":37,"timezone_offset":20,"metadata":{"version":"1.1.0","product":{"name":"hospitality fabric loop","version":"1.1.0","uid":"ff6f5962-556b-11ef-9975-0242ac110005","vendor_name":"hindu carlo achieve"},"uid":"ff6f607e-556b-11ef-b5f9-0242ac110005","log_level":"entities staying supplemental","profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"brother lord wyoming","log_provider":"diana alternate finals","original_time":"negotiations hardwood avg","tenant_uid":"ff6f6844-556b-11ef-8efe-0242ac110005","logged_time_dt":"2024-08-08T09:53:00.712767Z"},"duration":0,"command_uid":"ff6f480a-556b-11ef-93ac-0242ac110005","status":"synthesis","num_resolutions":19,"activity_id":1,"total":63,"num_processes":41,"num_network_items":71,"class_uid":6007,"cloud":{"org":{"name":"serving invest coating","uid":"ff6f0be2-556b-11ef-9b41-0242ac110005","ou_name":"caroline au dos"},"account":{"name":"houston indexes puerto","type":"Apple Account","uid":"ff6f370c-556b-11ef-a592-0242ac110005","type_id":8},"project_uid":"ff6f3f0e-556b-11ef-913f-0242ac110005","provider":"greensboro gallery reporting","region":"consistency alert 
titten"},"type_uid":600701,"num_trusted_items":36,"severity":"Fatal","category_name":"Application Activity","status_id":99}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
index ec310bde054c..5d2c00db40b4 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
@@ -1581,6 +1581,853 @@ "id": "cfd57668-53eb-11ef-ad7f-0242ac110005", "name": "Ok" } + }, + { + "@timestamp": "+56573-02-22T03:55:24.670Z", + "data_stream": { + "dataset": "amazon_security_lake.application_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "cancelled", + "duration": 39000000, + "end": "+56573-02-22T03:55:24.649Z", + "kind": "event", + "original": "{\"message\":\"fur stake pickup\",\"status\":\"Failure\",\"total\":87,\"time\":1723108823724670,\"metadata\":{\"version\":\"1.1.0\",\"extension\":{\"name\":\"reward furniture awful\",\"version\":\"1.1.0\",\"uid\":\"70fa28aa-5567-11ef-9e8c-0242ac110005\"},\"product\":{\"name\":\"nintendo une exist\",\"version\":\"1.1.0\",\"uid\":\"70fa3656-5567-11ef-8ec3-0242ac110005\",\"url_string\":\"eq\",\"vendor_name\":\"investors viral conscious\"},\"labels\":[\"sage\"],\"profiles\":[],\"log_name\":\"form rising isolated\",\"log_provider\":\"commerce relatives qualify\",\"loggers\":[{\"name\":\"configure fetish advertise\",\"device\":{\"name\":\"scanners storage illinois\",\"type\":\"Laptop\",\"os\":{\"name\":\"bolt photographers oman\",\"type\":\"Windows\",\"build\":\"acne toolbox architectural\",\"type_id\":100,\"edition\":\"hired moscow antibodies\"},\"ip\":\"151.112.44.246\",\"desc\":\"bg falling her\",\"hostname\":\"transformation.mobi\",\"type_id\":3,\"subnet\":\"244.6.140.0/24\",\"instance_uid\":\"70fa8246-5567-11ef-93ce-0242ac110005\",\"interface_name\":\"bulletin keith reporters\",\"interface_uid\":\"70fa8c3c-5567-11ef-b329-0242ac110005\",\"is_trusted\":false,\"modified_time\":1723108823723078,\"region\":\"pm memorabilia penalty\",\"subnet_uid\":\"70fa532a-5567-11ef-b983-0242ac110005\",\"vlan_uid\":\"70fa5a0a-5567-11ef-a39d-0242ac110005\"},\"product\":{\"name\":\"april visit maximum\",\"version\":\"1.1.0\",\"uid\":\"70fa9c0e-5567-11ef-92a1-0242ac110005\",\"vendor_name\":\"equivalent all 
operating\"},\"uid\":\"70faa3ac-5567-11ef-9136-0242ac110005\",\"log_name\":\"thee mining your\",\"transmit_time\":1723108823724148},{\"name\":\"gallery prayers vcr\",\"product\":{\"name\":\"positioning tier electrical\",\"version\":\"1.1.0\",\"uid\":\"70faafd2-5567-11ef-9ce0-0242ac110005\",\"url_string\":\"english\",\"vendor_name\":\"reservation connection shell\"},\"log_name\":\"suggested blake pendant\",\"log_provider\":\"beautifully ae beauty\"}],\"original_time\":\"sheffield origins travesti\",\"tenant_uid\":\"70fab7d4-5567-11ef-9fcd-0242ac110005\"},\"scan\":{\"name\":\"cooperation edge magnificent\",\"type\":\"Unknown\",\"uid\":\"70fac396-5567-11ef-a8a3-0242ac110005\",\"type_id\":0},\"start_time\":1723108823725300,\"severity\":\"Unknown\",\"duration\":39,\"type_name\":\"Scan Activity: Cancelled\",\"activity_id\":3,\"type_uid\":600703,\"category_name\":\"Application Activity\",\"class_uid\":6007,\"category_uid\":6,\"class_name\":\"Scan Activity\",\"timezone_offset\":51,\"end_time\":1723108823724649,\"activity_name\":\"Cancelled\",\"command_uid\":\"70f9ff4c-5567-11ef-96d3-0242ac110005\",\"num_files\":85,\"num_network_items\":45,\"num_processes\":12,\"num_registry_items\":21,\"num_resolutions\":0,\"num_skipped_items\":80,\"num_trusted_items\":47,\"policy\":{\"name\":\"these wordpress cos\",\"version\":\"1.1.0\",\"uid\":\"70fad110-5567-11ef-a15f-0242ac110005\"},\"schedule_uid\":\"70f9f600-5567-11ef-9766-0242ac110005\",\"severity_id\":0,\"status_code\":\"shape\",\"status_id\":2}", + "outcome": "failure", + "provider": "commerce relatives qualify", + "severity": 0, + "start": "+56573-02-22T03:55:25.300Z", + "type": [ + "info" + ] + }, + "message": "fur stake pickup", + "ocsf": { + "activity_id": "3", + "activity_name": "Cancelled", + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Scan Activity", + "class_uid": "6007", + "command_uid": "70f9ff4c-5567-11ef-96d3-0242ac110005", + "duration": 39, + "end_time": 
"+56573-02-22T03:55:24.649Z", + "message": "fur stake pickup", + "metadata": { + "extension": { + "name": "reward furniture awful", + "uid": "70fa28aa-5567-11ef-9e8c-0242ac110005", + "version": "1.1.0" + }, + "labels": [ + "sage" + ], + "log_name": "form rising isolated", + "log_provider": "commerce relatives qualify", + "loggers": [ + { + "device": { + "desc": "bg falling her", + "hostname": "transformation.mobi", + "instance_uid": "70fa8246-5567-11ef-93ce-0242ac110005", + "interface_name": "bulletin keith reporters", + "interface_uid": "70fa8c3c-5567-11ef-b329-0242ac110005", + "ip": "151.112.44.246", + "is_trusted": false, + "modified_time": 1723108823723078, + "name": "scanners storage illinois", + "os": { + "build": "acne toolbox architectural", + "edition": "hired moscow antibodies", + "name": "bolt photographers oman", + "type": "Windows", + "type_id": 100 + }, + "region": "pm memorabilia penalty", + "subnet": "244.6.140.0/24", + "subnet_uid": "70fa532a-5567-11ef-b983-0242ac110005", + "type": "Laptop", + "type_id": 3, + "vlan_uid": "70fa5a0a-5567-11ef-a39d-0242ac110005" + }, + "log_name": "thee mining your", + "name": "configure fetish advertise", + "product": { + "name": "april visit maximum", + "uid": "70fa9c0e-5567-11ef-92a1-0242ac110005", + "vendor_name": "equivalent all operating", + "version": "1.1.0" + }, + "transmit_time": 1723108823724148, + "uid": "70faa3ac-5567-11ef-9136-0242ac110005" + }, + { + "log_name": "suggested blake pendant", + "log_provider": "beautifully ae beauty", + "name": "gallery prayers vcr", + "product": { + "name": "positioning tier electrical", + "uid": "70faafd2-5567-11ef-9ce0-0242ac110005", + "url_string": "english", + "vendor_name": "reservation connection shell", + "version": "1.1.0" + } + } + ], + "original_time": "sheffield origins travesti", + "product": { + "name": "nintendo une exist", + "uid": "70fa3656-5567-11ef-8ec3-0242ac110005", + "url_string": "eq", + "vendor_name": "investors viral conscious", + "version": "1.1.0" 
+ }, + "tenant_uid": "70fab7d4-5567-11ef-9fcd-0242ac110005", + "version": "1.1.0" + }, + "num_files": 85, + "num_network_items": 45, + "num_processes": 12, + "num_registry_items": 21, + "num_resolutions": 0, + "num_skipped_items": 80, + "num_trusted_items": 47, + "policy": { + "name": "these wordpress cos", + "uid": "70fad110-5567-11ef-a15f-0242ac110005", + "version": "1.1.0" + }, + "scan": { + "name": "cooperation edge magnificent", + "type": "Unknown", + "type_id": 0, + "uid": "70fac396-5567-11ef-a8a3-0242ac110005" + }, + "schedule_uid": "70f9f600-5567-11ef-9766-0242ac110005", + "severity": "Unknown", + "severity_id": 0, + "start_time": "+56573-02-22T03:55:25.300Z", + "status": "Failure", + "status_code": "shape", + "status_id": "2", + "time": "+56573-02-22T03:55:24.670Z", + "timezone_offset": 51, + "total": 87, + "type_name": "Scan Activity: Cancelled", + "type_uid": "600703" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "sage" + ] + }, + { + "@timestamp": "+56573-03-16T19:31:55.169Z", + "cloud": { + "account": { + "id": "ff6f370c-556b-11ef-a592-0242ac110005", + "name": "houston indexes puerto" + }, + "project": { + "id": "ff6f3f0e-556b-11ef-913f-0242ac110005" + }, + "provider": "greensboro gallery reporting", + "region": "consistency alert titten" + }, + "container": { + "id": "ff70a01a-556b-11ef-98b5-0242ac110005", + "image": { + "name": "stage trucks cw" + }, + "name": "front myself techniques" + }, + "data_stream": { + "dataset": "amazon_security_lake.application_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "started", + "duration": 0, + "end": "+56573-03-16T19:31:52.791Z", + "id": "ff6f607e-556b-11ef-b5f9-0242ac110005", + "kind": "event", + "original": "{\"actor\":{\"process\":{\"name\":\"Lightweight\",\"pid\":12,\"file\":{\"attributes\":83,\"name\":\"hawk.wsf\",\"owner\":{\"name\":\"Illegal\",\"type\":\"System\",\"domain\":\"shade variety 
cooper\",\"uid\":\"ff702496-556b-11ef-9f4e-0242ac110005\",\"type_id\":3,\"account\":{\"type\":\"AWS Account\",\"uid\":\"ff702df6-556b-11ef-a8bb-0242ac110005\",\"type_id\":10},\"email_addr\":\"Erick@invision.edu\",\"uid_alt\":\"preceding psp cleared\"},\"type\":\"Character Device\",\"modifier\":{\"name\":\"Hottest\",\"type\":\"muscles\",\"uid\":\"ff70411a-556b-11ef-9a1e-0242ac110005\",\"type_id\":99,\"credential_uid\":\"ff7047d2-556b-11ef-966d-0242ac110005\"},\"desc\":\"playing motor literary\",\"type_id\":3,\"accessor\":{\"name\":\"Golf\",\"type\":\"died\",\"uid\":\"ff70655a-556b-11ef-b23a-0242ac110005\",\"type_id\":99},\"company_name\":\"Natalya Stormy\"},\"user\":{\"type\":\"brooklyn\",\"uid\":\"ff707266-556b-11ef-8dd3-0242ac110005\",\"org\":{\"name\":\"existence hypothetical audience\",\"uid\":\"ff707b3a-556b-11ef-989b-0242ac110005\",\"ou_name\":\"coupon tear compatibility\",\"ou_uid\":\"ff7082c4-556b-11ef-8273-0242ac110005\"},\"type_id\":99},\"group\":{\"uid\":\"ff708c1a-556b-11ef-bea6-0242ac110005\"},\"tid\":89,\"uid\":\"ff709200-556b-11ef-a0bf-0242ac110005\",\"cmd_line\":\"compression warner sapphire\",\"container\":{\"name\":\"front myself techniques\",\"size\":3673925967,\"uid\":\"ff70a01a-556b-11ef-98b5-0242ac110005\",\"image\":{\"name\":\"stage trucks cw\",\"uid\":\"ff70a8da-556b-11ef-9305-0242ac110005\"},\"hash\":{\"value\":\"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}},\"created_time\":1723110780721040,\"parent_process\":{\"name\":\"Unlimited\",\"pid\":90,\"file\":{\"name\":\"vulnerability.cue\",\"type\":\"Local Socket\",\"path\":\"full jewellery adverse/hans.xml/vulnerability.cue\",\"uid\":\"ff70c5f4-556b-11ef-8001-0242ac110005\",\"type_id\":5,\"accessor\":{\"name\":\"Breakfast\",\"type\":\"Admin\",\"uid\":\"ff70d09e-556b-11ef-82b8-0242ac110005\",\"type_id\":2,\"full_name\":\"Cora Marchelle\",\"uid_alt\":\"lesbian dk 
media\"},\"creator\":{\"name\":\"Broker\",\"type\":\"juice\",\"uid\":\"ff70ec96-556b-11ef-a10b-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"develops til flu\",\"type\":\"AWS IAM Role\",\"uid\":\"ff70fb96-556b-11ef-b127-0242ac110005\",\"type_id\":4}},\"parent_folder\":\"full jewellery adverse/hans.xml\",\"hashes\":[{\"value\":\"88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"xattributes\":{}},\"user\":{\"name\":\"Skip\",\"type\":\"Admin\",\"uid\":\"ff710f1e-556b-11ef-bcc2-0242ac110005\",\"type_id\":2,\"uid_alt\":\"those facility genetic\"},\"group\":{\"name\":\"overseas avoiding attendance\",\"uid\":\"ff711932-556b-11ef-8a55-0242ac110005\",\"privileges\":[\"drop welsh munich\",\"developer strange beat\"]},\"uid\":\"ff71249a-556b-11ef-b2a4-0242ac110005\",\"cmd_line\":\"legally hacker please\",\"container\":{\"name\":\"ant elegant ana\",\"runtime\":\"routes peripheral operates\",\"size\":3971411004,\"uid\":\"ff712e7c-556b-11ef-b4ec-0242ac110005\",\"image\":{\"name\":\"shanghai listen subaru\",\"path\":\"toxic declaration intended\",\"uid\":\"ff7150be-556b-11ef-a7e8-0242ac110005\"},\"hash\":{\"value\":\"994BB86DD62F615473EE5D1D05C5A1D950D2F3C3\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723110780725334,\"lineage\":[\"viii define induced\",\"starsmerchant interest city\"],\"namespace_pid\":10,\"parent_process\":{\"name\":\"Legs\",\"pid\":65,\"file\":{\"attributes\":62,\"name\":\"figure.bin\",\"type\":\"Local Socket\",\"version\":\"1.1.0\",\"type_id\":5,\"confidentiality\":\"outdoors archived 
regarding\",\"hashes\":[{\"value\":\"AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"modified_time\":1723110780725738,\"security_descriptor\":\"thesaurus stories skirts\",\"accessed_time_dt\":\"2024-08-08T09:53:00.725750Z\"},\"user\":{\"name\":\"Marvel\",\"type\":\"tunnel\",\"uid\":\"ff716e14-556b-11ef-9183-0242ac110005\",\"type_id\":99},\"group\":{\"name\":\"challenges photoshop want\",\"type\":\"spice shine latex\",\"uid\":\"ff717f9e-556b-11ef-beff-0242ac110005\"},\"tid\":45,\"uid\":\"ff71866a-556b-11ef-8d91-0242ac110005\",\"container\":{\"name\":\"richard amendments yorkshire\",\"size\":2733947088,\"uid\":\"ff7191fa-556b-11ef-b991-0242ac110005\",\"image\":{\"tag\":\"g tiffany advocacy\",\"path\":\"scoring skill rush\",\"uid\":\"ff719b1e-556b-11ef-8397-0242ac110005\"},\"hash\":{\"value\":\"8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}},\"integrity\":\"System\",\"integrity_id\":5,\"namespace_pid\":6,\"parent_process\":{\"name\":\"Liability\",\"pid\":12,\"file\":{\"name\":\"dress.pct\",\"type\":\"Symbolic Link\",\"path\":\"graphic easter hitting/celebration.xls/dress.pct\",\"product\":{\"name\":\"relation resulting pride\",\"version\":\"1.1.0\",\"uid\":\"ff71b45a-556b-11ef-aee8-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"conversation gamespot myself\"},\"type_id\":7,\"accessor\":{\"name\":\"Nashville\",\"type\":\"Admin\",\"uid\":\"ff71c616-556b-11ef-89f0-0242ac110005\",\"org\":{\"name\":\"steven harmony mediterranean\",\"uid\":\"ff71cea4-556b-11ef-80aa-0242ac110005\",\"ou_name\":\"beam transmit cook\"},\"type_id\":2,\"credential_uid\":\"ff71d5de-556b-11ef-bfb8-0242ac110005\"},\"parent_folder\":\"graphic easter 
hitting/celebration.xls\",\"hashes\":[{\"value\":\"C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}]},\"tid\":23,\"uid\":\"ff71e204-556b-11ef-b426-0242ac110005\",\"cmd_line\":\"sponsored contractor notion\",\"container\":{\"size\":1046580299,\"uid\":\"ff71eb82-556b-11ef-855e-0242ac110005\",\"hash\":{\"value\":\"175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}},\"created_time\":1723110780729284,\"namespace_pid\":66,\"parent_process\":{\"name\":\"Believed\",\"pid\":12,\"file\":{\"attributes\":44,\"name\":\"autumn.mid\",\"size\":1791990748,\"type\":\"Symbolic Link\",\"path\":\"normally soviet packaging/acne.js/autumn.mid\",\"type_id\":7,\"mime_type\":\"foto/congo\",\"parent_folder\":\"normally soviet packaging/acne.js\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"accessed_time_dt\":\"2024-08-08T09:53:00.729741Z\"},\"user\":{\"name\":\"Aol\",\"type\":\"Admin\",\"uid\":\"ff7209d2-556b-11ef-859c-0242ac110005\",\"type_id\":2,\"email_addr\":\"Claudia@destroyed.museum\"},\"group\":{\"name\":\"rivers kde impaired\",\"uid\":\"ff7213f0-556b-11ef-afbe-0242ac110005\"},\"uid\":\"ff721b66-556b-11ef-a28e-0242ac110005\",\"loaded_modules\":[\"/ol/wr/trades/lucky/trusts.mp4\"],\"cmd_line\":\"cole playback contribute\",\"container\":{\"name\":\"blackjack example page\",\"size\":2950957499,\"tag\":\"lexmark sandwich 
determining\",\"uid\":\"ff72291c-556b-11ef-9cb3-0242ac110005\",\"image\":{\"name\":\"eight bow edges\",\"uid\":\"ff7231f0-556b-11ef-af8b-0242ac110005\",\"labels\":[\"builders\",\"guitars\"]},\"hash\":{\"value\":\"3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723110780731096,\"namespace_pid\":27,\"parent_process\":{\"name\":\"Raising\",\"pid\":88,\"file\":{\"attributes\":10,\"name\":\"spyware.dds\",\"type\":\"Block Device\",\"path\":\"protocol validity absence/luther.rm/spyware.dds\",\"type_id\":4,\"mime_type\":\"institute/ivory\",\"parent_folder\":\"protocol validity absence/luther.rm\",\"confidentiality\":\"torture lawn fuel\",\"hashes\":[{\"value\":\"298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"security_descriptor\":\"delta caution ncaa\"},\"user\":{\"name\":\"Ieee\",\"type\":\"Unknown\",\"domain\":\"numerical circuit charts\",\"type_id\":0},\"group\":{\"name\":\"damaged cumulative applicable\",\"domain\":\"highways phones introduces\"},\"uid\":\"ff72525c-556b-11ef-b49e-0242ac110005\",\"cmd_line\":\"donation gaps according\",\"container\":{\"name\":\"meant she least\",\"tag\":\"commented attitude magazines\",\"uid\":\"ff72b166-556b-11ef-af11-0242ac110005\",\"image\":{\"name\":\"justify greeting 
attorney\",\"uid\":\"ff72c4ee-556b-11ef-ae90-0242ac110005\"},\"hash\":{\"value\":\"23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723110780734859,\"namespace_pid\":56},\"auid\":91,\"euid\":25}},\"terminated_time_dt\":\"2024-08-08T09:53:00.734879Z\"},\"terminated_time\":1723110780734887,\"auid\":42,\"euid\":36},\"created_time_dt\":\"2024-08-08T09:53:00.734894Z\"},\"user\":{\"type\":\"Unknown\",\"uid\":\"ff72d2e0-556b-11ef-bbe1-0242ac110005\",\"type_id\":0,\"credential_uid\":\"ff72de20-556b-11ef-a522-0242ac110005\",\"uid_alt\":\"weights hobbies divorce\"},\"authorizations\":[{},{}]},\"activity_name\":\"Started\",\"num_detections\":89,\"start_time\":1723110780716472,\"policy\":{\"name\":\"katie producing webcast\",\"desc\":\"relevance lots trigger\",\"uid\":\"ff6ff8fe-556b-11ef-874e-0242ac110005\"},\"category_uid\":6,\"class_name\":\"Scan Activity\",\"num_skipped_items\":59,\"message\":\"tools motivated nightlife\",\"api\":{\"request\":{\"uid\":\"ff6fddec-556b-11ef-a2d3-0242ac110005\"},\"group\":{\"name\":\"dividend consistency definitely\",\"type\":\"posts vendors student\",\"uid\":\"ff6feb8e-556b-11ef-8cd0-0242ac110005\"},\"response\":{\"error\":\"headquarters viii accurately\",\"code\":96,\"data\":\"phenomenon\",\"message\":\"definitely existing colleges\",\"error_message\":\"unexpected amazon worm\"},\"operation\":\"cathedral participate wrapping\"},\"scan\":{\"name\":\"caribbean operate detected\",\"type\":\"Updated Content\",\"uid\":\"ff6fd18a-556b-11ef-887c-0242ac110005\",\"type_id\":3},\"severity_id\":6,\"time\":1723110780715169,\"type_name\":\"Scan Activity: Started\",\"num_files\":43,\"device\":{\"name\":\"cams witnesses summary\",\"type\":\"Unknown\",\"domain\":\"a licensed facility\",\"ip\":\"175.16.199.0\",\"location\":{\"desc\":\"Falkland Islands (Malvinas)\",\"city\":\"Messaging 
management\",\"country\":\"FK\",\"coordinates\":[170.507,-62.7832],\"continent\":\"South America\"},\"hostname\":\"active.jobs\",\"uid\":\"ff6f8cca-556b-11ef-9bc0-0242ac110005\",\"type_id\":0,\"subnet\":\"28.0.0.0/8\",\"container\":{\"name\":\"related understanding tricks\",\"size\":3329432332,\"uid\":\"ff6fafac-556b-11ef-9f24-0242ac110005\",\"image\":{\"name\":\"items discharge whale\",\"uid\":\"ff6fbc7c-556b-11ef-9149-0242ac110005\"},\"hash\":{\"value\":\"788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"interface_uid\":\"ff6fc604-556b-11ef-a921-0242ac110005\",\"last_seen_time\":1723110780713330,\"modified_time\":1723110780713347,\"namespace_pid\":13,\"region\":\"patricia link controversy\",\"risk_level\":\"ratios capable administrator\",\"uid_alt\":\"scientific addition power\",\"vpc_uid\":\"ff6f7bea-556b-11ef-99b2-0242ac110005\",\"zone\":\"districts fit connector\",\"modified_time_dt\":\"2024-08-08T09:53:00.713297Z\",\"first_seen_time_dt\":\"2024-08-08T09:53:00.713342Z\"},\"end_time\":1723110780712791,\"num_folders\":37,\"timezone_offset\":20,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"hospitality fabric loop\",\"version\":\"1.1.0\",\"uid\":\"ff6f5962-556b-11ef-9975-0242ac110005\",\"vendor_name\":\"hindu carlo achieve\"},\"uid\":\"ff6f607e-556b-11ef-b5f9-0242ac110005\",\"log_level\":\"entities staying supplemental\",\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"brother lord wyoming\",\"log_provider\":\"diana alternate finals\",\"original_time\":\"negotiations hardwood 
avg\",\"tenant_uid\":\"ff6f6844-556b-11ef-8efe-0242ac110005\",\"logged_time_dt\":\"2024-08-08T09:53:00.712767Z\"},\"duration\":0,\"command_uid\":\"ff6f480a-556b-11ef-93ac-0242ac110005\",\"status\":\"synthesis\",\"num_resolutions\":19,\"activity_id\":1,\"total\":63,\"num_processes\":41,\"num_network_items\":71,\"class_uid\":6007,\"cloud\":{\"org\":{\"name\":\"serving invest coating\",\"uid\":\"ff6f0be2-556b-11ef-9b41-0242ac110005\",\"ou_name\":\"caroline au dos\"},\"account\":{\"name\":\"houston indexes puerto\",\"type\":\"Apple Account\",\"uid\":\"ff6f370c-556b-11ef-a592-0242ac110005\",\"type_id\":8},\"project_uid\":\"ff6f3f0e-556b-11ef-913f-0242ac110005\",\"provider\":\"greensboro gallery reporting\",\"region\":\"consistency alert titten\"},\"type_uid\":600701,\"num_trusted_items\":36,\"severity\":\"Fatal\",\"category_name\":\"Application Activity\",\"status_id\":99}", + "provider": "diana alternate finals", + "severity": 6, + "start": "+56573-03-16T19:31:56.472Z", + "type": [ + "info", + "start" + ] + }, + "file": { + "name": "hawk.wsf", + "owner": "Illegal", + "type": "Character Device", + "uid": "ff702496-556b-11ef-9f4e-0242ac110005" + }, + "host": { + "domain": "a licensed facility", + "geo": { + "city_name": "Messaging management", + "continent_name": "South America", + "country_iso_code": "FK", + "location": [ + 170.507, + -62.7832 + ], + "name": "Falkland Islands (Malvinas)" + }, + "hostname": "active.jobs", + "id": "ff6f8cca-556b-11ef-9bc0-0242ac110005", + "ip": [ + "175.16.199.0" + ], + "name": "cams witnesses summary", + "risk": { + "static_level": "ratios capable administrator" + }, + "type": "Unknown" + }, + "message": "tools motivated nightlife", + "ocsf": { + "activity_id": "1", + "activity_name": "Started", + "actor": { + "process": { + "cmd_line": "compression warner sapphire", + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": 
"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B" + }, + "image": { + "name": "stage trucks cw", + "uid": "ff70a8da-556b-11ef-9305-0242ac110005" + }, + "name": "front myself techniques", + "size": 3673925967, + "uid": "ff70a01a-556b-11ef-98b5-0242ac110005" + }, + "created_time": "+56573-03-16T19:32:01.040Z", + "created_time_dt": "2024-08-08T09:53:00.734Z", + "file": { + "accessor": { + "name": "Golf", + "type": "died", + "type_id": "99", + "uid": "ff70655a-556b-11ef-b23a-0242ac110005" + }, + "attributes": 83, + "company_name": "Natalya Stormy", + "desc": "playing motor literary", + "modifier": { + "credential_uid": "ff7047d2-556b-11ef-966d-0242ac110005", + "name": "Hottest", + "type": "muscles", + "type_id": "99", + "uid": "ff70411a-556b-11ef-9a1e-0242ac110005" + }, + "name": "hawk.wsf", + "owner": { + "account": { + "type": "AWS Account", + "type_id": "10", + "uid": "ff702df6-556b-11ef-a8bb-0242ac110005" + }, + "domain": "shade variety cooper", + "email_addr": "Erick@invision.edu", + "name": "Illegal", + "type": "System", + "type_id": "3", + "uid": "ff702496-556b-11ef-9f4e-0242ac110005", + "uid_alt": "preceding psp cleared" + }, + "type": "Character Device", + "type_id": "3" + }, + "group": { + "uid": "ff708c1a-556b-11ef-bea6-0242ac110005" + }, + "name": "Lightweight", + "parent_process": { + "auid": "42", + "cmd_line": "legally hacker please", + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "994BB86DD62F615473EE5D1D05C5A1D950D2F3C3" + }, + "image": { + "name": "shanghai listen subaru", + "path": "toxic declaration intended", + "uid": "ff7150be-556b-11ef-a7e8-0242ac110005" + }, + "name": "ant elegant ana", + "runtime": "routes peripheral operates", + "size": 3971411004, + "uid": "ff712e7c-556b-11ef-b4ec-0242ac110005" + }, + "created_time": "+56573-03-16T19:32:05.334Z", + "euid": "36", + "file": { + "accessor": { + "full_name": "Cora Marchelle", + 
"name": "Breakfast", + "type": "Admin", + "type_id": "2", + "uid": "ff70d09e-556b-11ef-82b8-0242ac110005", + "uid_alt": "lesbian dk media" + }, + "creator": { + "account": { + "name": "develops til flu", + "type": "AWS IAM Role", + "type_id": "4", + "uid": "ff70fb96-556b-11ef-b127-0242ac110005" + }, + "name": "Broker", + "type": "juice", + "type_id": "99", + "uid": "ff70ec96-556b-11ef-a10b-0242ac110005" + }, + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7" + }, + { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": "BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA" + } + ], + "name": "vulnerability.cue", + "parent_folder": "full jewellery adverse/hans.xml", + "path": "full jewellery adverse/hans.xml/vulnerability.cue", + "type": "Local Socket", + "type_id": "5", + "uid": "ff70c5f4-556b-11ef-8001-0242ac110005" + }, + "group": { + "name": "overseas avoiding attendance", + "privileges": [ + "drop welsh munich", + "developer strange beat" + ], + "uid": "ff711932-556b-11ef-8a55-0242ac110005" + }, + "lineage": [ + "viii define induced", + "starsmerchant interest city" + ], + "name": "Unlimited", + "namespace_pid": 10, + "parent_process": { + "container": { + "hash": { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83" + }, + "image": { + "path": "scoring skill rush", + "tag": "g tiffany advocacy", + "uid": "ff719b1e-556b-11ef-8397-0242ac110005" + }, + "name": "richard amendments yorkshire", + "size": 2733947088, + "uid": "ff7191fa-556b-11ef-b991-0242ac110005" + }, + "file": { + "accessed_time_dt": "2024-08-08T09:53:00.725750Z", + "attributes": 62, + "confidentiality": "outdoors archived regarding", + "hashes": [ + { + "algorithm": "SHA-512", + 
"algorithm_id": 4, + "value": "AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE" + } + ], + "modified_time": 1723110780725738, + "name": "figure.bin", + "security_descriptor": "thesaurus stories skirts", + "type": "Local Socket", + "type_id": 5, + "version": "1.1.0" + }, + "group": { + "name": "challenges photoshop want", + "type": "spice shine latex", + "uid": "ff717f9e-556b-11ef-beff-0242ac110005" + }, + "integrity": "System", + "integrity_id": 5, + "name": "Legs", + "namespace_pid": 6, + "parent_process": { + "cmd_line": "sponsored contractor notion", + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A" + }, + "size": 1046580299, + "uid": "ff71eb82-556b-11ef-855e-0242ac110005" + }, + "created_time": 1723110780729284, + "file": { + "accessor": { + "credential_uid": "ff71d5de-556b-11ef-bfb8-0242ac110005", + "name": "Nashville", + "org": { + "name": "steven harmony mediterranean", + "ou_name": "beam transmit cook", + "uid": "ff71cea4-556b-11ef-80aa-0242ac110005" + }, + "type": "Admin", + "type_id": 2, + "uid": "ff71c616-556b-11ef-89f0-0242ac110005" + }, + "hashes": [ + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333" + } + ], + "name": "dress.pct", + "parent_folder": "graphic easter hitting/celebration.xls", + "path": "graphic easter hitting/celebration.xls/dress.pct", + "product": { + "lang": "en", + "name": "relation resulting pride", + "uid": "ff71b45a-556b-11ef-aee8-0242ac110005", + "vendor_name": "conversation gamespot myself", + "version": "1.1.0" + }, + "type": "Symbolic Link", + "type_id": 7 + }, + "name": "Liability", + "namespace_pid": 66, + "parent_process": { + "auid": 91, + 
"cmd_line": "cole playback contribute", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2" + }, + "image": { + "labels": [ + "builders", + "guitars" + ], + "name": "eight bow edges", + "uid": "ff7231f0-556b-11ef-af8b-0242ac110005" + }, + "name": "blackjack example page", + "size": 2950957499, + "tag": "lexmark sandwich determining", + "uid": "ff72291c-556b-11ef-9cb3-0242ac110005" + }, + "created_time": 1723110780731096, + "euid": 25, + "file": { + "accessed_time_dt": "2024-08-08T09:53:00.729741Z", + "attributes": 44, + "confidentiality": "Unknown", + "confidentiality_id": 0, + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527" + }, + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4" + } + ], + "mime_type": "foto/congo", + "name": "autumn.mid", + "parent_folder": "normally soviet packaging/acne.js", + "path": "normally soviet packaging/acne.js/autumn.mid", + "size": 1791990748, + "type": "Symbolic Link", + "type_id": 7 + }, + "group": { + "name": "rivers kde impaired", + "uid": "ff7213f0-556b-11ef-afbe-0242ac110005" + }, + "loaded_modules": [ + "/ol/wr/trades/lucky/trusts.mp4" + ], + "name": "Believed", + "namespace_pid": 27, + "parent_process": { + "cmd_line": "donation gaps according", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910" + }, + "image": { + "name": "justify greeting attorney", + "uid": "ff72c4ee-556b-11ef-ae90-0242ac110005" + }, + "name": "meant she least", + "tag": "commented attitude 
magazines", + "uid": "ff72b166-556b-11ef-af11-0242ac110005" + }, + "created_time": 1723110780734859, + "file": { + "attributes": 10, + "confidentiality": "torture lawn fuel", + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14" + }, + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101" + } + ], + "mime_type": "institute/ivory", + "name": "spyware.dds", + "parent_folder": "protocol validity absence/luther.rm", + "path": "protocol validity absence/luther.rm/spyware.dds", + "security_descriptor": "delta caution ncaa", + "type": "Block Device", + "type_id": 4 + }, + "group": { + "domain": "highways phones introduces", + "name": "damaged cumulative applicable" + }, + "name": "Raising", + "namespace_pid": 56, + "pid": 88, + "uid": "ff72525c-556b-11ef-b49e-0242ac110005", + "user": { + "domain": "numerical circuit charts", + "name": "Ieee", + "type": "Unknown", + "type_id": 0 + } + }, + "pid": 12, + "uid": "ff721b66-556b-11ef-a28e-0242ac110005", + "user": { + "email_addr": "Claudia@destroyed.museum", + "name": "Aol", + "type": "Admin", + "type_id": 2, + "uid": "ff7209d2-556b-11ef-859c-0242ac110005" + } + }, + "pid": 12, + "tid": 23, + "uid": "ff71e204-556b-11ef-b426-0242ac110005" + }, + "pid": 65, + "terminated_time_dt": "2024-08-08T09:53:00.734879Z", + "tid": 45, + "uid": "ff71866a-556b-11ef-8d91-0242ac110005", + "user": { + "name": "Marvel", + "type": "tunnel", + "type_id": 99, + "uid": "ff716e14-556b-11ef-9183-0242ac110005" + } + }, + "pid": 90, + "terminated_time": "+56573-03-16T19:32:14.887Z", + "uid": "ff71249a-556b-11ef-b2a4-0242ac110005", + "user": { + "name": "Skip", + "type": "Admin", + "type_id": "2", + "uid": "ff710f1e-556b-11ef-bcc2-0242ac110005", + "uid_alt": "those facility 
genetic" + } + }, + "pid": 12, + "tid": 89, + "uid": "ff709200-556b-11ef-a0bf-0242ac110005", + "user": { + "org": { + "name": "existence hypothetical audience", + "ou_name": "coupon tear compatibility", + "ou_uid": "ff7082c4-556b-11ef-8273-0242ac110005", + "uid": "ff707b3a-556b-11ef-989b-0242ac110005" + }, + "type": "brooklyn", + "type_id": "99", + "uid": "ff707266-556b-11ef-8dd3-0242ac110005" + } + }, + "user": { + "credential_uid": "ff72de20-556b-11ef-a522-0242ac110005", + "type": "Unknown", + "type_id": "0", + "uid": "ff72d2e0-556b-11ef-bbe1-0242ac110005", + "uid_alt": "weights hobbies divorce" + } + }, + "api": { + "group": { + "name": "dividend consistency definitely", + "type": "posts vendors student", + "uid": "ff6feb8e-556b-11ef-8cd0-0242ac110005" + }, + "operation": "cathedral participate wrapping", + "request": { + "uid": "ff6fddec-556b-11ef-a2d3-0242ac110005" + }, + "response": { + "code": 96, + "data": "phenomenon", + "error": "headquarters viii accurately", + "error_message": "unexpected amazon worm", + "message": "definitely existing colleges" + } + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Scan Activity", + "class_uid": "6007", + "cloud": { + "account": { + "name": "houston indexes puerto", + "type": "Apple Account", + "type_id": "8", + "uid": "ff6f370c-556b-11ef-a592-0242ac110005" + }, + "org": { + "name": "serving invest coating", + "ou_name": "caroline au dos", + "uid": "ff6f0be2-556b-11ef-9b41-0242ac110005" + }, + "project_uid": "ff6f3f0e-556b-11ef-913f-0242ac110005", + "provider": "greensboro gallery reporting", + "region": "consistency alert titten" + }, + "command_uid": "ff6f480a-556b-11ef-93ac-0242ac110005", + "device": { + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2" + }, + "image": { + "name": "items discharge whale", + "uid": "ff6fbc7c-556b-11ef-9149-0242ac110005" + }, + "name": "related 
understanding tricks", + "size": 3329432332, + "uid": "ff6fafac-556b-11ef-9f24-0242ac110005" + }, + "domain": "a licensed facility", + "first_seen_time_dt": "2024-08-08T09:53:00.713Z", + "hostname": "active.jobs", + "interface_uid": "ff6fc604-556b-11ef-a921-0242ac110005", + "ip": "175.16.199.0", + "last_seen_time": "+56573-03-16T19:31:53.330Z", + "location": { + "city": "Messaging management", + "continent": "South America", + "coordinates": [ + 170.507, + -62.7832 + ], + "country": "FK", + "desc": "Falkland Islands (Malvinas)" + }, + "modified_time": "+56573-03-16T19:31:53.347Z", + "modified_time_dt": "2024-08-08T09:53:00.713Z", + "name": "cams witnesses summary", + "namespace_pid": 13, + "region": "patricia link controversy", + "risk_level": "ratios capable administrator", + "subnet": "28.0.0.0/8", + "type": "Unknown", + "type_id": "0", + "uid": "ff6f8cca-556b-11ef-9bc0-0242ac110005", + "uid_alt": "scientific addition power", + "vpc_uid": "ff6f7bea-556b-11ef-99b2-0242ac110005", + "zone": "districts fit connector" + }, + "duration": 0, + "end_time": "+56573-03-16T19:31:52.791Z", + "message": "tools motivated nightlife", + "metadata": { + "log_level": "entities staying supplemental", + "log_name": "brother lord wyoming", + "log_provider": "diana alternate finals", + "logged_time_dt": "2024-08-08T09:53:00.712Z", + "original_time": "negotiations hardwood avg", + "product": { + "name": "hospitality fabric loop", + "uid": "ff6f5962-556b-11ef-9975-0242ac110005", + "vendor_name": "hindu carlo achieve", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "ff6f6844-556b-11ef-8efe-0242ac110005", + "uid": "ff6f607e-556b-11ef-b5f9-0242ac110005", + "version": "1.1.0" + }, + "num_detections": 89, + "num_files": 43, + "num_folders": 37, + "num_network_items": 71, + "num_processes": 41, + "num_resolutions": 19, + "num_skipped_items": 59, + 
"num_trusted_items": 36, + "policy": { + "desc": "relevance lots trigger", + "name": "katie producing webcast", + "uid": "ff6ff8fe-556b-11ef-874e-0242ac110005" + }, + "scan": { + "name": "caribbean operate detected", + "type": "Updated Content", + "type_id": 3, + "uid": "ff6fd18a-556b-11ef-887c-0242ac110005" + }, + "severity": "Fatal", + "severity_id": 6, + "start_time": "+56573-03-16T19:31:56.472Z", + "status": "synthesis", + "status_id": "99", + "time": "+56573-03-16T19:31:55.169Z", + "timezone_offset": 20, + "total": 63, + "type_name": "Scan Activity: Started", + "type_uid": "600701" + }, + "process": { + "command_line": "compression warner sapphire", + "entity_id": "ff709200-556b-11ef-a0bf-0242ac110005", + "group": { + "id": [ + "ff708c1a-556b-11ef-bea6-0242ac110005" + ] + }, + "name": "Lightweight", + "parent": { + "command_line": "legally hacker please", + "end": "+56573-03-16T19:32:14.887Z", + "entity_id": "ff71249a-556b-11ef-b2a4-0242ac110005", + "group": { + "id": [ + "ff711932-556b-11ef-8a55-0242ac110005" + ], + "name": "overseas avoiding attendance" + }, + "name": "Unlimited", + "pid": 90, + "start": "+56573-03-16T19:32:05.334Z", + "user": { + "id": [ + "36", + "ff710f1e-556b-11ef-bcc2-0242ac110005" + ], + "name": "Skip" + } + }, + "pid": 12, + "start": "+56573-03-16T19:32:01.040Z", + "thread": { + "id": 89 + }, + "user": { + "id": [ + "ff707266-556b-11ef-8dd3-0242ac110005" + ] + } + }, + "related": { + "hash": [ + "892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B", + "994BB86DD62F615473EE5D1D05C5A1D950D2F3C3", + "88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7", + "BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA" + ], + "hosts": [ + "a licensed facility", + "active.jobs", + "cams witnesses summary" + ], + "ip": [ + "175.16.199.0" + ], + "user": [ + "Illegal", + 
"ff702496-556b-11ef-9f4e-0242ac110005",
+ "ff707266-556b-11ef-8dd3-0242ac110005",
+ "ff72d2e0-556b-11ef-bbe1-0242ac110005",
+ "Golf",
+ "ff70655a-556b-11ef-b23a-0242ac110005",
+ "36",
+ "ff710f1e-556b-11ef-bcc2-0242ac110005",
+ "Skip",
+ "lesbian dk media",
+ "Cora Marchelle",
+ "Breakfast",
+ "ff70d09e-556b-11ef-82b8-0242ac110005",
+ "Broker",
+ "ff70ec96-556b-11ef-a10b-0242ac110005",
+ "those facility genetic",
+ "Hottest",
+ "ff70411a-556b-11ef-9a1e-0242ac110005",
+ "preceding psp cleared",
+ "Erick@invision.edu",
+ "weights hobbies divorce"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "id": "ff72d2e0-556b-11ef-bbe1-0242ac110005"
+ }
}
]
}
\ No newline at end of file
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 2d671873e8ec..9396dbd01a05 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -40,7 +40,7 @@ processors:
- set:
field: event.kind
tag: set_event_kind
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6001','6002','6003','6004','6005','6007'].contains(ctx.ocsf.class_uid)
value: event
- set:
field: event.kind
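Review bot: The `6007` entry added to the `set_event_kind` condition is a bare class uid like the rest of the list, and the same list is maintained by hand again in `append_info_into_event_type`, `pipeline_object_actor` and `pipeline_object_device` further down, each with its own variations, so a reader cannot tell from the file whether an omission is deliberate or a missed update. A short comment above the processor would make later additions checkable, e.g. `# 6007 = Scan Activity (OCSF v1.1.0); keep in sync with the class lists in append_info_into_event_type, pipeline_object_actor and pipeline_object_device`. The `processors` list this hunk belongs to starts and ends outside the hunk.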
@@ -136,7 +136,7 @@ processors:
tag: append_info_into_event_type
value: info
allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6002','6003','6004','6005','6007'].contains(ctx.ocsf.class_uid)
- append:
field: event.type
tag: append_user_into_event_type
@@ -178,13 +178,13 @@ processors:
tag: append_start_into_event_type
value: start
allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4013','4007','6002'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start','Symmetric Active Exchange','Client Synchronization','Broadcast','Control'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4013','4007','6002','6007'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start','Started','Symmetric Active Exchange','Client Synchronization','Broadcast','Control'].contains(ctx.ocsf.activity_name)
- append:
field: event.type
tag: append_end_into_event_type
value: end
allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1007','2005','3002','4001','4007','4013','6002'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['1007','2005','3002','4001','4007','4013','6002','6007'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Completed','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name)
- append:
field: event.type
tag: append_denied_into_event_type
@@ -220,7 +220,7 @@ processors:
tag: append_error_into_event_type
value: error
allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['6004'].contains(ctx.ocsf.class_uid) && ['Access Error'].contains(ctx.ocsf.activity_name)
+ if: ctx.ocsf?.class_uid != null && ['6004','6007'].contains(ctx.ocsf.class_uid) && ['Access Error','Error'].contains(ctx.ocsf.activity_name)
- set:
field: cloud.account.id
tag: set_cloud_account_uid
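Review bot: The `append_end_into_event_type` condition maps only `Completed` for class `6007`, so a scan that ends in any other terminal state receives no `end` type; as I read the OCSF v1.1.0 Scan Activity class it also defines `Cancelled`, `Duration Violation` and `Pause Violation` activities, and at least `Cancelled` is as much an end of the scan as `Completed`, so detections keyed on `event.type:end` would miss aborted scans. Adding it is a one-word change: `['Terminate','Logoff','Close','Completed','Cancelled','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other']`. Note also that each of these conditions is a cross-product of its class list and its name list, so `Started`, `Completed` and `Error` are now accepted for every listed class rather than only `6007`; that is harmless as long as no other listed class uses those captions, but the pairing is implicit and deserves a comment. The `processors` list starts and ends outside these hunks.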
@@ -705,7 +705,7 @@ processors:
ignore_missing: true
- pipeline:
name: '{{ IngestPipeline "pipeline_object_actor" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5019','6001','6002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5019','6001','6002','6003','6004','6005','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
tag: pipeline_object_actor
ignore_missing_pipeline: true
- pipeline:
@@ -720,7 +720,7 @@ processors:
ignore_missing_pipeline: true
- pipeline:
name: '{{ IngestPipeline "pipeline_object_device" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','5019','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','5019','6001','6002','6004','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null
tag: pipeline_object_device
ignore_missing_pipeline: true
- pipeline:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
index d5a94da6d6ac..71a35ad6718b 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
@@ -28,7 +28,7 @@
- name: verdict_id
type: integer
description: The normalized verdict of an Incident.
- # These fields are used to store misc information about a discovery category event.
+ # These fields are used to store misc information about a discovery category event.
- name: prev_security_states
type: group
description: The previous security states of the device.
@@ -55,3 +55,59 @@
- name: state_id
type: integer
description: The security state of the managed entity.
+ # These fields are used to store misc information about an application activity category event.
+ - name: command_uid
+ type: keyword
+ description: The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.
+ - name: num_detections
+ type: integer
+ description: The number of detections.
+ - name: num_files
+ type: integer
+ description: The number of files scanned.
+ - name: num_folders
+ type: integer
+ description: The number of folders scanned.
+ - name: num_network_items
+ type: integer
+ description: The number of network items scanned.
+ - name: num_processes
+ type: integer
+ description: The number of processes scanned.
+ - name: num_registry_items
+ type: integer
+ description: The number of registry items scanned.
+ - name: num_resolutions
+ type: integer
+ description: The number of items that were resolved.
+ - name: num_skipped_items
+ type: integer
+ description: The number of items that were skipped.
+ - name: num_trusted_items
+ type: integer
+ description: The number of trusted items.
+ - name: policy
+ type: flattened
+ description: The policy that was used to scan the device.
+ - name: scan
+ type: group
+ description: The Scan object describes characteristics of a proactive scan.
+ fields:
+ - name: name
+ type: keyword
+ description: The administrator-supplied or application-generated name of the scan.
+ - name: type
+ type: keyword
+ description: The type of scan.
+ - name: type_id
+ type: integer
+ description: The type id of the scan.
+ - name: uid
+ type: keyword
+ description: The application-defined unique identifier assigned to an instance of a scan.
+ - name: schedule_uid
+ type: keyword
+ description: The unique identifier of the schedule associated with a scan job.
+ - name: total
+ type: integer
+ description: The total number of items that were scanned; zero if no items were scanned.
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index 8c6d4a4780fc..91c851664eea 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -704,6 +704,7 @@ This is the `Event` dataset.
| ocsf.codes | The list of return codes to the FTP command. | long |
| ocsf.command | The command name. | keyword |
| ocsf.command_responses | The list of responses to the FTP command. | keyword |
+| ocsf.command_uid | The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated. | keyword |
| ocsf.comment | The user provided comment about why the entity was changed. | keyword |
| ocsf.compliance.control | A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls. | keyword |
| ocsf.compliance.requirements | A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10. | keyword |
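Review bot: `scan.type_id` is mapped as `integer` while the package already carries enum ids of both types (`risk_level_id` is `keyword` and `security_level_id` is `integer` in the README rows on this page, and the fixture above has `"status_id": "99"` as a string next to `"scan": { "type_id": 3 }`), so the same kind of value ends up with two types and any query or transform that compares `*_id` fields across classes will hit coercion; picking one convention for the new fields, and saying which in the comment that opens this section, would stop the drift from growing. `policy` is `flattened` whereas its sibling `scan` is a typed `group`; the fixture shows `policy` with `desc`, `name` and `uid`, which would map cleanly as keyword subfields the way `scan`'s do, and `flattened` gives up per-field typing and aggregation control. If `flattened` is deliberate, a one-line comment above the field giving the reason would spare the next reader the question. The enclosing top-level field list starts outside the hunk.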
@@ -1642,6 +1643,15 @@ This is the `Event` dataset.
| ocsf.module.type | The module type. | keyword |
| ocsf.name | The name of the data affiliated with the command. | keyword |
| ocsf.nist | The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. | keyword |
+| ocsf.num_detections | The number of detections. | integer |
+| ocsf.num_files | The number of files scanned. | integer |
+| ocsf.num_folders | The number of folders scanned. | integer |
+| ocsf.num_network_items | The number of network items scanned. | integer |
+| ocsf.num_processes | The number of processes scanned. | integer |
+| ocsf.num_registry_items | The number of registry items scanned. | integer |
+| ocsf.num_resolutions | The number of items that were resolved. | integer |
+| ocsf.num_skipped_items | The number of items that were skipped. | integer |
+| ocsf.num_trusted_items | The number of trusted items. | integer |
| ocsf.observables.name | The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name. | keyword |
| ocsf.observables.reputation.base_score | The reputation score as reported by the event source. | double |
| ocsf.observables.reputation.provider | The provider of the reputation information. | keyword |
@@ -1651,6 +1661,7 @@ This is the `Event` dataset.
| ocsf.observables.type_id | The observable value type identifier. | keyword |
| ocsf.observables.value | The value associated with the observable attribute. | keyword |
| ocsf.open_type | Indicates how the file was opened (e.g. normal, delete on close). | keyword |
+| ocsf.policy | The policy that was used to scan the device. | flattened |
| ocsf.port | The dynamic port established for impending data transfers. | long |
| ocsf.precision | The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. | integer |
| ocsf.prev_security_states.state | The security state, normalized to the caption of the state_id value. | keyword |
@@ -1806,6 +1817,11 @@ This is the `Event` dataset.
| ocsf.risk_level | The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. | keyword |
| ocsf.risk_level_id | The normalized risk level id. | keyword |
| ocsf.risk_score | The risk score as reported by the event source. | long |
+| ocsf.scan.name | The administrator-supplied or application-generated name of the scan. | keyword |
+| ocsf.scan.type | The type of scan. | keyword |
+| ocsf.scan.type_id | The type id of the scan. | integer |
+| ocsf.scan.uid | The application-defined unique identifier assigned to an instance of a scan. | keyword |
+| ocsf.schedule_uid | The unique identifier of the schedule associated with a scan job. | keyword |
| ocsf.security_level | The current security level of the entity. | keyword |
| ocsf.security_level_id | The current security level of the entity. | integer |
| ocsf.security_states.state | The security state, normalized to the caption of the state_id value. | keyword |
@@ -1914,6 +1930,7 @@ This is the `Event` dataset.
| ocsf.tls.server_ciphers | The server cipher suites that were exchanged during the TLS handshake negotiation. | keyword |
| ocsf.tls.sni | The Server Name Indication (SNI) extension sent by the client. | keyword |
| ocsf.tls.version | The TLS protocol version. | keyword |
+| ocsf.total | The total number of items that were scanned; zero if no items were scanned. | integer |
| ocsf.traffic.bytes | The total number of bytes (in and out). | long |
| ocsf.traffic.bytes_in | The number of bytes sent from the destination to the source. | long |
| ocsf.traffic.bytes_out | The number of bytes sent from the source to the destination. | long |
From 516b63b0d1d12feac4c2569a15222a4dea192d07 Mon Sep 17 00:00:00 2001
From: Shourie Ganguly Date: Thu, 8 Aug 2024 17:12:02 +0530 Subject: [PATCH 18/30] segregated file fields across required data streams, added support for file hosting activity class --- .../fields/actor-fields.yml | 3 + .../application_activity/fields/fields.yml | 67 +- .../fields/file-fields.yml | 516 ++++++++++++++ .../discovery/fields/actor-fields.yml | 3 + .../pipeline/test-application-activity.log | 1 + ...est-application-activity.log-expected.json | 635 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 14 +- .../data_stream/event/fields/actor-fields.yml | 3 + .../data_stream/event/fields/fields.yml | 501 -------------- .../data_stream/event/fields/file-fields.yml | 516 ++++++++++++++ .../data_stream/event/fields/misc-fields.yml | 28 +- .../findings/fields/actor-fields.yml | 3 + .../data_stream/iam/fields/actor-fields.yml | 3 + .../network_activity/fields/actor-fields.yml | 3 + .../network_activity/fields/fields.yml | 501 -------------- .../network_activity/fields/file-fields.yml | 516 ++++++++++++++ .../system_activity/fields/actor-fields.yml | 3 + .../system_activity/fields/fields.yml | 501 -------------- .../system_activity/fields/file-fields.yml | 516 ++++++++++++++ packages/amazon_security_lake/docs/README.md | 15 +- 20 files changed, 2777 insertions(+), 1571 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/event/fields/file-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml create mode 100644 packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml index 89de2343dcc3..6b9f27dd831d 100644 
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml @@ -615,6 +615,9 @@ - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 608bbc0e7541..9a2b855148db 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml 
@@ -49,6 +49,39 @@
 - name: category_uid
 type: keyword
 description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
+ - name: connection_info
+ type: group
+ fields:
+ - name: boundary
+ type: keyword
+ description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
+ - name: boundary_id
+ type: keyword
+ description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.
+ - name: direction
+ type: keyword
+ description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.
+ - name: direction_id
+ type: keyword
+ description: The normalized identifier of the direction of the initiated connection, traffic, or email.
+ - name: protocol_name
+ type: keyword
+ description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.'
+ - name: protocol_num
+ type: keyword
+ description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.'
+ - name: protocol_ver
+ type: keyword
+ description: The Internet Protocol version.
+ - name: protocol_ver_id
+ type: keyword
+ description: The Internet Protocol version identifier.
+ - name: tcp_flags
+ type: long
+ description: The network connection TCP header flags (i.e., control bits).
+ - name: uid
+ type: keyword
+ description: The unique identifier of the connection.
 - name: class_name
 type: keyword
 description: 'The event class name, as defined by class_uid value: Security Finding.'
@@ -244,6 +277,12 @@
 - name: value
 type: keyword
 description: The value of the attribute to which the enriched data pertains.
+ - name: expiration_time
+ type: date
+ description: The share expiration time.
+ - name: expiration_time_dt
+ type: date
+ description: The share expiration time (date).
 - name: http_request
 type: group
 fields:
@@ -334,33 +373,9 @@
 - name: message
 type: keyword
 description: The description of the event, as defined by the event source.
- - name: num_detections
- type: integer
- description: The number of detections.
- - name: num_files
- type: integer
- description: The number of files scanned.
- - name: num_folders
- type: integer
- description: The number of folders scanned.
- - name: num_network_items
- type: integer
- description: The number of network items scanned.
- - name: num_processes
- type: integer
- description: The number of processes scanned.
- - name: num_registry_items
- type: integer
- description: The number of registry items scanned.
- - name: num_resolutions
- type: integer
- description: The number of items that were resolved.
- - name: num_skipped_items
- type: integer
- description: The number of items that were skipped.
- - name: num_trusted_items
+ - name: num_*
 type: integer
- description: The number of trusted items.
+ description: The number fields for counting various item scan results.
 - name: observables
 type: group
 fields:
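Review bot: `protocol_num` in the new `connection_info` group is mapped as `keyword`, although its own description says it carries an IANA protocol number with `-1` for undefined, and the sibling `tcp_flags` three entries later is `long`; a numeric mapping keeps range queries and the `-1` sentinel usable and matches that sibling. Change the entry to `- name: protocol_num` / `type: long`, assuming the ingest pipeline (not in this chunk) passes the value through as a number rather than a string. The `boundary_id`, `direction_id` and `protocol_ver_id` enumerations as `keyword` follow the `type_id`/`category_uid` convention already visible in this file and can stay.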
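Review bot: Collapsing nine documented counters into the wildcard `num_*` in the `@@ -334,33 +373,9 @@` hunk also drops every per-field description, so the generated README will no longer say what `num_resolutions` or `num_skipped_items` count. Since the wildcard must still be explained somewhere, keep the names in the one description that remains: `description: 'Scan result counters: num_detections, num_files, num_folders, num_network_items, num_processes, num_registry_items, num_resolutions, num_skipped_items, num_trusted_items.'`. The type change is not at issue; the nine removed entries and the wildcard are all `integer`.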
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml
new file mode 100644
index 000000000000..3fc861e2b4de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml
@@ -0,0 +1,516 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. 
+ - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
index 89de2343dcc3..6b9f27dd831d 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
@@ -615,6 +615,9 @@
 - name: group
 type: group
 fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
 - name: desc
 type: keyword
 description: The group description.
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log
index ab62583ebd14..3d62c91b4947 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log
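Review bot: The `groups` sub-object repeated under `accessor`, `creator`, `modifier` and `owner` in the new file-fields.yml lists only `desc`, `name`, `privileges`, `type` and `uid`, while this same patch adds `domain` to the actor group object and the added test sample already carries `groups[].domain` on a file `modifier`; each of the four copies likely needs `- name: domain` / `type: keyword` / `description: The domain where the group is defined. For example, the LDAP or Active Directory domain.` as well, or that value will go unmapped. The four user objects are byte-identical, roughly seventy lines each, and the diffstat shows three more copies of this file for the event, network_activity and system_activity streams, so any such fix has to be applied in twelve places; a comment at the top of the file stating that the user object is duplicated deliberately and must be kept in sync across the four copies and the sibling file-fields.yml files would help the next maintainer. The `accessed_time`, `created_time` and `modified_time` fields are mapped as `date`, whereas the test sample feeds raw 16-digit epoch values such as `"created_time":1722945774075951`; whether the ingest pipeline normalises these before indexing is not visible in this chunk and is worth confirming.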
@@ -4,3 +4,4 @@ {"message":"routing rosa speeds","status":"Failure","type":"loc","time":1722945774073580,"metadata":{"version":"1.1.0","product":{"name":"nightlife joint talked","version":"1.1.0","path":"roulette covered encryption","uid":"cfcfc1aa-53eb-11ef-80a9-0242ac110005","vendor_name":"rainbow league closure"},"extensions":[{"name":"importantly identifying causing","version":"1.1.0","uid":"cfcfce02-53eb-11ef-a17b-0242ac110005"},{"name":"feof nightlife dans","version":"1.1.0","uid":"cfcfd5d2-53eb-11ef-acdf-0242ac110005"}],"labels":["dominant"],"log_level":"consult supplements external","profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"ottawa triumph analysis","log_provider":"medal removing losses","original_time":"families batman star","tenant_uid":"cfcfde4c-53eb-11ef-9b9b-0242ac110005"},"severity":"Informational","duration":38,"type_name":"Datastore Activity: Write","activity_id":5,"type_uid":600505,"category_name":"Application Activity","class_uid":6005,"category_uid":6,"class_name":"Datastore Activity","type_id":99,"end_time_dt":"2024-08-06T12:02:54.073562Z","activity_name":"Write","actor":{"process":{"name":"Flashing","pid":98,"file":{"name":"senegal.dcr","type":"Folder","path":"stock armstrong ie/bobby.m3u/senegal.dcr","type_id":2,"creator":{"name":"Slight","type":"System","domain":"dedicated smile macintosh","uid":"cfd08748-53eb-11ef-8545-0242ac110005","type_id":3},"parent_folder":"stock armstrong ie/bobby.m3u","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43","algorithm":"magic","algorithm_id":99},{"value":"7B849A50DA92F39D6AF294B10E0B93F5","algorithm":"MD5","algorithm_id":1}],"modified_time_dt":"2024-08-06T12:02:54.074547Z"},"user":{"name":"Contamination","type":"Admin","uid":"cfd09666-53eb-11ef-9cc7-0242ac110005","type_id":2},"group":{"name":"desired administration 
quotations","desc":"mime counsel uses","uid":"cfd0a0f2-53eb-11ef-a02f-0242ac110005"},"uid":"cfd0a73c-53eb-11ef-9622-0242ac110005","loaded_modules":["/chronicle/initiated/hormone/surprise/corps.html","/allan/appearance/viruses/college/naughty.rom"],"cmd_line":"associate directions partly","container":{"size":2753478121,"uid":"cfd0b25e-53eb-11ef-aab1-0242ac110005","image":{"name":"number serial patients","uid":"cfd0bb46-53eb-11ef-b743-0242ac110005"},"hash":{"value":"D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2","algorithm":"magic","algorithm_id":99}},"created_time":1722945774075951,"namespace_pid":78,"parent_process":{"name":"Basin","pid":63,"file":{"attributes":67,"name":"spirituality.mid","type":"Character Device","path":"analyzed election throws/composition.tax2020/spirituality.mid","uid":"cfd0d964-53eb-11ef-9f61-0242ac110005","type_id":3,"company_name":"Norberto Vena","parent_folder":"analyzed election throws/composition.tax2020","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7","algorithm":"SHA-1","algorithm_id":2}],"security_descriptor":"nor treasury uri","xattributes":{}},"user":{"name":"Revisions","type":"Admin","type_id":2,"ldap_person":{"created_time":1722945774077119,"hire_time":1722945774077128,"hire_time_dt":"2024-08-06T12:02:54.077132Z"}},"group":{"name":"adolescent antigua ui","domain":"detail blah motels","uid":"cfd0fa70-53eb-11ef-9120-0242ac110005"},"cmd_line":"hash unknown meters","container":{"name":"gnome face decisions","size":411217035,"uid":"cfd10448-53eb-11ef-8948-0242ac110005","image":{"name":"climbing quickly lonely","uid":"cfd10d12-53eb-11ef-8fcb-0242ac110005"},"hash":{"value":"48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294","algorithm":"magic","algorithm_id":99}},"created_time":1722945774077934,"lineage":["off disturbed bidding","validity requested without"],"namespace_pid":60,"parent_process":{"name":"Zus","session":{"issuer":"informal 
witnesses endif","created_time":1722945774078143,"is_remote":false},"file":{"attributes":46,"name":"invite.flv","type":"Folder","path":"mobiles at hazards/feels.b/invite.flv","product":{"name":"executives dell bands","version":"1.1.0","uid":"cfd14174-53eb-11ef-ad92-0242ac110005","url_string":"divx","vendor_name":"neighbor advise animal"},"modifier":{"name":"Bang","type":"wicked","uid":"cfd14d0e-53eb-11ef-8822-0242ac110005","org":{"name":"snake dam rapidly","uid":"cfd155ba-53eb-11ef-9ea1-0242ac110005","ou_name":"photo acrylic highway"},"groups":[{"name":"wales indoor speaking","uid":"cfd160be-53eb-11ef-8f19-0242ac110005"},{"name":"mongolia records suffer","desc":"bathrooms transfers diego","uid":"cfd167da-53eb-11ef-b5a7-0242ac110005"}],"type_id":99,"full_name":"Etha Roy"},"uid":"cfd16ece-53eb-11ef-92bb-0242ac110005","type_id":2,"company_name":"Christian Cinda","parent_folder":"mobiles at hazards/feels.b","confidentiality":"promise","confidentiality_id":99,"hashes":[{"value":"CE59D0F436DBA3BA0A6A76043041A5E787C3B835","algorithm":"SHA-1","algorithm_id":2},{"value":"5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77","algorithm":"CTPH","algorithm_id":5}],"modified_time":1722945774080462,"security_descriptor":"allen mba skating"},"user":{"name":"Bernard","type":"Admin","type_id":2,"uid_alt":"denmark day sir"},"group":{"desc":"times substitute plasma","uid":"cfd17fa4-53eb-11ef-bb39-0242ac110005"},"tid":63,"uid":"cfd185c6-53eb-11ef-85ca-0242ac110005","loaded_modules":["/hotels/stream/anchor/ted/ghost.zipx","/secure/proprietary/execute/medicine/hl.dwg"],"cmd_line":"capabilities major outline","container":{"name":"ul primary rivers","size":4147443008,"uid":"cfd19624-53eb-11ef-b555-0242ac110005","image":{"name":"objectives cooper expenses","tag":"flashers incurred 
visiting","uid":"cfd19f5c-53eb-11ef-b6a5-0242ac110005"},"hash":{"value":"32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA","algorithm":"SHA-256","algorithm_id":3}},"created_time":1722945774081680,"lineage":["feed prozac starring"],"parent_process":{"name":"Keep","pid":75,"file":{"name":"shirts.pct","type":"Folder","path":"reporters schools bermuda/investigations.apk/shirts.pct","modifier":{"name":"Drivers","type":"Admin","uid":"cfd1b884-53eb-11ef-9e17-0242ac110005","type_id":2,"credential_uid":"cfd1bf00-53eb-11ef-9ae0-0242ac110005"},"type_id":2,"parent_folder":"reporters schools bermuda/investigations.apk","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216","algorithm":"SHA-512","algorithm_id":4}]},"user":{"name":"Northeast","type":"Admin","uid":"cfd1cbbc-53eb-11ef-86e4-0242ac110005","org":{"name":"demo dressing bloggers","ou_name":"infection replace kingdom"},"groups":[{"type":"multi extension th","domain":"rolled womens allowed","uid":"cfd1de54-53eb-11ef-9548-0242ac110005"},{"name":"shorter hydrocodone obtaining","type":"jenny version diploma"}],"type_id":2,"credential_uid":"cfd1e638-53eb-11ef-acdc-0242ac110005","email_addr":"Timika@starsmerchant.store","uid_alt":"jr participants illustration"},"group":{"name":"easily strengthening concept","type":"claimed farms dressed","domain":"jim presents tire","uid":"cfd1f0b0-53eb-11ef-a5b6-0242ac110005"},"tid":93,"uid":"cfd1f6b4-53eb-11ef-88fe-0242ac110005","container":{"name":"travesti borough biggest","size":3355225968,"uid":"cfd201c2-53eb-11ef-86c9-0242ac110005","hash":{"value":"A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3","algorithm":"SHA-1","algorithm_id":2}},"created_time":1722945774084196,"namespace_pid":63,"parent_process":{"name":"Acres","pid":41,"file":{"name":"cafe.fon","type":"Local Socket","path":"microwave cir 
nails/gtk.dmg/cafe.fon","uid":"cfd23214-53eb-11ef-aaf5-0242ac110005","type_id":5,"creator":{"name":"Soa","ldap_person":{"manager":{"name":"Arrangements","type":"bunch","domain":"permission eu anonymous","uid":"cfd25802-53eb-11ef-bc5e-0242ac110005","org":{"name":"positioning sending donald","uid":"cfd261e4-53eb-11ef-8e64-0242ac110005","ou_name":"americans pee mixed"},"type_id":99},"cost_center":"char immigration blue","employee_uid":"cfd269b4-53eb-11ef-862f-0242ac110005","job_title":"tm payday needed","office_location":"hack maintains suit","hire_time_dt":"2024-08-06T12:02:54.086830Z"}},"parent_folder":"microwave cir nails/gtk.dmg","security_descriptor":"hour rca writes"},"user":{"name":"Defence","type":"Admin","uid":"cfd27814-53eb-11ef-91f4-0242ac110005","groups":[{"name":"suppliers returns jewellery","uid":"cfd28336-53eb-11ef-a671-0242ac110005"},{"name":"archive honolulu restricted","uid":"cfd28a84-53eb-11ef-a27d-0242ac110005"}],"type_id":2,"account":{"name":"engage subscribe fireplace","type":"Unknown","uid":"cfd298e4-53eb-11ef-9fc1-0242ac110005","type_id":0},"ldap_person":{"manager":{"name":"Lucia","domain":"sides sheet lt","uid":"cfd2a640-53eb-11ef-b33d-0242ac110005","credential_uid":"cfd2ac3a-53eb-11ef-89b0-0242ac110005","email_addr":"Dodie@soundtrack.firm"},"modified_time":1722945774088534,"leave_time_dt":"2024-08-06T12:02:54.088544Z","last_login_time_dt":"2024-08-06T12:02:54.088552Z"},"uid_alt":"trustee tree normally"},"group":{"name":"income bridges uruguay","uid":"cfd2b96e-53eb-11ef-b3a0-0242ac110005"},"tid":47,"uid":"cfd2bf72-53eb-11ef-96ff-0242ac110005","loaded_modules":["/counters/kentucky/proceeding/yo/norwegian.mp3","/indianapolis/sega/statutes/java/purple.bat"],"cmd_line":"calibration signature temp","container":{"name":"begins magnetic inn","size":83122349,"uid":"cfd2ca08-53eb-11ef-af87-0242ac110005","image":{"name":"pot pulse ser","path":"seat employers 
licenses","uid":"cfd2d638-53eb-11ef-a4c4-0242ac110005"},"hash":{"value":"CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"essay brother facility","pod_uuid":"bachelor"},"created_time":1722945774089651,"integrity":"Protected","integrity_id":6,"namespace_pid":96,"parent_process":{"name":"Nationwide","pid":28,"file":{"name":"fragrance.otf","owner":{"name":"Does","type":"Admin","uid":"cfd2f1c2-53eb-11ef-9117-0242ac110005","type_id":2,"email_addr":"Patrina@prototype.gov","ldap_person":{"cost_center":"permits interact afternoon","deleted_time":1722945774090716,"ldap_dn":"renaissance exhibition far","leave_time_dt":"2024-08-06T12:02:54.090731Z","last_login_time_dt":"2024-08-06T12:02:54.090739Z"}},"type":"Block Device","path":"thumbzilla sir drawings/clicking.ico/fragrance.otf","modifier":{"name":"Romania","type":"Unknown","uid":"cfd30dd8-53eb-11ef-a1d7-0242ac110005","groups":[{"name":"boat generate canadian","type":"breast brave sacramento","domain":"mostly third hats","desc":"york yours falls","uid":"cfd317ec-53eb-11ef-b8c7-0242ac110005","privileges":["queries meyer wellness"]},{"name":"considerations wants books","uid":"cfd31f1c-53eb-11ef-8b0c-0242ac110005"}],"type_id":0},"type_id":4,"parent_folder":"thumbzilla sir drawings/clicking.ico","confidentiality":"Unknown","confidentiality_id":0,"created_time":1722945774091482,"hashes":[{"value":"8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874","algorithm":"magic","algorithm_id":99},{"value":"A541714A17804AC281E6DDDA5B707952","algorithm":"MD5","algorithm_id":1}],"modified_time":1722945774091552,"xattributes":{}},"user":{"name":"Semester","type":"Unknown","uid":"cfd34d66-53eb-11ef-852b-0242ac110005","groups":[{"name":"ellis methods congratulations","uid":"cfd3572a-53eb-11ef-8889-0242ac110005","privileges":["deck version bathroom"]},{"name":"proposed margin drug","desc":"race pg 
usps","uid":"cfd35e64-53eb-11ef-8d1c-0242ac110005"}],"type_id":0,"email_addr":"Birdie@candle.edu","ldap_person":{},"uid_alt":"protein clubs membership"},"group":{"name":"blessed operates rug","uid":"cfd36e5e-53eb-11ef-9d98-0242ac110005"},"uid":"cfd374da-53eb-11ef-a5ba-0242ac110005","cmd_line":"vaccine l vegetarian","container":{"name":"matter venues paxil","size":3925402475,"uid":"cfd37e94-53eb-11ef-b3b8-0242ac110005","image":{"name":"troy when advertisers","path":"knife aluminum connectivity","uid":"cfd3879a-53eb-11ef-b5b2-0242ac110005"},"hash":{"value":"9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE","algorithm":"Unknown","algorithm_id":0},"pod_uuid":"examined"},"created_time":1722945774094193,"lineage":["relationship closed gathered","ment tu other"],"namespace_pid":26,"parent_process":{"name":"Pixel","pid":10,"session":{"uid":"cfd3a202-53eb-11ef-8e19-0242ac110005","issuer":"recognize lobby mon","created_time":1722945774095984,"is_remote":false},"file":{"name":"jane.m4a","type":"Folder","path":"living marsh smilies/turner.mim/jane.m4a","modifier":{"type":"System","uid":"cfd3e9ec-53eb-11ef-a8dd-0242ac110005","type_id":3,"uid_alt":"account qld kim"},"type_id":2,"parent_folder":"living marsh smilies/turner.mim","confidentiality":"auburn","confidentiality_id":99,"hashes":[{"value":"C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868","algorithm":"quickXorHash","algorithm_id":7},{"value":"9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD","algorithm":"SHA-512","algorithm_id":4}],"modified_time":1722945774096743,"security_descriptor":"ticket vegas generates","created_time_dt":"2024-08-06T12:02:54.096759Z"},"group":{"name":"bean learners accepting","type":"dietary firms 
hotels","uid":"cfd3fbe4-53eb-11ef-bdb1-0242ac110005"},"uid":"cfd40206-53eb-11ef-a429-0242ac110005","cmd_line":"initiative step gathered","container":{"name":"hundred central hrs","size":724491757,"uid":"cfd40e22-53eb-11ef-afb2-0242ac110005","image":{"name":"food qatar brain","uid":"cfd41700-53eb-11ef-a54d-0242ac110005"},"hash":{"value":"1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3","algorithm":"Unknown","algorithm_id":0}},"created_time":1722945774097846,"namespace_pid":45,"parent_process":{"name":"Yield","pid":82,"file":{"name":"apartments.py","size":524979186,"type":"Named Pipe","path":"fig kelly companion/attorneys.com/apartments.py","uid":"cfd42dd0-53eb-11ef-8dc9-0242ac110005","type_id":6,"parent_folder":"fig kelly companion/attorneys.com","hashes":[{"value":"EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A","algorithm":"SHA-256","algorithm_id":3},{"value":"C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"avoiding bear incoming"},"user":{"name":"Fatal","type":"Unknown","type_id":0},"group":{"name":"cam empirical path","uid":"cfd43d52-53eb-11ef-8205-0242ac110005"},"uid":"cfd4436a-53eb-11ef-84cf-0242ac110005","cmd_line":"pix potential mardi","container":{"name":"kerry courier tony","runtime":"ben dynamics vienna","size":3164331564,"image":{"name":"celebrities sensitive manufacture","tag":"staff ericsson duty","path":"selling rocky projection","uid":"cfd450d0-53eb-11ef-83f3-0242ac110005","labels":["healing","avoiding"]},"hash":{"value":"A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"dui expansion focus"},"created_time":1722945774099345,"integrity":"g manner 
mambo","namespace_pid":96,"parent_process":{"name":"Organ","pid":90,"session":{"uid":"cfd469b2-53eb-11ef-8a8a-0242ac110005","issuer":"lyric fujitsu timber","created_time":1722945774099934,"is_remote":true,"created_time_dt":"2024-08-06T12:02:54.099943Z","expiration_time_dt":"2024-08-06T12:02:54.099951Z"},"file":{"name":"mothers.com","type":"Symbolic Link","version":"1.1.0","path":"wal quiz worker/skin.plugin/mothers.com","type_id":7,"company_name":"Delora Edyth","parent_folder":"wal quiz worker/skin.plugin","hashes":[{"value":"02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966","algorithm":"SHA-512","algorithm_id":4},{"value":"805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280","algorithm":"Unknown","algorithm_id":0}]},"user":{"type":"Unknown","uid":"cfd47e3e-53eb-11ef-a1ef-0242ac110005","type_id":0,"full_name":"Thuy Kristin"},"group":{"type":"figured eyes microphone","desc":"comparable likelihood jeep","uid":"cfd48fb4-53eb-11ef-bbb9-0242ac110005"},"uid":"cfd495e0-53eb-11ef-b81b-0242ac110005","cmd_line":"welding viewpicture sampling","container":{"name":"iii accessories ddr","size":3779122986,"uid":"cfd4a166-53eb-11ef-97e4-0242ac110005","image":{"name":"beach omaha protest","uid":"cfd4aa76-53eb-11ef-a970-0242ac110005"},"hash":{"value":"917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5","algorithm":"magic","algorithm_id":99}},"created_time":1722945774101623,"namespace_pid":90,"parent_process":{"name":"Arrange","pid":5,"file":{"attributes":76,"name":"elizabeth.sln","size":1485425900,"type":"Folder","path":"kai surname approach/xp.wpd/elizabeth.sln","desc":"member dogs ports","type_id":2,"company_name":"Claudio Alejandra","parent_folder":"kai surname 
approach/xp.wpd","confidentiality":"says","confidentiality_id":99,"created_time_dt":"2024-08-06T12:02:54.102808Z"},"user":{"name":"Night","type":"Unknown","type_id":0,"ldap_person":{"manager":{"name":"Merchandise","type":"System","uid":"cfd4ff76-53eb-11ef-9efb-0242ac110005","org":{"name":"belief billion talented","ou_name":"volkswagen africa respect"},"groups":[{"name":"pos constraints inkjet","type":"stat tray charitable"},{"name":"yemen happiness theft"}],"type_id":3,"full_name":"Janiece Jon","credential_uid":"cfd50fd4-53eb-11ef-83d7-0242ac110005","ldap_person":{"surname":"cancelled present faced","modified_time_dt":"2024-08-06T12:02:54.104306Z"},"uid_alt":"fraud answers loved"},"email_addrs":["Sharonda@helena.name","Caroline@consent.mil"],"hire_time":1722945774104346,"office_location":"ways statement ni","surname":"cio evaluating bc","last_login_time_dt":"2024-08-06T12:02:54.104363Z"}},"group":{"name":"majority scores surveillance","desc":"bearing return gt","uid":"cfd52f3c-53eb-11ef-bb53-0242ac110005","privileges":["kansas religions cgi"]},"uid":"cfd53608-53eb-11ef-92de-0242ac110005","loaded_modules":["/save/tt/places/ballet/exclusive.psd","/administered/herbs/discrete/katie/rl.ttf"],"cmd_line":"visual dated alpha","container":{"name":"footwear checkout march","size":1641826457,"uid":"cfd542ec-53eb-11ef-be38-0242ac110005","image":{"name":"concentrations deck created","uid":"cfd54bf2-53eb-11ef-b477-0242ac110005"},"hash":{"value":"03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471","algorithm":"TLSH","algorithm_id":6}},"created_time":1722945774105758,"integrity":"Unknown","integrity_id":0,"lineage":["length apr charm","farm chaos overseas"],"namespace_pid":33,"sandbox":"mexican mixer g","euid":59,"terminated_time_dt":"2024-08-06T12:02:54.105788Z"},"egid":49,"terminated_time_dt":"2024-08-06T12:02:54.105798Z"},"sandbox":"variance volleyball 
compile"},"auid":38,"terminated_time_dt":"2024-08-06T12:02:54.105811Z"}},"created_time_dt":"2024-08-06T12:02:54.105819Z"},"xattributes":{},"euid":32},"terminated_time":1722945774105859,"auid":17},"sandbox":"frequent dining arguments","xattributes":{},"created_time_dt":"2024-08-06T12:02:54.105883Z","terminated_time_dt":"2024-08-06T12:02:54.105888Z"},"euid":93,"terminated_time_dt":"2024-08-06T12:02:54.105894Z"},"user":{"name":"Ok","type":"System","domain":"rpm particular mae","uid":"cfd57668-53eb-11ef-ad7f-0242ac110005","groups":[{"name":"numbers nextel globe","type":"debug carpet per","domain":"indexed email mardi","uid":"cfd58068-53eb-11ef-b081-0242ac110005"},{"name":"fitting personalized estimation","uid":"cfd58ae0-53eb-11ef-850c-0242ac110005"}],"type_id":3}},"cloud":{"provider":"experimental mac seconds","region":"debate population smithsonian","zone":"raised expert baseball"},"database":{"name":"laden confidence arabic","type":"Object Oriented","uid":"cfcf8aaa-53eb-11ef-835d-0242ac110005","type_id":3,"created_time_dt":"2024-08-06T12:02:54.068006Z"},"databucket":{"name":"facts drug laos","type":"GCP Bucket","type_id":3},"severity_id":1,"src_endpoint":{"port":47139,"type":"Laptop","ip":"175.16.199.0","hostname":"thank.coop","uid":"cfcfee32-53eb-11ef-b8c3-0242ac110005","type_id":3,"container":{"name":"detect drop hobbies","size":2933944469,"tag":"together own republicans","uid":"cfd0401c-53eb-11ef-b764-0242ac110005","image":{"path":"constraint explosion ge","uid":"cfd04b5c-53eb-11ef-a7db-0242ac110005","labels":["er","distances"]}},"hw_info":{"cpu_count":74,"cpu_speed":92},"instance_uid":"cfd0555c-53eb-11ef-82ff-0242ac110005","interface_uid":"cfd05bd8-53eb-11ef-864c-0242ac110005","namespace_pid":25,"svc_name":"further compressed twisted","vlan_uid":"cfd06344-53eb-11ef-9b92-0242ac110005"},"status_id":2} {"message":"fur stake pickup","status":"Failure","total":87,"time":1723108823724670,"metadata":{"version":"1.1.0","extension":{"name":"reward furniture 
awful","version":"1.1.0","uid":"70fa28aa-5567-11ef-9e8c-0242ac110005"},"product":{"name":"nintendo une exist","version":"1.1.0","uid":"70fa3656-5567-11ef-8ec3-0242ac110005","url_string":"eq","vendor_name":"investors viral conscious"},"labels":["sage"],"profiles":[],"log_name":"form rising isolated","log_provider":"commerce relatives qualify","loggers":[{"name":"configure fetish advertise","device":{"name":"scanners storage illinois","type":"Laptop","os":{"name":"bolt photographers oman","type":"Windows","build":"acne toolbox architectural","type_id":100,"edition":"hired moscow antibodies"},"ip":"151.112.44.246","desc":"bg falling her","hostname":"transformation.mobi","type_id":3,"subnet":"244.6.140.0/24","instance_uid":"70fa8246-5567-11ef-93ce-0242ac110005","interface_name":"bulletin keith reporters","interface_uid":"70fa8c3c-5567-11ef-b329-0242ac110005","is_trusted":false,"modified_time":1723108823723078,"region":"pm memorabilia penalty","subnet_uid":"70fa532a-5567-11ef-b983-0242ac110005","vlan_uid":"70fa5a0a-5567-11ef-a39d-0242ac110005"},"product":{"name":"april visit maximum","version":"1.1.0","uid":"70fa9c0e-5567-11ef-92a1-0242ac110005","vendor_name":"equivalent all operating"},"uid":"70faa3ac-5567-11ef-9136-0242ac110005","log_name":"thee mining your","transmit_time":1723108823724148},{"name":"gallery prayers vcr","product":{"name":"positioning tier electrical","version":"1.1.0","uid":"70faafd2-5567-11ef-9ce0-0242ac110005","url_string":"english","vendor_name":"reservation connection shell"},"log_name":"suggested blake pendant","log_provider":"beautifully ae beauty"}],"original_time":"sheffield origins travesti","tenant_uid":"70fab7d4-5567-11ef-9fcd-0242ac110005"},"scan":{"name":"cooperation edge magnificent","type":"Unknown","uid":"70fac396-5567-11ef-a8a3-0242ac110005","type_id":0},"start_time":1723108823725300,"severity":"Unknown","duration":39,"type_name":"Scan Activity: Cancelled","activity_id":3,"type_uid":600703,"category_name":"Application 
Activity","class_uid":6007,"category_uid":6,"class_name":"Scan Activity","timezone_offset":51,"end_time":1723108823724649,"activity_name":"Cancelled","command_uid":"70f9ff4c-5567-11ef-96d3-0242ac110005","num_files":85,"num_network_items":45,"num_processes":12,"num_registry_items":21,"num_resolutions":0,"num_skipped_items":80,"num_trusted_items":47,"policy":{"name":"these wordpress cos","version":"1.1.0","uid":"70fad110-5567-11ef-a15f-0242ac110005"},"schedule_uid":"70f9f600-5567-11ef-9766-0242ac110005","severity_id":0,"status_code":"shape","status_id":2} {"actor":{"process":{"name":"Lightweight","pid":12,"file":{"attributes":83,"name":"hawk.wsf","owner":{"name":"Illegal","type":"System","domain":"shade variety cooper","uid":"ff702496-556b-11ef-9f4e-0242ac110005","type_id":3,"account":{"type":"AWS Account","uid":"ff702df6-556b-11ef-a8bb-0242ac110005","type_id":10},"email_addr":"Erick@invision.edu","uid_alt":"preceding psp cleared"},"type":"Character Device","modifier":{"name":"Hottest","type":"muscles","uid":"ff70411a-556b-11ef-9a1e-0242ac110005","type_id":99,"credential_uid":"ff7047d2-556b-11ef-966d-0242ac110005"},"desc":"playing motor literary","type_id":3,"accessor":{"name":"Golf","type":"died","uid":"ff70655a-556b-11ef-b23a-0242ac110005","type_id":99},"company_name":"Natalya Stormy"},"user":{"type":"brooklyn","uid":"ff707266-556b-11ef-8dd3-0242ac110005","org":{"name":"existence hypothetical audience","uid":"ff707b3a-556b-11ef-989b-0242ac110005","ou_name":"coupon tear compatibility","ou_uid":"ff7082c4-556b-11ef-8273-0242ac110005"},"type_id":99},"group":{"uid":"ff708c1a-556b-11ef-bea6-0242ac110005"},"tid":89,"uid":"ff709200-556b-11ef-a0bf-0242ac110005","cmd_line":"compression warner sapphire","container":{"name":"front myself techniques","size":3673925967,"uid":"ff70a01a-556b-11ef-98b5-0242ac110005","image":{"name":"stage trucks 
cw","uid":"ff70a8da-556b-11ef-9305-0242ac110005"},"hash":{"value":"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B","algorithm":"Unknown","algorithm_id":0}},"created_time":1723110780721040,"parent_process":{"name":"Unlimited","pid":90,"file":{"name":"vulnerability.cue","type":"Local Socket","path":"full jewellery adverse/hans.xml/vulnerability.cue","uid":"ff70c5f4-556b-11ef-8001-0242ac110005","type_id":5,"accessor":{"name":"Breakfast","type":"Admin","uid":"ff70d09e-556b-11ef-82b8-0242ac110005","type_id":2,"full_name":"Cora Marchelle","uid_alt":"lesbian dk media"},"creator":{"name":"Broker","type":"juice","uid":"ff70ec96-556b-11ef-a10b-0242ac110005","type_id":99,"account":{"name":"develops til flu","type":"AWS IAM Role","uid":"ff70fb96-556b-11ef-b127-0242ac110005","type_id":4}},"parent_folder":"full jewellery adverse/hans.xml","hashes":[{"value":"88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7","algorithm":"SHA-256","algorithm_id":3},{"value":"BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA","algorithm":"Unknown","algorithm_id":0}],"xattributes":{}},"user":{"name":"Skip","type":"Admin","uid":"ff710f1e-556b-11ef-bcc2-0242ac110005","type_id":2,"uid_alt":"those facility genetic"},"group":{"name":"overseas avoiding attendance","uid":"ff711932-556b-11ef-8a55-0242ac110005","privileges":["drop welsh munich","developer strange beat"]},"uid":"ff71249a-556b-11ef-b2a4-0242ac110005","cmd_line":"legally hacker please","container":{"name":"ant elegant ana","runtime":"routes peripheral operates","size":3971411004,"uid":"ff712e7c-556b-11ef-b4ec-0242ac110005","image":{"name":"shanghai listen subaru","path":"toxic declaration 
intended","uid":"ff7150be-556b-11ef-a7e8-0242ac110005"},"hash":{"value":"994BB86DD62F615473EE5D1D05C5A1D950D2F3C3","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723110780725334,"lineage":["viii define induced","starsmerchant interest city"],"namespace_pid":10,"parent_process":{"name":"Legs","pid":65,"file":{"attributes":62,"name":"figure.bin","type":"Local Socket","version":"1.1.0","type_id":5,"confidentiality":"outdoors archived regarding","hashes":[{"value":"AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE","algorithm":"SHA-512","algorithm_id":4}],"modified_time":1723110780725738,"security_descriptor":"thesaurus stories skirts","accessed_time_dt":"2024-08-08T09:53:00.725750Z"},"user":{"name":"Marvel","type":"tunnel","uid":"ff716e14-556b-11ef-9183-0242ac110005","type_id":99},"group":{"name":"challenges photoshop want","type":"spice shine latex","uid":"ff717f9e-556b-11ef-beff-0242ac110005"},"tid":45,"uid":"ff71866a-556b-11ef-8d91-0242ac110005","container":{"name":"richard amendments yorkshire","size":2733947088,"uid":"ff7191fa-556b-11ef-b991-0242ac110005","image":{"tag":"g tiffany advocacy","path":"scoring skill rush","uid":"ff719b1e-556b-11ef-8397-0242ac110005"},"hash":{"value":"8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83","algorithm":"quickXorHash","algorithm_id":7}},"integrity":"System","integrity_id":5,"namespace_pid":6,"parent_process":{"name":"Liability","pid":12,"file":{"name":"dress.pct","type":"Symbolic Link","path":"graphic easter hitting/celebration.xls/dress.pct","product":{"name":"relation resulting pride","version":"1.1.0","uid":"ff71b45a-556b-11ef-aee8-0242ac110005","lang":"en","vendor_name":"conversation gamespot myself"},"type_id":7,"accessor":{"name":"Nashville","type":"Admin","uid":"ff71c616-556b-11ef-89f0-0242ac110005","org":{"name":"steven harmony 
mediterranean","uid":"ff71cea4-556b-11ef-80aa-0242ac110005","ou_name":"beam transmit cook"},"type_id":2,"credential_uid":"ff71d5de-556b-11ef-bfb8-0242ac110005"},"parent_folder":"graphic easter hitting/celebration.xls","hashes":[{"value":"C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333","algorithm":"Unknown","algorithm_id":0}]},"tid":23,"uid":"ff71e204-556b-11ef-b426-0242ac110005","cmd_line":"sponsored contractor notion","container":{"size":1046580299,"uid":"ff71eb82-556b-11ef-855e-0242ac110005","hash":{"value":"175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A","algorithm":"TLSH","algorithm_id":6}},"created_time":1723110780729284,"namespace_pid":66,"parent_process":{"name":"Believed","pid":12,"file":{"attributes":44,"name":"autumn.mid","size":1791990748,"type":"Symbolic Link","path":"normally soviet packaging/acne.js/autumn.mid","type_id":7,"mime_type":"foto/congo","parent_folder":"normally soviet packaging/acne.js","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527","algorithm":"SHA-512","algorithm_id":4},{"value":"41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4","algorithm":"SHA-256","algorithm_id":3}],"accessed_time_dt":"2024-08-08T09:53:00.729741Z"},"user":{"name":"Aol","type":"Admin","uid":"ff7209d2-556b-11ef-859c-0242ac110005","type_id":2,"email_addr":"Claudia@destroyed.museum"},"group":{"name":"rivers kde impaired","uid":"ff7213f0-556b-11ef-afbe-0242ac110005"},"uid":"ff721b66-556b-11ef-a28e-0242ac110005","loaded_modules":["/ol/wr/trades/lucky/trusts.mp4"],"cmd_line":"cole playback contribute","container":{"name":"blackjack example page","size":2950957499,"tag":"lexmark sandwich 
determining","uid":"ff72291c-556b-11ef-9cb3-0242ac110005","image":{"name":"eight bow edges","uid":"ff7231f0-556b-11ef-af8b-0242ac110005","labels":["builders","guitars"]},"hash":{"value":"3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723110780731096,"namespace_pid":27,"parent_process":{"name":"Raising","pid":88,"file":{"attributes":10,"name":"spyware.dds","type":"Block Device","path":"protocol validity absence/luther.rm/spyware.dds","type_id":4,"mime_type":"institute/ivory","parent_folder":"protocol validity absence/luther.rm","confidentiality":"torture lawn fuel","hashes":[{"value":"298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14","algorithm":"SHA-512","algorithm_id":4},{"value":"E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"delta caution ncaa"},"user":{"name":"Ieee","type":"Unknown","domain":"numerical circuit charts","type_id":0},"group":{"name":"damaged cumulative applicable","domain":"highways phones introduces"},"uid":"ff72525c-556b-11ef-b49e-0242ac110005","cmd_line":"donation gaps according","container":{"name":"meant she least","tag":"commented attitude magazines","uid":"ff72b166-556b-11ef-af11-0242ac110005","image":{"name":"justify greeting 
attorney","uid":"ff72c4ee-556b-11ef-ae90-0242ac110005"},"hash":{"value":"23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723110780734859,"namespace_pid":56},"auid":91,"euid":25}},"terminated_time_dt":"2024-08-08T09:53:00.734879Z"},"terminated_time":1723110780734887,"auid":42,"euid":36},"created_time_dt":"2024-08-08T09:53:00.734894Z"},"user":{"type":"Unknown","uid":"ff72d2e0-556b-11ef-bbe1-0242ac110005","type_id":0,"credential_uid":"ff72de20-556b-11ef-a522-0242ac110005","uid_alt":"weights hobbies divorce"},"authorizations":[{},{}]},"activity_name":"Started","num_detections":89,"start_time":1723110780716472,"policy":{"name":"katie producing webcast","desc":"relevance lots trigger","uid":"ff6ff8fe-556b-11ef-874e-0242ac110005"},"category_uid":6,"class_name":"Scan Activity","num_skipped_items":59,"message":"tools motivated nightlife","api":{"request":{"uid":"ff6fddec-556b-11ef-a2d3-0242ac110005"},"group":{"name":"dividend consistency definitely","type":"posts vendors student","uid":"ff6feb8e-556b-11ef-8cd0-0242ac110005"},"response":{"error":"headquarters viii accurately","code":96,"data":"phenomenon","message":"definitely existing colleges","error_message":"unexpected amazon worm"},"operation":"cathedral participate wrapping"},"scan":{"name":"caribbean operate detected","type":"Updated Content","uid":"ff6fd18a-556b-11ef-887c-0242ac110005","type_id":3},"severity_id":6,"time":1723110780715169,"type_name":"Scan Activity: Started","num_files":43,"device":{"name":"cams witnesses summary","type":"Unknown","domain":"a licensed facility","ip":"175.16.199.0","location":{"desc":"Falkland Islands (Malvinas)","city":"Messaging management","country":"FK","coordinates":[170.507,-62.7832],"continent":"South America"},"hostname":"active.jobs","uid":"ff6f8cca-556b-11ef-9bc0-0242ac110005","type_id":0,"subnet":"28.0.0.0/8","container":{"name":"related 
understanding tricks","size":3329432332,"uid":"ff6fafac-556b-11ef-9f24-0242ac110005","image":{"name":"items discharge whale","uid":"ff6fbc7c-556b-11ef-9149-0242ac110005"},"hash":{"value":"788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2","algorithm":"magic","algorithm_id":99}},"interface_uid":"ff6fc604-556b-11ef-a921-0242ac110005","last_seen_time":1723110780713330,"modified_time":1723110780713347,"namespace_pid":13,"region":"patricia link controversy","risk_level":"ratios capable administrator","uid_alt":"scientific addition power","vpc_uid":"ff6f7bea-556b-11ef-99b2-0242ac110005","zone":"districts fit connector","modified_time_dt":"2024-08-08T09:53:00.713297Z","first_seen_time_dt":"2024-08-08T09:53:00.713342Z"},"end_time":1723110780712791,"num_folders":37,"timezone_offset":20,"metadata":{"version":"1.1.0","product":{"name":"hospitality fabric loop","version":"1.1.0","uid":"ff6f5962-556b-11ef-9975-0242ac110005","vendor_name":"hindu carlo achieve"},"uid":"ff6f607e-556b-11ef-b5f9-0242ac110005","log_level":"entities staying supplemental","profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"brother lord wyoming","log_provider":"diana alternate finals","original_time":"negotiations hardwood avg","tenant_uid":"ff6f6844-556b-11ef-8efe-0242ac110005","logged_time_dt":"2024-08-08T09:53:00.712767Z"},"duration":0,"command_uid":"ff6f480a-556b-11ef-93ac-0242ac110005","status":"synthesis","num_resolutions":19,"activity_id":1,"total":63,"num_processes":41,"num_network_items":71,"class_uid":6007,"cloud":{"org":{"name":"serving invest coating","uid":"ff6f0be2-556b-11ef-9b41-0242ac110005","ou_name":"caroline au dos"},"account":{"name":"houston indexes puerto","type":"Apple Account","uid":"ff6f370c-556b-11ef-a592-0242ac110005","type_id":8},"project_uid":"ff6f3f0e-556b-11ef-913f-0242ac110005","provider":"greensboro gallery reporting","region":"consistency alert 
titten"},"type_uid":600701,"num_trusted_items":36,"severity":"Fatal","category_name":"Application Activity","status_id":99} +{"message":"epa stanley speech","status":"Unknown","time":1723114384287674,"file":{"name":"ate.cue","type":"Folder","version":"1.1.0","path":"wiki optimization counter/prohibited.ai/ate.cue","signature":{"certificate":{"version":"1.1.0","subject":"advised chess egyptian","issuer":"warning cute armor","fingerprints":[{"value":"367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03","algorithm":"SHA-512","algorithm_id":4},{"value":"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9","algorithm":"CTPH","algorithm_id":5}],"created_time":1723114384273661,"expiration_time":1723114384273675,"serial_number":"qld undergraduate cowboy","created_time_dt":"2024-08-08T10:53:04.273685Z"},"algorithm":"Unknown","algorithm_id":0,"created_time":1723114384273699},"modifier":{"name":"Scenic","type":"User","uid":"63533b6c-5574-11ef-bfed-0242ac110005","type_id":1,"account":{"name":"interactions minister lamps","type":"Windows Account","uid":"635347c4-5574-11ef-a25d-0242ac110005","type_id":2},"credential_uid":"63534eea-5574-11ef-8a7c-0242ac110005","ldap_person":{"created_time":1723114384275284,"email_addrs":["Leonida@consoles.gov"],"given_name":"routines identical brunswick","hire_time":1723114384275320,"job_title":"voted awareness pt","modified_time":1723114384275329,"leave_time_dt":"2024-08-08T10:53:04.275331Z"}},"type_id":2,"parent_folder":"wiki optimization 
counter/prohibited.ai","hashes":[{"value":"F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8","algorithm":"TLSH","algorithm_id":6},{"value":"4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984","algorithm":"SHA-256","algorithm_id":3}]},"metadata":{"version":"1.1.0","product":{"name":"cooling florist anna","version":"1.1.0","path":"avoid meeting appear","uid":"63545eac-5574-11ef-8bb1-0242ac110005","vendor_name":"buying fa joel"},"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"correlation_uid":"635472c0-5574-11ef-8c5d-0242ac110005","event_code":"sessions","log_name":"standing band submission","logged_time":1723114384282107,"original_time":"sum shipped decreased"},"severity":"Low","type_name":"File Hosting Activity: Move","activity_id":7,"type_uid":600607,"observables":[{"name":"affiliated fuji ralph","type":"Hostname","type_id":1},{"name":"sponsored fw illustrated","type":"Hostname","type_id":1}],"category_name":"Application Activity","class_uid":6006,"category_uid":6,"class_name":"File Hosting Activity","timezone_offset":56,"activity_name":"Move","actor":{"process":{"name":"Eden","pid":95,"file":{"attributes":91,"name":"physician.asf","type":"Regular File","path":"donors replied magazine/elder.accdb/physician.asf","modifier":{"name":"Dimensional","type":"System","domain":"beneficial az attraction","uid":"63556d6a-5574-11ef-ac26-0242ac110005","type_id":3,"email_addr":"Lura@consolidated.mil"},"desc":"xp endif record","type_id":1,"creator":{"name":"Resource","type":"System","uid":"6355ab18-5574-11ef-bc66-0242ac110005","type_id":3,"full_name":"Melodee Norma","email_addr":"Blaine@highlight.pro"},"mime_type":"incl/johnston","parent_folder":"donors replied 
magazine/elder.accdb","hashes":[{"value":"28E532D56B18548CC0B68A63311D2DCD2D258B2F","algorithm":"SHA-1","algorithm_id":2},{"value":"695BF60E03F83A36699AF46519E8E584","algorithm":"MD5","algorithm_id":1}],"xattributes":{}},"user":{"type":"Unknown","domain":"random john findlaw","groups":[{"name":"rural legislature built","type":"harm slovakia tone","uid":"6355ca8a-5574-11ef-8efb-0242ac110005","privileges":["clearing transfer worthy","jim pdas remind"]},{"domain":"seeing dynamics qualified","uid":"6355d2aa-5574-11ef-8276-0242ac110005"}],"type_id":0,"full_name":"Alexander Helena","credential_uid":"6355da02-5574-11ef-89ed-0242ac110005","uid_alt":"providing arms servers"},"group":{"name":"manage livestock tribes","domain":"problem choosing reform","uid":"6355e5e2-5574-11ef-b983-0242ac110005"},"uid":"6355ece0-5574-11ef-9b58-0242ac110005","loaded_modules":["/sic/measurement/morrison/routing/classroom.class","/projector/dare/dt/fancy/governance.wma"],"cmd_line":"syndication traveler charges","container":{"name":"slim rehabilitation nest","size":2119671744,"uid":"63560cca-5574-11ef-8db7-0242ac110005","image":{"name":"technician rogers federal","tag":"pub flexible interface","uid":"63561756-5574-11ef-85d8-0242ac110005","labels":["pants","firewall"]},"hash":{"value":"10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723114384292928,"integrity":"cr darwin wearing","namespace_pid":27,"parent_process":{"name":"Outreach","pid":24,"session":{"uid":"63562c6e-5574-11ef-a07c-0242ac110005","uuid":"635632b8-5574-11ef-8dc9-0242ac110005","issuer":"watt ips cash","created_time":1723114384293568,"expiration_time":1723114384293578,"is_remote":false,"expiration_time_dt":"2024-08-08T10:53:04.293582Z"},"file":{"attributes":91,"name":"engineers.png","type":"Character Device","path":"judgment entering 
hydrocodone/sharp.uue/engineers.png","type_id":3,"accessor":{"type":"republican","uid":"6356478a-5574-11ef-bd16-0242ac110005","type_id":99,"email_addr":"Sunni@holders.jobs"},"parent_folder":"judgment entering hydrocodone/sharp.uue"},"user":{"type":"User","domain":"shortly payments endorsement","uid":"6356532e-5574-11ef-a4a6-0242ac110005","type_id":1,"uid_alt":"mysql syria beaches"},"group":{"type":"savannah weapon canon","desc":"rogers eco outlets","uid":"63565dba-5574-11ef-80bf-0242ac110005"},"uid":"635663a0-5574-11ef-b2fa-0242ac110005","cmd_line":"asks eight printed","container":{"name":"te beginners geology","size":1467240565,"uid":"63567160-5574-11ef-a13e-0242ac110005","image":{"name":"abu collectables clinical","uid":"63567a16-5574-11ef-8843-0242ac110005"},"hash":{"value":"D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959","algorithm":"SHA-256","algorithm_id":3}},"created_time":1723114384295435,"integrity":"eternal reservation which","namespace_pid":73,"parent_process":{"name":"Hung","pid":85,"user":{"name":"Paint","type":"creative","uid":"63568cfe-5574-11ef-9336-0242ac110005","type_id":99,"full_name":"Gussie Leila","email_addr":"Claire@longitude.arpa"},"group":{"name":"prince enhance terrain","desc":"dual yacht replace","uid":"635698ac-5574-11ef-a457-0242ac110005"},"cmd_line":"tools aluminium combinations","container":{"name":"diving invited scoring","runtime":"louise demanding pontiac","size":3349958052,"tag":"witness indicators oral","uid":"6356a234-5574-11ef-a31f-0242ac110005","image":{"name":"bag belief such","uid":"6356aaae-5574-11ef-80e9-0242ac110005","labels":["memorabilia","producers"]},"hash":{"value":"5EF93A057B5E36A7F6F0880E87F5CF4B","algorithm":"MD5","algorithm_id":1},"pod_uuid":"pp"},"created_time":1723114384296685,"namespace_pid":42,"parent_process":{"name":"Dead","pid":15,"file":{"name":"creations.ico","owner":{"name":"Answer","uid":"6356c534-5574-11ef-9ab7-0242ac110005","full_name":"Henry Tonja"},"type":"ti","path":"defining 
inch factors/ist.mpa/creations.ico","product":{"name":"amateur bristol cuba","version":"1.1.0","uid":"6356cfa2-5574-11ef-a798-0242ac110005","vendor_name":"gentleman quit confirm"},"type_id":99,"parent_folder":"defining inch factors/ist.mpa","created_time":1723114384297596,"hashes":[{"value":"0976ABA0D430405622A00981BC58C6F16D2A40F1","algorithm":"SHA-1","algorithm_id":2},{"value":"36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088","algorithm":"SHA-512","algorithm_id":4}],"accessed_time_dt":"2024-08-08T10:53:04.297651Z","created_time_dt":"2024-08-08T10:53:04.297659Z"},"user":{"name":"Theatre","type":"Admin","uid":"6356e906-5574-11ef-bcbc-0242ac110005","type_id":2},"tid":82,"uid":"6356ef50-5574-11ef-9f3f-0242ac110005","cmd_line":"capable homepage reject","container":{"name":"slovenia anybody colors","runtime":"organic worked yn","size":420397581,"uid":"6356f91e-5574-11ef-ae76-0242ac110005","image":{"name":"sao naked toddler","uid":"635701a2-5574-11ef-bc46-0242ac110005","labels":["toolbox","taught"]},"hash":{"value":"E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294","algorithm":"quickXorHash","algorithm_id":7},"pod_uuid":"arranged"},"created_time":1723114384298907,"integrity":"System","integrity_id":5,"namespace_pid":34,"parent_process":{"name":"Whilst","pid":51,"file":{"name":"sitting.bmp","owner":{"name":"Excessive","type":"System","domain":"harmony served deadly","uid":"63572f2e-5574-11ef-80bc-0242ac110005","groups":[{"name":"recruiting member combine","uid":"635738e8-5574-11ef-b1ba-0242ac110005"}],"type_id":3,"full_name":"Mistie Belkis","account":{"type":"Mac OS Account","uid":"6357423e-5574-11ef-bd28-0242ac110005","type_id":7}},"type":"Local Socket","path":"everything packaging 
fears/sat.crdownload/sitting.bmp","uid":"635748e2-5574-11ef-9899-0242ac110005","type_id":5,"creator":{"name":"Health","type":"User","domain":"cabinet satisfaction excitement","uid":"635752c4-5574-11ef-9816-0242ac110005","type_id":1,"full_name":"Lauralee Thomasine","ldap_person":{"location":{"desc":"Serbia, Republic of","city":"Princeton judy","country":"RS","coordinates":[-170.2881,-62.2248],"continent":"Europe"},"ldap_dn":"roy noticed vertical","surname":"tract olympus editor","created_time_dt":"2024-08-08T10:53:04.301134Z"}},"parent_folder":"everything packaging fears/sat.crdownload","accessed_time":1723114384301146,"hashes":[{"value":"D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B","algorithm":"Unknown","algorithm_id":0}],"is_system":false,"modified_time":1723114384301182,"xattributes":{}},"user":{"name":"Pavilion","type":"Unknown","uid":"63576804-5574-11ef-9ed9-0242ac110005","type_id":0,"credential_uid":"63576e4e-5574-11ef-85ed-0242ac110005"},"group":{"name":"sale point solutions","uid":"6357784e-5574-11ef-9c0c-0242ac110005"},"tid":93,"uid":"63577e16-5574-11ef-8086-0242ac110005","cmd_line":"consists posters menus","container":{"name":"loving revealed remarkable","size":2152153573,"uid":"6357871c-5574-11ef-9b53-0242ac110005","image":{"name":"lots time boolean","uid":"63578f78-5574-11ef-83eb-0242ac110005"},"hash":{"value":"EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97","algorithm":"CTPH","algorithm_id":5},"orchestrator":"board luis adopted"},"created_time":1723114384302534,"parent_process":{"pid":93,"session":{"uid":"6357a396-5574-11ef-8ef4-0242ac110005","issuer":"demonstration holmes california","created_time":1723114384303010,"is_mfa":true,"is_remote":false},"file":{"name":"kerry.sdf","type":"terrorist","path":"pre memo parish/bibliographic.db/kerry.sdf","product":{"name":"forum activists 
cancelled","version":"1.1.0","uid":"6357b6b0-5574-11ef-9715-0242ac110005","cpe_name":"realty contributions melissa","vendor_name":"actress mess enjoyed"},"modifier":{"name":"Criterion","type":"System","domain":"theology suzuki inn","uid":"6357d28a-5574-11ef-b53e-0242ac110005","groups":[{"name":"meanwhile vid contributed"},{"name":"difference white sensors","type":"chef laos flat","desc":"undertake carried ones","uid":"6357dc9e-5574-11ef-a420-0242ac110005"}],"type_id":3,"account":{"name":"fans car enable","type":"Linux Account","type_id":9},"credential_uid":"6357e5f4-5574-11ef-8af6-0242ac110005","uid_alt":"repair trains victim"},"type_id":99,"creator":{"name":"Filme","type":"Unknown","uid":"6357f01c-5574-11ef-9c74-0242ac110005","type_id":0},"mime_type":"architecture/hall","parent_folder":"pre memo parish/bibliographic.db","hashes":[{"value":"35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB","algorithm":"TLSH","algorithm_id":6},{"value":"BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB","algorithm":"CTPH","algorithm_id":5}],"security_descriptor":"volvo workflow pros"},"group":{"name":"mad integrity assessment","type":"glossary scotia pete","uid":"63580af2-5574-11ef-88eb-0242ac110005"},"uid":"63581182-5574-11ef-aeb6-0242ac110005","cmd_line":"mentor dust attending","container":{"name":"drill modern difference","size":3636193350,"uid":"63597a54-5574-11ef-acbb-0242ac110005","image":{"name":"hanging assume mill","uid":"63599c96-5574-11ef-8abe-0242ac110005"},"hash":{"value":"90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529","algorithm":"TLSH","algorithm_id":6}},"created_time":1723114384316151,"integrity":"delivering shaved mexico","namespace_pid":49,"parent_process":{"name":"Ft","pid":85,"file":{"name":"venice.pct","type":"Character 
Device","path":"proper unified cingular/outsourcing.cs/venice.pct","product":{"version":"1.1.0","vendor_name":"staying attachment med"},"desc":"advantage profit fall","type_id":3,"accessor":{"name":"Arlington","type":"Admin","uid":"635a477c-5574-11ef-8dd3-0242ac110005","type_id":2,"credential_uid":"635a4f2e-5574-11ef-b0c1-0242ac110005"},"parent_folder":"proper unified cingular/outsourcing.cs","accessed_time":1723114384320502,"created_time":1723114384320518,"hashes":[{"value":"5B54C0A045F179BCBBBC9ABCB8B5CD4C","algorithm":"MD5","algorithm_id":1},{"value":"B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91","algorithm":"magic","algorithm_id":99}],"modified_time_dt":"2024-08-08T10:53:04.320622Z"},"uid":"635a5c26-5574-11ef-8945-0242ac110005","cmd_line":"cup rights charger","container":{"name":"answers camera televisions","size":560452224,"uid":"635a7206-5574-11ef-b9d6-0242ac110005","image":{"uid":"635a8282-5574-11ef-8212-0242ac110005"},"hash":{"value":"FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828","algorithm":"quickXorHash","algorithm_id":7}},"created_time":1723114384322300,"namespace_pid":14,"parent_process":{"pid":1,"file":{"attributes":8,"name":"stop.rom","size":184463636,"type":"Folder","path":"qc stunning upcoming/freelance.b/stop.rom","type_id":2,"creator":{"name":"Televisions","type":"restaurant","uid":"635ab20c-5574-11ef-8a49-0242ac110005","type_id":99,"ldap_person":{"modified_time":1723114384328321,"created_time_dt":"2024-08-08T10:53:04.328333Z"}},"parent_folder":"qc stunning upcoming/freelance.b","accessed_time":1723114384328345,"confidentiality":"dare assembly conflicts","hashes":[{"value":"D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8","algorithm":"SHA-1","algorithm_id":2},{"value":"A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4","algorithm":"SHA-256","algorithm_id":3}],"security_descriptor":"streets teacher 
movie","accessed_time_dt":"2024-08-08T10:53:04.328434Z","modified_time_dt":"2024-08-08T10:53:04.328440Z"},"user":{"name":"Fountain","type":"Admin","uid":"635b94ec-5574-11ef-90e7-0242ac110005","type_id":2},"group":{"name":"lang drivers mood","uid":"635baaf4-5574-11ef-8c3f-0242ac110005"},"uid":"635bb51c-5574-11ef-96c1-0242ac110005","cmd_line":"assignment position expression","container":{"name":"ink bio mileage","runtime":"effort des lu","size":1841031275,"uid":"635bd29a-5574-11ef-a523-0242ac110005","image":{"name":"junction naval insulation","tag":"watches wellington muscle","uid":"635c0198-5574-11ef-ba77-0242ac110005"},"hash":{"value":"FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD","algorithm":"CTPH","algorithm_id":5},"pod_uuid":"nuclear"},"created_time":1723114384332144,"integrity":"Low","integrity_id":2,"namespace_pid":91,"parent_process":{"name":"Surprise","pid":46,"file":{"name":"settled.exe","type":"Local Socket","version":"1.1.0","path":"justin jm kenya/acknowledged.cgi/settled.exe","signature":{"certificate":{"version":"1.1.0","uid":"635c43c4-5574-11ef-a8eb-0242ac110005","subject":"pets documentary mutual","issuer":"rounds eds contests","fingerprints":[{"value":"4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115","algorithm":"quickXorHash","algorithm_id":7}],"created_time":1723114384334572,"expiration_time":1723114384334590,"serial_number":"anything repair rank","expiration_time_dt":"2024-08-08T10:53:04.334601Z"},"algorithm":"ECDSA","algorithm_id":3,"developer_uid":"635c7e16-5574-11ef-b814-0242ac110005"},"type_id":5,"accessor":{"name":"Contents","type":"Unknown","domain":"weighted organize jim","uid":"635cc204-5574-11ef-85ce-0242ac110005","type_id":0},"creator":{"name":"Heel","type":"System","uid":"635ce108-5574-11ef-b897-0242ac110005","type_id":3,"account":{"name":"discs sure enclosed","type":"AWS 
IAM Role","uid":"635d0a66-5574-11ef-bcd7-0242ac110005","type_id":4},"uid_alt":"rapidly specification instructional"},"parent_folder":"justin jm kenya/acknowledged.cgi","created_time":1723114384339821,"hashes":[{"value":"E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE","algorithm":"Unknown","algorithm_id":0},{"value":"3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4","algorithm":"quickXorHash","algorithm_id":7}],"modified_time":1723114384340026,"xattributes":{},"accessed_time_dt":"2024-08-08T10:53:04.340128Z","created_time_dt":"2024-08-08T10:53:04.340139Z"},"user":{"type":"Unknown","uid":"635d5bd8-5574-11ef-a7e3-0242ac110005","type_id":0,"uid_alt":"charging build burning"},"group":{"name":"pendant alike china","domain":"remove ix couple","uid":"635d7852-5574-11ef-8eaa-0242ac110005","privileges":["verbal spokesman stuart","audio mozambique mae"]},"uid":"635d7fa0-5574-11ef-9af0-0242ac110005","loaded_modules":["/desert/arch/conditional/mas/zinc.cgi","/direct/appendix/stated/partition/awareness.gam"],"cmd_line":"masters treatments custody","container":{"name":"ate worth powerpoint","runtime":"society mem dependence","size":175725837,"uid":"635d91e8-5574-11ef-bfc1-0242ac110005","image":{"name":"bring president swap","uid":"635dba88-5574-11ef-a7d2-0242ac110005"},"hash":{"value":"7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74","algorithm":"CTPH","algorithm_id":5},"network_driver":"crawford invitation pierce","orchestrator":"differences lycos cut"},"created_time":1723114384343050,"namespace_pid":17,"parent_process":{"name":"During","pid":22,"file":{"name":"earnings.otf","owner":{"name":"Tissue","type":"User","uid":"635ddb94-5574-11ef-ab3f-0242ac110005","org":{"name":"whom demand thereof","ou_name":"weighted fundraising 
drainage"},"type_id":1},"type":"Regular File","path":"commons employ nickel/humanity.swf/earnings.otf","type_id":1,"company_name":"Abby Cyrus","parent_folder":"commons employ nickel/humanity.swf","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"EE1150845FA3041CEB3A3FCDBE42D68A","algorithm":"MD5","algorithm_id":1},{"value":"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false,"security_descriptor":"correctly screenshots reached","created_time_dt":"2024-08-08T10:53:04.344543Z","modified_time_dt":"2024-08-08T10:53:04.344556Z"},"user":{"name":"Greenhouse","uid":"635e09a2-5574-11ef-8b02-0242ac110005","uid_alt":"nu tiny challenging"},"group":{"name":"function bought terrace","desc":"oo phase relocation","uid":"635e1960-5574-11ef-bc86-0242ac110005"},"uid":"635e1f5a-5574-11ef-aad7-0242ac110005","cmd_line":"macedonia reid wanna","container":{"name":"dry age their","size":1634165265,"tag":"revised bytes swingers","uid":"635e290a-5574-11ef-8290-0242ac110005","image":{"tag":"developer characterized chelsea","uid":"635e31d4-5574-11ef-8b11-0242ac110005"},"hash":{"value":"D5F2E5C77054C44C2C72A1B017DECA06FC637C99","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723114384346014,"parent_process":{"name":"Door","pid":15,"file":{"attributes":27,"name":"modification.php","type":"Regular File","path":"monkey refused genesis/pictures.cs/modification.php","type_id":1,"parent_folder":"monkey refused genesis/pictures.cs","confidentiality":"Not Confidential","confidentiality_id":1},"user":{"name":"Roller","type":"System","uid":"635e6e38-5574-11ef-9132-0242ac110005","type_id":3},"group":{"name":"dogs republic occurrence","type":"headers brunei ontario","uid":"635e79b4-5574-11ef-b9e2-0242ac110005","privileges":["later conversion foreign","shadows phpbb ate"]},"uid":"635e817a-5574-11ef-850e-0242ac110005","cmd_line":"rides vids 
label","container":{"name":"car ericsson vary","size":2909077433,"tag":"apparent philadelphia southern","uid":"635eaa7e-5574-11ef-99fc-0242ac110005","image":{"name":"carolina bio conversion","uid":"635eb3a2-5574-11ef-8a60-0242ac110005"},"hash":{"value":"62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407","algorithm":"SHA-256","algorithm_id":3},"orchestrator":"wto murray posted","pod_uuid":"designed"},"created_time":1723114384349350,"integrity":"ag disagree anymore","namespace_pid":5,"parent_process":{"name":"Lm","pid":58,"file":{"name":"closing.3ds","size":2333859778,"type":"Block Device","path":"newsletter tulsa locale/wait.cab/closing.3ds","signature":{"certificate":{"version":"1.1.0","subject":"durham sitting hiv","issuer":"eq designers loc","fingerprints":[{"value":"B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10","algorithm":"TLSH","algorithm_id":6},{"value":"8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99","algorithm":"quickXorHash","algorithm_id":7}],"expiration_time":1723114384349769,"serial_number":"field geek theater"},"algorithm":"RSA","algorithm_id":2},"uid":"635ed24c-5574-11ef-9b19-0242ac110005","type_id":4,"mime_type":"radio/minolta","parent_folder":"newsletter tulsa locale/wait.cab","hashes":[{"value":"65BD10756687E64C347423BA3836F065","algorithm":"MD5","algorithm_id":1},{"value":"B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495","algorithm":"SHA-256","algorithm_id":3}],"modified_time":1723114384350131,"security_descriptor":"went stick curious","xattributes":{}},"user":{"name":"Gossip","type":"System","uid":"635ee0e8-5574-11ef-ac61-0242ac110005","type_id":3,"credential_uid":"635ee75a-5574-11ef-ac0c-0242ac110005"},"group":{"name":"alcohol surprise http","desc":"wales if 
adams","uid":"635ef114-5574-11ef-8c2b-0242ac110005"},"uid":"635ef6dc-5574-11ef-a3ad-0242ac110005","cmd_line":"statutes columnists commerce","container":{"name":"thomson multi reliable","size":22516444,"uid":"635f000a-5574-11ef-bd88-0242ac110005","image":{"name":"procedures later palestinian","uid":"635f0898-5574-11ef-a44a-0242ac110005"},"hash":{"value":"B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09","algorithm":"TLSH","algorithm_id":6},"orchestrator":"teens motion deaths"},"created_time":1723114384351625,"namespace_pid":7,"parent_process":{"name":"Gen","pid":86,"file":{"name":"offered.avi","type":"Folder","path":"sports amp assess/explosion.sln/offered.avi","type_id":2,"parent_folder":"sports amp assess/explosion.sln","accessed_time":1723114384352980,"security_descriptor":"salmon sister tucson"},"user":{"name":"Rest","type":"Unknown","uid":"635f51c2-5574-11ef-bad8-0242ac110005","type_id":0},"group":{"name":"produces consequence selling","uid":"635f5d02-5574-11ef-be03-0242ac110005","privileges":["seasonal railroad already"]},"uid":"635f63d8-5574-11ef-8afe-0242ac110005","cmd_line":"reflects champion naughty","container":{"name":"inquire justice risks","runtime":"fragrance instances sun","size":574926482,"uid":"635f7e18-5574-11ef-84ec-0242ac110005","image":{"name":"packs auction technical","uid":"635f891c-5574-11ef-9147-0242ac110005"}},"created_time":1723114384354756,"integrity":"deutsche what indians","lineage":["lying advertisements renew","buf prescribed puerto"],"namespace_pid":80,"parent_process":{"name":"Blogger","pid":77,"user":{"name":"Lenses","type":"dairy","uid":"635f9c7c-5574-11ef-b4d1-0242ac110005","type_id":99,"uid_alt":"penalty spray weight"},"uid":"635fa406-5574-11ef-809b-0242ac110005","cmd_line":"information propecia md","lineage":["trees saving alias","ssl september 
rack"],"namespace_pid":50,"parent_process":{"name":"Defense","pid":15,"file":{"attributes":31,"name":"lotus.pkg","type":"Local Socket","path":"seem party existence/buried.3dm/lotus.pkg","type_id":5,"parent_folder":"seem party existence/buried.3dm","confidentiality":"belief hard romania","created_time":1723114384355919,"hashes":[{"value":"921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF","algorithm":"CTPH","algorithm_id":5},{"value":"E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA","algorithm":"quickXorHash","algorithm_id":7}],"is_system":true,"accessed_time_dt":"2024-08-08T10:53:04.355980Z"},"user":{"name":"Blogs","type":"novel","uid":"635fca94-5574-11ef-82f0-0242ac110005","groups":[{"type":"buyer spirit webcam","uid":"635fd57a-5574-11ef-84bc-0242ac110005"},{"name":"cooperation meditation memo","desc":"discretion fantastic tactics","uid":"635fe13c-5574-11ef-85a3-0242ac110005"}],"type_id":99,"credential_uid":"635fe862-5574-11ef-ba0c-0242ac110005","ldap_person":{"email_addrs":["Kimberley@sip.int"],"leave_time":1723114384357313,"modified_time_dt":"2024-08-08T10:53:04.357320Z"}},"group":{"name":"care viii external","type":"right crowd crops","desc":"appointed opponent written","uid":"635ff8a2-5574-11ef-af7e-0242ac110005"},"tid":26,"uid":"635ffed8-5574-11ef-b0fd-0242ac110005","cmd_line":"gamecube forbes described","container":{"name":"homes commonwealth recall","size":3538073681,"uid":"63600950-5574-11ef-aae8-0242ac110005","image":{"name":"jersey elected projector","tag":"members breathing powers","path":"trades mess wishlist","uid":"6360136e-5574-11ef-8aec-0242ac110005"}},"created_time":1723114384358291,"integrity":"High","integrity_id":4,"namespace_pid":6,"parent_process":{"pid":31,"file":{"name":"patches.tar","type":"Unknown","path":"throws additions 
myspace/jackets.b/patches.tar","signature":{"certificate":{"version":"1.1.0","subject":"donate tons media","issuer":"italic hamburg judges","fingerprints":[{"value":"F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543","algorithm":"CTPH","algorithm_id":5}],"created_time":1723114384358869,"expiration_time":1723114384358874,"serial_number":"fell lab weddings"},"algorithm":"DSA","algorithm_id":1,"developer_uid":"63603196-5574-11ef-ac47-0242ac110005"},"uid":"636040d2-5574-11ef-965c-0242ac110005","type_id":0,"parent_folder":"throws additions myspace/jackets.b","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21","algorithm":"SHA-512","algorithm_id":4},{"value":"6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8","algorithm":"quickXorHash","algorithm_id":7}],"modified_time_dt":"2024-08-08T10:53:04.359528Z"},"group":{"name":"recommends pollution humans","uid":"63604e4c-5574-11ef-9f32-0242ac110005"},"uid":"636054f0-5574-11ef-8588-0242ac110005","cmd_line":"swingers centers burke","container":{"name":"heather troubleshooting considerable","size":119356271,"image":{"name":"listing hardwood defined","uid":"636066de-5574-11ef-9bc9-0242ac110005"},"hash":{"value":"F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"australian future sponsor"},"created_time":1723114384360489,"lineage":["seeds spouse noble","lifestyle fault floors"],"namespace_pid":18,"parent_process":{"pid":42,"file":{"name":"implemented.rom","type":"Unknown","path":"calcium amateur 
harmony/ltd.toast/implemented.rom","modifier":{"type":"Admin","uid":"6360b08a-5574-11ef-ae8e-0242ac110005","type_id":2,"ldap_person":{"location":{"desc":"Croatia, Republic of","city":"Regulations technician","country":"HR","coordinates":[-57.4552,63.8901],"continent":"Europe"},"cost_center":"verify nut levels","ldap_cn":"racing morgan volt","ldap_dn":"census doors though","modified_time_dt":"2024-08-08T10:53:04.363022Z"}},"type_id":0,"creator":{"name":"With","type":"Unknown","domain":"adjustment container harris","uid":"6360d920-5574-11ef-a83a-0242ac110005","type_id":0,"account":{"name":"europe eating mailing","type":"Linux Account","uid":"6360e442-5574-11ef-9167-0242ac110005","type_id":9}},"parent_folder":"calcium amateur harmony/ltd.toast","hashes":[{"value":"19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661","algorithm":"SHA-256","algorithm_id":3},{"value":"652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F","algorithm":"SHA-256","algorithm_id":3}],"modified_time_dt":"2024-08-08T10:53:04.363717Z"},"user":{"name":"Satisfaction","type":"System","uid":"6360f752-5574-11ef-a1db-0242ac110005","type_id":3,"account":{"type":"LDAP Account","uid":"636119d0-5574-11ef-a86d-0242ac110005","type_id":1},"credential_uid":"6361204c-5574-11ef-8854-0242ac110005"},"group":{"name":"flags gang blow","desc":"mistakes prediction toy","uid":"63612c22-5574-11ef-800b-0242ac110005","privileges":["joining boots aw","gang robust transport"]},"uid":"636132c6-5574-11ef-83af-0242ac110005","cmd_line":"psp bush feet","container":{"name":"obligation catalyst concentrations","runtime":"tex strings mounted","size":1952448709,"uid":"63613c44-5574-11ef-bd50-0242ac110005","image":{"name":"rate ben 
fish","uid":"63614568-5574-11ef-bf7a-0242ac110005"},"hash":{"value":"43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3","algorithm":"magic","algorithm_id":99}},"created_time":1723114384366178,"namespace_pid":17,"parent_process":{"name":"Versions","pid":16,"session":{"uid":"6361567a-5574-11ef-b26b-0242ac110005","issuer":"level boc morrison","created_time":1723114384366575,"credential_uid":"63615e22-5574-11ef-b196-0242ac110005","is_remote":false},"file":{"name":"python.bin","owner":{"name":"Yoga","type":"Admin","type_id":2},"type":"afghanistan","path":"variable their precipitation/moving.sql/python.bin","signature":{"certificate":{"version":"1.1.0","subject":"x tide described","issuer":"equations different edward","fingerprints":[{"value":"90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00","algorithm":"TLSH","algorithm_id":6}],"created_time":1723114384368646,"expiration_time":1723114384368652,"serial_number":"ultimate nervous george"},"algorithm":"Authenticode","algorithm_id":4},"type_id":99,"accessor":{"name":"Jd","type":"deviant","domain":"elizabeth cheapest solution","uid":"6361bec6-5574-11ef-81b5-0242ac110005","type_id":99},"mime_type":"personnel/bids","parent_folder":"variable their precipitation/moving.sql","hashes":[{"value":"2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3","algorithm":"CTPH","algorithm_id":5}]},"user":{"name":"Spring","type":"nu","uid":"6361cccc-5574-11ef-994f-0242ac110005","org":{"name":"watts desktop hong","uid":"6361d546-5574-11ef-b2b3-0242ac110005"},"type_id":99,"account":{"name":"bd atom berkeley","type":"Apple Account","uid":"6361dec4-5574-11ef-80de-0242ac110005","type_id":8},"email_addr":"Kristin@tion.net"},"group":{"name":"academics secondary simon","uid":"6361ef22-5574-11ef-8892-0242ac110005"},"uid":"6361f634-5574-11ef-87d8-0242ac110005","cmd_line":"distances 
participating maintenance","container":{"name":"waste counties homepage","size":3565502421,"uid":"63620160-5574-11ef-b37a-0242ac110005","image":{"name":"apt lp screen","path":"gulf brian arrow","uid":"63620bec-5574-11ef-8f30-0242ac110005"},"network_driver":"ks field roger","pod_uuid":"breathing"},"created_time":1723114384371224,"namespace_pid":72,"parent_process":{"name":"Definitely","pid":14,"file":{"attributes":39,"name":"wing.crdownload","type":"Folder","path":"regularly drivers sacred/rational.fla/wing.crdownload","product":{"name":"cr fat generators","version":"1.1.0","uid":"636288ba-5574-11ef-b671-0242ac110005","lang":"en","vendor_name":"conflicts feed receivers"},"type_id":2,"parent_folder":"regularly drivers sacred/rational.fla","created_time":1723114384374429,"hashes":[{"value":"140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02","algorithm":"quickXorHash","algorithm_id":7},{"value":"E405FA83FE9CFE003B49FD852D4429D0EFF2F914","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1723114384374497,"xattributes":{},"created_time_dt":"2024-08-08T10:53:04.374525Z"},"user":{"name":"Influenced","type":"User","domain":"adding merit extend","uid":"63629a58-5574-11ef-8c2b-0242ac110005","type_id":1,"credential_uid":"6362a124-5574-11ef-a23f-0242ac110005"},"group":{"domain":"enterprises civil knowledge","desc":"patch celebration lancaster","uid":"6362ab10-5574-11ef-adda-0242ac110005"},"uid":"6362b0ec-5574-11ef-bb67-0242ac110005","loaded_modules":["/fri/tall/bit/rap/meyer.hqx"],"cmd_line":"railway filling consistent","container":{"name":"calvin actor describe","size":1384069832,"tag":"automobiles gratuit tower","uid":"6362bb3c-5574-11ef-8a12-0242ac110005","image":{"name":"pi churches 
es","uid":"6362c56e-5574-11ef-8c25-0242ac110005"},"hash":{"value":"67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341","algorithm":"CTPH","algorithm_id":5},"orchestrator":"asking jerry namespace"},"created_time":1723114384376016,"integrity":"System","integrity_id":5,"namespace_pid":67,"parent_process":{"name":"Animal","pid":95,"file":{"attributes":1,"name":"tennessee.wsf","type":"Folder","path":"pennsylvania matthew somewhere/saw.dbf/tennessee.wsf","uid":"6362dc0c-5574-11ef-b631-0242ac110005","type_id":2,"creator":{"name":"Cognitive","type":"User","uid":"6362e6ac-5574-11ef-a13c-0242ac110005","type_id":1,"email_addr":"Lorretta@components.nato"},"parent_folder":"pennsylvania matthew somewhere/saw.dbf","hashes":[{"value":"1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734","algorithm":"SHA-256","algorithm_id":3},{"value":"DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434","algorithm":"magic","algorithm_id":99}],"is_system":false,"security_descriptor":"lcd elementary surround"},"user":{"name":"Guys","type":"Unknown","uid":"63630eca-5574-11ef-b29c-0242ac110005","org":{"name":"mighty thou ff","uid":"636317ee-5574-11ef-b39a-0242ac110005","ou_name":"companies functions hockey"},"groups":[{"name":"hood powers merely","domain":"parties entertainment lemon","uid":"636321d0-5574-11ef-ae4b-0242ac110005"},{"name":"rise parcel bookmarks","privileges":["etc survey at","cohen mails bio"]}],"type_id":0,"email_addr":"Classie@municipality.pro"},"group":{"name":"legislature normal lectures","uid":"63632d38-5574-11ef-85c8-0242ac110005"},"uid":"63633300-5574-11ef-80ee-0242ac110005","cmd_line":"magazines spin aaron","container":{"name":"deputy mirror eagle","size":2004032787,"tag":"magazine looking 
deemed","uid":"63633e40-5574-11ef-9825-0242ac110005","image":{"uid":"6363469c-5574-11ef-9299-0242ac110005"},"hash":{"value":"55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723114384379317,"namespace_pid":66,"parent_process":{"name":"Delight","file":{"name":"plasma.3dm","type":"Folder","path":"important companion consultancy/wallpaper.drv/plasma.3dm","signature":{"certificate":{"version":"1.1.0","subject":"assuming remarks brass","issuer":"sheet registry concord","fingerprints":[{"value":"EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF","algorithm":"SHA-256","algorithm_id":3},{"value":"E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59","algorithm":"CTPH","algorithm_id":5}],"created_time":1723114384380115,"expiration_time":1723114384380123,"serial_number":"provinces medicine it"},"algorithm":"Unknown","algorithm_id":0},"type_id":2,"parent_folder":"important companion consultancy/wallpaper.drv","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591","algorithm":"SHA-256","algorithm_id":3},{"value":"208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Focused","type":"Admin","type_id":2,"email_addr":"Numbers@si.coop","uid_alt":"biggest stupid linking"},"group":{"name":"jar transparency sing","privileges":["costs anthropology nickname","nbc dns flex"]},"tid":66,"uid":"63637afe-5574-11ef-b99b-0242ac110005","cmd_line":"felt essay relax","container":{"name":"contain accepted gba","runtime":"admin hammer variance","tag":"geographical registered suspension","uid":"63638544-5574-11ef-bbd6-0242ac110005","image":{"name":"exist acceptance 
britney","uid":"63638df0-5574-11ef-8d90-0242ac110005"},"hash":{"value":"83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A","algorithm":"magic","algorithm_id":99},"network_driver":"shops congratulations variance"},"created_time":1723114384381145,"integrity":"Protected","integrity_id":6,"namespace_pid":1,"parent_process":{"pid":44,"file":{"attributes":2,"name":"fits.cfm","type":"Symbolic Link","path":"watts leave ukraine/ringtones.rtf/fits.cfm","type_id":7,"parent_folder":"watts leave ukraine/ringtones.rtf","confidentiality":"Confidential","confidentiality_id":2,"hashes":[{"value":"B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E","algorithm":"SHA-512","algorithm_id":4},{"value":"3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124","algorithm":"SHA-1","algorithm_id":2}],"is_system":true,"security_descriptor":"selling dt few","accessed_time_dt":"2024-08-08T10:53:04.381694Z","created_time_dt":"2024-08-08T10:53:04.381707Z"},"user":{"name":"Edgar","uid":"6363b992-5574-11ef-9143-0242ac110005","ldap_person":{"email_addrs":["Mariann@routine.net"],"job_title":"alto languages tanks","deleted_time_dt":"2024-08-08T10:53:04.382339Z"}},"group":{"name":"thinking offices worcester","uid":"6363ca0e-5574-11ef-837d-0242ac110005","privileges":["ingredients pins connector"]},"uid":"6363d120-5574-11ef-b647-0242ac110005","cmd_line":"effects day pocket","container":{"name":"astronomy routing grocery","size":2306842201,"tag":"exchange timber candles","uid":"6363dbde-5574-11ef-a3c5-0242ac110005","image":{"name":"errors request zdnet","uid":"6363e57a-5574-11ef-8bf7-0242ac110005"},"hash":{"value":"237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"viral lindsay 
intellectual"},"created_time":1723114384383389,"namespace_pid":39,"parent_process":{"name":"Vessels","pid":73,"file":{"name":"photo.gadget","owner":{"name":"Priorities","type":"uploaded","uid":"63640244-5574-11ef-864e-0242ac110005","type_id":99,"account":{"name":"charles verification grave","type":"Unknown","uid":"63640bea-5574-11ef-881a-0242ac110005","type_id":0}},"type":"Symbolic Link","version":"1.1.0","path":"alter checked emperor/toner.htm/photo.gadget","type_id":7,"parent_folder":"alter checked emperor/toner.htm","confidentiality":"Not Confidential","confidentiality_id":1,"created_time":1723114384384361,"hashes":[{"value":"DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0","algorithm":"SHA-512","algorithm_id":4},{"value":"5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0","algorithm":"SHA-256","algorithm_id":3}]},"user":{"type":"carmen","uid":"63641a22-5574-11ef-8919-0242ac110005","type_id":99,"account":{"name":"reef terrorist graduation","type":"AWS Account","uid":"636423be-5574-11ef-8304-0242ac110005","type_id":10},"email_addr":"Lauryn@reliance.travel"},"cmd_line":"lung mega nn","container":{"name":"texas comments creator","size":639972788,"uid":"63642e36-5574-11ef-aac4-0242ac110005","hash":{"value":"1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6","algorithm":"quickXorHash","algorithm_id":7},"orchestrator":"preview contractors helps"},"created_time":1723114384385246,"namespace_pid":8,"parent_process":{"name":"Scott","pid":56,"file":{"name":"ba.3ds","type":"Block Device","path":"diagnosis angeles portsmouth/travels.mpa/ba.3ds","type_id":4,"parent_folder":"diagnosis angeles 
portsmouth/travels.mpa","accessed_time":1723114384386177,"created_time":1723114384386185,"hashes":[{"value":"50D299D6D7966A2DC1E0CF7FEB739E33","algorithm":"MD5","algorithm_id":1},{"value":"328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9","algorithm":"TLSH","algorithm_id":6}],"created_time_dt":"2024-08-08T10:53:04.386239Z"},"user":{"name":"Kit","type":"Admin","domain":"amendment spot sudan","type_id":2},"group":{"name":"passed rankings affects","uid":"63646496-5574-11ef-bfc5-0242ac110005"},"uid":"63646b44-5574-11ef-a77a-0242ac110005","cmd_line":"notre cameras draw","container":{"name":"katrina commonly sweet","uid":"636474e0-5574-11ef-bca8-0242ac110005","image":{"name":"advertisement metabolism bound","tag":"parent prostores taste","path":"advantage bm record","uid":"63647df0-5574-11ef-b02b-0242ac110005"},"hash":{"value":"36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605","algorithm":"Unknown","algorithm_id":0},"orchestrator":"child railroad thehun"},"created_time":1723114384387286,"namespace_pid":4,"parent_process":{"name":"Burning","pid":34,"session":{"issuer":"mounts burns budgets","created_time":1723114384387484,"is_remote":true,"is_vpn":true},"file":{"attributes":97,"name":"employment.wma","owner":{"name":"Nov","type":"User","uid":"6364960a-5574-11ef-ad32-0242ac110005","org":{"name":"arrive protecting fy","uid":"6364a60e-5574-11ef-aaf1-0242ac110005","ou_name":"cat saints infringement","ou_uid":"6364acb2-5574-11ef-b1ce-0242ac110005"},"groups":[{"name":"head state rubber","uid":"6364d64c-5574-11ef-a880-0242ac110005"},{"name":"catalyst strong mins","desc":"consortium bald removing","uid":"6364de3a-5574-11ef-9448-0242ac110005"}],"type_id":1},"type":"Symbolic Link","version":"1.1.0","path":"executed removal years/among.yuv/employment.wma","product":{"version":"1.1.0","path":"internship progress 
gun","lang":"en","vendor_name":"sp protection requests"},"type_id":7,"mime_type":"medal/nearly","parent_folder":"executed removal years/among.yuv","hashes":[{"value":"5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28","algorithm":"CTPH","algorithm_id":5},{"value":"BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8","algorithm":"TLSH","algorithm_id":6}],"accessed_time_dt":"2024-08-08T10:53:04.389945Z","created_time_dt":"2024-08-08T10:53:04.389957Z"},"user":{"name":"Without","type":"celebs","uid":"6364f62c-5574-11ef-be1d-0242ac110005","type_id":99},"group":{"desc":"allowance vacation ae"},"tid":42,"uid":"636504b4-5574-11ef-af4a-0242ac110005","cmd_line":"macintosh enjoying disposal","container":{"size":117561636,"image":{"name":"federation technical rally","uid":"636511ac-5574-11ef-b939-0242ac110005"},"hash":{"value":"1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"winning business collaborative"},"created_time":1723114384391076,"parent_process":{"name":"Vic","pid":16,"session":{"count":58,"uid":"636527dc-5574-11ef-a1e5-0242ac110005","issuer":"petition disclaimer clara","created_time":1723114384391616,"expiration_reason":"declined attorney sunday","is_remote":false,"is_vpn":false,"uid_alt":"sim yorkshire adaptation","expiration_time_dt":"2024-08-08T10:53:04.391655Z"},"file":{"name":"medication.pdf","owner":{"type":"System","domain":"affiliation arab invision","uid":"63653dee-5574-11ef-8c70-0242ac110005","type_id":3,"ldap_person":{"created_time":1723114384392352,"email_addrs":["Olympia@jesse.travel","Mina@seeking.com"],"employee_uid":"63654de8-5574-11ef-a8ac-0242ac110005","given_name":"pulse waiver footwear","ldap_cn":"professionals worm 
eng","leave_time":1723114384392577}},"size":1001943972,"type":"Folder","version":"1.1.0","path":"gotten unique thereafter/championship.deskthemepack/medication.pdf","product":{"name":"mumbai determined nobody","version":"1.1.0","uid":"6365590a-5574-11ef-aaa7-0242ac110005","lang":"en","vendor_name":"infected listen uk"},"uid":"63655f9a-5574-11ef-add1-0242ac110005","type_id":2,"creator":{"name":"Kurt","type":"examines","uid":"636569d6-5574-11ef-bef4-0242ac110005","type_id":99,"account":{"name":"petite suggestions british","type":"AWS Account","uid":"63657340-5574-11ef-b69a-0242ac110005","type_id":10},"uid_alt":"rack fake bleeding"},"parent_folder":"gotten unique thereafter/championship.deskthemepack","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1","algorithm":"quickXorHash","algorithm_id":7}],"is_system":true},"user":{"type":"recent","uid":"6365822c-5574-11ef-95fb-0242ac110005","org":{"name":"jerry calling mardi","uid":"63658ac4-5574-11ef-bea5-0242ac110005","ou_name":"motion ampland acknowledged"},"type_id":99,"credential_uid":"63659186-5574-11ef-a13d-0242ac110005","email_addr":"Lynetta@lib.jobs"},"group":{"name":"phys dollar not","type":"foster prefer phys","domain":"explicitly retreat de","uid":"63659b86-5574-11ef-ac1a-0242ac110005"},"uid":"6365a1b2-5574-11ef-847c-0242ac110005","cmd_line":"sorts sites obtained","container":{"name":"hack aud canadian","size":2490340163,"uid":"6365ab4e-5574-11ef-a5b2-0242ac110005","image":{"name":"graphs uni learned","uid":"6365b47c-5574-11ef-94cc-0242ac110005"},"hash":{"value":"1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98","algorithm":"TLSH","algorithm_id":6},"network_driver":"nh essentials 
blogs","pod_uuid":"automobiles"},"created_time":1723114384395481,"namespace_pid":90,"parent_process":{"name":"Offline","pid":2,"session":{"uuid":"6365e014-5574-11ef-a98e-0242ac110005","issuer":"bluetooth raise shopping","created_time":1723114384396317,"expiration_reason":"politics nt username","expiration_time":1723114384396336,"is_remote":true,"expiration_time_dt":"2024-08-08T10:53:04.396343Z"},"file":{"name":"atlantic.icns","type":"Symbolic Link","path":"rear biology finest/nintendo.class/atlantic.icns","signature":{"certificate":{"version":"1.1.0","subject":"national garmin even","issuer":"cut duo agencies","fingerprints":[{"value":"E8D8654C197E7B3BEED4D69E3EDD3A5B","algorithm":"MD5","algorithm_id":1},{"value":"75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361","algorithm":"Unknown","algorithm_id":0}],"expiration_time":1723114384396755,"serial_number":"rhode realty talented"},"algorithm":"vendor","algorithm_id":99},"desc":"specific aside io","type_id":7,"parent_folder":"rear biology finest/nintendo.class","confidentiality":"freelance pty ferrari","created_time":1723114384396786,"hashes":[{"value":"0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007","algorithm":"Unknown","algorithm_id":0},{"value":"D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1723114384396821,"xattributes":{},"modified_time_dt":"2024-08-08T10:53:04.396853Z"},"user":{"name":"Collectables","type":"User","domain":"crops midi hope","uid":"6366010c-5574-11ef-bfe7-0242ac110005","type_id":1,"uid_alt":"thunder pickup tab"},"group":{"desc":"muze comply jets"},"uid":"63660b34-5574-11ef-bbcf-0242ac110005","cmd_line":"canada federation computational","container":{"name":"barriers cheaper logged","runtime":"logos drilling schools","uid":"636616ce-5574-11ef-bd26-0242ac110005","image":{"name":"handy derek 
tb","uid":"63661fac-5574-11ef-9e80-0242ac110005"},"hash":{"value":"6F08C5DDCDD0BE06D83AA3E0E3D5A09E","algorithm":"MD5","algorithm_id":1}},"created_time":1723114384397969,"namespace_pid":82,"parent_process":{"name":"Recommendations","pid":76,"file":{"attributes":9,"name":"placement.3dm","type":"Symbolic Link","version":"1.1.0","path":"arizona concentrations widescreen/wire.tax2020/placement.3dm","modifier":{"name":"Incident","type":"Admin","uid":"63663aa0-5574-11ef-89ff-0242ac110005","groups":[{"name":"guest demographic terry","domain":"adventure charter tom","uid":"63665ca6-5574-11ef-abfa-0242ac110005"},{"name":"moderators broker asian","uid":"636664f8-5574-11ef-96ca-0242ac110005"}],"type_id":2,"account":{"type":"Windows Account","uid":"63666f0c-5574-11ef-98ef-0242ac110005","type_id":2},"uid_alt":"notre sponsorship elections"},"desc":"populations servers environments","type_id":7,"company_name":"Christa Marta","creator":{"name":"Quotes","type":"System","uid":"63667ca4-5574-11ef-a8ae-0242ac110005","groups":[{"name":"engineers constitute papers","uid":"636685fa-5574-11ef-8fd9-0242ac110005"},{"type":"introducing amendments portuguese","uid":"63668c80-5574-11ef-bd3d-0242ac110005"}],"type_id":3,"account":{"name":"hewlett beats hit","type":"GCP Account","uid":"636695b8-5574-11ef-8e13-0242ac110005","type_id":5},"ldap_person":{"location":{"desc":"Cyprus, Republic of","city":"Bibliographic selections","country":"CY","coordinates":[-120.1139,17.5612],"continent":"Asia"},"modified_time":1723114384401210,"office_location":"dl td transition","last_login_time_dt":"2024-08-08T10:53:04.401225Z"}},"parent_folder":"arizona concentrations 
widescreen/wire.tax2020","accessed_time":1723114384401235,"hashes":[{"value":"5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366","algorithm":"quickXorHash","algorithm_id":7},{"value":"E2A4DD55AA0F76F85A047DAF5B859095","algorithm":"MD5","algorithm_id":1}],"xattributes":{},"created_time_dt":"2024-08-08T10:53:04.401316Z"},"user":{"name":"Taxes","type":"System","uid":"6366aed6-5574-11ef-855a-0242ac110005","type_id":3},"group":{"name":"split viking nike","domain":"apollo clicking incorrect","uid":"6366b8c2-5574-11ef-a4e8-0242ac110005"},"uid":"6366be8a-5574-11ef-a313-0242ac110005","cmd_line":"accessible annotated plus","container":{"name":"butter repeated annie","size":1994539178,"uid":"6366e1b2-5574-11ef-a230-0242ac110005","image":{"name":"newspapers marriage translations","uid":"6366ed6a-5574-11ef-9f59-0242ac110005"},"hash":{"value":"E94025BE336B1F89159AF64B1F6EDA5D470AC8D6","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723114384403255,"integrity":"applying observe nba","namespace_pid":98,"parent_process":{"name":"Exotic","pid":64,"session":{"uid":"636701d8-5574-11ef-a4f1-0242ac110005","credential_uid":"6367082c-5574-11ef-aaa8-0242ac110005","expiration_reason":"washing sunday reaching","expiration_time":1723114384403944,"is_remote":true,"created_time_dt":"2024-08-08T10:53:04.403955Z","expiration_time_dt":"2024-08-08T10:53:04.403964Z"},"file":{"name":"accuracy.kmz","type":"Character Device","version":"1.1.0","path":"breast enjoying verbal/assure.gam/accuracy.kmz","signature":{"certificate":{"version":"1.1.0","subject":"lion struggle widespread","issuer":"clocks suppose products","fingerprints":[{"value":"83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E","algorithm":"TLSH","algorithm_id":6}],"created_time":1723114384404438,"expiration_time":1723114384404443,"serial_number":"negotiation feel 
cole"},"algorithm":"gotten","algorithm_id":99},"product":{"version":"1.1.0","uid":"6367296a-5574-11ef-8136-0242ac110005","lang":"en","vendor_name":"cindy specifications frontpage"},"uid":"63673090-5574-11ef-ad66-0242ac110005","type_id":3,"parent_folder":"breast enjoying verbal/assure.gam","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C","algorithm":"quickXorHash","algorithm_id":7},{"value":"990D4710B15458E3EDAA8601CDF5B44648B4FC61","algorithm":"SHA-1","algorithm_id":2}],"is_system":false,"accessed_time_dt":"2024-08-08T10:53:04.404997Z"},"user":{"name":"Saver","type":"Admin","uid":"6367417a-5574-11ef-8cd6-0242ac110005","groups":[{"name":"guyana applied attribute","domain":"identification browsing structures","uid":"63676952-5574-11ef-a883-0242ac110005"}],"type_id":2,"full_name":"Mayme Lurline"},"group":{"name":"executive mathematical signals","uid":"63677460-5574-11ef-a07f-0242ac110005"},"tid":41,"uid":"63677a6e-5574-11ef-9578-0242ac110005","cmd_line":"mere loaded similar","created_time":1723114384406818,"lineage":["operational pilot citysearch"]},"auid":58,"euid":32,"created_time_dt":"2024-08-08T10:53:04.406843Z"},"terminated_time":1723114384406852}},"xattributes":{},"auid":30},"xattributes":{},"euid":78,"terminated_time_dt":"2024-08-08T10:53:04.406915Z"},"sandbox":"challenged profiles family","xattributes":{}},"sandbox":"declare indication occupations","xattributes":{}},"sandbox":"delays fighting soonest","euid":11},"created_time_dt":"2024-08-08T10:53:04.406974Z"},"terminated_time":1723114384406979},"euid":20},"auid":5},"sandbox":"representing stationery affiliated"},"euid":92},"auid":32}},"sandbox":"em therefore 
spoke","xattributes":{},"created_time_dt":"2024-08-08T10:53:04.407027Z"},"xattributes":{},"euid":11,"terminated_time_dt":"2024-08-08T10:53:04.407047Z"},"terminated_time_dt":"2024-08-08T10:53:04.407054Z"},"sandbox":"conversations poker oriented","auid":31,"euid":40,"terminated_time_dt":"2024-08-08T10:53:04.407066Z"},"terminated_time":1723114384407071,"euid":45},"egid":67},"xattributes":{},"euid":77,"egid":31},"auid":39}},"egid":16},"created_time_dt":"2024-08-08T10:53:04.407101Z"},"sandbox":"numbers audience guard","auid":45,"terminated_time_dt":"2024-08-08T10:53:04.407112Z"},"user":{"name":"Boy","type":"Admin","domain":"distance predicted facilities","uid":"63679120-5574-11ef-be81-0242ac110005","type_id":2},"invoked_by":"popularity puzzle provides"},"cloud":{"provider":"diabetes gaps ag","region":"act ran entity"},"dst_endpoint":{"name":"full essentials size","port":55506,"type":"ssl","os":{"name":"mailing possibilities either","type":"AIX","version":"1.1.0","build":"walking thermal neck","type_id":401},"ip":"226.140.221.18","uid":"635383ba-5574-11ef-bd0d-0242ac110005","type_id":99,"container":{"name":"twelve will royalty","runtime":"lopez bulletin thru","size":2829011720,"tag":"grain alert score","uid":"63539300-5574-11ef-82a9-0242ac110005","image":{"name":"routing playback sb","uid":"63539e90-5574-11ef-9508-0242ac110005"},"hash":{"value":"4447CDB3261C7AE4F053DC296FEE1093F25F731D23A692D5819318F1901FDEC79EB2CA760BABCD759285BAE417ACD21FC64BB623583834C076F16FA9A53F1107","algorithm":"Unknown","algorithm_id":0},"orchestrator":"georgia rr scheduled","pod_uuid":"municipality"},"instance_uid":"6353a91c-5574-11ef-b5fc-0242ac110005","interface_name":"ideas utility possible","interface_uid":"6353afd4-5574-11ef-b86c-0242ac110005","namespace_pid":72,"proxy_endpoint":{"name":"lit canberra terminology","port":64602,"type":"IOT","ip":"35.105.135.121","location":{"desc":"Guadeloupe","city":"Establishment kind","country":"GP","coordinates":[90.6576,-34.4194],"continent":"North 
America"},"hostname":"guided.name","uid":"6353bf1a-5574-11ef-be0c-0242ac110005","type_id":7,"container":{"name":"programmes relevance boot","size":2534954875,"image":{"name":"weblogs grad offices","uid":"6353ca32-5574-11ef-8405-0242ac110005","labels":["commit","walter"]},"hash":{"value":"71FAFC4E2FC1E47E234762A96B80512B6B5534C2","algorithm":"SHA-1","algorithm_id":2},"orchestrator":"mic waiting gains"},"instance_uid":"6353d496-5574-11ef-ba97-0242ac110005","interface_name":"nato pray consult","interface_uid":"6353db12-5574-11ef-861d-0242ac110005","namespace_pid":17,"proxy_endpoint":{"name":"slides weird discussion","port":38178,"type":"Server","domain":"equipped disagree kevin","ip":"114.100.167.141","hostname":"challenged.travel","uid":"6353ed14-5574-11ef-a94e-0242ac110005","type_id":1,"container":{"name":"produces integrate invitation","size":3462840380,"tag":"locks circuit hindu","uid":"6353f70a-5574-11ef-a129-0242ac110005","image":{"name":"amount dividend oregon","uid":"6353ff98-5574-11ef-8eac-0242ac110005"},"hash":{"value":"555F45D31B82ABEEDB74D75EACB96817602160400F9A16B894CB77D68292FE96CFDCF573199918FB36F17CCC5B1B99A9ABBB62D931C518CC5D6A05A5659B534C","algorithm":"CTPH","algorithm_id":5}},"hw_info":{"cpu_cores":9,"cpu_count":87,"cpu_speed":32,"keyboard_info":{"keyboard_type":"tries dramatically undo"}},"instance_uid":"63540c0e-5574-11ef-98f2-0242ac110005","interface_name":"detroit handbags discuss","interface_uid":"63541294-5574-11ef-aa42-0242ac110005","namespace_pid":67,"svc_name":"discovered occurs presidential","zone":"little tucson operations"},"svc_name":"history it exp","zone":"join your encourage"},"svc_name":"gl dropped workforce"},"severity_id":2,"src_endpoint":{"name":"allah pain blues","type":"Hub","ip":"175.16.199.0","hostname":"generic.edu","uid":"63552c6a-5574-11ef-847f-0242ac110005","mac":"E4:C5:2D:FD:E6:16:2B:96","type_id":11,"container":{"name":"involvement buses bowling","size":509766084,"tag":"lawyers genre 
trained","uid":"635539f8-5574-11ef-b41d-0242ac110005","image":{"name":"clause material fort","uid":"635540f6-5574-11ef-bbdd-0242ac110005","labels":["difficulties","confusion"]},"hash":{"value":"6DE8A320862880F35A99FE4448414E898831DCCD","algorithm":"SHA-1","algorithm_id":2}},"instance_uid":"63554826-5574-11ef-973b-0242ac110005","interface_name":"collections setting twelve","interface_uid":"63554c86-5574-11ef-90cb-0242ac110005","svc_name":"welding minute invention"},"status_id":0}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
index 5d2c00db40b4..309aed9a534d 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
@@ -2428,6 +2428,641 @@
 "user": {
 "id": "ff72d2e0-556b-11ef-bbe1-0242ac110005"
 }
+ },
+ {
+ "@timestamp": "+56573-04-27T12:31:27.674Z",
+ "cloud": {
+ "provider": "diabetes gaps ag",
+ "region": "act ran entity"
+ },
+ "container": {
+ "id": "63560cca-5574-11ef-8db7-0242ac110005",
+ "image": {
+ "hash": {
+ "all": [
+ "sha1:10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1"
+ ]
+ },
+ "name": "technician rogers federal",
+ "tag": [
+ "pub flexible interface"
+ ]
+ },
+ "labels": [
+ "pants",
+ "firewall"
+ ],
+ "name": "slim rehabilitation nest"
+ },
+ "data_stream": {
+ "dataset": "amazon_security_lake.application_activity",
+ "namespace": "default",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "226.140.221.18",
+ "port": 55506
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "move",
+ "category": [
+ "file"
+ ],
+ "code": "sessions",
+ "kind": "event",
+ "original": "{\"message\":\"epa stanley speech\",\"status\":\"Unknown\",\"time\":1723114384287674,\"file\":{\"name\":\"ate.cue\",\"type\":\"Folder\",\"version\":\"1.1.0\",\"path\":\"wiki optimization counter/prohibited.ai/ate.cue\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"advised chess egyptian\",\"issuer\":\"warning cute armor\",\"fingerprints\":[{\"value\":\"367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1723114384273661,\"expiration_time\":1723114384273675,\"serial_number\":\"qld undergraduate 
cowboy\",\"created_time_dt\":\"2024-08-08T10:53:04.273685Z\"},\"algorithm\":\"Unknown\",\"algorithm_id\":0,\"created_time\":1723114384273699},\"modifier\":{\"name\":\"Scenic\",\"type\":\"User\",\"uid\":\"63533b6c-5574-11ef-bfed-0242ac110005\",\"type_id\":1,\"account\":{\"name\":\"interactions minister lamps\",\"type\":\"Windows Account\",\"uid\":\"635347c4-5574-11ef-a25d-0242ac110005\",\"type_id\":2},\"credential_uid\":\"63534eea-5574-11ef-8a7c-0242ac110005\",\"ldap_person\":{\"created_time\":1723114384275284,\"email_addrs\":[\"Leonida@consoles.gov\"],\"given_name\":\"routines identical brunswick\",\"hire_time\":1723114384275320,\"job_title\":\"voted awareness pt\",\"modified_time\":1723114384275329,\"leave_time_dt\":\"2024-08-08T10:53:04.275331Z\"}},\"type_id\":2,\"parent_folder\":\"wiki optimization counter/prohibited.ai\",\"hashes\":[{\"value\":\"F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}]},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"cooling florist anna\",\"version\":\"1.1.0\",\"path\":\"avoid meeting appear\",\"uid\":\"63545eac-5574-11ef-8bb1-0242ac110005\",\"vendor_name\":\"buying fa joel\"},\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"correlation_uid\":\"635472c0-5574-11ef-8c5d-0242ac110005\",\"event_code\":\"sessions\",\"log_name\":\"standing band submission\",\"logged_time\":1723114384282107,\"original_time\":\"sum shipped decreased\"},\"severity\":\"Low\",\"type_name\":\"File Hosting Activity: Move\",\"activity_id\":7,\"type_uid\":600607,\"observables\":[{\"name\":\"affiliated fuji ralph\",\"type\":\"Hostname\",\"type_id\":1},{\"name\":\"sponsored fw 
illustrated\",\"type\":\"Hostname\",\"type_id\":1}],\"category_name\":\"Application Activity\",\"class_uid\":6006,\"category_uid\":6,\"class_name\":\"File Hosting Activity\",\"timezone_offset\":56,\"activity_name\":\"Move\",\"actor\":{\"process\":{\"name\":\"Eden\",\"pid\":95,\"file\":{\"attributes\":91,\"name\":\"physician.asf\",\"type\":\"Regular File\",\"path\":\"donors replied magazine/elder.accdb/physician.asf\",\"modifier\":{\"name\":\"Dimensional\",\"type\":\"System\",\"domain\":\"beneficial az attraction\",\"uid\":\"63556d6a-5574-11ef-ac26-0242ac110005\",\"type_id\":3,\"email_addr\":\"Lura@consolidated.mil\"},\"desc\":\"xp endif record\",\"type_id\":1,\"creator\":{\"name\":\"Resource\",\"type\":\"System\",\"uid\":\"6355ab18-5574-11ef-bc66-0242ac110005\",\"type_id\":3,\"full_name\":\"Melodee Norma\",\"email_addr\":\"Blaine@highlight.pro\"},\"mime_type\":\"incl/johnston\",\"parent_folder\":\"donors replied magazine/elder.accdb\",\"hashes\":[{\"value\":\"28E532D56B18548CC0B68A63311D2DCD2D258B2F\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"695BF60E03F83A36699AF46519E8E584\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"xattributes\":{}},\"user\":{\"type\":\"Unknown\",\"domain\":\"random john findlaw\",\"groups\":[{\"name\":\"rural legislature built\",\"type\":\"harm slovakia tone\",\"uid\":\"6355ca8a-5574-11ef-8efb-0242ac110005\",\"privileges\":[\"clearing transfer worthy\",\"jim pdas remind\"]},{\"domain\":\"seeing dynamics qualified\",\"uid\":\"6355d2aa-5574-11ef-8276-0242ac110005\"}],\"type_id\":0,\"full_name\":\"Alexander Helena\",\"credential_uid\":\"6355da02-5574-11ef-89ed-0242ac110005\",\"uid_alt\":\"providing arms servers\"},\"group\":{\"name\":\"manage livestock tribes\",\"domain\":\"problem choosing 
reform\",\"uid\":\"6355e5e2-5574-11ef-b983-0242ac110005\"},\"uid\":\"6355ece0-5574-11ef-9b58-0242ac110005\",\"loaded_modules\":[\"/sic/measurement/morrison/routing/classroom.class\",\"/projector/dare/dt/fancy/governance.wma\"],\"cmd_line\":\"syndication traveler charges\",\"container\":{\"name\":\"slim rehabilitation nest\",\"size\":2119671744,\"uid\":\"63560cca-5574-11ef-8db7-0242ac110005\",\"image\":{\"name\":\"technician rogers federal\",\"tag\":\"pub flexible interface\",\"uid\":\"63561756-5574-11ef-85d8-0242ac110005\",\"labels\":[\"pants\",\"firewall\"]},\"hash\":{\"value\":\"10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723114384292928,\"integrity\":\"cr darwin wearing\",\"namespace_pid\":27,\"parent_process\":{\"name\":\"Outreach\",\"pid\":24,\"session\":{\"uid\":\"63562c6e-5574-11ef-a07c-0242ac110005\",\"uuid\":\"635632b8-5574-11ef-8dc9-0242ac110005\",\"issuer\":\"watt ips cash\",\"created_time\":1723114384293568,\"expiration_time\":1723114384293578,\"is_remote\":false,\"expiration_time_dt\":\"2024-08-08T10:53:04.293582Z\"},\"file\":{\"attributes\":91,\"name\":\"engineers.png\",\"type\":\"Character Device\",\"path\":\"judgment entering hydrocodone/sharp.uue/engineers.png\",\"type_id\":3,\"accessor\":{\"type\":\"republican\",\"uid\":\"6356478a-5574-11ef-bd16-0242ac110005\",\"type_id\":99,\"email_addr\":\"Sunni@holders.jobs\"},\"parent_folder\":\"judgment entering hydrocodone/sharp.uue\"},\"user\":{\"type\":\"User\",\"domain\":\"shortly payments endorsement\",\"uid\":\"6356532e-5574-11ef-a4a6-0242ac110005\",\"type_id\":1,\"uid_alt\":\"mysql syria beaches\"},\"group\":{\"type\":\"savannah weapon canon\",\"desc\":\"rogers eco outlets\",\"uid\":\"63565dba-5574-11ef-80bf-0242ac110005\"},\"uid\":\"635663a0-5574-11ef-b2fa-0242ac110005\",\"cmd_line\":\"asks eight printed\",\"container\":{\"name\":\"te beginners 
geology\",\"size\":1467240565,\"uid\":\"63567160-5574-11ef-a13e-0242ac110005\",\"image\":{\"name\":\"abu collectables clinical\",\"uid\":\"63567a16-5574-11ef-8843-0242ac110005\"},\"hash\":{\"value\":\"D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}},\"created_time\":1723114384295435,\"integrity\":\"eternal reservation which\",\"namespace_pid\":73,\"parent_process\":{\"name\":\"Hung\",\"pid\":85,\"user\":{\"name\":\"Paint\",\"type\":\"creative\",\"uid\":\"63568cfe-5574-11ef-9336-0242ac110005\",\"type_id\":99,\"full_name\":\"Gussie Leila\",\"email_addr\":\"Claire@longitude.arpa\"},\"group\":{\"name\":\"prince enhance terrain\",\"desc\":\"dual yacht replace\",\"uid\":\"635698ac-5574-11ef-a457-0242ac110005\"},\"cmd_line\":\"tools aluminium combinations\",\"container\":{\"name\":\"diving invited scoring\",\"runtime\":\"louise demanding pontiac\",\"size\":3349958052,\"tag\":\"witness indicators oral\",\"uid\":\"6356a234-5574-11ef-a31f-0242ac110005\",\"image\":{\"name\":\"bag belief such\",\"uid\":\"6356aaae-5574-11ef-80e9-0242ac110005\",\"labels\":[\"memorabilia\",\"producers\"]},\"hash\":{\"value\":\"5EF93A057B5E36A7F6F0880E87F5CF4B\",\"algorithm\":\"MD5\",\"algorithm_id\":1},\"pod_uuid\":\"pp\"},\"created_time\":1723114384296685,\"namespace_pid\":42,\"parent_process\":{\"name\":\"Dead\",\"pid\":15,\"file\":{\"name\":\"creations.ico\",\"owner\":{\"name\":\"Answer\",\"uid\":\"6356c534-5574-11ef-9ab7-0242ac110005\",\"full_name\":\"Henry Tonja\"},\"type\":\"ti\",\"path\":\"defining inch factors/ist.mpa/creations.ico\",\"product\":{\"name\":\"amateur bristol cuba\",\"version\":\"1.1.0\",\"uid\":\"6356cfa2-5574-11ef-a798-0242ac110005\",\"vendor_name\":\"gentleman quit confirm\"},\"type_id\":99,\"parent_folder\":\"defining inch 
factors/ist.mpa\",\"created_time\":1723114384297596,\"hashes\":[{\"value\":\"0976ABA0D430405622A00981BC58C6F16D2A40F1\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"accessed_time_dt\":\"2024-08-08T10:53:04.297651Z\",\"created_time_dt\":\"2024-08-08T10:53:04.297659Z\"},\"user\":{\"name\":\"Theatre\",\"type\":\"Admin\",\"uid\":\"6356e906-5574-11ef-bcbc-0242ac110005\",\"type_id\":2},\"tid\":82,\"uid\":\"6356ef50-5574-11ef-9f3f-0242ac110005\",\"cmd_line\":\"capable homepage reject\",\"container\":{\"name\":\"slovenia anybody colors\",\"runtime\":\"organic worked yn\",\"size\":420397581,\"uid\":\"6356f91e-5574-11ef-ae76-0242ac110005\",\"image\":{\"name\":\"sao naked toddler\",\"uid\":\"635701a2-5574-11ef-bc46-0242ac110005\",\"labels\":[\"toolbox\",\"taught\"]},\"hash\":{\"value\":\"E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"pod_uuid\":\"arranged\"},\"created_time\":1723114384298907,\"integrity\":\"System\",\"integrity_id\":5,\"namespace_pid\":34,\"parent_process\":{\"name\":\"Whilst\",\"pid\":51,\"file\":{\"name\":\"sitting.bmp\",\"owner\":{\"name\":\"Excessive\",\"type\":\"System\",\"domain\":\"harmony served deadly\",\"uid\":\"63572f2e-5574-11ef-80bc-0242ac110005\",\"groups\":[{\"name\":\"recruiting member combine\",\"uid\":\"635738e8-5574-11ef-b1ba-0242ac110005\"}],\"type_id\":3,\"full_name\":\"Mistie Belkis\",\"account\":{\"type\":\"Mac OS Account\",\"uid\":\"6357423e-5574-11ef-bd28-0242ac110005\",\"type_id\":7}},\"type\":\"Local Socket\",\"path\":\"everything packaging fears/sat.crdownload/sitting.bmp\",\"uid\":\"635748e2-5574-11ef-9899-0242ac110005\",\"type_id\":5,\"creator\":{\"name\":\"Health\",\"type\":\"User\",\"domain\":\"cabinet 
satisfaction excitement\",\"uid\":\"635752c4-5574-11ef-9816-0242ac110005\",\"type_id\":1,\"full_name\":\"Lauralee Thomasine\",\"ldap_person\":{\"location\":{\"desc\":\"Serbia, Republic of\",\"city\":\"Princeton judy\",\"country\":\"RS\",\"coordinates\":[-170.2881,-62.2248],\"continent\":\"Europe\"},\"ldap_dn\":\"roy noticed vertical\",\"surname\":\"tract olympus editor\",\"created_time_dt\":\"2024-08-08T10:53:04.301134Z\"}},\"parent_folder\":\"everything packaging fears/sat.crdownload\",\"accessed_time\":1723114384301146,\"hashes\":[{\"value\":\"D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"is_system\":false,\"modified_time\":1723114384301182,\"xattributes\":{}},\"user\":{\"name\":\"Pavilion\",\"type\":\"Unknown\",\"uid\":\"63576804-5574-11ef-9ed9-0242ac110005\",\"type_id\":0,\"credential_uid\":\"63576e4e-5574-11ef-85ed-0242ac110005\"},\"group\":{\"name\":\"sale point solutions\",\"uid\":\"6357784e-5574-11ef-9c0c-0242ac110005\"},\"tid\":93,\"uid\":\"63577e16-5574-11ef-8086-0242ac110005\",\"cmd_line\":\"consists posters menus\",\"container\":{\"name\":\"loving revealed remarkable\",\"size\":2152153573,\"uid\":\"6357871c-5574-11ef-9b53-0242ac110005\",\"image\":{\"name\":\"lots time boolean\",\"uid\":\"63578f78-5574-11ef-83eb-0242ac110005\"},\"hash\":{\"value\":\"EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"orchestrator\":\"board luis adopted\"},\"created_time\":1723114384302534,\"parent_process\":{\"pid\":93,\"session\":{\"uid\":\"6357a396-5574-11ef-8ef4-0242ac110005\",\"issuer\":\"demonstration holmes california\",\"created_time\":1723114384303010,\"is_mfa\":true,\"is_remote\":false},\"file\":{\"name\":\"kerry.sdf\",\"type\":\"terrorist\",\"path\":\"pre memo 
parish/bibliographic.db/kerry.sdf\",\"product\":{\"name\":\"forum activists cancelled\",\"version\":\"1.1.0\",\"uid\":\"6357b6b0-5574-11ef-9715-0242ac110005\",\"cpe_name\":\"realty contributions melissa\",\"vendor_name\":\"actress mess enjoyed\"},\"modifier\":{\"name\":\"Criterion\",\"type\":\"System\",\"domain\":\"theology suzuki inn\",\"uid\":\"6357d28a-5574-11ef-b53e-0242ac110005\",\"groups\":[{\"name\":\"meanwhile vid contributed\"},{\"name\":\"difference white sensors\",\"type\":\"chef laos flat\",\"desc\":\"undertake carried ones\",\"uid\":\"6357dc9e-5574-11ef-a420-0242ac110005\"}],\"type_id\":3,\"account\":{\"name\":\"fans car enable\",\"type\":\"Linux Account\",\"type_id\":9},\"credential_uid\":\"6357e5f4-5574-11ef-8af6-0242ac110005\",\"uid_alt\":\"repair trains victim\"},\"type_id\":99,\"creator\":{\"name\":\"Filme\",\"type\":\"Unknown\",\"uid\":\"6357f01c-5574-11ef-9c74-0242ac110005\",\"type_id\":0},\"mime_type\":\"architecture/hall\",\"parent_folder\":\"pre memo parish/bibliographic.db\",\"hashes\":[{\"value\":\"35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"security_descriptor\":\"volvo workflow pros\"},\"group\":{\"name\":\"mad integrity assessment\",\"type\":\"glossary scotia pete\",\"uid\":\"63580af2-5574-11ef-88eb-0242ac110005\"},\"uid\":\"63581182-5574-11ef-aeb6-0242ac110005\",\"cmd_line\":\"mentor dust attending\",\"container\":{\"name\":\"drill modern difference\",\"size\":3636193350,\"uid\":\"63597a54-5574-11ef-acbb-0242ac110005\",\"image\":{\"name\":\"hanging assume 
mill\",\"uid\":\"63599c96-5574-11ef-8abe-0242ac110005\"},\"hash\":{\"value\":\"90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}},\"created_time\":1723114384316151,\"integrity\":\"delivering shaved mexico\",\"namespace_pid\":49,\"parent_process\":{\"name\":\"Ft\",\"pid\":85,\"file\":{\"name\":\"venice.pct\",\"type\":\"Character Device\",\"path\":\"proper unified cingular/outsourcing.cs/venice.pct\",\"product\":{\"version\":\"1.1.0\",\"vendor_name\":\"staying attachment med\"},\"desc\":\"advantage profit fall\",\"type_id\":3,\"accessor\":{\"name\":\"Arlington\",\"type\":\"Admin\",\"uid\":\"635a477c-5574-11ef-8dd3-0242ac110005\",\"type_id\":2,\"credential_uid\":\"635a4f2e-5574-11ef-b0c1-0242ac110005\"},\"parent_folder\":\"proper unified cingular/outsourcing.cs\",\"accessed_time\":1723114384320502,\"created_time\":1723114384320518,\"hashes\":[{\"value\":\"5B54C0A045F179BCBBBC9ABCB8B5CD4C\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91\",\"algorithm\":\"magic\",\"algorithm_id\":99}],\"modified_time_dt\":\"2024-08-08T10:53:04.320622Z\"},\"uid\":\"635a5c26-5574-11ef-8945-0242ac110005\",\"cmd_line\":\"cup rights charger\",\"container\":{\"name\":\"answers camera televisions\",\"size\":560452224,\"uid\":\"635a7206-5574-11ef-b9d6-0242ac110005\",\"image\":{\"uid\":\"635a8282-5574-11ef-8212-0242ac110005\"},\"hash\":{\"value\":\"FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}},\"created_time\":1723114384322300,\"namespace_pid\":14,\"parent_process\":{\"pid\":1,\"file\":{\"attributes\":8,\"name\":\"stop.rom\",\"size\":184463636,\"type\":\"Folder\",\"path\":\"qc stunning 
upcoming/freelance.b/stop.rom\",\"type_id\":2,\"creator\":{\"name\":\"Televisions\",\"type\":\"restaurant\",\"uid\":\"635ab20c-5574-11ef-8a49-0242ac110005\",\"type_id\":99,\"ldap_person\":{\"modified_time\":1723114384328321,\"created_time_dt\":\"2024-08-08T10:53:04.328333Z\"}},\"parent_folder\":\"qc stunning upcoming/freelance.b\",\"accessed_time\":1723114384328345,\"confidentiality\":\"dare assembly conflicts\",\"hashes\":[{\"value\":\"D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"security_descriptor\":\"streets teacher movie\",\"accessed_time_dt\":\"2024-08-08T10:53:04.328434Z\",\"modified_time_dt\":\"2024-08-08T10:53:04.328440Z\"},\"user\":{\"name\":\"Fountain\",\"type\":\"Admin\",\"uid\":\"635b94ec-5574-11ef-90e7-0242ac110005\",\"type_id\":2},\"group\":{\"name\":\"lang drivers mood\",\"uid\":\"635baaf4-5574-11ef-8c3f-0242ac110005\"},\"uid\":\"635bb51c-5574-11ef-96c1-0242ac110005\",\"cmd_line\":\"assignment position expression\",\"container\":{\"name\":\"ink bio mileage\",\"runtime\":\"effort des lu\",\"size\":1841031275,\"uid\":\"635bd29a-5574-11ef-a523-0242ac110005\",\"image\":{\"name\":\"junction naval insulation\",\"tag\":\"watches wellington muscle\",\"uid\":\"635c0198-5574-11ef-ba77-0242ac110005\"},\"hash\":{\"value\":\"FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"pod_uuid\":\"nuclear\"},\"created_time\":1723114384332144,\"integrity\":\"Low\",\"integrity_id\":2,\"namespace_pid\":91,\"parent_process\":{\"name\":\"Surprise\",\"pid\":46,\"file\":{\"name\":\"settled.exe\",\"type\":\"Local Socket\",\"version\":\"1.1.0\",\"path\":\"justin jm 
kenya/acknowledged.cgi/settled.exe\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"uid\":\"635c43c4-5574-11ef-a8eb-0242ac110005\",\"subject\":\"pets documentary mutual\",\"issuer\":\"rounds eds contests\",\"fingerprints\":[{\"value\":\"4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"created_time\":1723114384334572,\"expiration_time\":1723114384334590,\"serial_number\":\"anything repair rank\",\"expiration_time_dt\":\"2024-08-08T10:53:04.334601Z\"},\"algorithm\":\"ECDSA\",\"algorithm_id\":3,\"developer_uid\":\"635c7e16-5574-11ef-b814-0242ac110005\"},\"type_id\":5,\"accessor\":{\"name\":\"Contents\",\"type\":\"Unknown\",\"domain\":\"weighted organize jim\",\"uid\":\"635cc204-5574-11ef-85ce-0242ac110005\",\"type_id\":0},\"creator\":{\"name\":\"Heel\",\"type\":\"System\",\"uid\":\"635ce108-5574-11ef-b897-0242ac110005\",\"type_id\":3,\"account\":{\"name\":\"discs sure enclosed\",\"type\":\"AWS IAM Role\",\"uid\":\"635d0a66-5574-11ef-bcd7-0242ac110005\",\"type_id\":4},\"uid_alt\":\"rapidly specification instructional\"},\"parent_folder\":\"justin jm kenya/acknowledged.cgi\",\"created_time\":1723114384339821,\"hashes\":[{\"value\":\"E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},{\"value\":\"3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"modified_time\":1723114384340026,\"xattributes\":{},\"accessed_time_dt\":\"2024-08-08T10:53:04.340128Z\",\"created_time_dt\":\"2024-08-08T10:53:04.340139Z\"},\"user\":{\"type\":\"Unknown\",\"uid\":\"635d5bd8-5574-11ef-a7e3-0242ac110005\",\"type_id\":0,\"uid_alt\":\"charging build burning\"},\"group\":{\"name\":\"pendant alike 
china\",\"domain\":\"remove ix couple\",\"uid\":\"635d7852-5574-11ef-8eaa-0242ac110005\",\"privileges\":[\"verbal spokesman stuart\",\"audio mozambique mae\"]},\"uid\":\"635d7fa0-5574-11ef-9af0-0242ac110005\",\"loaded_modules\":[\"/desert/arch/conditional/mas/zinc.cgi\",\"/direct/appendix/stated/partition/awareness.gam\"],\"cmd_line\":\"masters treatments custody\",\"container\":{\"name\":\"ate worth powerpoint\",\"runtime\":\"society mem dependence\",\"size\":175725837,\"uid\":\"635d91e8-5574-11ef-bfc1-0242ac110005\",\"image\":{\"name\":\"bring president swap\",\"uid\":\"635dba88-5574-11ef-a7d2-0242ac110005\"},\"hash\":{\"value\":\"7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"network_driver\":\"crawford invitation pierce\",\"orchestrator\":\"differences lycos cut\"},\"created_time\":1723114384343050,\"namespace_pid\":17,\"parent_process\":{\"name\":\"During\",\"pid\":22,\"file\":{\"name\":\"earnings.otf\",\"owner\":{\"name\":\"Tissue\",\"type\":\"User\",\"uid\":\"635ddb94-5574-11ef-ab3f-0242ac110005\",\"org\":{\"name\":\"whom demand thereof\",\"ou_name\":\"weighted fundraising drainage\"},\"type_id\":1},\"type\":\"Regular File\",\"path\":\"commons employ nickel/humanity.swf/earnings.otf\",\"type_id\":1,\"company_name\":\"Abby Cyrus\",\"parent_folder\":\"commons employ nickel/humanity.swf\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"EE1150845FA3041CEB3A3FCDBE42D68A\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":false,\"security_descriptor\":\"correctly screenshots 
reached\",\"created_time_dt\":\"2024-08-08T10:53:04.344543Z\",\"modified_time_dt\":\"2024-08-08T10:53:04.344556Z\"},\"user\":{\"name\":\"Greenhouse\",\"uid\":\"635e09a2-5574-11ef-8b02-0242ac110005\",\"uid_alt\":\"nu tiny challenging\"},\"group\":{\"name\":\"function bought terrace\",\"desc\":\"oo phase relocation\",\"uid\":\"635e1960-5574-11ef-bc86-0242ac110005\"},\"uid\":\"635e1f5a-5574-11ef-aad7-0242ac110005\",\"cmd_line\":\"macedonia reid wanna\",\"container\":{\"name\":\"dry age their\",\"size\":1634165265,\"tag\":\"revised bytes swingers\",\"uid\":\"635e290a-5574-11ef-8290-0242ac110005\",\"image\":{\"tag\":\"developer characterized chelsea\",\"uid\":\"635e31d4-5574-11ef-8b11-0242ac110005\"},\"hash\":{\"value\":\"D5F2E5C77054C44C2C72A1B017DECA06FC637C99\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723114384346014,\"parent_process\":{\"name\":\"Door\",\"pid\":15,\"file\":{\"attributes\":27,\"name\":\"modification.php\",\"type\":\"Regular File\",\"path\":\"monkey refused genesis/pictures.cs/modification.php\",\"type_id\":1,\"parent_folder\":\"monkey refused genesis/pictures.cs\",\"confidentiality\":\"Not Confidential\",\"confidentiality_id\":1},\"user\":{\"name\":\"Roller\",\"type\":\"System\",\"uid\":\"635e6e38-5574-11ef-9132-0242ac110005\",\"type_id\":3},\"group\":{\"name\":\"dogs republic occurrence\",\"type\":\"headers brunei ontario\",\"uid\":\"635e79b4-5574-11ef-b9e2-0242ac110005\",\"privileges\":[\"later conversion foreign\",\"shadows phpbb ate\"]},\"uid\":\"635e817a-5574-11ef-850e-0242ac110005\",\"cmd_line\":\"rides vids label\",\"container\":{\"name\":\"car ericsson vary\",\"size\":2909077433,\"tag\":\"apparent philadelphia southern\",\"uid\":\"635eaa7e-5574-11ef-99fc-0242ac110005\",\"image\":{\"name\":\"carolina bio conversion\",\"uid\":\"635eb3a2-5574-11ef-8a60-0242ac110005\"},\"hash\":{\"value\":\"62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},\"orchestrator\":\"wto 
murray posted\",\"pod_uuid\":\"designed\"},\"created_time\":1723114384349350,\"integrity\":\"ag disagree anymore\",\"namespace_pid\":5,\"parent_process\":{\"name\":\"Lm\",\"pid\":58,\"file\":{\"name\":\"closing.3ds\",\"size\":2333859778,\"type\":\"Block Device\",\"path\":\"newsletter tulsa locale/wait.cab/closing.3ds\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"durham sitting hiv\",\"issuer\":\"eq designers loc\",\"fingerprints\":[{\"value\":\"B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"expiration_time\":1723114384349769,\"serial_number\":\"field geek theater\"},\"algorithm\":\"RSA\",\"algorithm_id\":2},\"uid\":\"635ed24c-5574-11ef-9b19-0242ac110005\",\"type_id\":4,\"mime_type\":\"radio/minolta\",\"parent_folder\":\"newsletter tulsa locale/wait.cab\",\"hashes\":[{\"value\":\"65BD10756687E64C347423BA3836F065\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"modified_time\":1723114384350131,\"security_descriptor\":\"went stick curious\",\"xattributes\":{}},\"user\":{\"name\":\"Gossip\",\"type\":\"System\",\"uid\":\"635ee0e8-5574-11ef-ac61-0242ac110005\",\"type_id\":3,\"credential_uid\":\"635ee75a-5574-11ef-ac0c-0242ac110005\"},\"group\":{\"name\":\"alcohol surprise http\",\"desc\":\"wales if adams\",\"uid\":\"635ef114-5574-11ef-8c2b-0242ac110005\"},\"uid\":\"635ef6dc-5574-11ef-a3ad-0242ac110005\",\"cmd_line\":\"statutes columnists commerce\",\"container\":{\"name\":\"thomson multi reliable\",\"size\":22516444,\"uid\":\"635f000a-5574-11ef-bd88-0242ac110005\",\"image\":{\"name\":\"procedures later 
palestinian\",\"uid\":\"635f0898-5574-11ef-a44a-0242ac110005\"},\"hash\":{\"value\":\"B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},\"orchestrator\":\"teens motion deaths\"},\"created_time\":1723114384351625,\"namespace_pid\":7,\"parent_process\":{\"name\":\"Gen\",\"pid\":86,\"file\":{\"name\":\"offered.avi\",\"type\":\"Folder\",\"path\":\"sports amp assess/explosion.sln/offered.avi\",\"type_id\":2,\"parent_folder\":\"sports amp assess/explosion.sln\",\"accessed_time\":1723114384352980,\"security_descriptor\":\"salmon sister tucson\"},\"user\":{\"name\":\"Rest\",\"type\":\"Unknown\",\"uid\":\"635f51c2-5574-11ef-bad8-0242ac110005\",\"type_id\":0},\"group\":{\"name\":\"produces consequence selling\",\"uid\":\"635f5d02-5574-11ef-be03-0242ac110005\",\"privileges\":[\"seasonal railroad already\"]},\"uid\":\"635f63d8-5574-11ef-8afe-0242ac110005\",\"cmd_line\":\"reflects champion naughty\",\"container\":{\"name\":\"inquire justice risks\",\"runtime\":\"fragrance instances sun\",\"size\":574926482,\"uid\":\"635f7e18-5574-11ef-84ec-0242ac110005\",\"image\":{\"name\":\"packs auction technical\",\"uid\":\"635f891c-5574-11ef-9147-0242ac110005\"}},\"created_time\":1723114384354756,\"integrity\":\"deutsche what indians\",\"lineage\":[\"lying advertisements renew\",\"buf prescribed puerto\"],\"namespace_pid\":80,\"parent_process\":{\"name\":\"Blogger\",\"pid\":77,\"user\":{\"name\":\"Lenses\",\"type\":\"dairy\",\"uid\":\"635f9c7c-5574-11ef-b4d1-0242ac110005\",\"type_id\":99,\"uid_alt\":\"penalty spray weight\"},\"uid\":\"635fa406-5574-11ef-809b-0242ac110005\",\"cmd_line\":\"information propecia md\",\"lineage\":[\"trees saving alias\",\"ssl september rack\"],\"namespace_pid\":50,\"parent_process\":{\"name\":\"Defense\",\"pid\":15,\"file\":{\"attributes\":31,\"name\":\"lotus.pkg\",\"type\":\"Local Socket\",\"path\":\"seem party 
existence/buried.3dm/lotus.pkg\",\"type_id\":5,\"parent_folder\":\"seem party existence/buried.3dm\",\"confidentiality\":\"belief hard romania\",\"created_time\":1723114384355919,\"hashes\":[{\"value\":\"921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},{\"value\":\"E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":true,\"accessed_time_dt\":\"2024-08-08T10:53:04.355980Z\"},\"user\":{\"name\":\"Blogs\",\"type\":\"novel\",\"uid\":\"635fca94-5574-11ef-82f0-0242ac110005\",\"groups\":[{\"type\":\"buyer spirit webcam\",\"uid\":\"635fd57a-5574-11ef-84bc-0242ac110005\"},{\"name\":\"cooperation meditation memo\",\"desc\":\"discretion fantastic tactics\",\"uid\":\"635fe13c-5574-11ef-85a3-0242ac110005\"}],\"type_id\":99,\"credential_uid\":\"635fe862-5574-11ef-ba0c-0242ac110005\",\"ldap_person\":{\"email_addrs\":[\"Kimberley@sip.int\"],\"leave_time\":1723114384357313,\"modified_time_dt\":\"2024-08-08T10:53:04.357320Z\"}},\"group\":{\"name\":\"care viii external\",\"type\":\"right crowd crops\",\"desc\":\"appointed opponent written\",\"uid\":\"635ff8a2-5574-11ef-af7e-0242ac110005\"},\"tid\":26,\"uid\":\"635ffed8-5574-11ef-b0fd-0242ac110005\",\"cmd_line\":\"gamecube forbes described\",\"container\":{\"name\":\"homes commonwealth recall\",\"size\":3538073681,\"uid\":\"63600950-5574-11ef-aae8-0242ac110005\",\"image\":{\"name\":\"jersey elected projector\",\"tag\":\"members breathing powers\",\"path\":\"trades mess wishlist\",\"uid\":\"6360136e-5574-11ef-8aec-0242ac110005\"}},\"created_time\":1723114384358291,\"integrity\":\"High\",\"integrity_id\":4,\"namespace_pid\":6,\"parent_process\":{\"pid\":31,\"file\":{\"name\":\"patches.tar\",\"type\":\"Unknown\",\"path\":\"throws additions 
myspace/jackets.b/patches.tar\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"donate tons media\",\"issuer\":\"italic hamburg judges\",\"fingerprints\":[{\"value\":\"F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1723114384358869,\"expiration_time\":1723114384358874,\"serial_number\":\"fell lab weddings\"},\"algorithm\":\"DSA\",\"algorithm_id\":1,\"developer_uid\":\"63603196-5574-11ef-ac47-0242ac110005\"},\"uid\":\"636040d2-5574-11ef-965c-0242ac110005\",\"type_id\":0,\"parent_folder\":\"throws additions myspace/jackets.b\",\"confidentiality\":\"Top Secret\",\"confidentiality_id\":4,\"hashes\":[{\"value\":\"04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"modified_time_dt\":\"2024-08-08T10:53:04.359528Z\"},\"group\":{\"name\":\"recommends pollution humans\",\"uid\":\"63604e4c-5574-11ef-9f32-0242ac110005\"},\"uid\":\"636054f0-5574-11ef-8588-0242ac110005\",\"cmd_line\":\"swingers centers burke\",\"container\":{\"name\":\"heather troubleshooting considerable\",\"size\":119356271,\"image\":{\"name\":\"listing hardwood defined\",\"uid\":\"636066de-5574-11ef-9bc9-0242ac110005\"},\"hash\":{\"value\":\"F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"australian future sponsor\"},\"created_time\":1723114384360489,\"lineage\":[\"seeds spouse noble\",\"lifestyle fault 
floors\"],\"namespace_pid\":18,\"parent_process\":{\"pid\":42,\"file\":{\"name\":\"implemented.rom\",\"type\":\"Unknown\",\"path\":\"calcium amateur harmony/ltd.toast/implemented.rom\",\"modifier\":{\"type\":\"Admin\",\"uid\":\"6360b08a-5574-11ef-ae8e-0242ac110005\",\"type_id\":2,\"ldap_person\":{\"location\":{\"desc\":\"Croatia, Republic of\",\"city\":\"Regulations technician\",\"country\":\"HR\",\"coordinates\":[-57.4552,63.8901],\"continent\":\"Europe\"},\"cost_center\":\"verify nut levels\",\"ldap_cn\":\"racing morgan volt\",\"ldap_dn\":\"census doors though\",\"modified_time_dt\":\"2024-08-08T10:53:04.363022Z\"}},\"type_id\":0,\"creator\":{\"name\":\"With\",\"type\":\"Unknown\",\"domain\":\"adjustment container harris\",\"uid\":\"6360d920-5574-11ef-a83a-0242ac110005\",\"type_id\":0,\"account\":{\"name\":\"europe eating mailing\",\"type\":\"Linux Account\",\"uid\":\"6360e442-5574-11ef-9167-0242ac110005\",\"type_id\":9}},\"parent_folder\":\"calcium amateur harmony/ltd.toast\",\"hashes\":[{\"value\":\"19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"modified_time_dt\":\"2024-08-08T10:53:04.363717Z\"},\"user\":{\"name\":\"Satisfaction\",\"type\":\"System\",\"uid\":\"6360f752-5574-11ef-a1db-0242ac110005\",\"type_id\":3,\"account\":{\"type\":\"LDAP Account\",\"uid\":\"636119d0-5574-11ef-a86d-0242ac110005\",\"type_id\":1},\"credential_uid\":\"6361204c-5574-11ef-8854-0242ac110005\"},\"group\":{\"name\":\"flags gang blow\",\"desc\":\"mistakes prediction toy\",\"uid\":\"63612c22-5574-11ef-800b-0242ac110005\",\"privileges\":[\"joining boots aw\",\"gang robust transport\"]},\"uid\":\"636132c6-5574-11ef-83af-0242ac110005\",\"cmd_line\":\"psp bush feet\",\"container\":{\"name\":\"obligation catalyst concentrations\",\"runtime\":\"tex strings 
mounted\",\"size\":1952448709,\"uid\":\"63613c44-5574-11ef-bd50-0242ac110005\",\"image\":{\"name\":\"rate ben fish\",\"uid\":\"63614568-5574-11ef-bf7a-0242ac110005\"},\"hash\":{\"value\":\"43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1723114384366178,\"namespace_pid\":17,\"parent_process\":{\"name\":\"Versions\",\"pid\":16,\"session\":{\"uid\":\"6361567a-5574-11ef-b26b-0242ac110005\",\"issuer\":\"level boc morrison\",\"created_time\":1723114384366575,\"credential_uid\":\"63615e22-5574-11ef-b196-0242ac110005\",\"is_remote\":false},\"file\":{\"name\":\"python.bin\",\"owner\":{\"name\":\"Yoga\",\"type\":\"Admin\",\"type_id\":2},\"type\":\"afghanistan\",\"path\":\"variable their precipitation/moving.sql/python.bin\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"x tide described\",\"issuer\":\"equations different edward\",\"fingerprints\":[{\"value\":\"90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1723114384368646,\"expiration_time\":1723114384368652,\"serial_number\":\"ultimate nervous george\"},\"algorithm\":\"Authenticode\",\"algorithm_id\":4},\"type_id\":99,\"accessor\":{\"name\":\"Jd\",\"type\":\"deviant\",\"domain\":\"elizabeth cheapest solution\",\"uid\":\"6361bec6-5574-11ef-81b5-0242ac110005\",\"type_id\":99},\"mime_type\":\"personnel/bids\",\"parent_folder\":\"variable their precipitation/moving.sql\",\"hashes\":[{\"value\":\"2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}]},\"user\":{\"name\":\"Spring\",\"type\":\"nu\",\"uid\":\"6361cccc-5574-11ef-994f-0242ac110005\",\"org\":{\"name\":\"watts desktop 
hong\",\"uid\":\"6361d546-5574-11ef-b2b3-0242ac110005\"},\"type_id\":99,\"account\":{\"name\":\"bd atom berkeley\",\"type\":\"Apple Account\",\"uid\":\"6361dec4-5574-11ef-80de-0242ac110005\",\"type_id\":8},\"email_addr\":\"Kristin@tion.net\"},\"group\":{\"name\":\"academics secondary simon\",\"uid\":\"6361ef22-5574-11ef-8892-0242ac110005\"},\"uid\":\"6361f634-5574-11ef-87d8-0242ac110005\",\"cmd_line\":\"distances participating maintenance\",\"container\":{\"name\":\"waste counties homepage\",\"size\":3565502421,\"uid\":\"63620160-5574-11ef-b37a-0242ac110005\",\"image\":{\"name\":\"apt lp screen\",\"path\":\"gulf brian arrow\",\"uid\":\"63620bec-5574-11ef-8f30-0242ac110005\"},\"network_driver\":\"ks field roger\",\"pod_uuid\":\"breathing\"},\"created_time\":1723114384371224,\"namespace_pid\":72,\"parent_process\":{\"name\":\"Definitely\",\"pid\":14,\"file\":{\"attributes\":39,\"name\":\"wing.crdownload\",\"type\":\"Folder\",\"path\":\"regularly drivers sacred/rational.fla/wing.crdownload\",\"product\":{\"name\":\"cr fat generators\",\"version\":\"1.1.0\",\"uid\":\"636288ba-5574-11ef-b671-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"conflicts feed receivers\"},\"type_id\":2,\"parent_folder\":\"regularly drivers sacred/rational.fla\",\"created_time\":1723114384374429,\"hashes\":[{\"value\":\"140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"E405FA83FE9CFE003B49FD852D4429D0EFF2F914\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"modified_time\":1723114384374497,\"xattributes\":{},\"created_time_dt\":\"2024-08-08T10:53:04.374525Z\"},\"user\":{\"name\":\"Influenced\",\"type\":\"User\",\"domain\":\"adding merit extend\",\"uid\":\"63629a58-5574-11ef-8c2b-0242ac110005\",\"type_id\":1,\"credential_uid\":\"6362a124-5574-11ef-a23f-0242ac110005\"},\"group\":{\"domain\":\"enterprises civil knowledge\",\"desc\":\"patch celebration 
lancaster\",\"uid\":\"6362ab10-5574-11ef-adda-0242ac110005\"},\"uid\":\"6362b0ec-5574-11ef-bb67-0242ac110005\",\"loaded_modules\":[\"/fri/tall/bit/rap/meyer.hqx\"],\"cmd_line\":\"railway filling consistent\",\"container\":{\"name\":\"calvin actor describe\",\"size\":1384069832,\"tag\":\"automobiles gratuit tower\",\"uid\":\"6362bb3c-5574-11ef-8a12-0242ac110005\",\"image\":{\"name\":\"pi churches es\",\"uid\":\"6362c56e-5574-11ef-8c25-0242ac110005\"},\"hash\":{\"value\":\"67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"orchestrator\":\"asking jerry namespace\"},\"created_time\":1723114384376016,\"integrity\":\"System\",\"integrity_id\":5,\"namespace_pid\":67,\"parent_process\":{\"name\":\"Animal\",\"pid\":95,\"file\":{\"attributes\":1,\"name\":\"tennessee.wsf\",\"type\":\"Folder\",\"path\":\"pennsylvania matthew somewhere/saw.dbf/tennessee.wsf\",\"uid\":\"6362dc0c-5574-11ef-b631-0242ac110005\",\"type_id\":2,\"creator\":{\"name\":\"Cognitive\",\"type\":\"User\",\"uid\":\"6362e6ac-5574-11ef-a13c-0242ac110005\",\"type_id\":1,\"email_addr\":\"Lorretta@components.nato\"},\"parent_folder\":\"pennsylvania matthew somewhere/saw.dbf\",\"hashes\":[{\"value\":\"1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434\",\"algorithm\":\"magic\",\"algorithm_id\":99}],\"is_system\":false,\"security_descriptor\":\"lcd elementary surround\"},\"user\":{\"name\":\"Guys\",\"type\":\"Unknown\",\"uid\":\"63630eca-5574-11ef-b29c-0242ac110005\",\"org\":{\"name\":\"mighty thou ff\",\"uid\":\"636317ee-5574-11ef-b39a-0242ac110005\",\"ou_name\":\"companies functions hockey\"},\"groups\":[{\"name\":\"hood powers merely\",\"domain\":\"parties entertainment lemon\",\"uid\":\"636321d0-5574-11ef-ae4b-0242ac110005\"},{\"name\":\"rise parcel 
bookmarks\",\"privileges\":[\"etc survey at\",\"cohen mails bio\"]}],\"type_id\":0,\"email_addr\":\"Classie@municipality.pro\"},\"group\":{\"name\":\"legislature normal lectures\",\"uid\":\"63632d38-5574-11ef-85c8-0242ac110005\"},\"uid\":\"63633300-5574-11ef-80ee-0242ac110005\",\"cmd_line\":\"magazines spin aaron\",\"container\":{\"name\":\"deputy mirror eagle\",\"size\":2004032787,\"tag\":\"magazine looking deemed\",\"uid\":\"63633e40-5574-11ef-9825-0242ac110005\",\"image\":{\"uid\":\"6363469c-5574-11ef-9299-0242ac110005\"},\"hash\":{\"value\":\"55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723114384379317,\"namespace_pid\":66,\"parent_process\":{\"name\":\"Delight\",\"file\":{\"name\":\"plasma.3dm\",\"type\":\"Folder\",\"path\":\"important companion consultancy/wallpaper.drv/plasma.3dm\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"assuming remarks brass\",\"issuer\":\"sheet registry concord\",\"fingerprints\":[{\"value\":\"EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1723114384380115,\"expiration_time\":1723114384380123,\"serial_number\":\"provinces medicine it\"},\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"type_id\":2,\"parent_folder\":\"important companion 
consultancy/wallpaper.drv\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}]},\"user\":{\"name\":\"Focused\",\"type\":\"Admin\",\"type_id\":2,\"email_addr\":\"Numbers@si.coop\",\"uid_alt\":\"biggest stupid linking\"},\"group\":{\"name\":\"jar transparency sing\",\"privileges\":[\"costs anthropology nickname\",\"nbc dns flex\"]},\"tid\":66,\"uid\":\"63637afe-5574-11ef-b99b-0242ac110005\",\"cmd_line\":\"felt essay relax\",\"container\":{\"name\":\"contain accepted gba\",\"runtime\":\"admin hammer variance\",\"tag\":\"geographical registered suspension\",\"uid\":\"63638544-5574-11ef-bbd6-0242ac110005\",\"image\":{\"name\":\"exist acceptance britney\",\"uid\":\"63638df0-5574-11ef-8d90-0242ac110005\"},\"hash\":{\"value\":\"83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A\",\"algorithm\":\"magic\",\"algorithm_id\":99},\"network_driver\":\"shops congratulations variance\"},\"created_time\":1723114384381145,\"integrity\":\"Protected\",\"integrity_id\":6,\"namespace_pid\":1,\"parent_process\":{\"pid\":44,\"file\":{\"attributes\":2,\"name\":\"fits.cfm\",\"type\":\"Symbolic Link\",\"path\":\"watts leave ukraine/ringtones.rtf/fits.cfm\",\"type_id\":7,\"parent_folder\":\"watts leave ukraine/ringtones.rtf\",\"confidentiality\":\"Confidential\",\"confidentiality_id\":2,\"hashes\":[{\"value\":\"B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"is_system\":true,\"security_descriptor\":\"selling dt 
few\",\"accessed_time_dt\":\"2024-08-08T10:53:04.381694Z\",\"created_time_dt\":\"2024-08-08T10:53:04.381707Z\"},\"user\":{\"name\":\"Edgar\",\"uid\":\"6363b992-5574-11ef-9143-0242ac110005\",\"ldap_person\":{\"email_addrs\":[\"Mariann@routine.net\"],\"job_title\":\"alto languages tanks\",\"deleted_time_dt\":\"2024-08-08T10:53:04.382339Z\"}},\"group\":{\"name\":\"thinking offices worcester\",\"uid\":\"6363ca0e-5574-11ef-837d-0242ac110005\",\"privileges\":[\"ingredients pins connector\"]},\"uid\":\"6363d120-5574-11ef-b647-0242ac110005\",\"cmd_line\":\"effects day pocket\",\"container\":{\"name\":\"astronomy routing grocery\",\"size\":2306842201,\"tag\":\"exchange timber candles\",\"uid\":\"6363dbde-5574-11ef-a3c5-0242ac110005\",\"image\":{\"name\":\"errors request zdnet\",\"uid\":\"6363e57a-5574-11ef-8bf7-0242ac110005\"},\"hash\":{\"value\":\"237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"viral lindsay intellectual\"},\"created_time\":1723114384383389,\"namespace_pid\":39,\"parent_process\":{\"name\":\"Vessels\",\"pid\":73,\"file\":{\"name\":\"photo.gadget\",\"owner\":{\"name\":\"Priorities\",\"type\":\"uploaded\",\"uid\":\"63640244-5574-11ef-864e-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"charles verification grave\",\"type\":\"Unknown\",\"uid\":\"63640bea-5574-11ef-881a-0242ac110005\",\"type_id\":0}},\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"alter checked emperor/toner.htm/photo.gadget\",\"type_id\":7,\"parent_folder\":\"alter checked emperor/toner.htm\",\"confidentiality\":\"Not 
Confidential\",\"confidentiality_id\":1,\"created_time\":1723114384384361,\"hashes\":[{\"value\":\"DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}]},\"user\":{\"type\":\"carmen\",\"uid\":\"63641a22-5574-11ef-8919-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"reef terrorist graduation\",\"type\":\"AWS Account\",\"uid\":\"636423be-5574-11ef-8304-0242ac110005\",\"type_id\":10},\"email_addr\":\"Lauryn@reliance.travel\"},\"cmd_line\":\"lung mega nn\",\"container\":{\"name\":\"texas comments creator\",\"size\":639972788,\"uid\":\"63642e36-5574-11ef-aac4-0242ac110005\",\"hash\":{\"value\":\"1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"orchestrator\":\"preview contractors helps\"},\"created_time\":1723114384385246,\"namespace_pid\":8,\"parent_process\":{\"name\":\"Scott\",\"pid\":56,\"file\":{\"name\":\"ba.3ds\",\"type\":\"Block Device\",\"path\":\"diagnosis angeles portsmouth/travels.mpa/ba.3ds\",\"type_id\":4,\"parent_folder\":\"diagnosis angeles portsmouth/travels.mpa\",\"accessed_time\":1723114384386177,\"created_time\":1723114384386185,\"hashes\":[{\"value\":\"50D299D6D7966A2DC1E0CF7FEB739E33\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time_dt\":\"2024-08-08T10:53:04.386239Z\"},\"user\":{\"name\":\"Kit\",\"type\":\"Admin\",\"domain\":\"amendment spot sudan\",\"type_id\":2},\"group\":{\"name\":\"passed rankings 
affects\",\"uid\":\"63646496-5574-11ef-bfc5-0242ac110005\"},\"uid\":\"63646b44-5574-11ef-a77a-0242ac110005\",\"cmd_line\":\"notre cameras draw\",\"container\":{\"name\":\"katrina commonly sweet\",\"uid\":\"636474e0-5574-11ef-bca8-0242ac110005\",\"image\":{\"name\":\"advertisement metabolism bound\",\"tag\":\"parent prostores taste\",\"path\":\"advantage bm record\",\"uid\":\"63647df0-5574-11ef-b02b-0242ac110005\"},\"hash\":{\"value\":\"36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"orchestrator\":\"child railroad thehun\"},\"created_time\":1723114384387286,\"namespace_pid\":4,\"parent_process\":{\"name\":\"Burning\",\"pid\":34,\"session\":{\"issuer\":\"mounts burns budgets\",\"created_time\":1723114384387484,\"is_remote\":true,\"is_vpn\":true},\"file\":{\"attributes\":97,\"name\":\"employment.wma\",\"owner\":{\"name\":\"Nov\",\"type\":\"User\",\"uid\":\"6364960a-5574-11ef-ad32-0242ac110005\",\"org\":{\"name\":\"arrive protecting fy\",\"uid\":\"6364a60e-5574-11ef-aaf1-0242ac110005\",\"ou_name\":\"cat saints infringement\",\"ou_uid\":\"6364acb2-5574-11ef-b1ce-0242ac110005\"},\"groups\":[{\"name\":\"head state rubber\",\"uid\":\"6364d64c-5574-11ef-a880-0242ac110005\"},{\"name\":\"catalyst strong mins\",\"desc\":\"consortium bald removing\",\"uid\":\"6364de3a-5574-11ef-9448-0242ac110005\"}],\"type_id\":1},\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"executed removal years/among.yuv/employment.wma\",\"product\":{\"version\":\"1.1.0\",\"path\":\"internship progress gun\",\"lang\":\"en\",\"vendor_name\":\"sp protection requests\"},\"type_id\":7,\"mime_type\":\"medal/nearly\",\"parent_folder\":\"executed removal 
years/among.yuv\",\"hashes\":[{\"value\":\"5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},{\"value\":\"BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"accessed_time_dt\":\"2024-08-08T10:53:04.389945Z\",\"created_time_dt\":\"2024-08-08T10:53:04.389957Z\"},\"user\":{\"name\":\"Without\",\"type\":\"celebs\",\"uid\":\"6364f62c-5574-11ef-be1d-0242ac110005\",\"type_id\":99},\"group\":{\"desc\":\"allowance vacation ae\"},\"tid\":42,\"uid\":\"636504b4-5574-11ef-af4a-0242ac110005\",\"cmd_line\":\"macintosh enjoying disposal\",\"container\":{\"size\":117561636,\"image\":{\"name\":\"federation technical rally\",\"uid\":\"636511ac-5574-11ef-b939-0242ac110005\"},\"hash\":{\"value\":\"1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"winning business collaborative\"},\"created_time\":1723114384391076,\"parent_process\":{\"name\":\"Vic\",\"pid\":16,\"session\":{\"count\":58,\"uid\":\"636527dc-5574-11ef-a1e5-0242ac110005\",\"issuer\":\"petition disclaimer clara\",\"created_time\":1723114384391616,\"expiration_reason\":\"declined attorney sunday\",\"is_remote\":false,\"is_vpn\":false,\"uid_alt\":\"sim yorkshire adaptation\",\"expiration_time_dt\":\"2024-08-08T10:53:04.391655Z\"},\"file\":{\"name\":\"medication.pdf\",\"owner\":{\"type\":\"System\",\"domain\":\"affiliation arab invision\",\"uid\":\"63653dee-5574-11ef-8c70-0242ac110005\",\"type_id\":3,\"ldap_person\":{\"created_time\":1723114384392352,\"email_addrs\":[\"Olympia@jesse.travel\",\"Mina@seeking.com\"],\"employee_uid\":\"63654de8-5574-11ef-a8ac-0242ac110005\",\"given_name\":\"pulse waiver footwear\",\"ldap_cn\":\"professionals 
worm eng\",\"leave_time\":1723114384392577}},\"size\":1001943972,\"type\":\"Folder\",\"version\":\"1.1.0\",\"path\":\"gotten unique thereafter/championship.deskthemepack/medication.pdf\",\"product\":{\"name\":\"mumbai determined nobody\",\"version\":\"1.1.0\",\"uid\":\"6365590a-5574-11ef-aaa7-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"infected listen uk\"},\"uid\":\"63655f9a-5574-11ef-add1-0242ac110005\",\"type_id\":2,\"creator\":{\"name\":\"Kurt\",\"type\":\"examines\",\"uid\":\"636569d6-5574-11ef-bef4-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"petite suggestions british\",\"type\":\"AWS Account\",\"uid\":\"63657340-5574-11ef-b69a-0242ac110005\",\"type_id\":10},\"uid_alt\":\"rack fake bleeding\"},\"parent_folder\":\"gotten unique thereafter/championship.deskthemepack\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":true},\"user\":{\"type\":\"recent\",\"uid\":\"6365822c-5574-11ef-95fb-0242ac110005\",\"org\":{\"name\":\"jerry calling mardi\",\"uid\":\"63658ac4-5574-11ef-bea5-0242ac110005\",\"ou_name\":\"motion ampland acknowledged\"},\"type_id\":99,\"credential_uid\":\"63659186-5574-11ef-a13d-0242ac110005\",\"email_addr\":\"Lynetta@lib.jobs\"},\"group\":{\"name\":\"phys dollar not\",\"type\":\"foster prefer phys\",\"domain\":\"explicitly retreat de\",\"uid\":\"63659b86-5574-11ef-ac1a-0242ac110005\"},\"uid\":\"6365a1b2-5574-11ef-847c-0242ac110005\",\"cmd_line\":\"sorts sites obtained\",\"container\":{\"name\":\"hack aud canadian\",\"size\":2490340163,\"uid\":\"6365ab4e-5574-11ef-a5b2-0242ac110005\",\"image\":{\"name\":\"graphs uni 
learned\",\"uid\":\"6365b47c-5574-11ef-94cc-0242ac110005\"},\"hash\":{\"value\":\"1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},\"network_driver\":\"nh essentials blogs\",\"pod_uuid\":\"automobiles\"},\"created_time\":1723114384395481,\"namespace_pid\":90,\"parent_process\":{\"name\":\"Offline\",\"pid\":2,\"session\":{\"uuid\":\"6365e014-5574-11ef-a98e-0242ac110005\",\"issuer\":\"bluetooth raise shopping\",\"created_time\":1723114384396317,\"expiration_reason\":\"politics nt username\",\"expiration_time\":1723114384396336,\"is_remote\":true,\"expiration_time_dt\":\"2024-08-08T10:53:04.396343Z\"},\"file\":{\"name\":\"atlantic.icns\",\"type\":\"Symbolic Link\",\"path\":\"rear biology finest/nintendo.class/atlantic.icns\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"national garmin even\",\"issuer\":\"cut duo agencies\",\"fingerprints\":[{\"value\":\"E8D8654C197E7B3BEED4D69E3EDD3A5B\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"expiration_time\":1723114384396755,\"serial_number\":\"rhode realty talented\"},\"algorithm\":\"vendor\",\"algorithm_id\":99},\"desc\":\"specific aside io\",\"type_id\":7,\"parent_folder\":\"rear biology finest/nintendo.class\",\"confidentiality\":\"freelance pty 
ferrari\",\"created_time\":1723114384396786,\"hashes\":[{\"value\":\"0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},{\"value\":\"D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"modified_time\":1723114384396821,\"xattributes\":{},\"modified_time_dt\":\"2024-08-08T10:53:04.396853Z\"},\"user\":{\"name\":\"Collectables\",\"type\":\"User\",\"domain\":\"crops midi hope\",\"uid\":\"6366010c-5574-11ef-bfe7-0242ac110005\",\"type_id\":1,\"uid_alt\":\"thunder pickup tab\"},\"group\":{\"desc\":\"muze comply jets\"},\"uid\":\"63660b34-5574-11ef-bbcf-0242ac110005\",\"cmd_line\":\"canada federation computational\",\"container\":{\"name\":\"barriers cheaper logged\",\"runtime\":\"logos drilling schools\",\"uid\":\"636616ce-5574-11ef-bd26-0242ac110005\",\"image\":{\"name\":\"handy derek tb\",\"uid\":\"63661fac-5574-11ef-9e80-0242ac110005\"},\"hash\":{\"value\":\"6F08C5DDCDD0BE06D83AA3E0E3D5A09E\",\"algorithm\":\"MD5\",\"algorithm_id\":1}},\"created_time\":1723114384397969,\"namespace_pid\":82,\"parent_process\":{\"name\":\"Recommendations\",\"pid\":76,\"file\":{\"attributes\":9,\"name\":\"placement.3dm\",\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"arizona concentrations widescreen/wire.tax2020/placement.3dm\",\"modifier\":{\"name\":\"Incident\",\"type\":\"Admin\",\"uid\":\"63663aa0-5574-11ef-89ff-0242ac110005\",\"groups\":[{\"name\":\"guest demographic terry\",\"domain\":\"adventure charter tom\",\"uid\":\"63665ca6-5574-11ef-abfa-0242ac110005\"},{\"name\":\"moderators broker asian\",\"uid\":\"636664f8-5574-11ef-96ca-0242ac110005\"}],\"type_id\":2,\"account\":{\"type\":\"Windows Account\",\"uid\":\"63666f0c-5574-11ef-98ef-0242ac110005\",\"type_id\":2},\"uid_alt\":\"notre sponsorship elections\"},\"desc\":\"populations servers environments\",\"type_id\":7,\"company_name\":\"Christa 
Marta\",\"creator\":{\"name\":\"Quotes\",\"type\":\"System\",\"uid\":\"63667ca4-5574-11ef-a8ae-0242ac110005\",\"groups\":[{\"name\":\"engineers constitute papers\",\"uid\":\"636685fa-5574-11ef-8fd9-0242ac110005\"},{\"type\":\"introducing amendments portuguese\",\"uid\":\"63668c80-5574-11ef-bd3d-0242ac110005\"}],\"type_id\":3,\"account\":{\"name\":\"hewlett beats hit\",\"type\":\"GCP Account\",\"uid\":\"636695b8-5574-11ef-8e13-0242ac110005\",\"type_id\":5},\"ldap_person\":{\"location\":{\"desc\":\"Cyprus, Republic of\",\"city\":\"Bibliographic selections\",\"country\":\"CY\",\"coordinates\":[-120.1139,17.5612],\"continent\":\"Asia\"},\"modified_time\":1723114384401210,\"office_location\":\"dl td transition\",\"last_login_time_dt\":\"2024-08-08T10:53:04.401225Z\"}},\"parent_folder\":\"arizona concentrations widescreen/wire.tax2020\",\"accessed_time\":1723114384401235,\"hashes\":[{\"value\":\"5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"E2A4DD55AA0F76F85A047DAF5B859095\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"xattributes\":{},\"created_time_dt\":\"2024-08-08T10:53:04.401316Z\"},\"user\":{\"name\":\"Taxes\",\"type\":\"System\",\"uid\":\"6366aed6-5574-11ef-855a-0242ac110005\",\"type_id\":3},\"group\":{\"name\":\"split viking nike\",\"domain\":\"apollo clicking incorrect\",\"uid\":\"6366b8c2-5574-11ef-a4e8-0242ac110005\"},\"uid\":\"6366be8a-5574-11ef-a313-0242ac110005\",\"cmd_line\":\"accessible annotated plus\",\"container\":{\"name\":\"butter repeated annie\",\"size\":1994539178,\"uid\":\"6366e1b2-5574-11ef-a230-0242ac110005\",\"image\":{\"name\":\"newspapers marriage translations\",\"uid\":\"6366ed6a-5574-11ef-9f59-0242ac110005\"},\"hash\":{\"value\":\"E94025BE336B1F89159AF64B1F6EDA5D470AC8D6\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723114384403255,\"integrity\":\"applying observe 
nba\",\"namespace_pid\":98,\"parent_process\":{\"name\":\"Exotic\",\"pid\":64,\"session\":{\"uid\":\"636701d8-5574-11ef-a4f1-0242ac110005\",\"credential_uid\":\"6367082c-5574-11ef-aaa8-0242ac110005\",\"expiration_reason\":\"washing sunday reaching\",\"expiration_time\":1723114384403944,\"is_remote\":true,\"created_time_dt\":\"2024-08-08T10:53:04.403955Z\",\"expiration_time_dt\":\"2024-08-08T10:53:04.403964Z\"},\"file\":{\"name\":\"accuracy.kmz\",\"type\":\"Character Device\",\"version\":\"1.1.0\",\"path\":\"breast enjoying verbal/assure.gam/accuracy.kmz\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"lion struggle widespread\",\"issuer\":\"clocks suppose products\",\"fingerprints\":[{\"value\":\"83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1723114384404438,\"expiration_time\":1723114384404443,\"serial_number\":\"negotiation feel cole\"},\"algorithm\":\"gotten\",\"algorithm_id\":99},\"product\":{\"version\":\"1.1.0\",\"uid\":\"6367296a-5574-11ef-8136-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"cindy specifications frontpage\"},\"uid\":\"63673090-5574-11ef-ad66-0242ac110005\",\"type_id\":3,\"parent_folder\":\"breast enjoying verbal/assure.gam\",\"confidentiality\":\"Top Secret\",\"confidentiality_id\":4,\"hashes\":[{\"value\":\"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"990D4710B15458E3EDAA8601CDF5B44648B4FC61\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"is_system\":false,\"accessed_time_dt\":\"2024-08-08T10:53:04.404997Z\"},\"user\":{\"name\":\"Saver\",\"type\":\"Admin\",\"uid\":\"6367417a-5574-11ef-8cd6-0242ac110005\",\"groups\":[{\"name\":\"guyana applied attribute\",\"domain\":\"identification browsing 
structures\",\"uid\":\"63676952-5574-11ef-a883-0242ac110005\"}],\"type_id\":2,\"full_name\":\"Mayme Lurline\"},\"group\":{\"name\":\"executive mathematical signals\",\"uid\":\"63677460-5574-11ef-a07f-0242ac110005\"},\"tid\":41,\"uid\":\"63677a6e-5574-11ef-9578-0242ac110005\",\"cmd_line\":\"mere loaded similar\",\"created_time\":1723114384406818,\"lineage\":[\"operational pilot citysearch\"]},\"auid\":58,\"euid\":32,\"created_time_dt\":\"2024-08-08T10:53:04.406843Z\"},\"terminated_time\":1723114384406852}},\"xattributes\":{},\"auid\":30},\"xattributes\":{},\"euid\":78,\"terminated_time_dt\":\"2024-08-08T10:53:04.406915Z\"},\"sandbox\":\"challenged profiles family\",\"xattributes\":{}},\"sandbox\":\"declare indication occupations\",\"xattributes\":{}},\"sandbox\":\"delays fighting soonest\",\"euid\":11},\"created_time_dt\":\"2024-08-08T10:53:04.406974Z\"},\"terminated_time\":1723114384406979},\"euid\":20},\"auid\":5},\"sandbox\":\"representing stationery affiliated\"},\"euid\":92},\"auid\":32}},\"sandbox\":\"em therefore spoke\",\"xattributes\":{},\"created_time_dt\":\"2024-08-08T10:53:04.407027Z\"},\"xattributes\":{},\"euid\":11,\"terminated_time_dt\":\"2024-08-08T10:53:04.407047Z\"},\"terminated_time_dt\":\"2024-08-08T10:53:04.407054Z\"},\"sandbox\":\"conversations poker oriented\",\"auid\":31,\"euid\":40,\"terminated_time_dt\":\"2024-08-08T10:53:04.407066Z\"},\"terminated_time\":1723114384407071,\"euid\":45},\"egid\":67},\"xattributes\":{},\"euid\":77,\"egid\":31},\"auid\":39}},\"egid\":16},\"created_time_dt\":\"2024-08-08T10:53:04.407101Z\"},\"sandbox\":\"numbers audience guard\",\"auid\":45,\"terminated_time_dt\":\"2024-08-08T10:53:04.407112Z\"},\"user\":{\"name\":\"Boy\",\"type\":\"Admin\",\"domain\":\"distance predicted facilities\",\"uid\":\"63679120-5574-11ef-be81-0242ac110005\",\"type_id\":2},\"invoked_by\":\"popularity puzzle provides\"},\"cloud\":{\"provider\":\"diabetes gaps ag\",\"region\":\"act ran entity\"},\"dst_endpoint\":{\"name\":\"full essentials 
size\",\"port\":55506,\"type\":\"ssl\",\"os\":{\"name\":\"mailing possibilities either\",\"type\":\"AIX\",\"version\":\"1.1.0\",\"build\":\"walking thermal neck\",\"type_id\":401},\"ip\":\"226.140.221.18\",\"uid\":\"635383ba-5574-11ef-bd0d-0242ac110005\",\"type_id\":99,\"container\":{\"name\":\"twelve will royalty\",\"runtime\":\"lopez bulletin thru\",\"size\":2829011720,\"tag\":\"grain alert score\",\"uid\":\"63539300-5574-11ef-82a9-0242ac110005\",\"image\":{\"name\":\"routing playback sb\",\"uid\":\"63539e90-5574-11ef-9508-0242ac110005\"},\"hash\":{\"value\":\"4447CDB3261C7AE4F053DC296FEE1093F25F731D23A692D5819318F1901FDEC79EB2CA760BABCD759285BAE417ACD21FC64BB623583834C076F16FA9A53F1107\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"orchestrator\":\"georgia rr scheduled\",\"pod_uuid\":\"municipality\"},\"instance_uid\":\"6353a91c-5574-11ef-b5fc-0242ac110005\",\"interface_name\":\"ideas utility possible\",\"interface_uid\":\"6353afd4-5574-11ef-b86c-0242ac110005\",\"namespace_pid\":72,\"proxy_endpoint\":{\"name\":\"lit canberra terminology\",\"port\":64602,\"type\":\"IOT\",\"ip\":\"35.105.135.121\",\"location\":{\"desc\":\"Guadeloupe\",\"city\":\"Establishment kind\",\"country\":\"GP\",\"coordinates\":[90.6576,-34.4194],\"continent\":\"North America\"},\"hostname\":\"guided.name\",\"uid\":\"6353bf1a-5574-11ef-be0c-0242ac110005\",\"type_id\":7,\"container\":{\"name\":\"programmes relevance boot\",\"size\":2534954875,\"image\":{\"name\":\"weblogs grad offices\",\"uid\":\"6353ca32-5574-11ef-8405-0242ac110005\",\"labels\":[\"commit\",\"walter\"]},\"hash\":{\"value\":\"71FAFC4E2FC1E47E234762A96B80512B6B5534C2\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},\"orchestrator\":\"mic waiting gains\"},\"instance_uid\":\"6353d496-5574-11ef-ba97-0242ac110005\",\"interface_name\":\"nato pray consult\",\"interface_uid\":\"6353db12-5574-11ef-861d-0242ac110005\",\"namespace_pid\":17,\"proxy_endpoint\":{\"name\":\"slides weird 
discussion\",\"port\":38178,\"type\":\"Server\",\"domain\":\"equipped disagree kevin\",\"ip\":\"114.100.167.141\",\"hostname\":\"challenged.travel\",\"uid\":\"6353ed14-5574-11ef-a94e-0242ac110005\",\"type_id\":1,\"container\":{\"name\":\"produces integrate invitation\",\"size\":3462840380,\"tag\":\"locks circuit hindu\",\"uid\":\"6353f70a-5574-11ef-a129-0242ac110005\",\"image\":{\"name\":\"amount dividend oregon\",\"uid\":\"6353ff98-5574-11ef-8eac-0242ac110005\"},\"hash\":{\"value\":\"555F45D31B82ABEEDB74D75EACB96817602160400F9A16B894CB77D68292FE96CFDCF573199918FB36F17CCC5B1B99A9ABBB62D931C518CC5D6A05A5659B534C\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}},\"hw_info\":{\"cpu_cores\":9,\"cpu_count\":87,\"cpu_speed\":32,\"keyboard_info\":{\"keyboard_type\":\"tries dramatically undo\"}},\"instance_uid\":\"63540c0e-5574-11ef-98f2-0242ac110005\",\"interface_name\":\"detroit handbags discuss\",\"interface_uid\":\"63541294-5574-11ef-aa42-0242ac110005\",\"namespace_pid\":67,\"svc_name\":\"discovered occurs presidential\",\"zone\":\"little tucson operations\"},\"svc_name\":\"history it exp\",\"zone\":\"join your encourage\"},\"svc_name\":\"gl dropped workforce\"},\"severity_id\":2,\"src_endpoint\":{\"name\":\"allah pain blues\",\"type\":\"Hub\",\"ip\":\"175.16.199.0\",\"hostname\":\"generic.edu\",\"uid\":\"63552c6a-5574-11ef-847f-0242ac110005\",\"mac\":\"E4:C5:2D:FD:E6:16:2B:96\",\"type_id\":11,\"container\":{\"name\":\"involvement buses bowling\",\"size\":509766084,\"tag\":\"lawyers genre trained\",\"uid\":\"635539f8-5574-11ef-b41d-0242ac110005\",\"image\":{\"name\":\"clause material fort\",\"uid\":\"635540f6-5574-11ef-bbdd-0242ac110005\",\"labels\":[\"difficulties\",\"confusion\"]},\"hash\":{\"value\":\"6DE8A320862880F35A99FE4448414E898831DCCD\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"instance_uid\":\"63554826-5574-11ef-973b-0242ac110005\",\"interface_name\":\"collections setting 
twelve\",\"interface_uid\":\"63554c86-5574-11ef-90cb-0242ac110005\",\"svc_name\":\"welding minute invention\"},\"status_id\":0}", + "outcome": "unknown", + "provider": "buying fa joel", + "severity": 2, + "type": [ + "info" + ] + }, + "file": { + "directory": "wiki optimization counter/prohibited.ai", + "hash": { + "sha256": [ + "4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984" + ], + "tlsh": [ + "F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8" + ] + }, + "name": "ate.cue", + "path": "wiki optimization counter/prohibited.ai/ate.cue", + "type": "Folder", + "x509": { + "issuer": { + "distinguished_name": "warning cute armor" + }, + "not_after": "+56573-04-27T12:31:13.675Z", + "serial_number": "qld undergraduate cowboy", + "subject": { + "distinguished_name": "advised chess egyptian" + }, + "version_number": "1.1.0" + } + }, + "message": "epa stanley speech", + "network": { + "application": [ + "welding minute invention", + "gl dropped workforce" + ] + }, + "ocsf": { + "activity_id": "7", + "activity_name": "Move", + "actor": { + "invoked_by": "popularity puzzle provides", + "process": { + "auid": "45", + "cmd_line": "syndication traveler charges", + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1" + }, + "image": { + "labels": [ + "pants", + "firewall" + ], + "name": "technician rogers federal", + "tag": "pub flexible interface", + "uid": "63561756-5574-11ef-85d8-0242ac110005" + }, + "name": "slim rehabilitation nest", + "size": 2119671744, + "uid": "63560cca-5574-11ef-8db7-0242ac110005" + }, + "created_time": "+56573-04-27T12:31:32.928Z", + "file": { + "attributes": 91, + "creator": { + "email_addr": "Blaine@highlight.pro", + "full_name": "Melodee Norma", + "name": "Resource", + "type": "System", + "type_id": "3", + "uid": "6355ab18-5574-11ef-bc66-0242ac110005" + }, + "desc": "xp endif 
record", + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "28E532D56B18548CC0B68A63311D2DCD2D258B2F" + }, + { + "algorithm": "MD5", + "algorithm_id": "1", + "value": "695BF60E03F83A36699AF46519E8E584" + } + ], + "mime_type": "incl/johnston", + "modifier": { + "domain": "beneficial az attraction", + "email_addr": "Lura@consolidated.mil", + "name": "Dimensional", + "type": "System", + "type_id": "3", + "uid": "63556d6a-5574-11ef-ac26-0242ac110005" + }, + "name": "physician.asf", + "parent_folder": "donors replied magazine/elder.accdb", + "path": "donors replied magazine/elder.accdb/physician.asf", + "type": "Regular File", + "type_id": "1" + }, + "group": { + "domain": "problem choosing reform", + "name": "manage livestock tribes", + "uid": "6355e5e2-5574-11ef-b983-0242ac110005" + }, + "integrity": "cr darwin wearing", + "loaded_modules": [ + "/sic/measurement/morrison/routing/classroom.class", + "/projector/dare/dt/fancy/governance.wma" + ], + "name": "Eden", + "namespace_pid": 27, + "parent_process": { + "cmd_line": "asks eight printed", + "container": { + "hash": { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959" + }, + "image": { + "name": "abu collectables clinical", + "uid": "63567a16-5574-11ef-8843-0242ac110005" + }, + "name": "te beginners geology", + "size": 1467240565, + "uid": "63567160-5574-11ef-a13e-0242ac110005" + }, + "created_time": "+56573-04-27T12:31:35.435Z", + "created_time_dt": "2024-08-08T10:53:04.407Z", + "file": { + "accessor": { + "email_addr": "Sunni@holders.jobs", + "type": "republican", + "type_id": "99", + "uid": "6356478a-5574-11ef-bd16-0242ac110005" + }, + "attributes": 91, + "name": "engineers.png", + "parent_folder": "judgment entering hydrocodone/sharp.uue", + "path": "judgment entering hydrocodone/sharp.uue/engineers.png", + "type": "Character Device", + "type_id": "3" + }, + "group": { + "desc": "rogers eco outlets", + "type": 
"savannah weapon canon", + "uid": "63565dba-5574-11ef-80bf-0242ac110005" + }, + "integrity": "eternal reservation which", + "name": "Outreach", + "namespace_pid": 73, + "parent_process_keyword": "{container={uid=6356a234-5574-11ef-a31f-0242ac110005, image={uid=6356aaae-5574-11ef-80e9-0242ac110005, name=bag belief such, labels=[memorabilia, producers]}, size=3349958052, name=diving invited scoring, pod_uuid=pp, runtime=louise demanding pontiac, tag=witness indicators oral, hash={value=5EF93A057B5E36A7F6F0880E87F5CF4B, algorithm_id=1, algorithm=MD5}}, created_time=1723114384296685, egid=16, cmd_line=tools aluminium combinations, namespace_pid=42, name=Hung, pid=85, parent_process={container={uid=6356f91e-5574-11ef-ae76-0242ac110005, image={uid=635701a2-5574-11ef-bc46-0242ac110005, name=sao naked toddler, labels=[toolbox, taught]}, size=420397581, name=slovenia anybody colors, pod_uuid=arranged, runtime=organic worked yn, hash={value=E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384298907, namespace_pid=34, pid=15, parent_process={container={uid=6357871c-5574-11ef-9b53-0242ac110005, image={uid=63578f78-5574-11ef-83eb-0242ac110005, name=lots time boolean}, orchestrator=board luis adopted, size=2152153573, name=loving revealed remarkable, hash={value=EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97, algorithm_id=5, algorithm=CTPH}}, uid=63577e16-5574-11ef-8086-0242ac110005, created_time=1723114384302534, auid=39, file={owner={uid=63572f2e-5574-11ef-80bc-0242ac110005, full_name=Mistie Belkis, type_id=3, domain=harmony served deadly, name=Excessive, groups=[{uid=635738e8-5574-11ef-b1ba-0242ac110005, name=recruiting member combine}], type=System, account={uid=6357423e-5574-11ef-bd28-0242ac110005, type_id=7, type=Mac OS Account}}, is_system=false, 
creator={uid=635752c4-5574-11ef-9816-0242ac110005, full_name=Lauralee Thomasine, type_id=1, domain=cabinet satisfaction excitement, name=Health, type=User, ldap_person={ldap_dn=roy noticed vertical, surname=tract olympus editor, created_time_dt=2024-08-08T10:53:04.301134Z, location={continent=Europe, country=RS, city=Princeton judy, coordinates=[-170.2881, -62.2248], desc=Serbia, Republic of}}}, type_id=5, type=Local Socket, xattributes={}, path=everything packaging fears/sat.crdownload/sitting.bmp, uid=635748e2-5574-11ef-9899-0242ac110005, parent_folder=everything packaging fears/sat.crdownload, modified_time=1723114384301182, name=sitting.bmp, hashes=[{value=D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B, algorithm_id=0, algorithm=Unknown}], accessed_time=1723114384301146}, cmd_line=consists posters menus, name=Whilst, pid=51, parent_process={container={uid=63597a54-5574-11ef-acbb-0242ac110005, image={uid=63599c96-5574-11ef-8abe-0242ac110005, name=hanging assume mill}, size=3636193350, name=drill modern difference, hash={value=90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384316151, euid=77, session={uid=6357a396-5574-11ef-8ef4-0242ac110005, created_time=1723114384303010, is_remote=false, is_mfa=true, issuer=demonstration holmes california}, namespace_pid=49, pid=93, parent_process={container={uid=635a7206-5574-11ef-b9d6-0242ac110005, image={uid=635a8282-5574-11ef-8212-0242ac110005}, size=560452224, name=answers camera televisions, hash={value=FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828, algorithm_id=7, algorithm=quickXorHash}}, uid=635a5c26-5574-11ef-8945-0242ac110005, created_time=1723114384322300, egid=67, file={path=proper unified 
cingular/outsourcing.cs/venice.pct, created_time=1723114384320518, product={vendor_name=staying attachment med, version=1.1.0}, parent_folder=proper unified cingular/outsourcing.cs, type_id=3, name=venice.pct, accessor={uid=635a477c-5574-11ef-8dd3-0242ac110005, type_id=2, name=Arlington, type=Admin, credential_uid=635a4f2e-5574-11ef-b0c1-0242ac110005}, hashes=[{value=5B54C0A045F179BCBBBC9ABCB8B5CD4C, algorithm_id=1, algorithm=MD5}, {value=B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91, algorithm_id=99, algorithm=magic}], accessed_time=1723114384320502, modified_time_dt=2024-08-08T10:53:04.320622Z, type=Character Device, desc=advantage profit fall}, cmd_line=cup rights charger, namespace_pid=14, name=Ft, pid=85, parent_process={container={uid=635bd29a-5574-11ef-a523-0242ac110005, image={uid=635c0198-5574-11ef-ba77-0242ac110005, name=junction naval insulation, tag=watches wellington muscle}, size=1841031275, name=ink bio mileage, pod_uuid=nuclear, runtime=effort des lu, hash={value=FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384332144, euid=45, namespace_pid=91, pid=1, parent_process={container={uid=635d91e8-5574-11ef-bfc1-0242ac110005, image={uid=635dba88-5574-11ef-a7d2-0242ac110005, name=bring president swap}, network_driver=crawford invitation pierce, orchestrator=differences lycos cut, size=175725837, name=ate worth powerpoint, runtime=society mem dependence, hash={value=7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384343050, auid=31, euid=40, namespace_pid=17, sandbox=conversations poker oriented, pid=46, parent_process={container={uid=635e290a-5574-11ef-8290-0242ac110005, image={uid=635e31d4-5574-11ef-8b11-0242ac110005, tag=developer characterized chelsea}, 
size=1634165265, name=dry age their, tag=revised bytes swingers, hash={value=D5F2E5C77054C44C2C72A1B017DECA06FC637C99, algorithm_id=2, algorithm=SHA-1}}, uid=635e1f5a-5574-11ef-aad7-0242ac110005, created_time=1723114384346014, file={owner={uid=635ddb94-5574-11ef-ab3f-0242ac110005, org={name=whom demand thereof, ou_name=weighted fundraising drainage}, type_id=1, name=Tissue, type=User}, is_system=false, type_id=1, confidentiality=Unknown, modified_time_dt=2024-08-08T10:53:04.344556Z, type=Regular File, path=commons employ nickel/humanity.swf/earnings.otf, parent_folder=commons employ nickel/humanity.swf, confidentiality_id=0, company_name=Abby Cyrus, security_descriptor=correctly screenshots reached, name=earnings.otf, hashes=[{value=EE1150845FA3041CEB3A3FCDBE42D68A, algorithm_id=1, algorithm=MD5}, {value=DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.344543Z}, cmd_line=macedonia reid wanna, name=During, pid=22, parent_process={container={uid=635eaa7e-5574-11ef-99fc-0242ac110005, image={uid=635eb3a2-5574-11ef-8a60-0242ac110005, name=carolina bio conversion}, orchestrator=wto murray posted, size=2909077433, name=car ericsson vary, pod_uuid=designed, tag=apparent philadelphia southern, hash={value=62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407, algorithm_id=3, algorithm=SHA-256}}, created_time=1723114384349350, euid=11, namespace_pid=5, pid=15, parent_process={container={uid=635f000a-5574-11ef-bd88-0242ac110005, image={uid=635f0898-5574-11ef-a44a-0242ac110005, name=procedures later palestinian}, orchestrator=teens motion deaths, size=22516444, name=thomson multi reliable, hash={value=B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384351625, namespace_pid=7, 
sandbox=em therefore spoke, pid=58, parent_process={container={uid=635f7e18-5574-11ef-84ec-0242ac110005, image={uid=635f891c-5574-11ef-9147-0242ac110005, name=packs auction technical}, size=574926482, name=inquire justice risks, runtime=fragrance instances sun}, lineage=[lying advertisements renew, buf prescribed puerto], created_time=1723114384354756, namespace_pid=80, pid=86, parent_process={lineage=[trees saving alias, ssl september rack], uid=635fa406-5574-11ef-809b-0242ac110005, auid=32, cmd_line=information propecia md, namespace_pid=50, name=Blogger, pid=77, parent_process={container={uid=63600950-5574-11ef-aae8-0242ac110005, image={path=trades mess wishlist, uid=6360136e-5574-11ef-8aec-0242ac110005, name=jersey elected projector, tag=members breathing powers}, size=3538073681, name=homes commonwealth recall}, created_time=1723114384358291, euid=92, namespace_pid=6, pid=15, parent_process={container={image={uid=636066de-5574-11ef-9bc9-0242ac110005, name=listing hardwood defined}, orchestrator=australian future sponsor, size=119356271, name=heather troubleshooting considerable, hash={value=F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876, algorithm_id=4, algorithm=SHA-512}}, lineage=[seeds spouse noble, lifestyle fault floors], uid=636054f0-5574-11ef-8588-0242ac110005, created_time=1723114384360489, file={path=throws additions myspace/jackets.b/patches.tar, uid=636040d2-5574-11ef-965c-0242ac110005, parent_folder=throws additions myspace/jackets.b, confidentiality_id=4, signature={certificate={created_time=1723114384358869, subject=donate tons media, expiration_time=1723114384358874, serial_number=fell lab weddings, version=1.1.0, issuer=italic hamburg judges, fingerprints=[{value=F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543, algorithm_id=5, algorithm=CTPH}]}, 
developer_uid=63603196-5574-11ef-ac47-0242ac110005, algorithm_id=1, algorithm=DSA}, type_id=0, confidentiality=Top Secret, name=patches.tar, hashes=[{value=04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21, algorithm_id=4, algorithm=SHA-512}, {value=6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8, algorithm_id=7, algorithm=quickXorHash}], modified_time_dt=2024-08-08T10:53:04.359528Z, type=Unknown}, cmd_line=swingers centers burke, namespace_pid=18, sandbox=representing stationery affiliated, pid=31, parent_process={container={uid=63613c44-5574-11ef-bd50-0242ac110005, image={uid=63614568-5574-11ef-bf7a-0242ac110005, name=rate ben fish}, size=1952448709, name=obligation catalyst concentrations, runtime=tex strings mounted, hash={value=43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3, algorithm_id=99, algorithm=magic}}, uid=636132c6-5574-11ef-83af-0242ac110005, created_time=1723114384366178, auid=5, file={path=calcium amateur harmony/ltd.toast/implemented.rom, creator={uid=6360d920-5574-11ef-a83a-0242ac110005, type_id=0, domain=adjustment container harris, name=With, type=Unknown, account={uid=6360e442-5574-11ef-9167-0242ac110005, type_id=9, name=europe eating mailing, type=Linux Account}}, parent_folder=calcium amateur harmony/ltd.toast, type_id=0, modifier={uid=6360b08a-5574-11ef-ae8e-0242ac110005, type_id=2, type=Admin, ldap_person={ldap_dn=census doors though, ldap_cn=racing morgan volt, cost_center=verify nut levels, location={continent=Europe, country=HR, city=Regulations technician, coordinates=[-57.4552, 63.8901], desc=Croatia, Republic of}, modified_time_dt=2024-08-08T10:53:04.363022Z}}, name=implemented.rom, hashes=[{value=19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661, algorithm_id=3, algorithm=SHA-256}, 
{value=652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F, algorithm_id=3, algorithm=SHA-256}], modified_time_dt=2024-08-08T10:53:04.363717Z, type=Unknown}, cmd_line=psp bush feet, namespace_pid=17, pid=42, parent_process={container={uid=63620160-5574-11ef-b37a-0242ac110005, image={path=gulf brian arrow, uid=63620bec-5574-11ef-8f30-0242ac110005, name=apt lp screen}, network_driver=ks field roger, size=3565502421, name=waste counties homepage, pod_uuid=breathing}, created_time=1723114384371224, euid=20, session={uid=6361567a-5574-11ef-b26b-0242ac110005, created_time=1723114384366575, is_remote=false, issuer=level boc morrison, credential_uid=63615e22-5574-11ef-b196-0242ac110005}, namespace_pid=72, pid=16, parent_process={container={uid=6362bb3c-5574-11ef-8a12-0242ac110005, image={uid=6362c56e-5574-11ef-8c25-0242ac110005, name=pi churches es}, orchestrator=asking jerry namespace, size=1384069832, name=calvin actor describe, tag=automobiles gratuit tower, hash={value=67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384376016, namespace_pid=67, pid=14, parent_process={container={uid=63633e40-5574-11ef-9825-0242ac110005, image={uid=6363469c-5574-11ef-9299-0242ac110005}, size=2004032787, name=deputy mirror eagle, tag=magazine looking deemed, hash={value=55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037, algorithm_id=4, algorithm=SHA-512}}, uid=63633300-5574-11ef-80ee-0242ac110005, created_time=1723114384379317, file={path=pennsylvania matthew somewhere/saw.dbf/tennessee.wsf, uid=6362dc0c-5574-11ef-b631-0242ac110005, is_system=false, creator={uid=6362e6ac-5574-11ef-a13c-0242ac110005, email_addr=Lorretta@components.nato, type_id=1, name=Cognitive, type=User}, parent_folder=pennsylvania matthew somewhere/saw.dbf, type_id=2, security_descriptor=lcd 
elementary surround, name=tennessee.wsf, hashes=[{value=1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734, algorithm_id=3, algorithm=SHA-256}, {value=DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434, algorithm_id=99, algorithm=magic}], attributes=1, type=Folder}, cmd_line=magazines spin aaron, namespace_pid=66, name=Animal, created_time_dt=2024-08-08T10:53:04.406974Z, pid=95, parent_process={container={uid=63638544-5574-11ef-bbd6-0242ac110005, image={uid=63638df0-5574-11ef-8d90-0242ac110005, name=exist acceptance britney}, network_driver=shops congratulations variance, name=contain accepted gba, runtime=admin hammer variance, tag=geographical registered suspension, hash={value=83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A, algorithm_id=99, algorithm=magic}}, created_time=1723114384381145, euid=11, namespace_pid=1, sandbox=delays fighting soonest, parent_process={container={uid=6363dbde-5574-11ef-a3c5-0242ac110005, image={uid=6363e57a-5574-11ef-8bf7-0242ac110005, name=errors request zdnet}, orchestrator=viral lindsay intellectual, size=2306842201, name=astronomy routing grocery, tag=exchange timber candles, hash={value=237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E, algorithm_id=4, algorithm=SHA-512}}, uid=6363d120-5574-11ef-b647-0242ac110005, created_time=1723114384383389, file={is_system=true, type_id=7, confidentiality=Confidential, type=Symbolic Link, path=watts leave ukraine/ringtones.rtf/fits.cfm, parent_folder=watts leave ukraine/ringtones.rtf, confidentiality_id=2, accessed_time_dt=2024-08-08T10:53:04.381694Z, security_descriptor=selling dt few, name=fits.cfm, hashes=[{value=B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E, algorithm_id=4, algorithm=SHA-512}, {value=3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124, algorithm_id=2, algorithm=SHA-1}], 
created_time_dt=2024-08-08T10:53:04.381707Z, attributes=2}, cmd_line=effects day pocket, namespace_pid=39, sandbox=declare indication occupations, pid=44, parent_process={container={uid=63642e36-5574-11ef-aac4-0242ac110005, orchestrator=preview contractors helps, size=639972788, name=texas comments creator, hash={value=1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384385246, file={owner={uid=63640244-5574-11ef-864e-0242ac110005, type_id=99, name=Priorities, type=uploaded, account={uid=63640bea-5574-11ef-881a-0242ac110005, type_id=0, name=charles verification grave, type=Unknown}}, path=alter checked emperor/toner.htm/photo.gadget, created_time=1723114384384361, parent_folder=alter checked emperor/toner.htm, confidentiality_id=1, type_id=7, confidentiality=Not Confidential, name=photo.gadget, hashes=[{value=DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0, algorithm_id=4, algorithm=SHA-512}, {value=5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0, algorithm_id=3, algorithm=SHA-256}], type=Symbolic Link, version=1.1.0}, cmd_line=lung mega nn, namespace_pid=8, name=Vessels, sandbox=challenged profiles family, pid=73, parent_process={container={uid=636474e0-5574-11ef-bca8-0242ac110005, image={path=advantage bm record, uid=63647df0-5574-11ef-b02b-0242ac110005, name=advertisement metabolism bound, tag=parent prostores taste}, orchestrator=child railroad thehun, name=katrina commonly sweet, hash={value=36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605, algorithm_id=0, algorithm=Unknown}}, created_time=1723114384387286, euid=78, namespace_pid=4, pid=56, parent_process={container={image={uid=636511ac-5574-11ef-b939-0242ac110005, name=federation technical 
rally}, orchestrator=winning business collaborative, size=117561636, hash={value=1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657, algorithm_id=4, algorithm=SHA-512}}, created_time=1723114384391076, auid=30, session={created_time=1723114384387484, is_vpn=true, is_remote=true, issuer=mounts burns budgets}, pid=34, parent_process={container={uid=6365ab4e-5574-11ef-a5b2-0242ac110005, image={uid=6365b47c-5574-11ef-94cc-0242ac110005, name=graphs uni learned}, network_driver=nh essentials blogs, size=2490340163, name=hack aud canadian, pod_uuid=automobiles, hash={value=1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98, algorithm_id=6, algorithm=TLSH}}, uid=6365a1b2-5574-11ef-847c-0242ac110005, created_time=1723114384395481, file={owner={uid=63653dee-5574-11ef-8c70-0242ac110005, type_id=3, domain=affiliation arab invision, type=System, ldap_person={created_time=1723114384392352, leave_time=1723114384392577, email_addrs=[Olympia@jesse.travel, Mina@seeking.com], ldap_cn=professionals worm eng, given_name=pulse waiver footwear, employee_uid=63654de8-5574-11ef-a8ac-0242ac110005}}, is_system=true, product={uid=6365590a-5574-11ef-aaa7-0242ac110005, name=mumbai determined nobody, vendor_name=infected listen uk, lang=en, version=1.1.0}, creator={uid=636569d6-5574-11ef-bef4-0242ac110005, type_id=99, name=Kurt, uid_alt=rack fake bleeding, type=examines, account={uid=63657340-5574-11ef-b69a-0242ac110005, type_id=10, name=petite suggestions british, type=AWS Account}}, type_id=2, confidentiality=Secret, type=Folder, version=1.1.0, path=gotten unique thereafter/championship.deskthemepack/medication.pdf, uid=63655f9a-5574-11ef-add1-0242ac110005, parent_folder=gotten unique thereafter/championship.deskthemepack, size=1001943972, confidentiality_id=3, name=medication.pdf, 
hashes=[{value=C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1, algorithm_id=7, algorithm=quickXorHash}]}, cmd_line=sorts sites obtained, session={uid=636527dc-5574-11ef-a1e5-0242ac110005, created_time=1723114384391616, is_vpn=false, expiration_reason=declined attorney sunday, expiration_time_dt=2024-08-08T10:53:04.391655Z, count=58, is_remote=false, uid_alt=sim yorkshire adaptation, issuer=petition disclaimer clara}, namespace_pid=90, name=Vic, pid=16, parent_process={container={uid=636616ce-5574-11ef-bd26-0242ac110005, image={uid=63661fac-5574-11ef-9e80-0242ac110005, name=handy derek tb}, name=barriers cheaper logged, runtime=logos drilling schools, hash={value=6F08C5DDCDD0BE06D83AA3E0E3D5A09E, algorithm_id=1, algorithm=MD5}}, created_time=1723114384397969, session={created_time=1723114384396317, expiration_reason=politics nt username, expiration_time_dt=2024-08-08T10:53:04.396343Z, expiration_time=1723114384396336, is_remote=true, uuid=6365e014-5574-11ef-a98e-0242ac110005, issuer=bluetooth raise shopping}, namespace_pid=82, pid=2, parent_process={container={uid=6366e1b2-5574-11ef-a230-0242ac110005, image={uid=6366ed6a-5574-11ef-9f59-0242ac110005, name=newspapers marriage translations}, size=1994539178, name=butter repeated annie, hash={value=E94025BE336B1F89159AF64B1F6EDA5D470AC8D6, algorithm_id=2, algorithm=SHA-1}}, created_time=1723114384403255, auid=58, euid=32, namespace_pid=98, pid=76, parent_process={lineage=[operational pilot citysearch], uid=63677a6e-5574-11ef-9578-0242ac110005, created_time=1723114384406818, file={is_system=false, product={uid=6367296a-5574-11ef-8136-0242ac110005, vendor_name=cindy specifications frontpage, lang=en, version=1.1.0}, signature={certificate={created_time=1723114384404438, subject=lion struggle widespread, expiration_time=1723114384404443, serial_number=negotiation feel cole, version=1.1.0, issuer=clocks suppose products, 
fingerprints=[{value=83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=99, algorithm=gotten}, type_id=3, confidentiality=Top Secret, type=Character Device, version=1.1.0, path=breast enjoying verbal/assure.gam/accuracy.kmz, uid=63673090-5574-11ef-ad66-0242ac110005, parent_folder=breast enjoying verbal/assure.gam, confidentiality_id=4, accessed_time_dt=2024-08-08T10:53:04.404997Z, name=accuracy.kmz, hashes=[{value=D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C, algorithm_id=7, algorithm=quickXorHash}, {value=990D4710B15458E3EDAA8601CDF5B44648B4FC61, algorithm_id=2, algorithm=SHA-1}]}, cmd_line=mere loaded similar, session={uid=636701d8-5574-11ef-a4f1-0242ac110005, expiration_reason=washing sunday reaching, expiration_time_dt=2024-08-08T10:53:04.403964Z, expiration_time=1723114384403944, is_remote=true, created_time_dt=2024-08-08T10:53:04.403955Z, credential_uid=6367082c-5574-11ef-aaa8-0242ac110005}, name=Exotic, pid=64, user={uid=6367417a-5574-11ef-8cd6-0242ac110005, full_name=Mayme Lurline, type_id=2, name=Saver, groups=[{uid=63676952-5574-11ef-a883-0242ac110005, domain=identification browsing structures, name=guyana applied attribute}], type=Admin}, tid=41, group={uid=63677460-5574-11ef-a07f-0242ac110005, name=executive mathematical signals}}, uid=6366be8a-5574-11ef-a313-0242ac110005, integrity=applying observe nba, file={creator={uid=63667ca4-5574-11ef-a8ae-0242ac110005, type_id=3, name=Quotes, groups=[{uid=636685fa-5574-11ef-8fd9-0242ac110005, name=engineers constitute papers}, {uid=63668c80-5574-11ef-bd3d-0242ac110005, type=introducing amendments portuguese}], type=System, ldap_person={modified_time=1723114384401210, last_login_time_dt=2024-08-08T10:53:04.401225Z, location={continent=Asia, country=CY, city=Bibliographic selections, coordinates=[-120.1139, 
17.5612], desc=Cyprus, Republic of}, office_location=dl td transition}, account={uid=636695b8-5574-11ef-8e13-0242ac110005, type_id=5, name=hewlett beats hit, type=GCP Account}}, type_id=7, modifier={uid=63663aa0-5574-11ef-89ff-0242ac110005, type_id=2, name=Incident, groups=[{uid=63665ca6-5574-11ef-abfa-0242ac110005, domain=adventure charter tom, name=guest demographic terry}, {uid=636664f8-5574-11ef-96ca-0242ac110005, name=moderators broker asian}], uid_alt=notre sponsorship elections, type=Admin, account={uid=63666f0c-5574-11ef-98ef-0242ac110005, type_id=2, type=Windows Account}}, type=Symbolic Link, version=1.1.0, xattributes={}, path=arizona concentrations widescreen/wire.tax2020/placement.3dm, parent_folder=arizona concentrations widescreen/wire.tax2020, company_name=Christa Marta, name=placement.3dm, hashes=[{value=5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366, algorithm_id=7, algorithm=quickXorHash}, {value=E2A4DD55AA0F76F85A047DAF5B859095, algorithm_id=1, algorithm=MD5}], created_time_dt=2024-08-08T10:53:04.401316Z, attributes=9, accessed_time=1723114384401235, desc=populations servers environments}, cmd_line=accessible annotated plus, name=Recommendations, created_time_dt=2024-08-08T10:53:04.406843Z, user={uid=6366aed6-5574-11ef-855a-0242ac110005, type_id=3, name=Taxes, type=System}, group={uid=6366b8c2-5574-11ef-a4e8-0242ac110005, domain=apollo clicking incorrect, name=split viking nike}}, terminated_time=1723114384406852, uid=63660b34-5574-11ef-bbcf-0242ac110005, file={created_time=1723114384396786, signature={certificate={subject=national garmin even, expiration_time=1723114384396755, serial_number=rhode realty talented, version=1.1.0, issuer=cut duo agencies, fingerprints=[{value=E8D8654C197E7B3BEED4D69E3EDD3A5B, algorithm_id=1, algorithm=MD5}, 
{value=75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=99, algorithm=vendor}, type_id=7, confidentiality=freelance pty ferrari, modified_time_dt=2024-08-08T10:53:04.396853Z, type=Symbolic Link, xattributes={}, path=rear biology finest/nintendo.class/atlantic.icns, parent_folder=rear biology finest/nintendo.class, modified_time=1723114384396821, name=atlantic.icns, hashes=[{value=0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007, algorithm_id=0, algorithm=Unknown}, {value=D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11, algorithm_id=2, algorithm=SHA-1}], desc=specific aside io}, cmd_line=canada federation computational, name=Offline, user={uid=6366010c-5574-11ef-bfe7-0242ac110005, type_id=1, domain=crops midi hope, name=Collectables, uid_alt=thunder pickup tab, type=User}, group={desc=muze comply jets}}, user={uid=6365822c-5574-11ef-95fb-0242ac110005, email_addr=Lynetta@lib.jobs, org={uid=63658ac4-5574-11ef-bea5-0242ac110005, name=jerry calling mardi, ou_name=motion ampland acknowledged}, type_id=99, type=recent, credential_uid=63659186-5574-11ef-a13d-0242ac110005}, group={uid=63659b86-5574-11ef-ac1a-0242ac110005, domain=explicitly retreat de, name=phys dollar not, type=foster prefer phys}}, tid=42, xattributes={}, uid=636504b4-5574-11ef-af4a-0242ac110005, file={owner={uid=6364960a-5574-11ef-ad32-0242ac110005, org={ou_uid=6364acb2-5574-11ef-b1ce-0242ac110005, uid=6364a60e-5574-11ef-aaf1-0242ac110005, name=arrive protecting fy, ou_name=cat saints infringement}, type_id=1, name=Nov, groups=[{uid=6364d64c-5574-11ef-a880-0242ac110005, name=head state rubber}, {uid=6364de3a-5574-11ef-9448-0242ac110005, name=catalyst strong mins, desc=consortium bald removing}], type=User}, product={path=internship progress gun, vendor_name=sp protection requests, lang=en, 
version=1.1.0}, type_id=7, type=Symbolic Link, version=1.1.0, path=executed removal years/among.yuv/employment.wma, parent_folder=executed removal years/among.yuv, accessed_time_dt=2024-08-08T10:53:04.389945Z, mime_type=medal/nearly, name=employment.wma, hashes=[{value=5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28, algorithm_id=5, algorithm=CTPH}, {value=BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.389957Z, attributes=97}, cmd_line=macintosh enjoying disposal, name=Burning, user={uid=6364f62c-5574-11ef-be1d-0242ac110005, type_id=99, name=Without, type=celebs}, group={desc=allowance vacation ae}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.406915Z, uid=63646b44-5574-11ef-a77a-0242ac110005, file={path=diagnosis angeles portsmouth/travels.mpa/ba.3ds, created_time=1723114384386185, parent_folder=diagnosis angeles portsmouth/travels.mpa, type_id=4, name=ba.3ds, hashes=[{value=50D299D6D7966A2DC1E0CF7FEB739E33, algorithm_id=1, algorithm=MD5}, {value=328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.386239Z, accessed_time=1723114384386177, type=Block Device}, cmd_line=notre cameras draw, name=Scott, user={type_id=2, domain=amendment spot sudan, name=Kit, type=Admin}, group={uid=63646496-5574-11ef-bfc5-0242ac110005, name=passed rankings affects}}, user={uid=63641a22-5574-11ef-8919-0242ac110005, email_addr=Lauryn@reliance.travel, type_id=99, type=carmen, account={uid=636423be-5574-11ef-8304-0242ac110005, type_id=10, name=reef terrorist graduation, type=AWS Account}}, xattributes={}}, user={uid=6363b992-5574-11ef-9143-0242ac110005, name=Edgar, 
ldap_person={email_addrs=[Mariann@routine.net], deleted_time_dt=2024-08-08T10:53:04.382339Z, job_title=alto languages tanks}}, xattributes={}, group={uid=6363ca0e-5574-11ef-837d-0242ac110005, privileges=[ingredients pins connector], name=thinking offices worcester}}, tid=66, uid=63637afe-5574-11ef-b99b-0242ac110005, integrity=Protected, file={path=important companion consultancy/wallpaper.drv/plasma.3dm, parent_folder=important companion consultancy/wallpaper.drv, confidentiality_id=3, signature={certificate={created_time=1723114384380115, subject=assuming remarks brass, expiration_time=1723114384380123, serial_number=provinces medicine it, version=1.1.0, issuer=sheet registry concord, fingerprints=[{value=EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF, algorithm_id=3, algorithm=SHA-256}, {value=E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59, algorithm_id=5, algorithm=CTPH}]}, algorithm_id=0, algorithm=Unknown}, type_id=2, confidentiality=Secret, name=plasma.3dm, hashes=[{value=9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591, algorithm_id=3, algorithm=SHA-256}, {value=208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5, algorithm_id=6, algorithm=TLSH}], type=Folder}, cmd_line=felt essay relax, name=Delight, user={email_addr=Numbers@si.coop, type_id=2, name=Focused, uid_alt=biggest stupid linking, type=Admin}, integrity_id=6, group={privileges=[costs anthropology nickname, nbc dns flex], name=jar transparency sing}}, user={uid=63630eca-5574-11ef-b29c-0242ac110005, email_addr=Classie@municipality.pro, org={uid=636317ee-5574-11ef-b39a-0242ac110005, name=mighty thou ff, ou_name=companies functions hockey}, type_id=0, name=Guys, groups=[{uid=636321d0-5574-11ef-ae4b-0242ac110005, domain=parties entertainment lemon, name=hood powers merely}, {privileges=[etc survey at, cohen mails 
bio], name=rise parcel bookmarks}], type=Unknown}, group={uid=63632d38-5574-11ef-85c8-0242ac110005, name=legislature normal lectures}}, terminated_time=1723114384406979, uid=6362b0ec-5574-11ef-bb67-0242ac110005, integrity=System, file={path=regularly drivers sacred/rational.fla/wing.crdownload, created_time=1723114384374429, product={uid=636288ba-5574-11ef-b671-0242ac110005, name=cr fat generators, vendor_name=conflicts feed receivers, lang=en, version=1.1.0}, parent_folder=regularly drivers sacred/rational.fla, modified_time=1723114384374497, type_id=2, name=wing.crdownload, hashes=[{value=140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02, algorithm_id=7, algorithm=quickXorHash}, {value=E405FA83FE9CFE003B49FD852D4429D0EFF2F914, algorithm_id=2, algorithm=SHA-1}], created_time_dt=2024-08-08T10:53:04.374525Z, attributes=39, type=Folder, xattributes={}}, cmd_line=railway filling consistent, name=Definitely, loaded_modules=[/fri/tall/bit/rap/meyer.hqx], user={uid=63629a58-5574-11ef-8c2b-0242ac110005, type_id=1, domain=adding merit extend, name=Influenced, type=User, credential_uid=6362a124-5574-11ef-a23f-0242ac110005}, integrity_id=5, group={uid=6362ab10-5574-11ef-adda-0242ac110005, domain=enterprises civil knowledge, desc=patch celebration lancaster}}, uid=6361f634-5574-11ef-87d8-0242ac110005, file={owner={type_id=2, name=Yoga, type=Admin}, path=variable their precipitation/moving.sql/python.bin, parent_folder=variable their precipitation/moving.sql, signature={certificate={created_time=1723114384368646, subject=x tide described, expiration_time=1723114384368652, serial_number=ultimate nervous george, version=1.1.0, issuer=equations different edward, fingerprints=[{value=90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=4, algorithm=Authenticode}, 
mime_type=personnel/bids, type_id=99, name=python.bin, accessor={uid=6361bec6-5574-11ef-81b5-0242ac110005, type_id=99, domain=elizabeth cheapest solution, name=Jd, type=deviant}, hashes=[{value=2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3, algorithm_id=5, algorithm=CTPH}], type=afghanistan}, cmd_line=distances participating maintenance, name=Versions, user={uid=6361cccc-5574-11ef-994f-0242ac110005, email_addr=Kristin@tion.net, org={uid=6361d546-5574-11ef-b2b3-0242ac110005, name=watts desktop hong}, type_id=99, name=Spring, type=nu, account={uid=6361dec4-5574-11ef-80de-0242ac110005, type_id=8, name=bd atom berkeley, type=Apple Account}}, group={uid=6361ef22-5574-11ef-8892-0242ac110005, name=academics secondary simon}}, user={uid=6360f752-5574-11ef-a1db-0242ac110005, type_id=3, name=Satisfaction, type=System, account={uid=636119d0-5574-11ef-a86d-0242ac110005, type_id=1, type=LDAP Account}, credential_uid=6361204c-5574-11ef-8854-0242ac110005}, group={uid=63612c22-5574-11ef-800b-0242ac110005, privileges=[joining boots aw, gang robust transport], name=flags gang blow, desc=mistakes prediction toy}}, group={uid=63604e4c-5574-11ef-9f32-0242ac110005, name=recommends pollution humans}}, tid=26, uid=635ffed8-5574-11ef-b0fd-0242ac110005, integrity=High, file={path=seem party existence/buried.3dm/lotus.pkg, created_time=1723114384355919, is_system=true, parent_folder=seem party existence/buried.3dm, accessed_time_dt=2024-08-08T10:53:04.355980Z, type_id=5, confidentiality=belief hard romania, name=lotus.pkg, hashes=[{value=921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF, algorithm_id=5, algorithm=CTPH}, {value=E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA, algorithm_id=7, algorithm=quickXorHash}], attributes=31, type=Local Socket}, 
cmd_line=gamecube forbes described, name=Defense, user={uid=635fca94-5574-11ef-82f0-0242ac110005, type_id=99, name=Blogs, groups=[{uid=635fd57a-5574-11ef-84bc-0242ac110005, type=buyer spirit webcam}, {uid=635fe13c-5574-11ef-85a3-0242ac110005, name=cooperation meditation memo, desc=discretion fantastic tactics}], type=novel, ldap_person={leave_time=1723114384357313, email_addrs=[Kimberley@sip.int], modified_time_dt=2024-08-08T10:53:04.357320Z}, credential_uid=635fe862-5574-11ef-ba0c-0242ac110005}, integrity_id=4, group={uid=635ff8a2-5574-11ef-af7e-0242ac110005, name=care viii external, type=right crowd crops, desc=appointed opponent written}}, user={uid=635f9c7c-5574-11ef-b4d1-0242ac110005, type_id=99, name=Lenses, uid_alt=penalty spray weight, type=dairy}}, uid=635f63d8-5574-11ef-8afe-0242ac110005, integrity=deutsche what indians, file={path=sports amp assess/explosion.sln/offered.avi, parent_folder=sports amp assess/explosion.sln, type_id=2, security_descriptor=salmon sister tucson, name=offered.avi, accessed_time=1723114384352980, type=Folder}, cmd_line=reflects champion naughty, name=Gen, user={uid=635f51c2-5574-11ef-bad8-0242ac110005, type_id=0, name=Rest, type=Unknown}, group={uid=635f5d02-5574-11ef-be03-0242ac110005, privileges=[seasonal railroad already], name=produces consequence selling}}, xattributes={}, uid=635ef6dc-5574-11ef-a3ad-0242ac110005, file={signature={certificate={subject=durham sitting hiv, expiration_time=1723114384349769, serial_number=field geek theater, version=1.1.0, issuer=eq designers loc, fingerprints=[{value=B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10, algorithm_id=6, algorithm=TLSH}, {value=8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99, algorithm_id=7, algorithm=quickXorHash}]}, algorithm_id=2, algorithm=RSA}, type_id=4, type=Block Device, xattributes={}, 
path=newsletter tulsa locale/wait.cab/closing.3ds, uid=635ed24c-5574-11ef-9b19-0242ac110005, parent_folder=newsletter tulsa locale/wait.cab, modified_time=1723114384350131, size=2333859778, mime_type=radio/minolta, security_descriptor=went stick curious, name=closing.3ds, hashes=[{value=65BD10756687E64C347423BA3836F065, algorithm_id=1, algorithm=MD5}, {value=B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495, algorithm_id=3, algorithm=SHA-256}]}, cmd_line=statutes columnists commerce, name=Lm, created_time_dt=2024-08-08T10:53:04.407027Z, user={uid=635ee0e8-5574-11ef-ac61-0242ac110005, type_id=3, name=Gossip, type=System, credential_uid=635ee75a-5574-11ef-ac0c-0242ac110005}, group={uid=635ef114-5574-11ef-8c2b-0242ac110005, name=alcohol surprise http, desc=wales if adams}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.407047Z, uid=635e817a-5574-11ef-850e-0242ac110005, integrity=ag disagree anymore, file={path=monkey refused genesis/pictures.cs/modification.php, parent_folder=monkey refused genesis/pictures.cs, confidentiality_id=1, type_id=1, confidentiality=Not Confidential, name=modification.php, attributes=27, type=Regular File}, cmd_line=rides vids label, name=Door, user={uid=635e6e38-5574-11ef-9132-0242ac110005, type_id=3, name=Roller, type=System}, group={uid=635e79b4-5574-11ef-b9e2-0242ac110005, privileges=[later conversion foreign, shadows phpbb ate], name=dogs republic occurrence, type=headers brunei ontario}}, user={uid=635e09a2-5574-11ef-8b02-0242ac110005, name=Greenhouse, uid_alt=nu tiny challenging}, terminated_time_dt=2024-08-08T10:53:04.407054Z, group={uid=635e1960-5574-11ef-bc86-0242ac110005, name=function bought terrace, desc=oo phase relocation}}, terminated_time_dt=2024-08-08T10:53:04.407066Z, uid=635d7fa0-5574-11ef-9af0-0242ac110005, file={created_time=1723114384339821, creator={uid=635ce108-5574-11ef-b897-0242ac110005, type_id=3, name=Heel, uid_alt=rapidly specification instructional, type=System, 
account={uid=635d0a66-5574-11ef-bcd7-0242ac110005, type_id=4, name=discs sure enclosed, type=AWS IAM Role}}, signature={certificate={uid=635c43c4-5574-11ef-a8eb-0242ac110005, created_time=1723114384334572, expiration_time_dt=2024-08-08T10:53:04.334601Z, subject=pets documentary mutual, expiration_time=1723114384334590, serial_number=anything repair rank, version=1.1.0, issuer=rounds eds contests, fingerprints=[{value=4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115, algorithm_id=7, algorithm=quickXorHash}]}, developer_uid=635c7e16-5574-11ef-b814-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=5, accessor={uid=635cc204-5574-11ef-85ce-0242ac110005, type_id=0, domain=weighted organize jim, name=Contents, type=Unknown}, type=Local Socket, version=1.1.0, xattributes={}, path=justin jm kenya/acknowledged.cgi/settled.exe, parent_folder=justin jm kenya/acknowledged.cgi, modified_time=1723114384340026, accessed_time_dt=2024-08-08T10:53:04.340128Z, name=settled.exe, hashes=[{value=E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE, algorithm_id=0, algorithm=Unknown}, {value=3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.340139Z}, cmd_line=masters treatments custody, name=Surprise, loaded_modules=[/desert/arch/conditional/mas/zinc.cgi, /direct/appendix/stated/partition/awareness.gam], user={uid=635d5bd8-5574-11ef-a7e3-0242ac110005, type_id=0, uid_alt=charging build burning, type=Unknown}, group={uid=635d7852-5574-11ef-8eaa-0242ac110005, privileges=[verbal spokesman stuart, audio mozambique mae], domain=remove ix couple, name=pendant alike china}}, terminated_time=1723114384407071, uid=635bb51c-5574-11ef-96c1-0242ac110005, integrity=Low, 
file={creator={uid=635ab20c-5574-11ef-8a49-0242ac110005, type_id=99, name=Televisions, type=restaurant, ldap_person={modified_time=1723114384328321, created_time_dt=2024-08-08T10:53:04.328333Z}}, type_id=2, confidentiality=dare assembly conflicts, modified_time_dt=2024-08-08T10:53:04.328440Z, type=Folder, path=qc stunning upcoming/freelance.b/stop.rom, parent_folder=qc stunning upcoming/freelance.b, size=184463636, accessed_time_dt=2024-08-08T10:53:04.328434Z, security_descriptor=streets teacher movie, name=stop.rom, hashes=[{value=D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8, algorithm_id=2, algorithm=SHA-1}, {value=A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4, algorithm_id=3, algorithm=SHA-256}], attributes=8, accessed_time=1723114384328345}, cmd_line=assignment position expression, user={uid=635b94ec-5574-11ef-90e7-0242ac110005, type_id=2, name=Fountain, type=Admin}, integrity_id=2, group={uid=635baaf4-5574-11ef-8c3f-0242ac110005, name=lang drivers mood}}}, xattributes={}, uid=63581182-5574-11ef-aeb6-0242ac110005, integrity=delivering shaved mexico, egid=31, file={path=pre memo parish/bibliographic.db/kerry.sdf, product={uid=6357b6b0-5574-11ef-9715-0242ac110005, cpe_name=realty contributions melissa, name=forum activists cancelled, vendor_name=actress mess enjoyed, version=1.1.0}, creator={uid=6357f01c-5574-11ef-9c74-0242ac110005, type_id=0, name=Filme, type=Unknown}, parent_folder=pre memo parish/bibliographic.db, mime_type=architecture/hall, type_id=99, modifier={uid=6357d28a-5574-11ef-b53e-0242ac110005, type_id=3, domain=theology suzuki inn, name=Criterion, groups=[{name=meanwhile vid contributed}, {uid=6357dc9e-5574-11ef-a420-0242ac110005, name=difference white sensors, type=chef laos flat, desc=undertake carried ones}], uid_alt=repair trains victim, type=System, account={type_id=9, name=fans car enable, type=Linux Account}, credential_uid=6357e5f4-5574-11ef-8af6-0242ac110005}, security_descriptor=volvo workflow pros, name=kerry.sdf, 
hashes=[{value=35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB, algorithm_id=6, algorithm=TLSH}, {value=BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB, algorithm_id=5, algorithm=CTPH}], type=terrorist}, cmd_line=mentor dust attending, group={uid=63580af2-5574-11ef-88eb-0242ac110005, name=mad integrity assessment, type=glossary scotia pete}}, user={uid=63576804-5574-11ef-9ed9-0242ac110005, type_id=0, name=Pavilion, type=Unknown, credential_uid=63576e4e-5574-11ef-85ed-0242ac110005}, tid=93, group={uid=6357784e-5574-11ef-9c0c-0242ac110005, name=sale point solutions}}, tid=82, uid=6356ef50-5574-11ef-9f3f-0242ac110005, integrity=System, file={owner={uid=6356c534-5574-11ef-9ab7-0242ac110005, full_name=Henry Tonja, name=Answer}, path=defining inch factors/ist.mpa/creations.ico, created_time=1723114384297596, product={uid=6356cfa2-5574-11ef-a798-0242ac110005, name=amateur bristol cuba, vendor_name=gentleman quit confirm, version=1.1.0}, parent_folder=defining inch factors/ist.mpa, accessed_time_dt=2024-08-08T10:53:04.297651Z, type_id=99, name=creations.ico, hashes=[{value=0976ABA0D430405622A00981BC58C6F16D2A40F1, algorithm_id=2, algorithm=SHA-1}, {value=36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088, algorithm_id=4, algorithm=SHA-512}], created_time_dt=2024-08-08T10:53:04.297659Z, type=ti}, cmd_line=capable homepage reject, name=Dead, user={uid=6356e906-5574-11ef-bcbc-0242ac110005, type_id=2, name=Theatre, type=Admin}, integrity_id=5}, user={uid=63568cfe-5574-11ef-9336-0242ac110005, full_name=Gussie Leila, email_addr=Claire@longitude.arpa, type_id=99, name=Paint, type=creative}, group={uid=635698ac-5574-11ef-a457-0242ac110005, name=prince enhance terrain, desc=dual yacht replace}}", + "pid": 24, + "session": { + "created_time": 
"+56573-04-27T12:31:33.568Z", + "expiration_time": "+56573-04-27T12:31:33.578Z", + "expiration_time_dt": "2024-08-08T10:53:04.293Z", + "is_remote": false, + "issuer": "watt ips cash", + "uid": "63562c6e-5574-11ef-a07c-0242ac110005", + "uuid": "635632b8-5574-11ef-8dc9-0242ac110005" + }, + "uid": "635663a0-5574-11ef-b2fa-0242ac110005", + "user": { + "domain": "shortly payments endorsement", + "type": "User", + "type_id": "1", + "uid": "6356532e-5574-11ef-a4a6-0242ac110005", + "uid_alt": "mysql syria beaches" + } + }, + "pid": 95, + "sandbox": "numbers audience guard", + "terminated_time_dt": "2024-08-08T10:53:04.407Z", + "uid": "6355ece0-5574-11ef-9b58-0242ac110005", + "user": { + "credential_uid": "6355da02-5574-11ef-89ed-0242ac110005", + "domain": "random john findlaw", + "full_name": "Alexander Helena", + "groups": [ + { + "name": "rural legislature built", + "privileges": [ + "clearing transfer worthy", + "jim pdas remind" + ], + "type": "harm slovakia tone", + "uid": "6355ca8a-5574-11ef-8efb-0242ac110005" + }, + { + "domain": "seeing dynamics qualified", + "uid": "6355d2aa-5574-11ef-8276-0242ac110005" + } + ], + "type": "Unknown", + "type_id": "0", + "uid_alt": "providing arms servers" + } + }, + "user": { + "domain": "distance predicted facilities", + "name": "Boy", + "type": "Admin", + "type_id": "2", + "uid": "63679120-5574-11ef-be81-0242ac110005" + } + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "File Hosting Activity", + "class_uid": "6006", + "cloud": { + "provider": "diabetes gaps ag", + "region": "act ran entity" + }, + "dst_endpoint": { + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "4447CDB3261C7AE4F053DC296FEE1093F25F731D23A692D5819318F1901FDEC79EB2CA760BABCD759285BAE417ACD21FC64BB623583834C076F16FA9A53F1107" + }, + "image": { + "name": "routing playback sb", + "uid": "63539e90-5574-11ef-9508-0242ac110005" + }, + "name": "twelve will royalty", + "orchestrator": "georgia 
rr scheduled", + "pod_uuid": "municipality", + "runtime": "lopez bulletin thru", + "size": 2829011720, + "tag": "grain alert score", + "uid": "63539300-5574-11ef-82a9-0242ac110005" + }, + "instance_uid": "6353a91c-5574-11ef-b5fc-0242ac110005", + "interface_name": "ideas utility possible", + "interface_uid": "6353afd4-5574-11ef-b86c-0242ac110005", + "ip": "226.140.221.18", + "name": "full essentials size", + "namespace_pid": 72, + "os": { + "build": "walking thermal neck", + "name": "mailing possibilities either", + "type": "AIX", + "type_id": 401, + "version": "1.1.0" + }, + "port": 55506, + "proxy_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "71FAFC4E2FC1E47E234762A96B80512B6B5534C2" + }, + "image": { + "labels": [ + "commit", + "walter" + ], + "name": "weblogs grad offices", + "uid": "6353ca32-5574-11ef-8405-0242ac110005" + }, + "name": "programmes relevance boot", + "orchestrator": "mic waiting gains", + "size": 2534954875 + }, + "hostname": "guided.name", + "instance_uid": "6353d496-5574-11ef-ba97-0242ac110005", + "interface_name": "nato pray consult", + "interface_uid": "6353db12-5574-11ef-861d-0242ac110005", + "ip": "35.105.135.121", + "location": { + "city": "Establishment kind", + "continent": "North America", + "coordinates": [ + 90.6576, + -34.4194 + ], + "country": "GP", + "desc": "Guadeloupe" + }, + "name": "lit canberra terminology", + "namespace_pid": 17, + "port": 64602, + "proxy_endpoint": { + "container": { + "hash": { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "555F45D31B82ABEEDB74D75EACB96817602160400F9A16B894CB77D68292FE96CFDCF573199918FB36F17CCC5B1B99A9ABBB62D931C518CC5D6A05A5659B534C" + }, + "image": { + "name": "amount dividend oregon", + "uid": "6353ff98-5574-11ef-8eac-0242ac110005" + }, + "name": "produces integrate invitation", + "size": 3462840380, + "tag": "locks circuit hindu", + "uid": "6353f70a-5574-11ef-a129-0242ac110005" + }, + "domain": "equipped disagree kevin", + 
"hostname": "challenged.travel", + "hw_info": { + "cpu_cores": 9, + "cpu_count": 87, + "cpu_speed": 32, + "keyboard_info": { + "keyboard_type": "tries dramatically undo" + } + }, + "instance_uid": "63540c0e-5574-11ef-98f2-0242ac110005", + "interface_name": "detroit handbags discuss", + "interface_uid": "63541294-5574-11ef-aa42-0242ac110005", + "ip": "114.100.167.141", + "name": "slides weird discussion", + "namespace_pid": 67, + "port": 38178, + "svc_name": "discovered occurs presidential", + "type": "Server", + "type_id": 1, + "uid": "6353ed14-5574-11ef-a94e-0242ac110005", + "zone": "little tucson operations" + }, + "svc_name": "history it exp", + "type": "IOT", + "type_id": 7, + "uid": "6353bf1a-5574-11ef-be0c-0242ac110005", + "zone": "join your encourage" + }, + "svc_name": "gl dropped workforce", + "type": "ssl", + "type_id": 99, + "uid": "635383ba-5574-11ef-bd0d-0242ac110005" + }, + "file": { + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8" + }, + { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984" + } + ], + "modifier": { + "account": { + "name": "interactions minister lamps", + "type": "Windows Account", + "type_id": "2", + "uid": "635347c4-5574-11ef-a25d-0242ac110005" + }, + "credential_uid": "63534eea-5574-11ef-8a7c-0242ac110005", + "ldap_person": { + "created_time": 1723114384275284, + "email_addrs": [ + "Leonida@consoles.gov" + ], + "given_name": "routines identical brunswick", + "hire_time": 1723114384275320, + "job_title": "voted awareness pt", + "leave_time_dt": "2024-08-08T10:53:04.275331Z", + "modified_time": 1723114384275329 + }, + "name": "Scenic", + "type": "User", + "type_id": "1", + "uid": "63533b6c-5574-11ef-bfed-0242ac110005" + }, + "name": "ate.cue", + "parent_folder": "wiki optimization counter/prohibited.ai", 
+ "path": "wiki optimization counter/prohibited.ai/ate.cue", + "signature": { + "algorithm": "Unknown", + "algorithm_id": "0", + "certificate": { + "created_time": "+56573-04-27T12:31:13.661Z", + "created_time_dt": "2024-08-08T10:53:04.273Z", + "expiration_time": "+56573-04-27T12:31:13.675Z", + "fingerprints": [ + { + "algorithm": "SHA-512", + "algorithm_id": "4", + "value": "367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9" + } + ], + "issuer": "warning cute armor", + "serial_number": "qld undergraduate cowboy", + "subject": "advised chess egyptian", + "version": "1.1.0" + }, + "created_time": "+56573-04-27T12:31:13.699Z" + }, + "type": "Folder", + "type_id": "2", + "version": "1.1.0" + }, + "message": "epa stanley speech", + "metadata": { + "correlation_uid": "635472c0-5574-11ef-8c5d-0242ac110005", + "event_code": "sessions", + "log_name": "standing band submission", + "logged_time": "+56573-04-27T12:31:22.107Z", + "original_time": "sum shipped decreased", + "product": { + "name": "cooling florist anna", + "path": "avoid meeting appear", + "uid": "63545eac-5574-11ef-8bb1-0242ac110005", + "vendor_name": "buying fa joel", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "affiliated fuji ralph", + "type": "Hostname", + "type_id": "1" + }, + { + "name": "sponsored fw illustrated", + "type": "Hostname", + "type_id": "1" + } + ], + "severity": "Low", + "severity_id": 2, + "src_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": 
"6DE8A320862880F35A99FE4448414E898831DCCD" + }, + "image": { + "labels": [ + "difficulties", + "confusion" + ], + "name": "clause material fort", + "uid": "635540f6-5574-11ef-bbdd-0242ac110005" + }, + "name": "involvement buses bowling", + "size": 509766084, + "tag": "lawyers genre trained", + "uid": "635539f8-5574-11ef-b41d-0242ac110005" + }, + "hostname": "generic.edu", + "instance_uid": "63554826-5574-11ef-973b-0242ac110005", + "interface_name": "collections setting twelve", + "interface_uid": "63554c86-5574-11ef-90cb-0242ac110005", + "ip": "175.16.199.0", + "mac": "E4-C5-2D-FD-E6-16-2B-96", + "name": "allah pain blues", + "svc_name": "welding minute invention", + "type": "Hub", + "type_id": 11, + "uid": "63552c6a-5574-11ef-847f-0242ac110005" + }, + "status": "Unknown", + "status_id": "0", + "time": "+56573-04-27T12:31:27.674Z", + "timezone_offset": 56, + "type_name": "File Hosting Activity: Move", + "type_uid": "600607" + }, + "process": { + "command_line": "syndication traveler charges", + "end": "2024-08-08T10:53:04.407Z", + "entity_id": "6355ece0-5574-11ef-9b58-0242ac110005", + "group": { + "id": [ + "6355e5e2-5574-11ef-b983-0242ac110005" + ], + "name": "manage livestock tribes" + }, + "name": "Eden", + "parent": { + "command_line": "asks eight printed", + "entity_id": "635663a0-5574-11ef-b2fa-0242ac110005", + "group": { + "id": [ + "63565dba-5574-11ef-80bf-0242ac110005" + ] + }, + "name": "Outreach", + "pid": 24, + "start": "+56573-04-27T12:31:35.435Z", + "user": { + "domain": "shortly payments endorsement", + "id": [ + "6356532e-5574-11ef-a4a6-0242ac110005" + ] + } + }, + "pid": 95, + "start": "+56573-04-27T12:31:32.928Z", + "user": { + "domain": "random john findlaw", + "full_name": "Alexander Helena", + "group": { + "id": [ + "6355ca8a-5574-11ef-8efb-0242ac110005", + "6355d2aa-5574-11ef-8276-0242ac110005" + ], + "name": [ + "rural legislature built" + ] + } + } + }, + "related": { + "hash": [ + "10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1", + 
"28E532D56B18548CC0B68A63311D2DCD2D258B2F", + "695BF60E03F83A36699AF46519E8E584", + "D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959", + "F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8", + "4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984", + "367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03", + "DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9" + ], + "hosts": [ + "generic.edu" + ], + "ip": [ + "175.16.199.0", + "226.140.221.18" + ], + "user": [ + "Alexander Helena", + "63679120-5574-11ef-be81-0242ac110005", + "Boy", + "6356532e-5574-11ef-a4a6-0242ac110005", + "Sunni@holders.jobs", + "6356478a-5574-11ef-bd16-0242ac110005", + "mysql syria beaches", + "Blaine@highlight.pro", + "Melodee Norma", + "Resource", + "6355ab18-5574-11ef-bc66-0242ac110005", + "Lura@consolidated.mil", + "Dimensional", + "63556d6a-5574-11ef-ac26-0242ac110005", + "providing arms servers", + "Scenic", + "63533b6c-5574-11ef-bfed-0242ac110005" + ] + }, + "source": { + "domain": [ + "generic.edu" + ], + "ip": "175.16.199.0", + "mac": "E4-C5-2D-FD-E6-16-2B-96" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "distance predicted facilities", + "id": "63679120-5574-11ef-be81-0242ac110005", + "name": "Boy" + } } ] } \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 9396dbd01a05..fafac1adf707 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml 
@@ -40,7 +40,7 @@ processors:
 - set:
 field: event.kind
 tag: set_event_kind
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6001','6002','6003','6004','6005','6007'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6001','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid)
 value: event
 - set:
 field: event.kind
@@ -94,7 +94,7 @@ processors:
 tag: append_file_into_event_category
 value: file
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','4006','4008','4010','4011'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','4006','4008','4010','4011','6006'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.category
 tag: append_email_into_event_category
@@ -136,7 +136,7 @@ processors:
 tag: append_info_into_event_type
 value: info
 allow_duplicates: false
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6002','6003','6004','6005','6007'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid)
 - append:
 field: event.type
 tag: append_user_into_event_type
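Review bot: The `'6006'` entry added to the `if:` allow-list here is one of seven hand-maintained copies of the class_uid list in this file (this hunk and the ones at -94, -136, -705, -715, -735 and -765), and nothing on the line tells a reader what the code denotes; the expected-output fixture is the only place in the patch that ties `6006` to `File Hosting Activity`. A comment above the `if:` such as `# class_uid 6006 = File Hosting Activity (OCSF v1.1.0); keep the other class_uid lists in this file in sync` would make later additions less error-prone. The enclosing `processors:` sequence extends beyond the hunk.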
@@ -705,7 +705,7 @@ processors:
 ignore_missing: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_actor" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5019','6001','6002','6003','6004','6005','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
+ if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5019','6001','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null
 tag: pipeline_object_actor
 ignore_missing_pipeline: true
 - pipeline:
@@ -715,7 +715,7 @@ processors:
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_network_connection_info" }}'
- if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null
+ if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013','6006'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null
 tag: pipeline_object_network_connection_info
 ignore_missing_pipeline: true
 - pipeline:
@@ -735,7 +735,7 @@ processors:
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_network_endpoint" }}'
- if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4013','6001','6003','6004','6005'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)
+ if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4013','6001','6003','6004','6005','6006'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)
 tag: pipeline_object_network_endpoint
 ignore_missing_pipeline: true
 - pipeline:
@@ -765,7 +765,7 @@ processors:
 ignore_missing_pipeline: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_object_file" }}'
- if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011'].contains(ctx.ocsf.class_uid)
+ if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011','6006'].contains(ctx.ocsf.class_uid)
 tag: pipeline_object_file
 ignore_missing_pipeline: true
 - pipeline:
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index 1468a03bb216..4bb76683ea42 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
@@ -615,6 +615,9 @@
 - name: group
 type: group
 fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
 - name: desc
 type: keyword
 description: The group description.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 54f0ec654838..5702b3e5d69b 100644
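Review bot: The `pipeline_object_file` dispatch in the -765 hunk still has no null check on the object it hands over, while the sibling dispatches touched by the same commit guard with `&& ctx.ocsf.actor != null`, `&& ctx.ocsf.connection_info != null` and `&& (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null)`; adding `6006` to the list widens the set of documents that reach the sub-pipeline without a `file` object. Unless `pipeline_object_file` guards internally (not visible here), `if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011','6006'].contains(ctx.ocsf.class_uid) && ctx.ocsf.file != null` would bring it in line with the others. The enclosing `processors:` sequence extends beyond the hunk.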
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -1139,507 +1139,6 @@
 - name: exit_code
 type: keyword
 description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1.
For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
- name: file_diff
type: keyword
description: File content differences used for change detection.
For example, a common use case is to identify itemized changes within INI or configuration/property setting values.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml
new file mode 100644
index 000000000000..3fc861e2b4de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml
@@ -0,0 +1,516 @@
+- name: ocsf
+ type: group
+ fields:
+ - name: file
+ type: group
+ fields:
+ - name: accessed_time
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessed_time_dt
+ type: date
+ description: The time when the file was last accessed.
+ - name: accessor
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: attributes
+ type: long
+ description: The Bitmask value that represents the file attributes.
+ - name: company_name
+ type: keyword
+ description: 'The name of the company that published the file. For example: Microsoft Corporation.'
+ - name: confidentiality
+ type: keyword
+ description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
+ - name: confidentiality_id
+ type: keyword
+ description: The normalized identifier of the file content confidentiality indicator.
+ - name: created_time
+ type: date
+ description: The time when the file was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the file was created.
+ - name: creator
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: desc
+ type: keyword
+ description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
+ - name: hashes
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: is_system
+ type: boolean
+ description: The indication of whether the object is part of the operating system.
+ - name: mime_type
+ type: keyword
+ description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
+ - name: modified_time
+ type: date
+ description: The time when the file was last modified.
+ - name: modified_time_dt
+ type: date
+ description: The time when the file was last modified.
+ - name: modifier
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: name
+ type: keyword
+ description: 'The name of the file. For example: svchost.exe.'
+ - name: owner
+ type: group
+ fields:
+ - name: account
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the account (e.g. GCP Account Name).
+ - name: type
+ type: keyword
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
+ - name: type_id
+ type: keyword
+ description: The normalized account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the account (e.g. AWS Account ID).
+ - name: credential_uid
+ type: keyword
+ description: The unique identifier of the user's credential. For example, AWS Access Key ID.
+ - name: domain
+ type: keyword
+ description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
+ - name: email_addr
+ type: keyword
+ description: The user's email address.
+ - name: full_name
+ type: keyword
+ description: The full name of the person, as per the LDAP Common Name attribute (cn).
+ - name: groups
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The group description.
+ - name: name
+ type: keyword
+ description: The group name.
+ - name: privileges
+ type: keyword
+ description: The group privileges.
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
index 71a35ad6718b..4b306f6a4389 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
@@ -59,33 +59,9 @@
- name: command_uid
type: keyword
description: The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.
- - name: num_detections
+ - name: num_*
type: integer
- description: The number of detections.
- - name: num_files
- type: integer
- description: The number of files scanned.
- - name: num_folders
- type: integer
- description: The number of folders scanned.
- - name: num_network_items
- type: integer
- description: The number of network items scanned.
- - name: num_processes
- type: integer
- description: The number of processes scanned.
- - name: num_registry_items
- type: integer
- description: The number of registry items scanned.
- - name: num_resolutions
- type: integer
- description: The number of items that were resolved.
- - name: num_skipped_items
- type: integer
- description: The number of items that were skipped.
- - name: num_trusted_items
- type: integer
- description: The number of trusted items.
+ description: The number fields for counting various item scan results.
- name: policy
type: flattened
description: The policy that was used to scan the device.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
index 89de2343dcc3..6b9f27dd831d 100644
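Review bot: `hashes` (and likewise `signature.certificate.fingerprints`) is declared `type: group`, so when an event carries several fingerprints the `algorithm`/`value` pairs are indexed as independent flat arrays and a query can no longer tell which value belongs to which algorithm; if detection content keys on a specific algorithm's digest, `type: nested` is the mapping that keeps the pairing, at the usual nested indexing cost. The `uid` description under `file` reads "such the file system file ID"; it should be `description: The unique identifier of the file as defined by the storage system, such as the file system file ID.` The same wording appears in the removed side of the earlier hunk, so the typo is carried over rather than new.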
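Review bot: Replacing the nine named count fields with a single `num_*` wildcard drops the per-field documentation that the removed lines carried, and the new description `The number fields for counting various item scan results.` does not say which keys it covers. A wildcard also means any key starting with `num_` that reaches this data stream is mapped as integer, so a non-numeric value in such a key would presumably be rejected at index time rather than dynamically mapped; worth confirming that is the intended behaviour. Suggested wording: `description: Integer count of scan results; covers num_detections, num_files, num_folders, num_network_items, num_processes, num_registry_items, num_resolutions, num_skipped_items and num_trusted_items.`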
--- a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
@@ -615,6 +615,9 @@
- name: group
type: group
fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: desc
type: keyword
description: The group description.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
index 89de2343dcc3..6b9f27dd831d 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
@@ -615,6 +615,9 @@
- name: group
type: group
fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: desc
type: keyword
description: The group description.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
index 89de2343dcc3..6b9f27dd831d 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
@@ -615,6 +615,9 @@
- name: group
type: group
fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: desc
type: keyword
description: The group description.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index 2e1c87c1346b..8db8af09e491 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
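Review bot: The new `domain` entry is inserted ahead of `desc`, while the surrounding `group` object lists its fields alphabetically (`desc`, `name`, `privileges`, `type`, `uid` elsewhere on this page), so it should sit between `desc` and `name` to keep the file's ordering; the same applies to the identical hunks for the iam and network_activity actor-fields files. The description also switches to `For example, the LDAP ...` where the user-level `domain` field on this page uses the quoted `'... For example: the LDAP or Active Directory domain.'` form, so `description: 'The domain where the group is defined. For example: the LDAP or Active Directory domain.'` would match. The `group` object's definition starts before this hunk.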
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml 
@@ -388,507 +388,6 @@
 - name: expiration_time_dt
 type: date
 description: The share expiration time.
- - name: file
- type: group
- fields:
- - name: accessed_time
- type: date
- description: The time when the file was last accessed.
- - name: accessed_time_dt
- type: date
- description: The time when the file was last accessed.
- - name: accessor
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: attributes
- type: long
- description: The Bitmask value that represents the file attributes.
- - name: company_name
- type: keyword
- description: 'The name of the company that published the file. For example: Microsoft Corporation.'
- - name: confidentiality
- type: keyword
- description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.
- - name: confidentiality_id
- type: keyword
- description: The normalized identifier of the file content confidentiality indicator.
- - name: created_time
- type: date
- description: The time when the file was created.
- - name: created_time_dt
- type: date
- description: The time when the file was created.
- - name: creator
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: desc
- type: keyword
- description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.'
- - name: hashes
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: is_system
- type: boolean
- description: The indication of whether the object is part of the operating system.
- - name: mime_type
- type: keyword
- description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.
- - name: modified_time
- type: date
- description: The time when the file was last modified.
- - name: modified_time_dt
- type: date
- description: The time when the file was last modified.
- - name: modifier
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: name
- type: keyword
- description: 'The name of the file. For example: svchost.exe.'
- - name: owner
- type: group
- fields:
- - name: account
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the account (e.g. GCP Account Name).
- - name: type
- type: keyword
- description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.
- - name: type_id
- type: keyword
- description: The normalized account type identifier.
- - name: uid
- type: keyword
- description: The unique identifier of the account (e.g. AWS Account ID).
- - name: credential_uid
- type: keyword
- description: The unique identifier of the user's credential. For example, AWS Access Key ID.
- - name: domain
- type: keyword
- description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.'
- - name: email_addr
- type: keyword
- description: The user's email address.
- - name: full_name
- type: keyword
- description: The full name of the person, as per the LDAP Common Name attribute (cn).
- - name: groups
- type: group
- fields:
- - name: desc
- type: keyword
- description: The group description.
- - name: name
- type: keyword
- description: The group name.
- - name: privileges
- type: keyword
- description: The group privileges.
- - name: type
- type: keyword
- description: The type of the group or account.
- - name: uid
- type: keyword
- description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- - name: name
- type: keyword
- description: The username. For example, janedoe1.
- - name: org
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the organization. For example, Widget, Inc.
- - name: ou_name
- type: keyword
- description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- - name: ou_uid
- type: keyword
- description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- - name: uid
- type: keyword
- description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- - name: type
- type: keyword
- description: The type of the user. For example, System, AWS IAM User, etc.
- - name: type_id
- type: keyword
- description: The account type identifier.
- - name: uid
- type: keyword
- description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
- - name: uid_alt
- type: keyword
- description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- - name: parent_folder
- type: keyword
- description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
- - name: path
- type: keyword
- description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
- - name: product
- type: group
- fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
- - name: lang
- type: keyword
- description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- - name: name
- type: keyword
- description: The name of the product.
- - name: path
- type: keyword
- description: The installation path of the product.
- - name: uid
- type: keyword
- description: The unique identifier of the product.
- - name: url_string
- type: keyword
- description: The URL pointing towards the product.
- - name: vendor_name
- type: keyword
- description: The name of the vendor of the product.
- - name: version
- type: keyword
- description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- - name: security_descriptor
- type: keyword
- description: The object security descriptor.
- - name: signature
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized digital signature algorithm.
- - name: certificate
- type: group
- fields:
- - name: created_time
- type: date
- description: The time when the certificate was created.
- - name: created_time_dt
- type: date
- description: The time when the certificate was created.
- - name: expiration_time
- type: date
- description: The expiration time of the certificate.
- - name: expiration_time_dt
- type: date
- description: The expiration time of the certificate.
- - name: fingerprints
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: issuer
- type: keyword
- description: The certificate issuer distinguished name.
- - name: serial_number
- type: keyword
- description: The serial number of the certificate used to create the digital signature.
- - name: subject
- type: keyword
- description: The certificate subject distinguished name.
- - name: version
- type: keyword
- description: The certificate version.
- - name: created_time
- type: date
- description: The time when the digital signature was created.
- - name: created_time_dt
- type: date
- description: The time when the digital signature was created.
- - name: developer_uid
- type: keyword
- description: The developer ID on the certificate that signed the file.
- - name: digest
- type: group
- fields:
- - name: algorithm
- type: keyword
- description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
- - name: algorithm_id
- type: keyword
- description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
- - name: value
- type: keyword
- description: The digital fingerprint value.
- - name: size
- type: long
- description: The size of data, in bytes.
- - name: type
- type: keyword
- description: The file type.
- - name: type_id
- type: keyword
- description: The file type ID.
- - name: uid
- type: keyword
- description: The unique identifier of the file as defined by the storage system, such the file system file ID.
- - name: version
- type: keyword
- description: 'The file version. For example: 8.0.7601.17514.'
- - name: xattributes
- type: flattened
- description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
 - name: firewall_rule
 type: flattened
 description: The firewall rule that triggered the event.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml
new file mode 100644
index 000000000000..3fc861e2b4de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml
@@ -0,0 +1,516 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature + type: group + fields: + - name: name + type: keyword + description: The name of the feature. + - name: uid + type: keyword + description: The unique identifier of the feature. 
+ - name: version + type: keyword + description: The version of the feature. + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
index 89de2343dcc3..6b9f27dd831d 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
@@ -615,6 +615,9 @@
 - name: group
 type: group
 fields:
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
 - name: desc
 type: keyword
 description: The group description.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
index 5e548c46596a..ac813f70e4e9 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
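Review bot: The new `domain` entry is inserted ahead of `desc`, while the sibling keys of the `group` object (`desc`, `name`, `privileges`, `type`, `uid`) are kept in alphabetical order; moving the three added lines between `desc` and `name` keeps the mapping consistent with the rest of the file. The same commit's new `file-fields.yml` declares the `groups` objects under `accessor`, `creator`, `modifier` and `owner` with only `desc`/`name`/`privileges`/`type`/`uid`, so a group's domain would be explicitly mapped for the actor but left unmapped for file principals — if that is unintended, add the same `- name: domain` / `type: keyword` / `description: ...` lines there too. Having `domain` mapped everywhere matters for detection content, since a group name alone (for example a built-in administrators group) is ambiguous across directory domains. The parent object that owns this `group` mapping starts before the hunk.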
@@ -602,507 +602,6 @@ - name: exit_code type: keyword description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. 
For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - name: file_diff type: keyword description: File content differences used for change detection. 
For example, a common use case is to identify itemized changes within INI or configuration/property setting values.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml
new file mode 100644
index 000000000000..3fc861e2b4de
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml
@@ -0,0 +1,516 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type
+ type: keyword
+ description: The type of the group or account.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP person object.
+ - name: name
+ type: keyword
+ description: The username. For example, janedoe1.
+ - name: org
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the organization. For example, Widget, Inc.
+ - name: ou_name
+ type: keyword
+ description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
+ - name: ou_uid
+ type: keyword
+ description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
+ - name: type
+ type: keyword
+ description: The type of the user. For example, System, AWS IAM User, etc.
+ - name: type_id
+ type: keyword
+ description: The account type identifier.
+ - name: uid
+ type: keyword
+ description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
+ - name: uid_alt
+ type: keyword
+ description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
+ - name: parent_folder
+ type: keyword
+ description: 'The parent folder in which the file resides. For example: c:\windows\system32.'
+ - name: path
+ type: keyword
+ description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.'
+ - name: product
+ type: group
+ fields:
+ - name: feature
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the feature.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the feature.
+ - name: version
+ type: keyword
+ description: The version of the feature.
+ - name: lang
+ type: keyword
+ description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
+ - name: name
+ type: keyword
+ description: The name of the product.
+ - name: path
+ type: keyword
+ description: The installation path of the product.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the product.
+ - name: url_string
+ type: keyword
+ description: The URL pointing towards the product.
+ - name: vendor_name
+ type: keyword
+ description: The name of the vendor of the product.
+ - name: version
+ type: keyword
+ description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
+ - name: security_descriptor
+ type: keyword
+ description: The object security descriptor.
+ - name: signature
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized digital signature algorithm.
+ - name: certificate
+ type: group
+ fields:
+ - name: created_time
+ type: date
+ description: The time when the certificate was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the certificate was created.
+ - name: expiration_time
+ type: date
+ description: The expiration time of the certificate.
+ - name: expiration_time_dt
+ type: date
+ description: The expiration time of the certificate.
+ - name: fingerprints
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: issuer
+ type: keyword
+ description: The certificate issuer distinguished name.
+ - name: serial_number
+ type: keyword
+ description: The serial number of the certificate used to create the digital signature.
+ - name: subject
+ type: keyword
+ description: The certificate subject distinguished name.
+ - name: version
+ type: keyword
+ description: The certificate version.
+ - name: created_time
+ type: date
+ description: The time when the digital signature was created.
+ - name: created_time_dt
+ type: date
+ description: The time when the digital signature was created.
+ - name: developer_uid
+ type: keyword
+ description: The developer ID on the certificate that signed the file.
+ - name: digest
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
+ - name: algorithm_id
+ type: keyword
+ description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
+ - name: value
+ type: keyword
+ description: The digital fingerprint value.
+ - name: size
+ type: long
+ description: The size of data, in bytes.
+ - name: type
+ type: keyword
+ description: The file type.
+ - name: type_id
+ type: keyword
+ description: The file type ID.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the file as defined by the storage system, such the file system file ID.
+ - name: version
+ type: keyword
+ description: 'The file version. For example: 8.0.7601.17514.'
+ - name: xattributes
+ type: flattened
+ description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index 91c851664eea..deea0e9f92b1 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -261,6 +261,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.version | The file version. For example: 8.0.7601.17514. | keyword |
 | ocsf.actor.process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened |
 | ocsf.actor.process.group.desc | The group description. | keyword |
+| ocsf.actor.process.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword |
 | ocsf.actor.process.group.name | The group name. | keyword |
 | ocsf.actor.process.group.privileges | The group privileges. | keyword |
 | ocsf.actor.process.group.type | The type of the group or account. | keyword |
@@ -1073,6 +1074,7 @@ This is the `Event` dataset.
 | ocsf.file.accessor.groups.privileges | The group privileges. | keyword |
 | ocsf.file.accessor.groups.type | The type of the group or account. | keyword |
 | ocsf.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.accessor.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.accessor.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1101,6 +1103,7 @@ This is the `Event` dataset.
 | ocsf.file.creator.groups.privileges | The group privileges. | keyword |
 | ocsf.file.creator.groups.type | The type of the group or account. | keyword |
 | ocsf.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.creator.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.creator.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1131,6 +1134,7 @@ This is the `Event` dataset.
 | ocsf.file.modifier.groups.privileges | The group privileges. | keyword |
 | ocsf.file.modifier.groups.type | The type of the group or account. | keyword |
 | ocsf.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.modifier.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.modifier.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1154,6 +1158,7 @@ This is the `Event` dataset.
 | ocsf.file.owner.groups.privileges | The group privileges. | keyword |
 | ocsf.file.owner.groups.type | The type of the group or account. | keyword |
 | ocsf.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
+| ocsf.file.owner.ldap_person | The LDAP person object. | flattened |
 | ocsf.file.owner.name | The username. For example, janedoe1. | keyword |
 | ocsf.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword |
 | ocsf.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword |
@@ -1643,15 +1648,7 @@ This is the `Event` dataset.
 | ocsf.module.type | The module type. | keyword |
 | ocsf.name | The name of the data affiliated with the command. | keyword |
 | ocsf.nist | The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. | keyword |
-| ocsf.num_detections | The number of detections. | integer |
-| ocsf.num_files | The number of files scanned. | integer |
-| ocsf.num_folders | The number of folders scanned. | integer |
-| ocsf.num_network_items | The number of network items scanned. | integer |
-| ocsf.num_processes | The number of processes scanned. | integer |
-| ocsf.num_registry_items | The number of registry items scanned. | integer |
-| ocsf.num_resolutions | The number of items that were resolved. | integer |
-| ocsf.num_skipped_items | The number of items that were skipped. | integer |
-| ocsf.num_trusted_items | The number of trusted items. | integer |
+| ocsf.num_\* | The number fields for counting various item scan results. | integer |
 | ocsf.observables.name | The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name. | keyword |
 | ocsf.observables.reputation.base_score | The reputation score as reported by the event source. | double |
 | ocsf.observables.reputation.provider | The provider of the reputation information. | keyword |
From bf779a542ff6f3b2bbdf6a08070e654db7568886 Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Thu, 8 Aug 2024 17:37:47 +0530 Subject: [PATCH 19/30] added cwe & epss objects as flattened to cve object --- .../event/fields/vulnerability-fields.yml | 34 ++++++++++++++----- .../findings/fields/vulnerability-fields.yml | 34 ++++++++++++++----- packages/amazon_security_lake/docs/README.md | 10 ++++-- 3 files changed, 57 insertions(+), 21 deletions(-)
diff --git a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml
index 12f16d9a892f..f144d7b0e269 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml
@@ -43,12 +43,24 @@
 - name: version
 type: keyword
 description: 'The CVSS version. For example: 3.1.'
+ - name: cwe
+ type: flattened
+ description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability.
 - name: cwe_uid
 type: keyword
 description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
 - name: cwe_url
 type: keyword
 description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.'
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: epss
+ type: flattened
+ description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited.
+ - name: fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
 - name: modified_time
 type: date
 description: The Record Modified Date identifies when the CVE record was last updated.
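Review bot: `epss` is mapped `flattened` (the `+ - name: epss` lines), which indexes each leaf of the object as a keyword, so a threshold or sort on the EPSS probability or percentile — the value a triage workflow filters on — is compared as a string rather than as a number. If those leaves arrive as numbers in the OCSF 1.1 documents (verify against the schema and the pipeline test samples), a `group` with `float` subfields is the mapping that makes numeric queries work; if `flattened` is deliberate, a comment such as `# flattened: leaves are keyword-like, numeric range queries compare as strings` above the field keeps the trade-off visible. The `cwe` object in this hunk is also `flattened`, while the vulnerability-level `cwe` in the next hunk of this file becomes a typed `group`, so the same OCSF object is queried two different ways depending on where it sits. The findings copy of this file (`@@ -43,12 +43,24 @@` in findings/fields/vulnerability-fields.yml) repeats both points.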
@@ -103,18 +115,22 @@
 - name: title
 type: keyword
 description: The title of the cve.
- - name: cwe
- type: flattened
- description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
- - name: desc
- type: keyword
- description: The description of the vulnerability.
- - name: fix_available
- type: boolean
- description: Indicates if a fix is available for the reported vulnerability.
 - name: kb_articles
 type: keyword
 description: The KB article/s related to the entity.
+ - name: cwe
+ type: group
+ description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability.
+ fields:
+ - name: caption
+ type: keyword
+ description: The caption assigned to the Common Weakness Enumeration unique identifier.
+ - name: src_url
+ type: keyword
+ description: URL pointing to the CWE Specification.
+ - name: uid
+ type: keyword
+ description: The Common Weakness Enumeration unique number assigned to a specific weakness.
 - name: packages
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
index 12f16d9a892f..f144d7b0e269 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
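Review bot: The vulnerability-level `desc` and `fix_available` fields are removed (`- - name: desc`, `- - name: fix_available`) with no replacement at that level, while the commit subject only mentions the cve-level additions; a document that still carries `fix_available` beside `kb_articles` would then have no explicit mapping, and whether it is dropped or dynamically mapped depends on the data stream's dynamic setting, which is not visible here. Unless the ingest pipeline relocates these attributes under `cve`, keeping the removed entries alongside the new cve-level ones avoids silently losing a field that remediation prioritisation relies on. `cwe` also changes from `flattened` to a `group`, a mapping-type change that older backing indices keep until rollover, so the changelog entry for this version should state it. The new `cwe` group is inserted after `kb_articles` although the rest of this list is alphabetical; placing it before `kb_articles` keeps the file's ordering. The same hunk appears in findings/fields/vulnerability-fields.yml (`@@ -103,18 +115,22 @@`).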
@@ -43,12 +43,24 @@
 - name: version
 type: keyword
 description: 'The CVSS version. For example: 3.1.'
+ - name: cwe
+ type: flattened
+ description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability.
 - name: cwe_uid
 type: keyword
 description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
 - name: cwe_url
 type: keyword
 description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.'
+ - name: desc
+ type: keyword
+ description: The description of the vulnerability.
+ - name: epss
+ type: flattened
+ description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited.
+ - name: fix_available
+ type: boolean
+ description: Indicates if a fix is available for the reported vulnerability.
 - name: modified_time
 type: date
 description: The Record Modified Date identifies when the CVE record was last updated.
@@ -103,18 +115,22 @@
 - name: title
 type: keyword
 description: The title of the cve.
- - name: cwe
- type: flattened
- description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.'
- - name: desc
- type: keyword
- description: The description of the vulnerability.
- - name: fix_available
- type: boolean
- description: Indicates if a fix is available for the reported vulnerability.
 - name: kb_articles
 type: keyword
 description: The KB article/s related to the entity.
+ - name: cwe
+ type: group
+ description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability.
+ fields:
+ - name: caption
+ type: keyword
+ description: The caption assigned to the Common Weakness Enumeration unique identifier.
+ - name: src_url
+ type: keyword
+ description: URL pointing to the CWE Specification.
+ - name: uid
+ type: keyword
+ description: The Common Weakness Enumeration unique number assigned to a specific weakness.
 - name: packages
 type: group
 fields:
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index deea0e9f92b1..8c4e854dcb75 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -2058,8 +2058,12 @@ This is the `Event` dataset.
 | ocsf.vulnerabilities.cve.cvss.severity | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. | keyword |
 | ocsf.vulnerabilities.cve.cvss.vector_string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. | keyword |
 | ocsf.vulnerabilities.cve.cvss.version | The CVSS version. For example: 3.1. | keyword |
+| ocsf.vulnerabilities.cve.cwe | The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. | flattened |
 | ocsf.vulnerabilities.cve.cwe_uid | The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787. | keyword |
 | ocsf.vulnerabilities.cve.cwe_url | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html. | keyword |
+| ocsf.vulnerabilities.cve.desc | The description of the vulnerability. | keyword |
+| ocsf.vulnerabilities.cve.epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. | flattened |
+| ocsf.vulnerabilities.cve.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean |
 | ocsf.vulnerabilities.cve.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
 | ocsf.vulnerabilities.cve.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
 | ocsf.vulnerabilities.cve.product.feature.name | The name of the feature. | keyword |
@@ -2076,9 +2080,9 @@ This is the `Event` dataset.
 | ocsf.vulnerabilities.cve.title | The title of the cve. | keyword |
 | ocsf.vulnerabilities.cve.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword |
 | ocsf.vulnerabilities.cve.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345. | keyword |
-| ocsf.vulnerabilities.cwe | The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787. | flattened |
-| ocsf.vulnerabilities.desc | The description of the vulnerability. | keyword |
-| ocsf.vulnerabilities.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean |
+| ocsf.vulnerabilities.cwe.caption | The caption assigned to the Common Weakness Enumeration unique identifier. | keyword |
+| ocsf.vulnerabilities.cwe.src_url | URL pointing to the CWE Specification. | keyword |
+| ocsf.vulnerabilities.cwe.uid | The Common Weakness Enumeration unique number assigned to a specific weakness. | keyword |
 | ocsf.vulnerabilities.kb_articles | The KB article/s related to the entity. | keyword |
 | ocsf.vulnerabilities.packages.architecture | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. | keyword |
 | ocsf.vulnerabilities.packages.epoch | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. | long |
From 97459f5e8b2de504a47daa1b9559c65b9fb24d4e Mon Sep 17 00:00:00 2001
From: Shourie Ganguly Date: Thu, 8 Aug 2024 17:55:27 +0530 Subject: [PATCH 20/30] converted feature object to follow dynamic mapping rules across all data streams --- .../fields/actor-fields.yml | 34 ++--- .../application_activity/fields/fields.yml | 17 +-- .../fields/file-fields.yml | 17 +-- .../fields/metadata-fields.yml | 17 +-- .../discovery/fields/actor-fields.yml | 34 ++--- .../discovery/fields/metadata-fields.yml | 17 +-- .../data_stream/event/fields/actor-fields.yml | 34 ++--- .../data_stream/event/fields/fields.yml | 85 ++++-------- .../data_stream/event/fields/file-fields.yml | 17 +-- .../event/fields/metadata-fields.yml | 17 +-- .../event/fields/vulnerability-fields.yml | 17 +-- .../findings/fields/actor-fields.yml | 34 ++--- .../data_stream/findings/fields/fields.yml | 17 +-- .../findings/fields/metadata-fields.yml | 17 +-- .../findings/fields/process-fields.yml | 34 ++--- .../findings/fields/vulnerability-fields.yml | 17 +-- .../data_stream/iam/fields/actor-fields.yml | 34 ++--- .../data_stream/iam/fields/fields.yml | 34 ++--- .../iam/fields/metadata-fields.yml | 17 +-- .../network_activity/fields/actor-fields.yml | 34 ++--- .../network_activity/fields/fields.yml | 17 +-- .../network_activity/fields/file-fields.yml | 17 +-- .../fields/metadata-fields.yml | 17 +-- .../system_activity/fields/actor-fields.yml | 34 ++--- .../system_activity/fields/fields.yml | 119 ++++++------------ .../system_activity/fields/file-fields.yml | 17 +-- .../fields/metadata-fields.yml | 17 +-- packages/amazon_security_lake/docs/README.md | 40 ++---- 28 files changed, 240 insertions(+), 582 deletions(-)
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
index 6b9f27dd831d..316b1f41901a 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
@@ -486,18 +486,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1075,18 +1068,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
index 9a2b855148db..328884f80092 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
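Review bot: `feature.*` with `object_type_mapping_type: "*"` accepts whatever keys the event source emits beneath `feature`, whereas the replaced explicit `name`/`uid`/`version` fields bounded the mapping; every new key now becomes a dynamically created keyword field that counts toward the index's total-fields limit, and the README loses the per-field rows. If the motivation is resilience to subfields the explicit mapping missed, a comment above `- name: feature.*` such as `# dynamic keyword mapping: feature subfields vary by source; previously only name/uid/version were mapped` would record it, otherwise the three explicit keywords match the removed feature object more tightly. With `object_type: keyword`, a numeric or boolean subfield value is indexed as a string, which is acceptable for identifiers but worth stating in the description so consumers do not expect a `version` value to sort numerically. The identical replacement appears in the other hunks of this commit within view (application_activity fields.yml, file-fields.yml and metadata-fields.yml, and the discovery and event actor-fields, metadata-fields and fields.yml hunks), so this note covers them all.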
@@ -16,18 +16,11 @@
 - name: name
 type: keyword
 description: The CIS benchmark name.
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: path
 type: keyword
 description: The installation path of the product.
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml
index 3fc861e2b4de..f0d2fe6bc6b1 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml
@@ -391,18 +391,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml
index 00f399e22ecd..01b1c11c4dc4 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml
@@ -79,18 +79,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
index 6b9f27dd831d..316b1f41901a 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
@@ -486,18 +486,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1075,18 +1068,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml
index 00f399e22ecd..01b1c11c4dc4 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml
@@ -79,18 +79,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index 4bb76683ea42..aac49befedc6 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
@@ -486,18 +486,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1075,18 +1068,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 5702b3e5d69b..d9c8e1ee456b 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -102,18 +102,11 @@
 - name: name
 type: keyword
 description: The CIS benchmark name.
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: path
 type: keyword
 description: The installation path of the product.
@@ -872,18 +865,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1520,18 +1506,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -2010,18 +1989,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: The two letter lower case language codes, as defined by ISO 639-1.
@@ -2404,18 +2376,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml
index 3fc861e2b4de..f0d2fe6bc6b1 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml
@@ -391,18 +391,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml
index 00f399e22ecd..01b1c11c4dc4 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml
@@ -79,18 +79,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml
index f144d7b0e269..621cf5229443 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml
@@ -70,18 +70,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
index 6b9f27dd831d..316b1f41901a 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
@@ -486,18 +486,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1075,18 +1068,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index fbb1890f79b8..4d0241810dcb 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -404,18 +404,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: The two letter lower case language codes, as defined by ISO 639-1.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml
index 00f399e22ecd..01b1c11c4dc4 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml
@@ -79,18 +79,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml
index 732e91359f37..9a2a81816026 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml
@@ -413,18 +413,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -988,18 +981,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
index f144d7b0e269..621cf5229443 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml
@@ -70,18 +70,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
index 6b9f27dd831d..316b1f41901a 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
@@ -486,18 +486,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1075,18 +1068,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
index a915cde0324b..088a00284138 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
@@ -686,18 +686,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1258,18 +1251,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml
index 00f399e22ecd..01b1c11c4dc4 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml
@@ -79,18 +79,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
index 6b9f27dd831d..316b1f41901a 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
@@ -486,18 +486,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1075,18 +1068,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index 8db8af09e491..cf29f2021768 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
@@ -556,18 +556,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: The two letter lower case language codes, as defined by ISO 639-1.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml
index 3fc861e2b4de..f0d2fe6bc6b1 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml
@@ -391,18 +391,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml
index 00f399e22ecd..01b1c11c4dc4 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml
@@ -79,18 +79,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
index 6b9f27dd831d..316b1f41901a 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
@@ -486,18 +486,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1075,18 +1068,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
index ac813f70e4e9..77b001b803a1 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
@@ -452,18 +452,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -983,18 +976,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1458,18 +1444,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -1761,18 +1740,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: The two letter lower case language codes, as defined by ISO 639-1.
@@ -2155,18 +2127,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -2732,18 +2697,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
@@ -3307,18 +3265,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml
index 3fc861e2b4de..f0d2fe6bc6b1 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml
@@ -391,18 +391,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml
index 00f399e22ecd..01b1c11c4dc4 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml
@@ -79,18 +79,11 @@
 - name: product
 type: group
 fields:
- - name: feature
- type: group
- fields:
- - name: name
- type: keyword
- description: The name of the feature.
- - name: uid
- type: keyword
- description: The unique identifier of the feature.
- - name: version
- type: keyword
- description: The version of the feature.
+ - name: feature.*
+ type: object
+ description: The Feature object provides information about the software product feature that generated a specific event.
+ object_type: keyword
+ object_type_mapping_type: "*"
 - name: lang
 type: keyword
 description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index 8c4e854dcb75..c28d29986f31 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -223,9 +223,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.actor.process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.actor.process.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.actor.process.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.actor.process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.actor.process.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.actor.process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.actor.process.file.product.name | The name of the feature. | keyword |
 | ocsf.actor.process.file.product.path | The installation path of the product. | keyword |
@@ -393,9 +391,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.actor.process.parent_process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.actor.process.parent_process.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.actor.process.parent_process.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.actor.process.parent_process.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.actor.process.parent_process.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.actor.process.parent_process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.actor.process.parent_process.file.product.name | The name of the feature. | keyword |
 | ocsf.actor.process.parent_process.file.product.path | The installation path of the product. | keyword |
@@ -620,9 +616,7 @@ This is the `Event` dataset.
 | ocsf.api.service.uid | The unique identifier of the service. | keyword |
 | ocsf.api.service.version | The version of the service. | keyword |
 | ocsf.api.version | The version of the API service. | keyword |
-| ocsf.app.feature.name | The name of the feature. | keyword |
-| ocsf.app.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.app.feature.version | The version of the feature. | keyword |
+| ocsf.app.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.app.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword |
 | ocsf.app.name | The CIS benchmark name. | keyword |
 | ocsf.app.path | The installation path of the product. | keyword |
@@ -947,9 +941,7 @@ This is the `Event` dataset.
 | ocsf.driver.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.driver.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.driver.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.driver.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.driver.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.driver.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.driver.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.driver.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.driver.file.product.name | The name of the product. | keyword |
 | ocsf.driver.file.product.path | The installation path of the product. | keyword |
@@ -1170,9 +1162,7 @@ This is the `Event` dataset.
 | ocsf.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.file.product.name | The name of the product. | keyword |
 | ocsf.file.product.path | The installation path of the product. | keyword |
@@ -1314,9 +1304,7 @@ This is the `Event` dataset.
 | ocsf.file_result.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.file_result.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.file_result.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.file_result.product.feature.name | The name of the feature. | keyword |
-| ocsf.file_result.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.file_result.product.feature.version | The version of the feature. | keyword |
+| ocsf.file_result.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.file_result.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.file_result.product.name | The name of the product. | keyword |
 | ocsf.file_result.product.path | The installation path of the product. | keyword |
@@ -1456,9 +1444,7 @@ This is the `Event` dataset.
 | ocsf.malware.cves.cwe_url | Common Weakness Enumeration (CWE) definition URL. | keyword |
 | ocsf.malware.cves.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
 | ocsf.malware.cves.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
-| ocsf.malware.cves.product.feature.name | The name of the feature. | keyword |
-| ocsf.malware.cves.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.malware.cves.product.feature.version | The version of the feature. | keyword |
+| ocsf.malware.cves.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.malware.cves.product.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword |
 | ocsf.malware.cves.product.name | The name of the product. | keyword |
 | ocsf.malware.cves.product.path | The installation path of the product. | keyword |
@@ -1495,9 +1481,7 @@ This is the `Event` dataset.
 | ocsf.metadata.processed_time | The event processed time, such as an ETL operation. | date |
 | ocsf.metadata.processed_time_dt | The event processed time, such as an ETL operation. | date |
 | ocsf.metadata.product.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. | keyword |
-| ocsf.metadata.product.feature.name | The name of the feature. | keyword |
-| ocsf.metadata.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.metadata.product.feature.version | The version of the feature. | keyword |
+| ocsf.metadata.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.metadata.product.lang | The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.metadata.product.name | The name of the product. | keyword |
 | ocsf.metadata.product.path | The installation path of the product. | keyword |
@@ -1606,9 +1590,7 @@ This is the `Event` dataset.
 | ocsf.module.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.module.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword |
 | ocsf.module.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword |
-| ocsf.module.file.product.feature.name | The name of the feature. | keyword |
-| ocsf.module.file.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.module.file.product.feature.version | The version of the feature. | keyword |
+| ocsf.module.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.module.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.module.file.product.name | The name of the product. | keyword |
 | ocsf.module.file.product.path | The installation path of the product. | keyword |
@@ -2066,9 +2048,7 @@ This is the `Event` dataset.
 | ocsf.vulnerabilities.cve.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean |
 | ocsf.vulnerabilities.cve.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date |
 | ocsf.vulnerabilities.cve.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date |
-| ocsf.vulnerabilities.cve.product.feature.name | The name of the feature. | keyword |
-| ocsf.vulnerabilities.cve.product.feature.uid | The unique identifier of the feature. | keyword |
-| ocsf.vulnerabilities.cve.product.feature.version | The version of the feature. | keyword |
+| ocsf.vulnerabilities.cve.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object |
 | ocsf.vulnerabilities.cve.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword |
 | ocsf.vulnerabilities.cve.product.name | The name of the product. | keyword |
 | ocsf.vulnerabilities.cve.product.path | The installation path of the product. | keyword |
From bb88d570c4f7626b4297a7d0310648db299fc01d Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Thu, 8 Aug 2024 18:20:05 +0530 Subject: [PATCH 21/30] added firewall rule object to respective event categories --- .../application_activity/fields/fields.yml | 40 ++++++++++++++++++ .../data_stream/findings/fields/fields.yml | 40 ++++++++++++++++++ .../network_activity/fields/fields.yml | 41 ++++++++++++++++++- .../system_activity/fields/fields.yml | 40 ++++++++++++++++++ 4 files changed, 159 insertions(+), 2 deletions(-)
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
index 328884f80092..81348121868b 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
@@ -276,6 +276,46 @@
 - name: expiration_time_dt
 type: date
 description: The share expiration time (date).
+ - name: firewall_rule
+ description: The Firewall Rule object represents a specific rule within a firewall policy or event.
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The rule category.
+ - name: condition
+ type: text
+ description: The rule trigger condition for the rule. For example, SQL_INJECTION.
+ - name: desc
+ type: text
+ description: The description of the rule that generated the event.
+ - name: duration
+ type: integer
+ description: The rule response time duration, usually used for challenge completion time.
+ - name: match_details
+ type: keyword
+ description: The data in a request that rule matched.
+ - name: match_location
+ type: keyword
+ description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER.
+ - name: name
+ type: keyword
+ description: The name of the rule that generated the event.
+ - name: rate_limit
+ type: integer
+ description: The rate limit for a rate-based rule.
+ - name: sensitivity
+ type: keyword
+ description: The sensitivity of the firewall rule in the matched event. For example, HIGH.
+ - name: type
+ type: keyword
+ description: The rule type.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the rule that generated the event.
+ - name: version
+ type: keyword
+ description: The rule version. For example, 1.1.
 - name: http_request
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index 4d0241810dcb..d0b89c0d7ce9 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
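Review bot: `condition` is mapped as `text` although its own description gives an enumerated value (`SQL_INJECTION`); a `text` field is analyzed and not aggregatable, so detection rules and dashboards cannot do exact-match filtering or a terms aggregation on the trigger condition — `type: keyword` fits this value, as it already does for the sibling `category`, `sensitivity` and `type` fields. `match_details` holds the request data the rule matched, which is supplied by the client and can be long; if the package's default keyword `ignore_above` applies to it, long matches are silently left unindexed while still present in `_source`, so consider an explicit `ignore_above` or say in the description that long values are not searchable. The same block is added unchanged in the findings, network_activity and system_activity fields.yml hunks that follow, so the fix applies to all four. The enclosing `fields:` list continues outside the hunk.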
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -323,6 +323,46 @@
 - name: uid
 type: keyword
 description: The unique identifier of the reported finding.
+ - name: firewall_rule
+ description: The Firewall Rule object represents a specific rule within a firewall policy or event.
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The rule category.
+ - name: condition
+ type: text
+ description: The rule trigger condition for the rule. For example, SQL_INJECTION.
+ - name: desc
+ type: text
+ description: The description of the rule that generated the event.
+ - name: duration
+ type: integer
+ description: The rule response time duration, usually used for challenge completion time.
+ - name: match_details
+ type: keyword
+ description: The data in a request that rule matched.
+ - name: match_location
+ type: keyword
+ description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER.
+ - name: name
+ type: keyword
+ description: The name of the rule that generated the event.
+ - name: rate_limit
+ type: integer
+ description: The rate limit for a rate-based rule.
+ - name: sensitivity
+ type: keyword
+ description: The sensitivity of the firewall rule in the matched event. For example, HIGH.
+ - name: type
+ type: keyword
+ description: The rule type.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the rule that generated the event.
+ - name: version
+ type: keyword
+ description: The rule version. For example, 1.1.
 - name: impact
 type: keyword
 description: The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index cf29f2021768..fa92b393379a 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
@@ -389,8 +389,45 @@
 type: date
 description: The share expiration time.
 - name: firewall_rule
- type: flattened
- description: The firewall rule that triggered the event.
+ description: The Firewall Rule object represents a specific rule within a firewall policy or event.
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The rule category.
+ - name: condition
+ type: text
+ description: The rule trigger condition for the rule. For example, SQL_INJECTION.
+ - name: desc
+ type: text
+ description: The description of the rule that generated the event.
+ - name: duration
+ type: integer
+ description: The rule response time duration, usually used for challenge completion time.
+ - name: match_details
+ type: keyword
+ description: The data in a request that rule matched.
+ - name: match_location
+ type: keyword
+ description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER.
+ - name: name
+ type: keyword
+ description: The name of the rule that generated the event.
+ - name: rate_limit
+ type: integer
+ description: The rate limit for a rate-based rule.
+ - name: sensitivity
+ type: keyword
+ description: The sensitivity of the firewall rule in the matched event. For example, HIGH.
+ - name: type
+ type: keyword
+ description: The rule type.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the rule that generated the event.
+ - name: version
+ type: keyword
+ description: The rule version. For example, 1.1.
 - name: http_request
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
index 77b001b803a1..4d5025c0ac57 100644
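Review bot: Changing the existing `firewall_rule` field from `type: flattened` to an object group is not a compatible mapping change: backing indices created before the upgrade keep the flattened mapping until they roll over, so a data view spanning old and new indices will presumably report a type conflict on `ocsf.firewall_rule` and its sub-fields until the old indices age out. The other three hunks in this commit only add the group to streams that lacked it, so this file is the one that warrants a changelog entry naming the breaking mapping change; confirm that the package's version bump and changelog cover it. The enclosing `fields:` list continues outside the hunk.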
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
@@ -595,6 +595,46 @@
 - name: exit_code
 type: keyword
 description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.
+ - name: firewall_rule
+ description: The Firewall Rule object represents a specific rule within a firewall policy or event.
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The rule category.
+ - name: condition
+ type: text
+ description: The rule trigger condition for the rule. For example, SQL_INJECTION.
+ - name: desc
+ type: text
+ description: The description of the rule that generated the event.
+ - name: duration
+ type: integer
+ description: The rule response time duration, usually used for challenge completion time.
+ - name: match_details
+ type: keyword
+ description: The data in a request that rule matched.
+ - name: match_location
+ type: keyword
+ description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER.
+ - name: name
+ type: keyword
+ description: The name of the rule that generated the event.
+ - name: rate_limit
+ type: integer
+ description: The rate limit for a rate-based rule.
+ - name: sensitivity
+ type: keyword
+ description: The sensitivity of the firewall rule in the matched event. For example, HIGH.
+ - name: type
+ type: keyword
+ description: The rule type.
+ - name: uid
+ type: keyword
+ description: The unique identifier of the rule that generated the event.
+ - name: version
+ type: keyword
+ description: The rule version. For example, 1.1.
 - name: file_diff
 type: keyword
 description: File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.
From f0fdc329e76fd6f3f2f25e681bc4b9d91b342159 Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Fri, 9 Aug 2024 17:27:54 +0530 Subject: [PATCH 22/30] added some missing fields after locally running system tests for discovery datastream --- .../data_stream/application_activity/fields/fields.yml | 3 +++ .../data_stream/discovery/fields/fields.yml | 3 +++ .../data_stream/event/_dev/test/system/test-default-config.yml | 1 + .../amazon_security_lake/data_stream/event/fields/fields.yml | 1 + .../data_stream/findings/fields/fields.yml | 1 + .../amazon_security_lake/data_stream/iam/fields/fields.yml | 3 +++ .../data_stream/network_activity/fields/fields.yml | 1 + .../data_stream/system_activity/fields/fields.yml | 3 +++ packages/amazon_security_lake/docs/README.md | 2 +- 9 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
index 81348121868b..9667aa67a566 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
@@ -583,6 +583,9 @@
 - name: raw_data
 type: flattened
 description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: keyword
+ description: The raw event data keyword as received from the event source.
 - name: scan
 type: group
 description: The Scan object describes characteristics of a proactive scan.
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index d312b12006bc..8abeadd1c54f 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
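Review bot: The description added for `raw_data_keyword`, `The raw event data keyword as received from the event source.`, restates the field name rather than saying what the field holds, and it differs from the wording given to the same field in the event data stream hunk that follows (`The event data as received from the event source.`), so one field is documented two ways across the package; the discovery, findings, iam, network_activity and system_activity hunks that follow repeat this wording. A single description should be used everywhere, and it should state how the field relates to `raw_data` — presumably a keyword copy of the raw event kept for exact-match search, but the pipeline that populates it is not in this patch, so confirm before wording it that way. If it does carry the whole serialized event, the description should also note that a value longer than the mapping's `ignore_above` limit is not indexed, since that bounds the field's usefulness for large events. The enclosing `fields:` list continues outside the hunk.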
@@ -225,6 +225,9 @@
 - name: raw_data
 type: flattened
 description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: keyword
+ description: The raw event data keyword as received from the event source.
 - name: security_level
 type: keyword
 description: The current security level of the entity.
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml
index e52b295cc1dc..87849c333032 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml
@@ -1,6 +1,7 @@
 input: aws-s3
 vars:
 data_stream.dataset: amazon_security_lake.discovery
+ event.dataset: amazon_security_lake.discovery
 data_stream:
 vars:
 access_key_id: '{{AWS_ACCESS_KEY_ID}}'
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index d9c8e1ee456b..4eaddb3ba42d 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -2605,6 +2605,7 @@
 description: The event data as received from the event source.
 - name: raw_data_keyword
 type: keyword
+ description: The event data as received from the event source.
 - name: rcode
 type: keyword
 description: The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
index d0b89c0d7ce9..ade2c04874b9 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml
@@ -550,6 +550,7 @@
 description: The event data as received from the event source.
 - name: raw_data_keyword
 type: keyword
+ description: The raw event data keyword as received from the event source.
 - name: risk_level
 type: keyword
 description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source.
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
index 088a00284138..5f5386baec4e 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml
@@ -1702,6 +1702,9 @@
 - name: raw_data
 type: flattened
 description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: keyword
+ description: The raw event data keyword as received from the event source.
 - name: service
 type: group
 fields:
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
index fa92b393379a..b4591760d870 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml
@@ -732,6 +732,7 @@
 description: The event data as received from the event source.
 - name: raw_data_keyword
 type: keyword
+ description: The raw event data keyword as received from the event source.
 - name: rcode
 type: keyword
 description: The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
index 4d5025c0ac57..c460822020e9 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml
@@ -3713,6 +3713,9 @@
 - name: raw_data
 type: flattened
 description: The event data as received from the event source.
+ - name: raw_data_keyword
+ type: keyword
+ description: The raw event data keyword as received from the event source.
 - name: requested_permissions
 type: long
 description: The permissions mask that were requested by the process.
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index c28d29986f31..89dd06a95afb 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -1722,7 +1722,7 @@ This is the `Event` dataset.
 | ocsf.query_time | The Domain Name System (DNS) query time. | date |
 | ocsf.query_time_dt | The Domain Name System (DNS) query time. | date |
 | ocsf.raw_data | The event data as received from the event source. | flattened |
-| ocsf.raw_data_keyword | | keyword |
+| ocsf.raw_data_keyword | The event data as received from the event source. | keyword |
 | ocsf.rcode | The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source. | keyword |
 | ocsf.rcode_id | The normalized identifier of the DNS server response code. | keyword |
 | ocsf.relay.hostname | The hostname associated with the network interface. | keyword |
From 0b356dc9944cace73cdd5bb519f21bcea2c765c9 Mon Sep 17 00:00:00 2001
From: Shourie Ganguly Date: Fri, 9 Aug 2024 21:48:27 +0530 Subject: [PATCH 23/30] reworked terrform deployer to support multi-bucket based system tests --- ... => discovery_user_inventory_info.parquet} | Bin .../files/findings_detection_findings.parquet | Bin 0 -> 199487 bytes .../data_stream/event/_dev/deploy/tf/main.tf | 44 +++++++++++++----- .../event/_dev/deploy/tf/variables.tf | 5 -- ...t-config.yml => test-discovery-config.yml} | 2 +- 5 files changed, 33 insertions(+), 18 deletions(-) rename packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/{test.parquet => discovery_user_inventory_info.parquet} (100%) create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_detection_findings.parquet rename packages/amazon_security_lake/data_stream/event/_dev/test/system/{test-default-config.yml => test-discovery-config.yml} (85%) diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/discovery_user_inventory_info.parquet similarity index 100% rename from packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/test.parquet rename to packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/discovery_user_inventory_info.parquet 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_detection_findings.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_detection_findings.parquet new file mode 100644 index 0000000000000000000000000000000000000000..916573cc443531c377c16470d4ff5d38de1d1494 GIT binary patch literal 199487 zcmb@v37k|_k~b;^Vu|3=np&l{oxS^dsmeWX`g&%_wYwec_7lfmX1;N5ZdEB&nPo0u z`R08O6%`efMnptFL_|bI1O!9`L_|OYMN~vYMMPA@4H0pB|G1g=<~bQR>!zcLKkM9k z;>OwH#EBCTC(il73!Jv2Y!~3)2iM*8PWQ>fi52_Gzh7<3L9PpR>)`<^a?m@bCUdw*BL1hU#=crPYzS zJXJcGNl-o2e6KxTDi%}uh70%)+ke=efA8@t2CxEth63U)htuVCB!264rvtxrI#cQ2 zsvcMBw+@%br6!zChr{8m)bfp)ONKEVRLOjM>?-P&O;V~OBAe!DOMU0(9uzho9htNxNC=<>b!5` zl>Q7yKdLW&mD=q8a^7A(?KZt*%mtUtWg9(j-tGMurW1gr*kg~Yc?`Net!5K6^o`9O zYUAq9wvFLM>uvO<(yGwLxCf6lr0ui$Y_o58@c^G6C!uPko}{V~cXuXXPhHlNL*+d9 zH|?{h4)S78#24N6cqZ48S9>~pF>6O&RvC-W#%_6@&vCt;isF&#>GXPQ>lw0zY#-nC z;$wV3PeZ9aYGQ=iK~$Md<+Aq96ed=-gVvXQK}meN?4jswrcq_B#us+{yYsGF-r}P=5MM~0Vp%%1qamPA z9{6+z@4A1YM&O59wc+0_U)*vX=Yc~2(4ET{JJgO;p{={eUFpBK*Wa~)x8d^#&fi}_ zNezAG+J#$r|4~C@xvr$fKrXReV!PtHZ{`hRgZ67GSuG|y?dj6xm-pJUIdIVSe6CmR zD)zP|;`#R4deKB(w(-8XocC2GfYa+siW5Lhab|Rp?IPRkuWtJ{R-YfEKG|G;RH`GR zX6;z$GljI80Bi2GCvsg~MBgLzMPb&eUGq6j5C={`3IIdLf{;$-3z)>(9GKK(!+#6k zUiu;D52Nu_%;EP$-LbGU=!q%5Kr|Zj`Ml9!C>B5}=8t-!4khAs1|uGSEb0q*BOb5Q zt@tADNGzQPT4fqsSIN)&lW8sj)=M5@hchnR1BNcH(6eoTWr^6fc z2mCIN*X@gXgE4*3Z@qK!!@OAoP{9j_4gW)hGIktT@E~WvH0boJ0Nu9i=}$POMNLC> zv4&`S<@m)j`0BHw3iLbM?`$g{U$~t!t5Z-ExD#ls0P-o8AXC|~h7w=>4gT$ZdfIKg z_`&!nSSofxYy)UgXHGLenKJ%ZMh?_!`c)cqC*5d#A5a1ze>CiiC;^|_7xMevk%&i$DxRRr9SpdmF^AXf zcl$kluRG)mhg^{`s3@ZNy-|lV7WMdDPS6j?ED#O{qk&Ms;Rv|G_)3Yn!)_%S#{a!; zmmjbWmlAdc+`(wj6^VqL{-E3C^M1cnMEqsW{?{Jk6NX4FlrLpd8T83d@bBt*-^}H_ zidg->Wk+Olqq2Y_-tqFnuU2u&)p>_6pr(XHUiGW-+QpN`_`an}mvAW*Wof@kNe{mD z&MTb$^pgB>)hCps_gBn*0skV{1c)LU)RPNWe?3~Fr3AD|?JfX(Qp4wk=9J z<*%KC|7`nb+iRb0x|TCr8>-Zy#`Bp}m%UTXcc)8T_F_s+bXLgnjyE5;ny)BE(P^)^ 
zQ4Tm#j@qJ$u$GM9^C*{ev`u8E+Jln2GVwg^A6q%DnxR47|MZMmXt~zIhu%5`3w2%rY*|w^8i9!K54~M2RH|!K9832xgK52*?jNXyLn%(KG9ens8M?!opppy zL26Vn7gsxS_IxQ0K1dptVjj{l(Z+w_-=z1)&*wb!7x=C*W&ku7;@`dpzgf%YtQ~0l z{+K5cb%Z^Ukk=cDhW&1z*XIm|eGqMBq(zMWp_Na3%Db63eHg13W-+Q6fdVr@tfGj258k%R$(XnU@afVe z8DlpLg)0_zXnAt^_GF5b;BlxBimA)m#R@b;mL%@pHevQ|-dYlOFG#5!V5t{nvWZmo zaut=Nc{TUQ=WlY(Nb{=Do6M$2|3`%S>?2o9=c|@J%r2ix9Oi&O!G@U{U@2o!H!qs} zO_uc<^>P-%5G3pNo_sD@N~Cn2`TT>=9N`N*@yy1$84aYmUH#I1S8+Nx`!s`;h*-vK zI5?IsRzxg+%#Os011(1doux`RVvE=o&D(V|pZzUBhdl`ton>9%s2;m9k1M0`(j8CV z#^;MZ8t!;NRNp9ZKjU)4Y{P8Vui14E=W=JFbQoixEX~kX!VX#iVW*OIZCh;^T&%c1 z(aifh5AWl%Q?I4Roffxmfq<7WHzJ33|MAeLoSumuhO4j~sY8poQob#b%k`jdNY;Gt z{dsTjX-cvtX*#+x*_2(g9oc(wBurO&bk_XCzh_iuR5k7snYrS{7Pm%mOQ~-Jma@r0TOmpE6RCj5eXwFGr*~2T3p_SyOWK}$;)$y{k)92}ILTO@=tWJ6 z#-C*Sh%B^wg|>9Ih<%ArB8}ud_fC6{mq;TCGgC4H?pZ3@VZHj6=CrTx+qRpxSsyx| zk`$>-aVvq^p(CT;mi0S65Ct(euR&xOQdqESVY&%-)S3 zF65P@fx!Y@Z0}5gl!1@-(N|5o`>%`=X&c>VcjMzp{pi2P*UmY}=gUxh9}PJj3S_)c zBp7pgybM3U^>JEm2k&q86Qxrj)j+-7I zZz4L7nrQeRg1>cneU*N(6rzZ#S3m#eEqt;LJ$E(g6r zrbvvJfG1tQ{{_yX%li3jK9{QQKF+tDZ`-u<-7k3gXA$mH0dhv76J!YzfWCtEg?4B? zv7gK9d%1?%cN>`zH@U_6yd)DkgG>6JGx8N=6T zn$mwR6(LAvb!&M;){yHKyn2`m2LGZ}TB|mV-^RC||CrC4Usi#LVir$dcN1S|h+-1p z-I(~5KDhPcE3T-&UMOlplriFoG?OvNy7u<24SeTC#x?BkyEB@43`061)76C)4FXO< zAItey&oUuJ64&U5Dw3$ZWzpuzoVrNV9@UBE2;2~y45mJiC9N#99xc9M?`+t)3 zdOA}@Qb3Z~J!!urm(oqjdsoalgVBSRYJwjy6H~eKA5&*>!Xl=EO(j%DZBPpx4gNZcjKwljViu{e}+9-f{hDX zhGYsdIX?SO{F^iJtuegBpEuh3z(Q)T>>ln#&@j_A0Bm?CDIQlPuIA!gN_{tjR)? 
zG!xsLLn~);wm2GJhhZHFdZS*iKjsblU3dsZeXf||hDju>D4|Hi0n3_#te6s3VqRF& zVxDLq>T@`w?l3GTv7o~d4Jsk0;tcpbKoW_$yrH1tiz?wjEaVCLo&HcDhK0)Siuz(6 zZ_oql9IPgRsMi&Up?NfR3-`WuEuT~asDc-subbE`HEpyzoN@KXQ~AuGDMstV`Zt~o zvuQ}n1JutLG`p(X!OF5-x=Yo16<-rgKl#j+Uvln9G#yjB;V+}@VH#9!kbpV!-rMiw z6iWgo)guSJIwbc?Fcsm!lg)G+!tItf=0D0QQD0r+ZfH)c9!K#+z*)Px&`kJX*QU3* z97r=End(uYn$MG9ohuigQXvi+3i^BQdEso2Kq@qs{`EpBAMd}zk!&+xt^ z17poY;vs{-M;-Ido*aO-TGjoZ&vyVXu8UV3Slt@*S(JboYNZlo8z0Q-W=%G85?#I68ekjC#*X951nuxI%)tId>tBO3Nb=R; zH`hJMv1#&^n(eh0M;0&yS}RDb*)w~_ExZ-_&?i+TAq>45P??g9w#iq&He(zgAZ?qR zN?`4R{)E13om_rH5Uu?W~Sn3 zSCzt52mJbKwvQxROxgL$3tVz1*`mBcX!>mI8|}pe?R81mdFI9EOc)GFJ9&^IJfzSY zw6tJ}!X8VbvP#$Noc_{>TvpU;oOZ{hzDc;55tkO36)W#w!nrUlGM&B2e69m^&8Nt0 zM-wxZEu^}u+oszVKQf6E@0?#7t1o#C-nDJ*EZ(o=AdH+%DL-1wx8Lon1>v#BAQX^1yApVZ>}k!4uA2z|upaM;^vl z)SZajazj9Ta@Vc5-pdDr_++RHcF(Hrv(wgTTlmP7wS0JK)6-ds!=wqjPO%rBaar;` z$z|IiH$gSi(Uvb1+J){X&VT##>9e>fL!3X2Esebc9 zV-Ie(+a>DWl7qua3EoujS-9W=R|v-bO8-MA()_%d)(?@a!A;`IbWO4t{T`XgSy6P6jb#~%ti!roZe;fcAufk4RRiUnhVVAL0MdR!5| zD;)B{#O4Y(+z#Xff)T~x4+SH>m^bF|d6bwEig`T&KOyzFgZR|v2>HX{6#lRh4*4Cv zD6A!DFU`FxCal`T`2x*7=#LU3{+i4G0g`8BHs5yh9aDMt(tewM03t!=t-GFD$}wuY zlRO+r?72LQ1u(eApQchQw;z9rPeu|Zg2_v;n*ny37JGI-Y{DyOT8zr)Xfe19 zdpgZKoi@R_f+4EjIA-U^oK|&$_awX`!K*2AtJ=W>D_7S?;&u6?#Vr+Z)pAiXq+Gjy z`{%r+WJvjaDxdEi+LIfR%D2Tcm!rwVOCDUZfP?E5_sVL>fIGmr39aX|7hbuCj~uP% zDip}1VTFXBfq0LF9b8lG(p>Y2(7!$~=@u@QJ>fN$Q<^pRO?>V;KITLi=YtdEH60ou zv(#7-viE1c@D=9|gsh+@+eUPgCZo}*8n?x5Zyb1U9`C?k0v}`Hwij>ir>L6--5O)pI~SHKg9y1afRsQ5jK+ZDr3l@yoX zm+`xC4*&G-yQlC~Ri_)j+bym_ih{!-HKHTQNguBHz{EICa#9l8i(c%@z}Pd8lcBMo znM|9>_pkW!X)dp5J_?;VY*|+vAR4e4-&G7e!n*d z-0O}!ZesRq3mDUiiu+{CdK0G?Zxx6*;x{iZ+rTF%aYU%kASPrnx3P=vgj|$?!*fcL z&4~4XzfQQssh(dxVJ5GNPI8zHBFU+Nbh4J@2+4wlYj^VLZy*WC24VOA&x5S+2Ts=X}1{(`12Q+=U|>(8)ophXuB*=%>~m-1^>Q ze6r}R4S1ZQaIYp(Y(*hDu~LIlW3PR2k-Ll)|=4^Bo+86@+9pZNL93+plb^KVEp4ORmRJxBg|gJ(z%QK1)SW^WQnN zeO4dMPsSyRNw^rrQ1jP5y8Z?8aYUIUme85OWiL(nGn2{b$e_g{fX~TTx$?amZszjx 
z+4w#ZhSU{RyowVXCFqPs!Y;Ssfn*nRxEu~e@kS!9VAxFxMq=JOZrFb}-;C3qkE~pD z!jYO}xo;w%S&LUp;C1@scLookS^o93JsUYul7JV^VbrpvT&bWf_S(+%o$E}jiQ3M! zqFF}$Xxz3ua`<`9sdchV;E;o`oea2~OanrCiMKW_>SRMgYKf7VBGj0)M5yrSgUv(N zyR2AscpGnwQEVEH+JZVHkYer$#4uOBara_QbHp&aVRE*^pBQ=#+Vnxqkiz`h^&b*G?VsEqTq>mPicGrQA5#t_mtZ=1Yk44=AfGSJ;` z?=hK4P8rD3szzhG>W0l*>W^(Q;g@_sR2LICsm`mGy)~ZKc~`YM51is1s<~B@t*KW$w-N;yaJ;;KKTeQG+P@ zHZKqlzGv~0S9mLl2X~cE<+OEZeM@rm_UZS$#fOUIZLsyuT$Xm=bWCjd(ht`0c|*s< zF3)tw)%Ykt%U8Y%xp^FMhd5OON}L@xC1vZP zs}|qDc@QaEX<5fg4{9eXB#zw`?Zp!KA(W$)3aohVzAc<4^a?n=Zb=RA<8G!65d$@K z_o3UT)SX!#m)j?rngWpXYh_EC*UO)J@H1}b(zFLS7hA~Xp?f0VEwY(svRH<6`ES|i zPfYxco6j|-B(>w#>5tvYM}zoJuu#(Z&qpg>evnsTD1hi!>DIO5zFN$uuimW+4s{Fb zoRV@dwLkUPGdFK~g_FO5#FvnW!{KD797u66{prOfMq^SOXb0r6N>*e-Y&Gmf-RwiX z@$pyBJkELOq2WfCQ5_$Camnub^rIxDbKOeH%M6Itez;%Fe)?g)DrkPVYO*8MrjGnJ z=hR3Aee=EdF69i9RM3S^9E8Dfnp`$bu0xs2F=;z9J?%I$n}bFn-yRo=Y-}q}it4>@ zPnym-11YLUVwr?>77-C}LKi+oUGOae4Uw|`+66b8xN?%RJ`N^A!v!Y`I}FR33T~2S zp8tI5mKB_2M&p}cBoI=3F1J7C590`;)8TiA91wKje z91hTN#Av|fqdmLR?Sxz$fR!I-8a=L{6MkTRCE#_rogt^k?F$B#2pq_KE*HE2oPL~# zjpA#ZlMI9+;bi z$SqWlmvIXsmp7(7yMxa}B9}`*VbIF=AdCj+ENvV>v{Zo;+UsswxRSFwLQ6YgcoMXa z$`mkP3Yxi#R_()ESC|;Z?D)cJcA?M8u8PmjcyI%6%TS=e0d8l=5%D{qZI3uTSnnNS zCtOQ{P6w#Wy^9jna!u=MgMMaKW%aP;>*2!1t%&$uhdnfRg>C!>sxnU z$rmR#py*ctT5$M_XE~~$mthEqR8%v@jeUZztE8gJY2lmN3Zux${9BofyKG&yn-)B0 zq5}C1@ItAPOJuN#vln_)ZBy4BZ^wxs754vZ8%}SwOC=K>zC3-xyS&4R4k0}zdl3%_ zwyp9hi;fcLQKQ4gmU=>eWZAaWocstq1dFl`B8THW=nox@37?+~ZQDRoFH%{B}Uo5S|p z#LqwEyN=^grF)?_dq{GdsL#;<+nbulCLL3 zs~POlRGfhy36+|r&7_(hS@7f)^=Z$G;~OIFsR^b#Ad|-@H(d1|FOy6jSl;cL&KSO< zAo`9@RbMbx9T@)!7ZV0$jJ1c>wH4pou!avZt!q7a_Og>Jg5{Cz9D4`SG4|rrW+nw^pN_VXi6pr-i4~v$-E_^2b)0?b zqzAVT@u*qc4b@DI!M7o1LOSjbUs`Lz6-mcEyc0&@-=}ivbY45*Nn`TqXGdP*Yk%3O z(4A^emWVL^ihm2=fA$SN=09nuLx7^Zg}v#fC!Xi)(`X=xASeztqDssac6-7e_}WAq zJ|z%~fpbN{vtqGmFzWC)TyU202Cy?A=NiQk3BU;_2#)3n#a!@9hjUFdqJ$laJLHar 
z6~EgX^LWAmoO%!W6o=yVfaPH`jIFQJSZWNCcRLh`7KNH*CM1b5qTi2tp8@=quPSEkX^Cv(2z=lMzf?ig9(U#XSGdiJWCHqC24=%&^Pc2FG!0A`A#P~+zJ=uT+*_Nj;w9=` zulgjLa@^-+R!c2v|%$z9`?i@C*QE-22L6pd+hCw=P269uuOIYps5e9+yDAC zT-=~Ogzb^G+fb6IqcT`bJKM9p@C(bf!?#{2va!ttowOM9<+9nF?@g$#TM7W43Kv7sy<J90T4sD&fnlHopq)rChlHI_cU^*l! z$x5X|0{L}!KY2H2dL)n!2jv&iG}9Y(^dlPGz4fzc93Rmr1ogNI=NnjdK&b^p@xi)S znSXO%+q<1l3ca~01*e9pJ_T_X!cx_UO*FG!n)=jDoD^tg6*ArA1g#zN9g*r9k;~b8 z5XB7xQz`$;sUN*ozq`|MIb>`i$#x9Ho;L27eifgd#Gc@nm#||!vTHIj4UMJVmNr>8 ze|Fnq-Yc}p0x4$@H!O*5P#R~J$zNgw4%eeK+KN5;3zHarD=nA zz$l$mBIBoAdj+Q~J3hqLAslr%5u`KfK*|&KD;{SIzW2^R#OGDWob`P<7*N07bJxS~ z@D_~tZ(~g(Hac(iD^GB$)!1#f=8BI>HBJxv_dowWm$CJpce`;6smeAL4}xXXuuYP| z4?VkV8?QIX;3R3o+X0UMd6ftkygOT>c)vK;Zydw>=+OEDoa^d!@Ob1fo(d0cKy~1^lZ6W1PfpojH^FU`cMA1a0Pb{0iwSHfDRM}fj#R6N?SLCL# zaP^|Ed1EyYIO8QDIcf7FfJ>Jhhy~3am8uvGrEZWPdnf4&V zA=2p$e(m6xMZ6lMwV)r$BT{>E|MqvyNv#7$=e8c2zQmdvjvhc}_hnB%VG>1~%fT)d1 zC`1SwwmkAK-+$`_8>f*MCQZ`AbZ%66%k}%))M(s2lb_{-uGc7;^oUw=MRk}u;9Ay* zv^%>#+Bb%`owPgF!&f2Wg}YX4;PYt1O$HhN-S&6eXG?B+jEfRKML7jTnZWr#^2i_x zDQf5FXorQZ4+#Nj!*ct~%QHXYM83OP5SgpS&HMZwP9S8i`Xf#t!8H)aN>FhU55L*} z%9EVQka$R%2JQGw60;V8E)ZLt&f4S9F+L@dd2sa8SMhGs2PhSHhyxU$>pg0C2Z>jE z$4|SB&wmoHI@QZ@uAMf1IYgSn@lEpP)>qf5OE+I_zBR>#BEGZ}PF7WN4JavAHnsiw z@gJ=)Z#!wxsnf}?EDn(preRE7I*--msfb0WZ>YI>rH9K0NuT0%xDX-T5rYcB<$+cfAxD*{6JbDt9xo13 zdZEkp1r;x_LH+9phj3;H@zJ5?^*|tVI*@RGi|%iz$4Csn^YFxFeEURVc)EnMt=fq* zC>OEs$Pka9iGFDH`ug@5ztg9P0#zX8VaL452(kM44F@@g)Iy;_hY4ds7V)OixXeNK zQQ7wL!I^xDkG;iUsWgROe*cqu`EstYuY3oBCu08Ux8z_~n9$<;ReJTNgKv%J9YI28 z#l;(N)T@tN{qmih#G-(sAAm@)_V||@Zse?l6l+>k5?YYkMit0MfKcw8^!8I6`hpjB z{<4Cy(Mi{1>#^Oj_wF^EeA}q#axg`B>Zp)dt5;DVn09Ylva74Twr=EBIcCN+FLAD} zoyXK-t!vwBE$&Yyn}*e{ENYOHW_{Nb5!2fr&Nd0vU0F5!?zj}8LNN)vPQ2^z!lfo> zlZbagG|oUNi)90SO-%OfB@Im@mViEcmo#c0XvEVj7LV7Jd zuDE1^bnpm!4b4Z=*1vz{^Uw4CCY{^A!eE7PEM)tjE!|^x%z2DYAUgo9#u*42C8&m~ zU1po(-`co`&(G1QPsAC3sVd|Oz;(^xz-0^i zP;jvXov*~1a|91|M#)2wMELLb06F!{d;3RU#i?Qdn*68C2-=1;+RZc(UVVGn{d_!i 
z67wRUtRTX~<347FYG|xTWA@C|iw|)osktSPoI_{RFD)60z)X?cSxEb^<<2W!-9^CK4rxP^ch8jckd0BXsur-aqCl%=B{WbYo#5gVrNUmVLto zJo5NC4^oR3%AHzj>ES{^i|%^*J+87}R4tHzUf4SMbG|uvSq7T^-sI1Cb9YvOXieOG z$Kla@L7+8}Vpc)Ji8usU4+<(Yj1+tn%v@)CTgUFbi{sbF#P4y7B7HpIW@0UQUcB(; zoa;E*XopRyeApbiK{&9F;)u0g@O`_NZQyk_3Qpj7hA7XgrrNT*A6{zWMnm+93-fTa zGf~zgnqE50%HmWEz-_sf6lo{(#J!_U0vXUwrcgkWVFT7? z+GRLgjuSIl>^q8m`uIJY{>F$=i+!3a;e-pq!^Tn9k(KEwL|Y@G`EvO_lK=vrEkmLB zRT$EWosXFu5G6q;k}8ZS8c~GDJoMQEd<E9?Hj>#0+}8c#@?YK2oj4X>sCoVfMI{omZdc^q-;vgxZpF^27=1HtWQ zI&0Xp{l3pRS?bk;w~#1`1p@rgCzZVLp@kDU3)V`8l+~?X23uG+xg_Th@tBkh)TVJ8 zR=v;HfG_r;zW4!%$H;Zg#f zMxr08MYMAG);*Kz4@M#(Sv4RTFf}2`BR9SJoXJsCl1CuP7VM?0Iue=|a#W#X*6`1- z6#l{kn{MPbd%c-Z2#Rc4b@9l0q^y2t+(%0|4U)3@vJ40zkIRgpt1inl8rOs0FcAb< z*QUMt=(BtXwId_O1*o(AH& zJD%FX1?yiBrQio3;sk5QE_$3dgXELpSS>V*DtTVs^V-D2ynOP!bh^EuxH6|xD9|+x z?;DFAGx0#sdpPBkVsFKhex_EV;oZOFI+G)UG`vywIf2kQUdK6J&p8p#IUe^pisPJ! z?tW&a`lbqwzv{VHIoCESh`X5tIRV-iwo(&g{$|I96`bK|st5{bjF`SKrBE~p-4MU? zvAx&vRYos0?UqA2rn$!$v7psYZhnTBN-PLhzL5O}_YkI_b%CSGD3xw)C6C{mA3U^* zPfGImO(6bU5z~YYaKZ63p*e&>aZD#fE2FvSmQSYFovaSTWE454N&qL^FPANlm7 zWxU!ye|}#l`jZ#}8EhN4{n=`QQ9oL)Ke{L)jQBzTZ9J=*{olK-r8a$In>eG9q6qs<-a`t^!m4-x3=_=$uU`#^s`2;L2qqo z2#lA0I>JS2{(8`H!HJ8uAqZZgU677;)Xy}*RR6woV5*;Kf(aILc*~nzpRV<7y-bej zWRu&}TU*TD@^8<8C{?yh^IO$hTl&i7xccLo_0|^pKhJBX6`y{fM?J}*2GITLtu5Lg zliYv9m?4+`@LVDd%Ny0p6l4j;u{ZZCSD)&yCrzOA3)caqCppv!HMgy|w$#4i-!w9R z99DO&S6Xic#!EkmUBcel!r$@lPOQC(y|snC;$LYaX>}iar7c!q9Q$d;MX2&c?X4~K zayX7wc73^iX?tr+{XCAxAf>*kO25b*Pu{p+*@0|4K%Nfws=}y^IlnFt-v_;A6s4k-`Zjg!||R> z?oyDKu{SWTg~#e<@|J%)^t)aT-`etBQT(3QY5?5`k9ADD7@ko?Gi_n%2g=fu97pq_ zrn0skPWsC9bM1ZrKi z-g?pmN@q>Lr6)Pm5Br>9tu1}$b9_U;>s9ffsqctF;kEicXlh{jW_WO`$`$d9Hjk-X z3g6nIr+7^?E@O2ee1*$cfpP4lR@8nNb3MtSv^rQ_6NWC!tUhqaV-4vE zH8j#3P8$KMOXMpfUA{o5M-FYZw{Vh=^|!i|zP07se`8WF?dp1HC(2jY|IfLR)rIwy(XayJ zHME)DWZ&9i{+@rY(MlrS_nr27?JU4J_A?UoFT1C`ef?aH%V4&B^4$}M_2O2zp_)lg zJH~?jUhOLr+~mhjKj7Ar9BSYNIKPumVs$DfIE20?S*}jWgmfdg>ZrLwqtfG6V7vy6 
z_0maySCi_{#O0|(XXRo_?3>s-j{UUZIBRhp&QoV|lC>2(*E%^I#}Lgyo{nkRJ90(r zbEIbu-!%NZ))xGa=M0RN@~|#rJjw|U(Y*RZLq^q;9O|@UF0OXu?D-OoiQ_i z3WiqI$>BJD(HMtnZD|mYmtgn%V+d;R2zw$SgcFE{;gsd|!K2mZ3Hzf#U#PXk5`<&z ze_q53jT!#W^BU9*oP3he$9j_EIywjo3lwYRzdV27@Lo8&cVjHe2@augDqKAzTEgRs zBD*A2=8Y8?$KFhl_2>rtF$9jvZILNSCfE-kPYWW$cz< z9QzN9+q}u?0lvO8940UMm(7=+Y>cp;G=YkjJCJ%%PjV>gL6_6%7TuLqTsR|{y((?A z0^`_E!*#P1a}GA^Y!YTf{Z47jf5J;OCPbfe#FU!&poaq0tL&h!*JuZkeX^Vg<&rHzv!Thy(j@RZFzP#WIPz zwXiU-R~+{*8XGID2#o>q5}MCG&7f30$)S$@Bd!idG{ro+xtiv1no*;!ZKI_ew65&U zKB@-?q;LZig*I<(shh>i&_>f84@ef*c#T_WW%gTvaqMT}XcRdO6yOi9-8qBfEJ?U` z6k!>M)YfM<$JW^Dr?trAPK#!IoK=y}XjWQe1;*=e;&3=a;8=DM7go0=a=9K*UhOOX zm5sD%xYmw*g2|-;#}N^=8hZlM_x$^Eo8nSLD8;MFejIw6EWkMS(;!15-lXPCX}=_i zb%?^UC3E1>b#ge4=I2f~C|^&SKn*;@fYOs33Tg?&q%X7;l4(sxp+9iQ=IU}{BstXC zaqYwl`W#1jaDWHCh3zA~qYZ&FM3r;~N?cIUTr58ZoPbF{j5HaVQbR=|t2#kIx%KC~O65RUjP0 zl~qwEZW{1KAryt8IL#JBoUn+;4-M^iMZs%z4Ba8)^7^nlt)w_iV{3i$(6fx0r6)PA zA^Cg{oRxF92?PFn*y%~nCh*<4Y(AGVcBHU?3C|q*-WE{U8tNNsddKOa7E3&Bs$UQ3fh=$qI~PZ~k+s2$436bP0!tP65@@WF;xJmzC~88K=@1jdRHm~6>${sP>AU*>Vd0!UWmXPdNNl1tGlZTg;n-|Vf{Pfv2FL1j1dwoC#Gtnk1g2Van)3t98_81CtX z##Vgf&<>oI$F9YWKpdEC6m&Gx)0JumOV84QMEGxNce{wCf9p?psg22G&F88(UIX3$ zde)O1SKsn(gC)K3Q-crcNnXBT1lr<#Jp@aUTTkd!T5+ zF>lz9=$gS$)aQyRZnxhZ#z94d=8xi<9%RLou!6fZod^~e4McqoXVe{bK(X~*QTTYR z281s>pKRy!hvypVW6)lGO>#f5+I~mzug{8?@=4r{td_8dfns3PqrHrN;s`5R-vAtA zbBv-QYWp-J$)T*ZZ>Ld}5VC^8Ph5f-j_5nu1r3ne>*VlKG`=5qrz8ztA|RiHsH})q zU>y7DxbPZh+Yma9jzX5}SPo}Jv#fq5$E4LWL8l#s^KJn|dJ|of5ENGMbufF)ziv!I8H_W_okK^)+tgGZd|!IxI8Pmxi9=sx59SdF?p)j- z1*h^%FBCX+GB}2lF2IKFvNExvr?H)bJ%PRB-!%>U8+7}_{>F0#2Gh{EpbnLU3B-lk zeL{dJCrltLb;?5!wFyz8M;0jZI_fMxbBr2gBvtvWL7?W4ONBD5z&Q36L`T2^Oc$j= zf`NHN1s8y=rGs=Vb+R}Xt&SgP+s>m`w>(J_F@8h5tEnv%T|O&r>mUNtK~@W8Em69vW09|H;?1d+Lw06#iO`^ zgj>Gru+ly&Fpm9<&fa7`hX@LAIO{>URALi!zgxGqQSK|3<7%GsYePcOlN{>g6rF~I zB#MK<*i_}Z5Wx{1ZYFQ}w}z`HR=hsEJ`?#;GSyb-1eBiSxQ-4cajcH4MD&;EQ@`V; zdWT3?aTkKgan5WBRtLLFkxuHxVM;Q?ZUx4%pEL@GgzN>Z#w5KV>;)_Y{2l+!*tntR 
z>hIwOhq`bW$*?6zj~wT(I!kd}QVByY0!l&BAm6)OmcqtEZP?M4FBIDKL27OJ7Qnou zQ_|R@;(QcsRY%db+>SfdvD%rv=3h6WuX4NPo1^2Z*K8hIg7MN@AV(yj??;_64{_)@ zlf?<A-;ndfM-JUg@doIJvCxwo>eNI&2ctnQ4`UvJG{m951Ia^qQYV9B z7#K`mg6%2EZd!svw2aEWi`*iIr6s8lb6tqRGo5itctAQsWT}7g%Os(;5E3i7) zy)K`$#-{>u)Qj>O@3sQt*iZOR4mw2+YiZ3J{*BgNudJO9xC5r#&I*iU zZ$)fBy4e~xLO^W}tC6-Q;OsnRd;L6)r}+u5A#vzQ4t31=U`%<^3hOBjV<=Zaul4n; z#}w3L+lX$Ej-KL}8sP)Kg#3rKsT_TcNV5z28Q5+LIkgA3bB=5`%4rmm*TWt}7$#r9 z8w7uF1w6PD$?I2w3hqL3yJFB^Ks9d(!m)mLAD)KRD8IYr6tKf=M-0_W-(bA{CnvFc z#1)cxEKRrrJps)J*p1m+{_SbdN>F%$N>CI8c1a<=MiDBpdN~}&PzM4AdZIAK&|RcK zm)8}EM&N1{_BsQ&ugc}{$9xLnS|Prb*N?cWiFo7d|5 z@TYHX3m9`zPx6wQy;UeZ$)Q@H+l4GdfrO!E>4fN*L5z?TiLrIFI2P$}239Qb=mv*2 zM20@42aPXc28qF{)IeGeMqA<3R$#miW$Xdj1I4YHa$Us&jAL(1`WO^UBgAx)%mmQl zS06aOzO~vXWB1X8Lx<2E>yh(mrkT9un6-Wgc%ma4hUZh5th7GEC4vha5{V*%^B!~Ku#d?O*{}vD&=h+d&1N21|uY!wkaa&e2f@_-< z55(e_181KV+}RRw1;g%GYfHnRyp*HKI_-oOK>N${jcqX6Uw=p3{K@YO-lr!yuEAm4 z+my+c5Ui2}9qExnH|zEnl&mK?ls5VauN=4CWdeQ_+H<5!<^dyJUMkJZ=Oa5?bP57+J z%4G${u{ZCk)>Kb&sAJEER}Kskr17h!Ih=766fLTMDs;dwxX;5nMt@9jP$)k70f(OC zP%RYtn~bFiT!sbb5r}iR;;`&%STBoX(fT&+lBhk9GW8sFTY+)x%_l|;iqexDs-B(i zxUTYf*R~Gob@7SgI0h>g?(w9ZQYFPWKe`HZ3tUeYHykvU_f#xFEKPeF>RvC!j9VUPvJNqqV=hgdfCvQ+7C^5wpf^ZE;xGz_IyD{w2|{#}Rjk{2`#k<%n)&{$L5l zv7bS*5X2)2TLqs4+@n&o7faySFay9=-$yRTrPb8w#kHY=#m8rQcEMu>#<4d>b6Oo- z2vsc9A>hX~1blt-Sb_06w2VSr>jJLv&Sc4*mK=66S**p7$m?ctEX~d58hk@fa;O18 zTz>^FN`H86^H7b4YFt!Lawx4g6a<>#sXt>eadXhtxdn%b0XPJ`nn)xMo6bmqpz5YoN zHQAABQ%7d#q==s8-#4PW`W3EK#0~J|QH#rcurt3L+y)n!w5wgk9F$l2cB25;a~cQc zwXxC^oiY-_1l&XtdG+#MJ6ton;Gzk8kJ)RE{iHbfBMmmZ$;j)4)Xw}J|88h762N^A zF1J7C4@ck!7h0>E8>a?;*4vj7aEQHa|4w*p{tLo)&9Q`jCj?SY0 z^E_iS2I;Q;zD%2Kh~F&oCDr3K&G^G9I`HijR&Ed`x zd3Iy?j3md^x3){8w74S0cT`huIbdpKjj{scWw+q!F!IbG0~y7vwZ}^tI(vv3*Ud7) zlFdMS-IYn>up(|a!n6eUgRvD}TP^jnIF`n=XDx;wsvY!;aJL=Mh{3LlElAxgUe*bJ zp{wsk6{@BD$S%Gov2D7o|JBhSUC!?wl98z*Offh}4M&Z!EffI8Mw;REYxzK|c?AYda$J=paSA_#owk@yb 
z+pC4OwtOpaURn!8_GE7sZm@i;&lXE;yj5fF0<2wmS7xv6P<&?|9FnA6Swc$tBS=OUEBpmX8xXk-y^Y9BOCpaE!KV+?koF1ptL#edc9?xq9#>+oGpV6+#%;Gu@dk4G)N9( zk2~ao`4pB_IPk;79f8wKj4a$%AROy=*U_9tCosxBpK7)P_GUY{K$66ZdO5rn#{^5b zERPi0dWyrGiB+7IaG-_~6Dxw|%Ud~(gfqx}WpivArNFQ$dZH_7r)7+Iyg9ggV3gJ^%jr3^wR$smneR>SOAbniu>Ftvy~GgA{ZUaW!G4&+=M< zaqK5UZnA3!WN=IY^Rc5-#Y$=RmVetkC}XU?dXht(iYV`0*qWv=vK??7*RJp&@BKO% z97A)ka*GRO6+LMJrB>HxJ;|X4(+MInY_=8Dkyv%bM-I)xOEeU5qP={C!mcLCT?hL{ zQpNWoz(ghmcgT*mk%=U^jSAKHwqNj?YEV@ z`&2HS&QpL2`Pl?(LhVkqCrcnWSO&{U4)qi3-fV4Y0ElBAiVG~mu*fPgSJ>?dd*GQE zarhM6-3C@11rv_NqCwneiA&-9VQ&CCMK~!26h|Zgm&G7hH1>ku5rx@VsqZ1q=t-px zC@kRo4grgt(=LT>n!n>ca`fNS&K$N;<-a^%qcYqpB}x*i-(|KZ@mhh^!=7}B`tU%a z=2nXG-V?5ReS>lAr;?CKr~V7}ON%g&kFeVzPq5PNUHz-Z2 zKFOyg?sJ-1#JyHvy!^&EjYfwmuAvauM7PVl4i;d%4yWR%DOuxjn=xG1Vd_cKc|b6< zIvE^8^M#ihl%gj&)PTRFXh)^};knJfsE((eZlB)gwFPCFC1^P?NXr)fpP3syTj8-S(wPsMcNRw zQg9t12U{FHqC;nWWb%>_!zBwZe&ERA+DP0}1GQlu6Vd!V|NiW7$mNHdPS_cZMR8gd z_j*PGerE``ANxZ=KW_HK)l^Ym$OR9cMnQQg-;)Q=*rGvsdXksbJiZF0Cppxqh~Y%R z{Zi#95#V7EezkdEp20CRk4mLR;HV5~B=w{TlpYe5CIfEKdW8sCW?D{5FkW_Jn#E&=V|EqN^5t%>-=VH>l1oQBDg!DWs~>}%7Au0n2J zBM^27yXQJNyd;PwP%?pcb>s3@oT38jDita+i&=&V2Hj`X-U*j)d#(rMfeD1Q%shi* zFpj-ocGf=uGdPk-BhWukYmN}oBgfhI>^!LeP7T*n#H6Vl#Det7-f^r%AwGv6q$^Oe z+w>H#B^bxv*sT7+AIT>~9a`SBRHEscyyW;BImhX9x_mPIr_C(xmSDW}#_R#d{XNyy zt=dC*mCmz?PaLB*8qR=pvtq!NG}|lqtiU+-mU^-YbjS6wI2JoLbm6GW83+ZU4x~I$ zKW^fVh5Qa@AmZ~X5oq45KseU#u6b)7@!!TOt|xgp#|-b*&Y95)QciK0hN#Nz#&O{4 zoKZYUGfCQK1;$H1i*`J4;KIqaJgx}DL2?8SDB%h%@P9~_*bDUyz%go6-U|BOmUxk$f9ib>oRm?_ZK5%ujGfMaZIUX@#=%HGc^#1rm?d2Q%`cJqlZJnMt7C}^8DuZ>fT0A za;RfE;L_68LlROY#bKn7OOOitj==OQP5TIY7KJ;3REwe2BCi%H)L=V|(`|`%qtI^w z%YBE%<-u@PBNqoX(xjxd{(9y49B&kBs!pfS0p;d&-<^Q~A< z)nRtl!)FEdKdt9atZ4yyMQb3F@;BUM%n?1wp?-?XN3omDlg}BEA?`p;mguCs9lKtV zqtfIN(g+mC-MqV613k&12K^BSiQy@Z5Jj+6S06a!>7>!p&bcPRI}oX?3o#H7)d&$+ zAjQ|uAZ=i9NRBK1~VQl)^Wy9ZAFQTQoeF2Bt;SGCyG33Gr&f&#T-XJ10 z_!O@LI;`)C!sJ|TBcs$9glJ^YF7{Ak}h>~s~ulQHZV{b853O&i8PFM3Ch^7vf(FrDuqXuxwNhP$9 
z-Nb$CW^zo&RL(6yqN=1gOmnm4UI!$-tt4#SuKU`oJM=*!$p?p@Mx>N*#g4 zsaS+sk+{FvB!Y;a{*VV=%#MgR5DxhR z@ajjT&lo(M$wK|zP?%V#rI0z;bA2BXbO!t>GXfh%?a%+LM>VSRLW?g*Zt=L!boN+* z@ftKXUZ-jD9Ypxlr6nyy9_hR@MY!+P%i$%p;9y*_6W@;@5e#lov{lW30g=aXoh*)} zd03T;>q!o!^_kD_6s28-f_QShgWn2_V?RYrBubDX(GCb)*%EnpVW}{E&A)EGb-J-O z>PZeY@H~idCB)OHBsfH47Ukwe)zb8&39gr`PM-o_=arO;bodj-aDj&qGo5itcb%e8u$TtEwL}S)_ zR$v_asf7Z14t^%Iu}@uwSUWh>szskR&)^t-h>-O-aEdD{;%ME-3R|g$H|{&1<7@tG zS(!CpWz>@#>X=BXFrrA8r|2mTW5ZQ370nK(XAXaI zFxvsmPt9$BW^ehoCq^miDEI{hZU$?Gp_jelUo{2)jQx1<&pgLEX7CV9_z}2>Mbm^~ zbmeD`QJYU{JRw@)0*d*3vI67S8`GzsQnrH^=$aHesn_C&&W4r8>@_b#YXO`mMfo)l zFpV(bw*uqXPk}-Ty!0~I#k=Y3OAgn%KtpBvnt$E=#Xe*9>PZu*7~*A*fndesHM=z6PW+(Sq+uj~rU-#e_$S3`>qOW_;BOjAL&;wkqG~ zNe)%6Lqf7aLZmX&hx-#2U>y5t*cuePQ-JL$9<0CI46QRSTBd;Xw1S? zZU^p279=pm5B0l=grBki<8?R@;YUFYxKE4jkkj0b*em{(R;RREjtHMN_4D;xfpP4o z;L=nw+7_^=Lp=z0zftOC;IC${`PXMA5E8nG`Ao;XadIJ{`S8LvL%}O>7NxIjj*VLC zKoECvB~fX+#e3fpjAOUKbd(1NN~TJ1Uh1T958axU-t;~H{QCgb0^{{; z{`vF!I*GfXHF}am^&gfSh1dc3KhJB712iTvS&zV(r#9P0_d^7#)>HrasMa%29ox@# zk@j>7J?-jeJC~wUAvw3nHcZPHL{A5sY$LTN4?VrxU(8!Fz;=BZ;~yw<_0hIs6?E}H z@xyt?h)*+{ZJiqAFX+3m$J#E_o_zE)dXO!qJ%LWnJaye5qh1q^(~_;HHdDq9>1p<0 zsV4J>*!}<<1b1kNfnfFVw*S&FpG6rnPY|23{{#uap%ZOM4fH2kStr@z+LN80R{TH$ zU3aprN6T!Z%q6E(`oKj`^K3>vKDHV4SaGWD0_}?v3FgMrjEwEok!yEtSEe{5UVq!lr`iE^}5vSQgulO|9S0M!Lqa8k} zs6BqMnXfD29N8X_KzE;G6nFpsE%xO#zY}SE>+fu{%Oe`6N*?+rF>}p7iyboYU!(%2 z4YhS?t@{;yI5sF{P7H}vyFP5xWm~w?S=zK&95FJ!j#Nt4$a!N_EO}~7LO%QV##aY^ zFHVWAe-NkLnm>vZKjYjA3mHJw-E*!u@C*OdK=|dqiYWFEv)x$koniFVk@Ix&A4-p3 z{z;q3t*2^SY3-klc|GoY1K*41iyb=ae~HC@_`jrP9l5~xYVB|-XY+;9HUZTg!5H~H_j-vJjP+WL2qT<83|$lu2PhizuLBmRp( z=l*X4!N>nwr2eh{DK>EC#Zo2a{g?68!T%D;V4Es+^X|9-cYi{x)99p@QJKdZleWCp z4GyZ(ij-8=y0qJHoc<|1rLw z{NG0M_5YT8?Ee+pzx@9gaAW>IBe}VnoHDwfSjByK6h(=Tujp49aBUskb7fULnSWJ3 zaY{@Y(@z}7(O35~hJQWMf`~KYntmd0JdDR#0-aBVK%@%|yO9=_=*8ESi?0yl*Lc(+ z*Ii$&*@PSViDP%oxPG>*){DQPUOb4$apm&PrRUK%_7nN$VLVDp>dJpeg^rzAEodv! 
z`b@s@=6;oRLK~~=CrLHmiAOvn9IPbay{dl3P7ThTeFOGm$?wnsOcFu#+5R6{X&o;SCZWj`{O@2rkywMA#ayQ{|Oc`3^ zf6p$G`f<%-3Hru|xXkUrqqsEeUn>#D>rYmzF>jsJ znj?7BYq<6)DQnVt>2VJpCzQMYPa3b-&`**+4s9%RoQn9d^64rAx@MC!G+Xf~641_P zBw}2|=)u5h}wTdOU&@%d_cyO5r>P3qlAFG!`uli${- zyC(h}!J|01W8RUv{tzDZGFQJV@yTiLRkQXA=>_|%?~e%SweQO%Z9Y(ioANPNf(LOw0qD>@iOTTqolepq98Q&!H@-J_aTDNXOwTct|QBCg< z(z7QviL%S2o0~Kttilp^;!&r5C^wFH(uYV36KD6# zCfk2%cr`87>N{n;8)sE(H0drmZ^rBtfHK&@jUq~;xr%7a{`03EANwX7u+vbcKHKMqL4Uxev>HX@5iIw@k<_T66MD+ z3#7-bcoZkg&WH5=JCo|Td|{Kg*iT&~L(g7ZE$0Bz6&XpBT|RzTCYFOsB#Kyau znPMV@X~p^)K5^yKWmJ_}w5jq)u#-1QQ}+lS1?pP&j9jN@H_OjEwn%-k{@H4kCqCCC ziU$#CN1gKSe_kr{Fdl`C%(`uIkFQ zYSsayg~f5*4ymtay&{)!|4zBKcoa1I2VRw^Y{#x9Nxa$rn)LCq*Q>R-@{MYGlaQXg zTWZsoH>G}j5s!L5&fFuB+YvkptaI&KayvHftxl}TZ%Z?2ul%@VpVX#V@5qSme^=^( zS?|?k@0WUa%=^^}Z$?^B`ma17wev@o$&ek8SY?8g#G@5iIax(?CEL~LYpPirkrrw@_1ga8ARWY`xRbvAy8edxXDiae44ikpgy;w!#oCP-S1ofh z(n6Ut#>=2{Z>)lTjI_ul58qVHTQi}*zB`T4AZ+|cHE+_y{^Dx=E*^ym|N6~xiSJJ8 zFRl*TZ;`WiPnN#kerrwkl>XxSy!p2N;_5wVYPD9okQO#%i*J|uVa&Atk_<6pdiBeF zNQ(>b{u%vcsdC|+60R#}RlnVYw4g{|c$ZxL6|?(`E8L8`t6%OzTIjZ2bEGon-&2J= zjI>~P+cvkFHRE3Cs{?qPQC|1{gGO!Kef>p=ef0ejscyofNJcL{Aobw=^QEqz@}LYo zYeBUd`;iuw-<1#bm&D!G3#D34SXBLT2hx%@X66!Uk{rRK&d%2^EvG9h){V;~th?|i zwr1ZW)h`z=?=SMzS&#M?Mc+v)s*t;omash5U)q1Htj^J?tNM$}@;*H3HC?#6n*LHq zuY0`ue!?1Q{I7XJE_lM){-V5f7>{DTu3RTI;UFHx?604aCf)w^{YAC@-VN1iEZ8XZ z;^?QPLEn!@ft#$@RQ>RpXC%_zhsUy&Uem1a+$_=TvMo|;WVTleS8zKE$Kg)FaPV>$G;8G+OgtkU^KdC}q!jsru!9q(uteE|od;Wr-*c;!&)^ z*E_0+*1sa>ZQUu6-kMkC>`l9*g=Ot){l$Ib+}EXUoA5@poE=CDoiulM|H}4F+kRa0 zrd-T~JyI=3zf~pU^+=12*}7L6o5gR-*(>)+eK_|Wow76|*(^A6h{*1LPa>x&`=w>= zLp+MmN8YctZ|#9<`o<3=D%^!feWuO*P)4!vqiWulNDD3>Yd)?v`ub0*VB7RGJZZi> zIN%Qh$!Drtwe3CjDBIwlH?{x-`HO2&G{aYz zy&Oz0aY#tJx>LeJ878F-!4cAq3~r0NSZj*V+~xwEjD~Zlj)ofCoTNiM)H=D*$5q-> zTgd^%-X5vpgDQYRBMI*@1a~nSUPVi<2bT|7Cd-wp=24#>dr2;i_c$b@SCHPGAa|@w z%+o80vZeROQmqk5KOtcnEHp_17tpvR^a;At7yffXpJ^4<+9vi4HSIV$OGv)Ayw%Ox z2h>Ayi-%Nh^6Qm`osb=?g%Q12{zU6Q;}bcL>NTkRkytT$J;bP(m_x{hAWlrWe47-n 
zbpIZyz63vrPK##Z2$oZ*X^GgkMjz5A0}61`tO3^hyOxv&^r*#7X#lFUgXk1A z+r)PRGlfDal^0(fJrZZ^B@#GR?V^hli=Ev%oYtqtTiy$U6L2)eNsL;8rSDF_o#>hJ z?5WMx`n`N!>Ed!cMZG}EIkD0%qg*|cu%29-$t$IU^iemRAMt6ZRSoA$aOC{rbdD}) z(MzWseIQxaom5*bV+v8FPpQpCrCl|{uA?R@l!jB!pt>4ZsWLjDfYiNuCAE&PlvZh6 zZ9&3kKK(O7*PQ51UfhL1d-_YU=3-ygBGfBLHJ2))Ge3E%i2X>PNR<$A`Sps3Ur?ir zDOA%7rXNrdiil}oGDi`}#aBX?7@#IS>8>+mR3~Z3YPhm#eQRg4*z$l_IX#0)F}k;= z<WaN}rOvp452*aN|NkEPnv*!86u=f;c8o4nQda9g8Iafm6U7^tV(I zo#FJcdh0yRbP?CtLtVC`_nO9bBp#qQ(%_W_tx?5v#6~Xoj!47=Go(9*z($DJZOWuY zQj!W5snT@b(Qp}Gm<*S{X1I#Sm=ZNw&macU zR|hLK9XyzVz^hqVni3IGNfIN`OQJq7IFHFt25L$=wj0}oiwT`ROQ;xIg_a~Lml~jx zYr_<2IxtkO%-y6;HX0%}omwa{9i1{nE;;B z(J`pX#khu3>^X59q`9WoMyG!RQ$2DN*|9c|i1m(Bjb0Q@2shT!MEpUdl@gmeHkwg%r24eDYO-3K}c@#(aUe`Osa96D3Lav`oHR1E&lKX{+`hl$Hn-#Yi6A9d=~sj5?_EM#MT zQ!>Cp$9X!~Y>)Mwo?N=`(VXQk>*X$U)f!XTq_%cxD!EBrI^;Xm zQw-hM5Lwu=m-=JWn0AeP#p>bu6~^zHWs*as=19{*^l77M1|Lt2B!O5MwdPm)$XXFR zTxCs4mB%dQ#7tY5EZ(e9LgP}hwO*2vvKZ1|V?0)ke8p8XFA+*LBGR4m_-&8y7CBm1 zU1#5_oy8q0Yjr3|jipeo6w7mSmj|i!(&4O}1>J=+=XvDywdXdLTwM06TE-$pzr$K* znK((ktB&+BSz)!M{uZ~3`-+$NEBVoHG8LBX)5yr2dJ@jaEHWw_59=-cIqI+$x0(X} zoK;itIhU_WQCMWp&cc(VZ%NyuXOzOZadpT`N|lo-Pb+M(=c;jejkCfS6O!ju7;1YI zm&(HC+WNfi0G&8)J>%ZcDG+tw!B;6MMouTcXc8iSCv`SEzi`sd`Y^QI*V@I8!!$;TodO(0{W2m zQh?$9-CRC}!EatwL{!(V^0pon2o3>5;yN zY%9y8Xswgzolw19T@~J+m}W6GG#V`wDTSanLJ}L|8T~wSXqn>Ur)L zq;hl5bD5-?>YnG?DnhM4ZS}lL&9qpu`hl+DR&tf2LTjRyOQHwHau2a=(@Z>sUDB=R zC7a3)uZ4=&qAq7dfEKD=OLXa$Y+FrVi*07k6)L?hRIt*`lk`};O&<`P5rNuNs1e<@ zNHxi;)CxW9f(NnB;A$KxuO3p}Mfz~{D!tu0xa%)_Yyeal< zYl~t@41L3x|8kZ~*-Z#Qs~xR$SfAJ3K-(5+@aaXZBJR4eMZ4zCvOHD`>sC}vW%a=7 zrg9ruwt~fYC3#vOsSn!yTi39rTE3S9AlGjgaSC^f}v@Xhftb*5{_B=fJ>BAOv?sTcCZ)MUOBOFX-TqJJPA}{v07S+#d=46EoONzx`tcKvUuWS_A8aW z(``;E1gm#e3PE=?*JZBBddww>J}&xhWy5MdNM13|&oPIdHQbk6L>1aS?RwHIWKP&NX~|HO#%sq^#lIWVO8JqCB42 z3atmbvR7>hR4cohRalbIRmx0TgjDwfmjfv_s~)il~HCQEEmGhrxWf7h6XcmEPc4YD0^N}ICw`#>wn;my6 z(QQ;OWR+@R@n(%ax`rFfl7}rri*G3qw?(|@sC1RJ@|kUCOGhkXYGE{O$jDBYSB@b 
zj9WbF8g5~?wJN$o++s+-!XI-Lt@0HMiu=dnkMbCnfmd@D?zB`kgLYs}42qt?_+x)ZsBzV$&p4p{xL zQZ)J#Za;K|K+@IACT^|WbOfSRrFKv}L1}HNfReHs1FW*6&nl&RbD6>uva`tca>YPG z(oM{b?{Y^q@)b)fbTgIbDwYA({Mv4?1u|RTwkzqg$Z)}l>FIriVt+-4(9o=xE_4+; zR!_0sacc-erOH;zv#)9rrDdR;RO3z(4R>_+N!GL+Xp7&~#ZDaVt`ftuO%*;Xxz^%ly>f>~LZ?R?zjk$B zBAMP*ww1PMb<1gXEm=r@T^;e_w{il6mQ?irv*hRwi^PWJkK`yVh3p30LEN{fM%&TuzM8^vI|sqvxghPHY4j3arRQvHqPGmS zfiMyx8CtYdiy1<+AauKHfmxL^sxlgANs;DTS|x>>tm)d?`v~%5u4KI=BPVB6e{W}Z z5$iOiJl1494n@r9>q?hgWug~m^Ameap(YU&7@`?Nxs$MCLyBknHFp=gOOHR=L$@?) zou#*)Z64dWsPb7lg++DMT`HM}RpH$6!uwwM%ulB`&c3hyo)^Yu&c<~-IuS_yH0KTn zDPWh>HO_8o`0Wx-i1pyGMn15xyMS9f`vX`@Rfi_v7Lt?yP^RZd&7tI>SpjfeEwn8s{~rYihXr;eozBy3#wJ zlV#9Xqef!=O@sA1V;%n4o%N4QYdiy_)5`+n6e*1IRnDtW)6_8g_im}Hn@kDlJe~?v zzwffQ_T#hb9cSZpWVM>s_|zSSJDqohaXsKXfXb!@by&h$b`5P{o_yZN|Ry0|!igclfb#;OA$lYCQ>95o~# zVv@K0{LcDyX!A>V8mYM6w@OOm3g^?5DM=R!uyHr(?B1J70rt!^q`PT?T*cip6Lc?3 z7rW`2%2FVm!-3a8I#Vk2AX7`v;<4(8?#aDbgYLad_mTfpbZ?(!=(aK$xwLPe#hotO z4cprd;aQu2$_>Z`PoFglRwXjG}$B7&M+Gk}WamT~1fy zW{expALxb1OMwN2LXIv%$5rk*&xas(+^~|oMx)JFn7q+nAlDd%fxC=k?UYYU-xJOg z0BLG?F|8W(AQ?zM-J;#g7gcxRRzTRe?3k6Hchc`l`s0TFm7gG$zI5wOWM!Y$xa4lb zfSZ|$Y4314P}{`!;_*MAh3?4Xvi$Z;^X+Z??WIem*C(en4&&2$v~u%X@uz9T8pfw* zKOf1x=>JR!NIaejbY{dF0y4+h2V@wr);!Dbq3050EnIwSp4HSay*XFvQU3yu_$9vY z%r@+tWOkOnX?lIrw8m2c1E=3|KYfZm{Z}wg>ReE~AF~nkjNJ=-kz^X7KPbgvxm(7EwD&tf9JD}Ht4KmEWuYg zuS6x3p-$-nltGtB8Fbk^73hpI>;y6>!<$(dt_xgNsx!CAt`oweKhpk^E)haqHuate z4>7{!%NXIo=a>dG`O_HN>z&s(9(+zy!@d1|feg|;^(@Bi>Al&-RS$sM7e-Lx%rSa; z3bf$9FwoL9t#R|ch88`CEHABwnIiJxHs3orH|08G+V_^}FxFB8gZJ0b}Y!8lS6e=!*2}q zAz=XdC=0r?0i3ofcsv5>`n0;Be(gi;#tqXo|Cj5>hcdluY<$Fm>j;)-IeACk!_x`3K_b#6PyCWj` z*?WJpso{lf`F@p9Bhb;!e)b;)S~=C;7*!y6QtwHk!-nWBO!SGjPsjC2(;Bzen{h(s za%36PSh2l+s$<0gAatAytJrjp3Vd#YNJd6p$|xcG`g86qdnvjE33xme{F#C2I3wHr z4o0@$F)dZbyq;c)qBf#xE(Nys)d75E}MEGN~5~#8Qspc z%+~G~n?{qPsv5)o&iT8>-7jvUG65uk&M5_wB=1OKF7HP#!q52J21y^ zu4N1tIm!Z1Zqb1`g2V z|F&UL=LBX3aX0zWy2iu5-PG{kdJDxx`T5=H-T;>PyGvM3!s5r`01|WckpHnTKMoME 
zc3Zw9nQAdDx0ji^_1@|AyU=n+0*0w_Qe)Dz!4xg^M4C??7c!!;-p=U?SQc>1Yi#M>~@7 zRC{|zJRWOrZs|y&)RAb9wg;1Ku~2hcG||x>PsQ4zu}~x#Z;P~bv?jyxj<$Fr)fNi1 zw6=A`Qt@QCH5CjcI$B$T@mO=RHPRk!O`y~kY)gjle{G>)tT~ZNgrl)Yygk<35&0D$ z0aE|99MBX}qn6xZl>I7HD&TC}IK6(y9n%_bywvEFNzToBMPBfYmtukIkp~`rrTQ1L z6~82g*#^OyeWbG^n|SSP=y%MRc8?4@a#0NZ4#u{b?pUr%K;`jNpfqFK4j^=#)gR!o zZPo7zgff`NMY!sBf$$S|+<*Pf-=2xVRF?>$E}N&G2!|NqDTVNaKvJs79WmE5o^CaWkHponFZZxg-Z0ke@V|>hctZ{Q=Q^Rj!28#6JC5*5A1K5%bV9~kY z{S=f;09sJ!yv(%x6>j-a(D=q_jVpi8(5N@)T?Jq=U+26IP)!Z@G!OK5QC?n3plJUB zS!2{nG8zmSD?dXDc;$oB>;GCk3wqMa|R#_Oq$J6{I8!>(%R65-WlQ}2m)KjU5hA;x<{;MH4|yaFIty+J6e zr(A@x`l%<%5k`4Vp&a^s)6&njPBXA@-{`!tap?D(8h&d`U(cr+v`y)K!G-fjMpZ7d zs_fh{9akp8XM4F}M9%{_s+jpuR+-rdks1t?{;GDjtcqBodLfwrH|F8EprROvKuQp^o-wA{@d9i-9=R+S=TnYDooysc|J5X*MgHrF_!W?Y)GRs9 zF56Gz?6D84adz1&jB4qaJ=YAWb#oeTm%U=*s+EExek2Ag`pq_KAgf!J~OZezQ%VXk3N_Z?bvR1+SWRBo7yNo7lMpf}&G{{mUX z6M;xhDo-$vOFzn!$_pN-$iyk$9&{dTyZ}_Q{;K!!-om0@w*X{S&m_9%7_%_S=!Svr zl~_!jXE+lxxfmOTa%{%D@=PwCO6Ok@i*%-55enryUy)9vGu4|NAwMWk$}>4XI5m^= zgOWUoncV8n(oAmkQ)(u6Flh8f?;Vwg4Wlv#gHW0B2no+gmq=xF**q0!jmqo*QVfy* z$SSik=kcePJobN*jpdI2 zZUn21C7BK7F4D@tj{lC8fd>k>{V(uvfv$_Ne*y6rwSoXgtPE@c3AmenFRu(NZ!#ok zw#(r%ifsy)S>80caG3*)X%v_cE;Ax9X)U62lH3Wl);U}20MgVD!i^A}0}Jv2bXx@F z521-Z;|c7JMm{Z&l3 zum7=W0<8sP;8H9ZlK=HThWsBXEJBE#`UCo{-x7}qIlsa3-|}ge|InXQqakHe{s&DM zhW=z~6NYu4C&fAkbeJ%#{ZoTZH#fF^6jRD*to_rn(a6TEsJ>)pKH=fl`awY`JU02k zDWl;BB}FQX#xC$U$JxG58I4W%8z$wsnNX11uE*(V+;o3aL;d`8rr4eD33R243y>-! 
z(4S9dyJ|cJ8xw+;gudM9*fDO53!j-@zXUqAqS+9tbquXhrc*V?ie}v$oiQ0(p98T)8=Xpd^=~IWBQ?T-dLgV{MD!QeU;_jCP1COa0*psF+{y(%KFkMA7YIDJ(z8QFMFS zY6?MFDH6h-HV9#cI|l0#sPK3yu$nRW1PfslI5AMr=Jysb&U`4JEfjP5 zFR)cS5t!tf&1L5Az~_0*=19B2rF$WnU^O`+6MUq7Y9@Ha7f7j=4zUT|*ins+I=$jd zb^47RU!CMu9|3I$z8ZO@p^b0fWO67xbL5o>&wLm$2(PA)%)%cA9?JI(WO@*^ zTj;D=0n#S?jwDlrXI^76hrX!7Gl%|M&`HO=nNEr`8v1j@8MWfbNP%tu4a_g}SNsG` zW7bRjBF<>dA?h4QhB?k?@KpxAzJin~po1TSuWD+zh^z` zULVCqoA|1^#FW2FtH0;*-I?tJMO=HP|Kj@l9 zO}hE&riMTw(GhKH54J|zT4J%b_SQrs9*c*XTjPjxX>X3V_(Ooj+wc|1*8PU9JA<9|S&Tb4+~$*mC}!QtGad~)m1Uz*OP z6~@JZ?IVNc&|ji=RUgp-LXW2cwdq|~fY@;czrww1)q@7HeP6KKpI1EyjL-iK-Jf-d zFzT|Y_r$ntm@r;a7*7DB?$26FXzm$OT0)c06Tmp5xv$vWQ~m>7)^CADo_F2|JUFs( zj3=L4{-?nsJs-7HNv3hj|Ac9LnC}hLe}Smti9{t#<6cH}9jIU$uX>;&uSapDyq>E- z#(qj?%<_6N$zkjH>8$8*(L~o=T=<{BJ%4 zWl_QV6fvtyq%68@o(i-^J+HE|T>l!Y=b?v9BUW4^&HAZid+1>;+e{`bcB?X}T+&On zK2WY~ec;ON=>sL0l)F{S|Ak~b^mQfMV~-d z|P~4oIPG{rEziMiDUU%;s2D-6+Q3{mu zef@!6SOSk{V8P?57o;TbcZ{JQ0(tj2`;Jeq??)8MYm9zt8!Wf!R9ldeA9xLv{0-07 z7EzZ-$#vP(3)Du*&j7LG?ED5R`HH_bi1oS^_RGw+;EKNnzKlEn)Fr~F%ckBF-!;Z} zQ{fu{K5c=evdI|f5uhXk6AmFxRVZ6Jl=Rrd@rBaLc6+`iSd?9AfZ0 zy2Chw<1hXBC*~QEP52EkHQ{$APL~wQ>y4>>3PQnn_wDKRm*G=C^}md+>ye=BOQ^OY zGyBy4nyN1`45To#-(fW$1x~G$_sFD@tm(A+I0}UKK9o<-$AZOcx_gnz`^j|G14z*q zM#?}$g`8%^xCwG_YJBAH1vw&Pl-jN!|8(T<;h&Zk=X&#t^Qv~2Lh@vt=bsYKSx;QK*=P#!+~;M5@F2PK&l{^`0Sq*L3zs|^13 z*Voi3B~#L=?XQPU=}lBq0=XVf1zKY|cLOO7%$;SOx(1wDr|xpEuP~!+|a~SmCsLJ=)+8j?CdUXCaYvDne9kudsJdKry@tK|R z!hw_9{6)#NSa~?lO~3J+T6s8^F-@WiQY}r!G$0gAxJ~;n z{W7)xneTJ^@5mZ?TLYaMtZAUzk;Opw=e@WBfX-iuB5-;>7g*&$w*h$XbGD!7fo@5z z8ZX(;^6naOx+FL894UJk$4%fs`jsOdICv0OW~1m70n*gafcQD2V&J45(wOyQzb#ovnuc0=loa^Z52x2}LPH&#Z@R2r)-8JgWhJIXwS)7~ zU8l6#wGCL2W$#DaT~~A&xoPtVH%r_U!4g#S?G;^RHHk(#WejX874w>J`$1_n@q<%p z;s+&VEYxH_xSiu%0JpSHwYJ-^t20!aJtH*~kW;+28^hGYX=Hy)-``&tD9+6m3Vqd2 zz`;16BxPclI>oKO<;OfsT@!@OLieQ1`Yd@0U$_Qp>gfbkPj_!Vz$qOAeYjdB-BaT+ z=$a6`q)>z}TxSYbUsmA@XCE`NlZHesb*-p#R@60~eN1aeCN9^Vk}*W1SLNCXM}44N z4e^01Ylsh&onC(whI(6{;o53tWo>xj 
zq7OD2nJshOShg7G4peanC2zMG<1!3YK{v`y3NUFlhMA%fr!1Vcrqsk<76b6@-Vf2P!Q8?{F)S}Fty9S zN^QLKXUf!`DH?g|!5EW*T%pK`$k~8UHr_KuBnHJ?vA;llEs#M5PAm&y{!r}i#M1}Z%PhCGS;o&0A2I?bk4?mykzX39xSxWrc46OJC2uN5~ei6J_xKZx<6-wFxYRz zrjgncZ8~N#*bf_sErb4fU3s`MvJ9crsF6&I6CNj+>A@Rp1Fs46+GDgP)XFfC&wULv z{MMLe$)_5WPU(Hgk2n)B%KVIiA3AG$Wx&W&n;PDvSBwnTIm2}TYHGN@y(JV(Vl%#_ zt+^u?2{;rbbw*QV#IP4i+zEf zLIFo}5aw0!6S&8$7gWfcQP)}YgSR-AYgEuNTi<)ZHk`uAMu~(4h2CNzuOsm6pG3k~ z^)*OX`*mvlTZ)8ZPa09o$o8a5CC2{`&ObCBd$Orv4iZmbA1m7he*wb@P9{;vaR3<~ z5LjC*`PGBMDSkon&?GdNc{uaS>GfM-j*k9sqr!I;`Y02HOb&7Me@|I&fzEN3zG((U z-mZV6!FD$tfy?*P0zW$9s_i}fmRhLLvb=lMl{!BMH%jk|NbZ3E1JMYr5QOnWg zIV4cBE0V}tyZV`YKI`Gw_(6fx+xRuXqTFb`4kmG0Zs`nOWw`i%43~H1x{E5iCCiki z2p9hkWcrr_{n%&i&6yI(wEC$;D5nS`r1vM@%#FD3A50_OuHNVpA=G74?}>1j5nfRUj|qf# z^=JDY?d(aIR^4he)Qgaw95}?eyA+ z@`D1g+#&qnR44R5qYgP>vHQ3Hu?R58 zFwT#6_w-;{7TbKK(il}>WK!=*l0^>KT_70~&=oT{2kiN!AX%SLpH5cT)ooNk-GZ*V z=@O}%E}MFR&Ge>Yz}4Vvd>gCV&NmC`Je#HS=mM~g1doi9Vt@dHAfQEESdzpXA9G%0 z^TlwEAfW1Jpu^*-7o?!g5kWu~SP~aN9fE+?EfdsXK+5A73Yv*2qs2+oV|5Znpsy?6 zPpJdw>WN(7u|giJlb(-3pLazKcuA#Lom_UD+UwNH8GN{E$y-Ew=^X&X3@Im`R?Y!| zW{bJarc2apx@_tNQqyc(fU?0k^>%Ky!-P>=3GI3Dc95E;(<}@yn1&(f8mB1dQpzh) z243+?)(G5kDQX`xylvGCT8bK6?tz{CKE*NleSpEq)ra!)2YS*)Bv-~<+4=bwg624H&IXDMx!towKEmfDp}*?J6L!B#@`enGnT>{0e@JNoYHR2`frd*4!x6A@|?U9%2G+?V3GF$7~p(Wx-Sj$nl~lt2Gvg`x5E9{39MK% zU&C1Uysefhn&}o`CcgQ4l(C!w7Hq!WA}qB;YI-@qrYh1)EYkJwV&;Zd3bc21!I|Sb z(%iuS^}zSNm+I-9E|EBO+0+Yh8mqGO1U2C~g>TKwI;8THHHlU$SZ z>M6UmkfpSDRh_e{j-Z$ZMRGW{yU^a(H>aE8~-s6Pm%m#h|zbT5o= zC&`{vNuT|qOc;Q|FY|GTFqC(ylr7kH9IFzHja5D7yOIfUO!qps-17A^ zI2FbX$%M9Yyke(XOr^&I6y?WjMRvO8SbHp%=!mr@!uZkB9uIdUBgl%^noPE|wFQxW zHi@c^WNWe`hLp1%(e_k(JQ!+^v?6(4M{_XP-kfX+B}1u16d!5p2*+BQlkxUsYpSCq z+MEa_T2dWY7fgiP;~mjha}+6TkvK2a9t)>Beg#NCgZx?!XbP!ZGC$tBZ_ciNi8J`# z8Jvgqz`H~jsam%*Td9D*m&7&O^v1nFg;TTd;}LDeT42&6n%8Qj zK?YEaGWwXcDFLa+Q-R!!GRJ|s!CAhMN3{_`EhC&ueCUTqHHvUXJwlwP;eWuue?7l> znZG%LZz9Bb^}B`Oo?psmF-PuS{HO}n?L(*+f1Pp#0TQcm$f*O{6G-cnt7;=16MMEd 
ze)XVhieC^MIbt<#*-2`mrSG4?t8pvW38u8IAt%2)MJJC6Fld~P^a9*YhhRpxM2%DZ zRH79g)fPs(Z4)=oX)mno+$)u!SXjVJ{;<|T#x@FUIIOk(Jsv!&`=hzZDBuAwhp?Rwbz~yQo?((9X0oY}$4a6f6u7yKUz2=_g_CE%XTUiys1{DPzE|*Rsh?t$d_us$ zC(PyHyHIXr8mLv{cG+%wPU?0$rnE1rf*U2x%olm6K>of$d}Eera)@F z7eM7^$|ezRXqqXN%6KjK`a$Vt@`F>V;Rhx86wR~`d_s;?q8Uho6Z*t_Af|ej9MuH zv0Sm{6e;A|t-M^Z>-~Zht&cQ7DSf0F3P3PJd7wLkb2x$KVmcFeReC`h^SUea=tG*E5}Kp?rrLkL29LXDoV0tle+cmxv11t$p; z$t{jDVWS_JLCGzaen8NrXL?u?@9i%x<^hAUHvkCf8y@%@`VYvS`aqC0NW#!VWFh|5;pru4Q$&O+bMgd?FSY0l5vsj;~bN64y4efLYoCCy7SSP ztt^1r>;O=CFvz8oG67aPmG(Hf9QK0(;XG#h!KuN(4@$Br27@K1X)qZ2M>QC1_>kb! zQYXbIZF&HP&I#nPNsSSkH$RYL1?#3b7t=exb`98>#9NZ=pcx!CgKS)mx_t(p6Ii)L zkS&`>jSOn622i9R<$-FGj(SDVLtm>QT@spKh}w?Nx_V{opjAXU)xLp!miqN(Yh6yE>BE56Ttv zZTVUaL0@MOD!b z*qGeIG!N}k85OEoewvMVSgRc6)>{1uwN^Rw6u8jVMz8V6*nBlXpdbc-!s2ZE1HF@=OQ6x?slaa5 zc-EXDi?eMHTbxz@C%rbeOST`XtL_c)O5^ zg;n()!U`B*%@zl8`MISoQ=)dLekyqt%Q@#6>)ySLb;Cb-U}cw2?G#hoIAAEnPi_G= zanv8+vwllVcbids>32!0OFuP(^822bn51z~YNm_>fRu5Fgd#yXwq(Mc9zK>Y6bPk} z$`_7}gD;e1Qy7QMU=uzT*rb4xD?5ZlC7;TNR(t}e%x4(4G>9=YgIq$@V`#(=O7rOl zr}*@Ps=?<$=JVFmiq9J#6MS0wsv49gfq=mza8WVc7bsx~l6KXK$iD9J2n>u1PLd`j zfoECM_U+?I;OU*9OdB?Bo=K+>c2+)HN=6M}=uFiyW+27msX%Ou+AW}MaJGMjyVACQ z_7DhnCAGs%VGn@8Izmeia&_x;7S=D|wtm~Nf(Dted;MAJX4gRl!XB3F5>#mQqp$~M zMb_6j>+1-pso~{a0~ut|My|*H#khvMmo7mo^v=UxErzlAbBm?YJlCd702VAv0D2-+ zNcJBwR%Q>_$Jo4oM*VSgzx5v%{99_N`X8-#0S4<`od|IZ%r8=;<06W(4Pfr+{S+)s z09umyGDGHZZl!Gpc)e@MZb46nLC7V(3E$k_1u!6}2}2PH)+4DXunQOlnLn`C&u_6Z?VtK}7= zG`R%~Cbw9I&LO!2S{yD}Kemy3)4f@q+}5fAJCk@zk}W2;yFm6FXYliCayzs~kX@k) z%94^Q0BUloaEy^{A7WKl{YimKs)DjmYHR|KR)tJfj!mhMSI*x^#0Sb%1s}MwD)>N2 znF>|7%&Kq+Y?3N$*em#)orUG6H8XZEDJ~Gzhzl&>Ko=ZKia?`e4}n~|8z~>WAA<+) ziW=~eN)Z>h>KwKFwnHi|aM`B>l{!nSIAx~hp+qnsK`;UskzEFHHFS(JjYY>yAqRpz z9}~fz6*b^%5WHOx{6$6ZRU)|7z^cqE4Xgmez*>DDBxv$@DlnUY^)T>awlK^C>%OOj zoIJx}l*v?<4A8hx*>`Lk2MFlBE#DCwIxS{EI13&F&M0`K3zZLiS}^G@!gxf%P^dS6 zrV3b9=lw6b-i}!mTZFB(4pof{`FOrZt9g5mlE_a 
zMGV=_8$`_PS#Bh_E|KljWm7MZ8{2uEyV!xF+{K0t2qCV`J>=BSnNtCW06jBmCT|^$#0Z`eei)Lfer%UI(vhGIwpui8i z_kM87r}Kl7dh<}FTIg9V_D?FYr&dqc`S@i%M z_`*oKL@vaqK-V1S#K;WFg?L_)B^6G^{ixkI0BP~tIUrJzl-GPR<^$!5-v_QNejg~w zrck(H7XN{NRpP&VNQhrABk6oQO8B%F12F8xq>*oj@|qz2tQ)~+*p$IqO1h_K@fcO$ zX;SY=>cw8n1#YC9$JJiU*)M|n$}vZ-?i+s{pcr$$5Ywysx&-<>o(k+{%vpAU+`5$~ zc+A;8ECeU*cG)D62MZW@un%GmR>YBST>wU1be{=)^04A2V1!BnBMvLxB#fF_9gcz% zR;ra~Tm=MptUeb^JXSvyI1P{cn8(3yGLMJ;r52B>7Z8tt0gt70Ztmj?dfWo>Souug zlRSWX6V0!5ao+*N+Iss=Q%k4Cve!;3jr8#xbCo<6QanjQS*Iv0nxj-4VS! zU4saq=#f)8V0Ia(u}W~7d*t$?g29S)G=-Jc(Ev5Mb+ly{iOo^qqPr?3F5NS*q#BWN z5&$X>fr&^&E~zGyL66{39Qqg=3d+Jhmmi!O0{x(*(ug5&3)l=eyT7A`z|&t5GSxnD zIl|iAtOXD@YjL|!dNDj(AG$0I3sxN0KZ;#LqIx7rv`P#P@tv(5weY zHZn?4)w&0uXx$?ii{jJ|68A(}TAQ20v2a^^8}8$2jfGN?mS{Mb=!hr7p=5KgC6;Ju zizni3?XmXeV6r`yibNxAuu<(T$>!E@A{9*pJ6clFj$kC*8jdx$w}(PO*szwiPy%Zw z?JdzzC>d@~#1qYlL@3zO7VHQIli^&LS^Sc?W}87}^N+|3Zu~x<5;`;jOk-JlgAAas_A}je z4P63KkEa5;@xKlLb%S#PsIhdo`d>XzOZV2G1}IR^O=wCm8jX^NjkW zM6D;H@Oipb_5u40E`WhN<|5Z6LaxiE-V^y1Mt(&h-*Q|ut{z}Z2mwoTk`r8|#&((Z zx&Vr`3M}Vhrwh(l0B10|u-DsN3S{!wgRfZw(rVV#eoK(=iJt=faFBIr_6Jv(}20fb6?#adt|hd?5t1qZ(^ zNR(Qx2vofpKxHjYMME;KEuGDKtw#DmX)X7IQ(Eo^CD|0cdDUg=&HMgMY57y9$Ixl>MUIeSpDnVXXgCqKIPP4Fh?^_V!>gB(Ml8g0x4E zGdVu>pwb7z?+cO}aa{NubF==cIxc+Zj0Zd1Vbwh8wa#lB0n^m*tmeOdIMAHsQ&ZLt z5L&ZNlHeG3aml~&@c-{K>R&spanpAN1+u58-CosG0Hk|LE@O>**|68Rm-2yfdx{TS zxu^I*Nj61K83dciE;_1u%C@uMQ~MSb<3V|`j;tfV&{OVqU1D7V#U4)uX5kV8Z-aB} zr>dtATHRAT!z9!a7U}I(!u{Jmt9HHspmfUL5PUg*Vie~DE6&DiGwPp$CvoL_f;HV0 zdBUuQSCwiUP{=jj){0I2_GBy>!Zf!z)ZW$_jwGW99Owv!gTZ7n*47qoZjE$|9};Z- zfB33o{6WL`HCCmepUvQ0<4e9T7}r}s?#^-f?hOtV{62V}LAh!}`YrK^80~de zsE4lpxe65|bXs$@3c2Vgd{%8LlKLJcj2?lqq`uWbwF0|Q-`&6s^#yK9_j%p}x0R<> znO(vSSm6F?lb+J)65-ZmQ}2oU2;<&(gK?iF+`8*%{bE;24dN6g02s_kTKTZ&Kw+SS ztsUzZa9h9aT0w&h-95+BzW^!_y1VZO9#pV}R-Drb0KkBAou$Z>i1X^F6610|fR>Y4BL3@nTjQj#amdmZ3bIP#x- z-s`5MPPT$t5mc=JAl(X`acgW$cq|RxSX9m5T+qFCwt0P{h$Tiq6InD$4IzDAuk4Ka+S%(k)glp5f-X`3tpj 
zah>Sama%e7H!~i9QTKGmbX@{v9!~{kV-z=DC8N0fm)toIUJ~NcXl*B$PDuj{r=(wv zV4XbN;01Y{o2vK;0>-Qtq{uYdyFttxX9UFHl=P+_3mNFOC#?G;!&{D5y_6$K1{$D{ z!wXupfz~CGgD#tTf!xU9Yb=M|OJ>sGa6zKJ7kPO4AH`J*-M#i=8=!!7u8UQd2&*oe zdQYqu8S5>Db=PIVupSPrA<1ko0~WYLE^b{S+`4S)J#jDjcWU_~Z(@#bO5At$i@evU z0jBEY!Gx*$sVAlljA{K+#&qc4gpNtmqkJo6dH_^5J-KYcx`!>{%`2iFnKI1l~E|G|J+0+Z{LVa1pgUeXN z8-5~0th=#&?2&FC1Q@O#d=S@(AcGMOJDMU8n;+u2KrOEyya?oToJ&Cd;Iziegj}1h zdt9tCuoocUSFg#N67gI8R3J6{E*~Z3-S-yeckflfuQk>xr-DobV6Zs!Ksr-W{{olz zC2%;ijps55ER>>pCZ*k6^6!E%5%rMvCi$?rALc-+~c55 zolxRBfQ=_{-FE);mX$Lpaoth+v{pE)BPqX-7Ht57MVlVn!G|T!x$|K+<%n)YwO1M}R@t5mvjp3cU#CDi?rR7u{zP<8w^6KFb)l zzkMbJI$e_(waQZ1kz#p6owET+PYLB8JlVY?yCvFJlbYJ2{BxMU#XcwRm+SL+?;J68rueOD-ScF)LXe<$IX^yuyhvSJawfUydNv#~# z;*h}vSSaR{b^+G?j1+UryI3(V5^k-Sy6xBssllF>zyO0Kuzp;lQ!4*K8(6=kG{q9w z4q!qA8!#cXYtMgrVB)19ltVmC#0lKEE61I z>UOT3NjDyBd`3{GZ6gBDqB7VYKx#OT1~WnFtEZBgSoPMiFBDjy;oKLFT?k(&$)*_2 zFM`d0v*q1tIN$mU!KV)9D=!l$^G69*0EGlAw9A5x7dTv$ZoC^m1N{S7CqPKVn3Z5_ z((g(pM1qwS*GZGkteeTnpf}wTOw0uJXejm-mDh#pax;Zu5i6fqJnwO5anuh=HD@$)RYbZQwBATz`*hrft6jhk9yJIZT=5T7XS;m>LG&250ws*&19WwAvcTUZ4z+ z5-)(t;tfaQGR0~Nk#HWpzz<4`*AGsK*AJ?Oc+aqSZ-GskvEE#Ahv8F;SD!#ohL4uZ z07i$Bkc*~NDB^f9-M&osoOJhMB{N^U1{_V|ElIgpF1y95zwdo&+Hv_!pj<149xE(& z+^m@a7TPiURoWfbC6MRwRG>Fb%%-1{b_{Q1?by3iNKKCwY{AV0A267FHkSr4`J{h= zOZ*ZzYx^Ffc~Y*9Zb5X-jT4^C;lACzEHuG3rso0!UNQd)m}nc#E! 
zfNeBUsrid%t+6c_3VQVFqz{zKpATG_KOd+X{H?q}{GIrK;_u8`1b=!7TtzG^lS!wF z0EAOTI7fjyX!uIN@=X+hewF95b`?0PT{*@lCGFx=(RR=drT^eezItk8xzKvger+Zv zfQ9~Fe^~cxT_XM0Wm7NE8~r~F-tB{+HyM#?C-x5Kis|>jTxYm?hr__{W zKIV~PJDT)?ay7*VuB<6OP=a0A6V9@xTmi#m|F^9G$9iEwhf8+rg#{&PT3G-bRu<~; zKM=`(#pjJQm;47wbNd!vSvW`E*49K?$+9a+>yd!LdSoV@o1dSXUf3;)z~lK`;Far< z8-N-2VF5GNBlo_|12g;b%68I<0$`?gkZCVt-2P!+QCPlGVATEsttcp$Ugbmr5ON}w zx(bUhbW#!ox{b8^NjUgj-F@@YJ^cloWGc=x(wG1DoviBKU0E^;Cr2m4q}0Q-~^ zY17*U|Js`_Uk|QCK=UU+P3~ySHJ0`8M|l2p(F<4k$cWNd%D@CDWMEo|irY~oB*^G%FE0W%i5cyh0C|iq>SSutAtE!E3B*t?FR!0`O7kx-XVxO zfNQ}5e7U2?BM>+)I7ynwU$%=$Tl&$Nl*D@PJ3L6^g^KbbraB)2FwTq7mTF1H!;wTs zqO}co!~_$OmLNi2aPxCGl}g3hkOCtbiMAz>_#)EQ9!a*grdlJhNP8+Arz0hyNC*)! zDO^SqLn@7Ma|pLXCz7dHI1*|JMI-U%=42bLm5ztQxU43WXidc1@pdX6Nwu`KwzsuW zUX1@@5+MBldLn)W}aKl|*^DYnE))d4{Pyq|vb6%re6d1$O;MIHptLn64RjUG&)vBubj-cBSC*w|l@;T0d9W(jz zly&bGq*v>vYB5^M1R$0&A9}c%{{cO2S>l;#jQ=&pGyE}L$~;YI#?(ur8-PXYR7bQ? z>r_7#*o|(ieTMY%7H~r^x2+Q_>TT#+r$7K)c4E`fyqwOZqcN}PoF5d3=INXtoN{9Q zpaiqhiQNu%1J041%8A|e9>K46zUX2LC1M(80fJ%nG57*VZ`N0U`&CSL;{0g!BhX*{ z&;w3VCWhG~pbQ?sE*@srtrtq5S6B2NiwW!i7}~!)i=SN5tBc(J*MS!8e}>R%$6Gt~ z3%VEJ@()*H~L9irt@JYY5l!HHU(5eZsLMyr(e!q@vMa2hQF`l8F{P zkGHl*lkL%1Wa?jlWPSyxkdj?eXN>9ri1sDUnNKLkV&z65+G^vix)jYc0En5!g7p0E zZ21q^w0=v3VyEUTtLn38Z zZkrQ!PY$0)PVHz1_%n(9_+S4|EpOuLc0d*|;P0fW3>e~pcw z!lIIUWUKN4h^%~6^^zn>tEQK(WVDf!PcxTY$I0 zx$-&I({&%NAzsxrlz0K8#oHN|^8uX0@Y?>!`arqj^?@sk*9S^4Ddz+GSiJiVD)A0( z6?|$lpf@#@cqtDhz>tSBS6qzk54w9QpIMA#&Dh?jQ_MAt)<2 zz`&h)^*~R5cli&nS-%AyN4QgK-b8E;e}UbpE!zZ_Vnfro7JvY65qCpVmxwoAHuVCh z;cX`{;&8(u=Iye?sAody{{CWjW}rV`;+YV+G=Kx%-*xfo65-WlQ}2m)nDLG%yn8=d zOQx!;(XnE{;8<~?ufMy{JGZo`QyC&YE42RA^&PTOx{xjdjk(Is$5H_``ImRLFKCj5$#1OLJKBg3P>Z zx;KrRd3xs-)5Up0OcR2JASVPrFuSFx$reuFK9D`f*?w4g2cwc~?F5#0 zbW{t{JPS~h+tE46$o77T4a0$d@(>ZJN_jVeLw#4_8HE;ZzVJu^ulJv8PkB zhD0>+w`z#!I#YceR8wBuT{{HXTEl4?qZ(F?rvOspX)KruOLrxc412_2`9gsoa#wue zcs%uml6(qxW!;-egO`3;ji>uQCit9=ovQh4IO(EORN?KCxyeG$z=GaVjmMy5LhzE_mz#b(!t{=U 
z-X&=5%S3Rk$%Prh0EVGtO1XTl0xu>PU*REa?>`GUS(6KelTuUz1}Um>RT#{L{tFpY zJds?A6xA!1ajP7gNw=Xd+vS0chK_P#Rl)|C$=}bqjj=8LDq|aw*klJ%tf>wJpmGNa zMMG8x%6EE1*~R>zbO-W-Qys_;N(xnUphI9Y;0%LJin2KUaSy5T5MX9nfN5%YPO&=| zppcwAGW^c(tNabpeIO(`_Zdw-ucZF|KF&7e3Zd05zMfuKOYUk!SJ#^W8rPfn`efq(0ll~7JAy-by~#$oO^)?Gz0G!zAiw(=E6Yl;dZ&~jDlu%BsCDvBD!30=n z=#)-h>;-Pz(*oRB?Oyh@VDZJZFOe|org#I}$|ZP!>S|heCCCpOfXj@XznT?jwF$o? z+emCHA7k0=J*l>puSo{1VOn)93ONG|Le828a@~|;Ko>xgF1pVoN^ywoGNU~3Ee<(5 z^l2e7t?$Z=EC2IJ=gCF@H8tFarCC~+g=S%Q+ph$tY(Id?wjZeqWp69-Pdt!)3{&j>!HhQ!p#8gg|316Mbb@4@ho3=6#_WYt>`=)BZlS&9lj__A5 zD005T{>s|V3TlLcl;x%r1VCj4iKVRTM>6TG$BCqvACy)QKRBfzeo&H4p&-jvkb(@I zQ3|r@fZ(%o*;0ALl#38x$VG@fmH>um@)Jw&&gOTeyFDL*k8#6FDn%~Bt)Oy_bL+b^ zDHq|g&w)to!RSH4TB%fn1i3MQ#UOEaw_d5#CD7#YRA4u5%n)!RQQuh}B#seo?Z)WU zJU82b8X9O}7jRhE?d!rVqkXsuJ71i?n0gbkpu*hMcn+Fs)YN)I&?_$(I>pi&`kq?Y z-G5M!Y;}6GiwhWtsd*qvD}mU>)g=;>E}N$kt=PrA!Dxriv7lCeUNn+eXf+-tAb>ON zdYHOIICa_73!J8D*1wIKX6^SG<4MA(o5tc(H47~{0tQQtxcs#j6P(=KQhK5N3%JLq z6*S27Ry#oj&clHUEIIBT@}Pq4mZBo#WC*6I;km6{>0&xdNq^e%3%j%V>L;LP98i*~ zfEnSAGFAJ|&#dpkwHjaWpo&+wln!jJb2irzR8zyeJo3(fsC15QEkURpC3aXmFN5R` zxI%RP+=ba3-JWX%IMElt)kI&JFi}z_e{W=R2{H*d+kP;!{vt;GJ%@x)q)}HgQAQm= zWuuN8^1|{C>j;iB2E);CI*V}RU@)f4upbn-=TYAeZhT*pdANV5p z)b>&vby7(>X0JRPGL-;Bf7J6lQv$^vPX%VvAGZT9qDL-re_Syv#H&}===5s3cd^NY zMTwmNiNsD1cj0PIv^dPR}M>8q0(|JjcHr;MWnp*3l zh!(&>4q2>@&&v&Tn-a;P`l-Y$Y~fkPd>xoEv)KDDLK6B+k2Uu#FETH$bC%Z;cvHhm z{JY_JU_kV3`jTX{&2*_-tZGA-X4daPm)d_=aH=N+Y67eTtb+OhMnU~;VT9>7hmsxP z)=0E9ifb<0g7IXkqXU!Tc1(vmI@+7taUwg6dn#iogr(8FmdRjS3in?&W3n7==?I6D zDcoz>-j-|)CL=A8_SR$~66=UYTT`)ETT46{Ova*^P2+d~4g-Y3@gySppxbpcT2x4)T??GLd`kJmH`m)VH3Rd;UI9~y4Wim zA9j>bX``u~Olu{=U;`{HMs*4)vKZA*1*^t#o&oL#=L~SeUaUVV*c@XeLUk!l>39?r z{Kmk1#J1-bWUxU+ceK5s$Kw%b8W)_P(h;%6*I7o}f5Kt3Hzl2x$E7Hv-8sNuckXY} zU4=sV4=AvHOH5+he%&f+jg41%cW(GALLzdgR!)@~ssU6Us*|ytT%}JZ!X8mMF+V5} z%0smuoEobApd_1OsNM}W1I{V1Nvrf#LIY8G|)YoNH&9$1r3V-Eledl2r`lTKX%X&z4ndSegPyo2n) ziEC^R)_z?`OM5Qvq*JK|<+}zP^0a4>II`5;*`3eP7Bv>#`uYdbJyb-vNxxq`Xq@5~ 
z1V4_*)BY4Vf_44b%=)cR^fe=bCChZEh#zvq00S{TSSa>$IFwr=F;+j7XoVv-%xH(N zvmnnAR^5nVQfi!FKmg~x?xa+g2&XQadV$k4-Fa@hwLfQ!JN~s6pK6VQOeA1nB3t2b z_LTnsoAq1Zk&#W$FmGpo2`PPUcwyp+r&18wHU-S&w@o*$rUo3m!P}<8#|2-~Aj>dG z0F@0@I&R$uk%@;qGWo{*pdc1D$bN9jQ29Ygp$dciG}uHsO|Z!Z`5QuGw4o}`oyz;s zBWk#^pGWiG)4H>jUMA*9WdFULU9$ z;=Rh^y#zK%yj#C1_|)RnBHE;aU0U^!sm`TlhtAzS<}aEV_6hs^mh%q(697MzUO`Ypks?%KF!R^*lh2pDU0 zt)wmyW4dhW1yaMEZt?oUbp z>HZM-Wdg`&nCV-f00|(6PkB(l)>9cYTBZODEmJIBkSQSPY2bnG-p4C`f{HQgB_%I1 zbLfq0NW)J2l9wsAeA|N(UaFJ6E}+o&=`J=L*}&1c^rCL8#dpo?U5s0?d*=!6#|H(< zZ{yb_pVG8~&w#Uc$t>>sJ5CEmb>A;X_my>xN5|9PbVg`yXl}6l2eewhB{ngEILT5S zebX!+9VIdyN?1zA5RC z8m+j_^zU9et9~6U<(2OUY3Y>}l}|^F3AA?yAPQ5<_ZBIPJX@IGi_{);=CIgb<1wh7 z5WJ*S?A@(<7isYDn`d#D+Nm=hw5nAg)tl5!CIG`tCao>u1g|HU74|pv5z973=H&tuVybFMk*P?v>@jR04nG(sX`l-Y%=3OTk_rAArdz~QE zW9q5V6~F>}*7YrPiLmRksTbIdu3Y2RTE3ETZ$2;Bwq}|NCv6J?2HS$K#*+I0(pmGZ z&ekvBwtm~Nf(E%Qxa!>`{Si=sZNZyfRIq}OJ!zEk-bTYe;HmFli2Rq76) zvbyJ!8Ecjt4tpFXjQK%nb@zi)>h1?6`4sAY3Vh=5!s_4zUT2mA<);I?T1wxs}3wp@=Zy;a9wY5GaY!Ba$UFlSdcH9Ng3dB zGyPaMQ)ebBtx_hN^NOzXgVN392dA3J4@&YWnrXv(sF_CAmYeCa;8V{r%4gP<-%In@ z9hbrAvwHhW*#Oox0|*C_KR~wpY1K(0#6<>Ag9zMhw{8~AW0(CKXwV~VrDaqTNOFk) z2Fq9;V<(sH9>IwX_vbfXg(JY0<7WtG8rCp7^!)`M3KZB}?am$Zr{r&a5zN%yT+j@yo(2wL^>|6_#= zu7&FF$s1o2a3Gm-3MUPbc8t7E94@yr1R zHJs)8db$LvJe~^7#@9OxybaFK23EuKgjTDeWhj+XK)xPe;On(@cXr~qHIk|$f4cPx zxUJuIt)M~rdS{vY)$e0p@4&x%P{D(?nT-Kv;=bN3#&QW*;Ongz6_F7X}da zg-cipz-7H%dBh*~VyK?)@d#{>3r-3^>9Ls$1bKX6c`{k)EABozAuzyQyBbxU=w$3yk8mo>pvYs%az3^ zHxyt~bwf`9FJ|7GSj!Jw6D_YNa(Tq$^*ox+<%()TK{q%65H~pdIo%eJzF)-?&4t}4 zc|C*p#tA7!BW`dQWephoz%07KVe8KXiMk_l7f`xMOCW&35=e6n=BNAzG+4hSCb6)$ zW&`Qk+Cg3dxhgRUT`RjrO4k5X)-^-`+0I3$N0#KcAC%TLKRBgpeo&H4p=&$ACY%ef zNmHJi*T>K`F^9ZPx;CX%o@2n<;H=)vx_0R2q9OIz<6h0E916Zu`{%&>tk>mx7Ni3$ z#dL15^#k&%Stq#{Ud;t=W#L^jez%wQIoFB;Jzr z2hBq0R?v_8Wwy-XbLksy3i|cvq?UkHOR1A^0K-W*g!Q$yheN5BRC^GmXnP_V4Ry36 zf}vDfJeF+phX5zH;VY6eaT0EbTju76XYoBm8~;;qrme5L<{DB%9GQIpPV6MyIhNqI zkIbTbh|Uoj?a1pzMi&iTQf)8+cB%u+l8w~q&j2^P`R&hm;I?iAH3kQ;!2S3e_0p~` 
zp+!8N3JDt*ZUf`qzKwBTBix=YoH90ih>dX0dU!#B5|+6IV61v3@Ht|QWfw3a^9?X! zjpfiUJTUTDr6f#a6<{VeRvlwZ2R_PU)tXxZlN_sLz&U`*#w!x(lt+w{(VWMwe%ucV zVqw3?4^9~`KPV|sVZ1Jb&46b@@t1;6J^IsG^SE;TDOL$Eh*hG9BwQ>tP{P?5 za#OIF)H~3LQxOA2YFeLqu;v5d_XWw0h*etke$tP9|2T_dl{PH7)2O6uHl>kj%mGlj z*`m?3bviJa_c$jI_k+^S<_D*m%@0cQDVl9N_zXB_wyS2_@+QHjw%KawPxXX1I&W+Q z5ZaBBvGw98XFAZAFVX=)I^0>Jlra>k=T}edHnlHEenh(+;da}&L$%xBQt+cqXysan ziPi(yR9&Wvz}w&)_!wKTi-cBNFsUv|`IWi=NUKZQzG^;=HTkMzCGn^al&da2aAkGz zfs*1C>at`LsmscpN?k_ZEcn!}p^n`tZ{XAYWq_mm%QDzMht6KhNU(%PuVwTA~M9Yadf7KP{U97OL{nH|fDnmq4V)Q-R(L zb_akQ1MMzWl|63}BD4&pnmy9c0~p#V#vXpY{0G>q-vW<}4m`nZZvQwBJxi7gF11op zP>&jVh&h0Oxq0qlj4ly#x@_tNQp4OeX6_PD!izXUD0M%um{Z;ZjpTsANIoBTPR#AY zZb`WSjJoJP6ZqsvzUl+imV0;eNWSr{9vEpPFW>e;%Rhj@^3Oy0`B*0}20FTtXV3Zt z+}3ZqR#MSmeBbR%#Vt^Qt-fnsRB!-~G63o#7C_-57CsV+G+TkbVu7yFEg^9!Eu3OK zvNR6~S?6ZwY2i!&7CcM4QshrvIB*gr9gFJf8wHlb^kc2_Ndk$(&@=-bqG z=YY4t+4)Jj&gkvrcj@rm0H?N&jww0!&l4 zuk@gR^-uLO(s;m3akq{!j_hTPzbP^5ZjBA!xUwH=tN~DYtjW;eVpiIcxv0mv^tc}s z#Kaz@ADkL%{Gg;@#aOc+Y~r@GPpPqH*{U&AN-Zhzw#F(_sVQx1oCaP5-apMMb&Swf zsuVYh4nvX@m<%c_%@0LMv8 zeUqewL*>v_?o*hh@RZ>qI^r-f8LXU#!HtqRv@S*9iEghL@JIT?no$ z(gkER{PhIE3y>oe{Btbob!&yFE$2!Nu$0{uFv#xu=e^jv zOd~T&NtS`PMvcHNv%BsCb}X3yJF>f8s)=3MVhTtA3<479C=zxfvEd7czdH+We=+t@ zGYh)=$EpK$lYCQBF9H%yGWACes(^&E?-s(7Mpm_#8Z`k_HnRClP#W13?Nn9I(EOml z6OWpHaLUN~K}kNvsCk_g^vvg#k-fA|@L3U%pvDv0=>`Xw1u_9$*(R2GuD5TH1w2VvakJ9OoD z2Eh}!;{fvn+U}#6o?3O(g=*K1^`>M%bfM$iQm4MCy3on@3I=2slA%`s(hZf2TA^1- zuh6S_rw^3dP(E{yeglH^5p^s`Ep;Aq5nWc zxgf{jE)rU;Z{8CG)$}S)DZnXDsb52k0|X+!E#HyCZ84tfDHiS(FiCkzFAoYX z^-90momDQ7O49-`O4E|WZK(0)7TmJh+Sbv6Yf@9~EwPT)=2)a7iL5HkEs=OC7zxH& zqwx;Z;tsK3EEer(ZpMwR$yhMlmP`aYaIz;HMUs|Kb8E6a)SPT-j>e*imKajI#G8{b zd=1%Pf~_rW?X97Xc4U2tVh=bJL?QAkKmuCl*K$BpNbQnoT5dwUUg8XX6J@LA=%DW8SX@c|C$_)5rIWDPly9WXeNo~FxFX)|N)qEctYPhcOjUeF;E z=WPTf2<8GMNSt^4DZ#wXno`2aV)yPMK!Ep$zH$2Zh<#Hc-m9MqoQC(OnfGJgV%`V; z(SvvPyOn;@*a4XT*WUF8$5mDF@;3_>&>6b3%pmSKW2eq&*v)RTyP3`~Ns|nt_-F8o z9~?Tno0n$EHXHU&8XP~wiV-WuSS!?8Vy#+Y8$tWkfl^{9rIb<& 
z##;TIbKl)}cJnr`$uffOgdw;vD?pBVH z{!85bmn;Qpxu+7_Q_$F6+;$Wb)?14w)k!Z8pbm%#|b2 z{_d|>CgLfy2NIv4J&wafyl;n17tl&Fq*OlZ&Jt$1=LSjvOul7|49L(yS1-0udtihp zT?HXaSI+W1$$FK=dhbJ|uKSNvEa?O5-GhR4y>!rt1=I*Zfpx$TSf58?fkCD=@gfJ- z4@qKrWT44ZEx6TW3XnOO24dCHml%#1HhbMePAD`VPo_>dHJLi0WTT47^dQ8H0ss4baEy3Y+;?rV*stf0l+F8+j`47Mb-MiEO`V?^8FC&N{1(9aUZ;A~EK$*=Ij+&e%D zxb0=-h1vLsU|8sc>9bHe0g$N^!K#?tFc$NLZM>KvCzRF+C!Ep=CzO;^=)^Y2i3GZ@ zD4p246LM;QkbcoIj?m5Gl&Du~-V2$Vjm4bFgLgR|3&;fw&o@58T1 z0mTOA^W3Y`5O5H~=iXriPZb+ z8k?#cA}bmiBH>7=K8Op|eGS!-74@M=xTY!`u5ZF+>ydDJ?2sB)ts(%4kjSkoA+ZwyAlRUv=4&Q~AsRr%o@X{@9CwI47G(8~{=iT{Ik zkZ+cBjEqCOKJFfwRF07?yM%hpbd0DWlM_73eL0oB6`7q1KcU%Ysg=x# zU213fO`Duj2`PvbJ$BnVORNEWnz*q!kV&JcKC)@m3+k46zkWNtWn-`NTej~B(F_Gk z8#Q#&qyY>LNPa%iW~l#zmiQ!S$UJ7-K?RHK6MR6jcef1{UPM^?4}mFf^g6&44}v0` z_eUi~Iq$2cRP#PS=Dc5xgc~Ay8H?4}*@8|eGz{BIBz@J))DZHmBmOn0o<0_uiIw zc<3kaWK$|=TBE{Y?%tudxOZ&SY(a%u-$e&4*(i96kQ5^lNYdhFcFA*2kAKylA- z*q1_-IiMx0%dCah`ax3OU2j(``P!nTDcEDWxrNNNM{yL_Kq>^Sbo0qO>}Jgsf#{d!1xi$KFu`+g?FguPKl`11F==^F^EXhW8Tj$MOxW zpQxervsEtyw;K8a6Yo9C#Lr9O+T1T9ZjI?cgZc}3>iUVO>u0Opmiqk9&psc1CHIH zS>*n}ttE8NRTNnxyvSGrPgiEPI&d`4ZwjspJmBCPX`#S3WrOVbonTy!m8z}OSP76h zR)&HB>2-=l0ydeCaP#EsD9FSkuMWZ=VD(Et@_auk1CzL6xdIBKb z6LCZCz>kEZHV4u}AqP~xCme8QPdK2Yn4%}PLQJoF~IMr27C@Hb%s+YN|)}B{gb>a7-t6Vx>$HN-!_e3@J zduB3tS8$C28_8X9-xw~>k){E>VM!M59>05BqK`R7ss0Q<8eP4=FYZ(vyEXvr0iX~exB2WGSqG;>k z@(yI&%{!@3g<0#}-O5t7p1_w)si0=f*n2<={?GsNthMu?O{?+3R<#;M$AH1Yw!z4> zWm6sb2T+_*Cg{n7b zMb7uNkCF=YeA7h{_T7ILSx8!5Vyy|##m4q^ zJbdqaPIUFPPe?&ccPE=TYF8w62Qbtfh$gR&b|KU5YHzmHNF`IN?zS)G?zm{QWK(p< zAlSUgeeAp39b5ko~9(MQmpwO(=|hQRK}*|Gx{n3gxaAh^&&gC36648tiUUH~(Ta~;@%fW-*z zU-@d`C$KV0tz<+5>-w3Ii9Q#nl#qJEq;LA!suz?k9X|rPi2AQ* zZ9DLH(a(z$?aCmfD2*870MgAHFGwngQQIbqLMZNl$~UhA&g@bLln_!z9?o*}j{HD1 z@AwfRr}pPtV|w1mpnT21B8-NOD;aODJ=%%WhI9!Zu3tn};cUqY2sP*LNY+IdZNsnl zP2Aw(e9dDo3fA?WAB*+Et^(NXDx^n{KAdP()Nb#(6H0fL6HaxN6H3Y}-h^Suixg@< zR9$uGsF2r{>5N;30p(OeHF7F-B`^`C+l*{S(hL{!;=2=e`K*4w_i$MN=duhD8#1comPCz%t;iBB_g;~QO+ 
zoOs}6!JD4Yc%oN3Hfga13>I5pDNP#)afH3ozy^2(0Bj4v-9=+1hhnkSyNfOFAMs+V z?-g*UEmA$&(!B_gw1_RAX*eEAMcq z_%ld5AS5d{TK4TRX5}DQX@(c&Rl$mGYg*;VbIbsl4XC7JhM9C z)Og~Al46SSr27dPPlh(D@ucs#kn^(D(Kyd+G|;041ASwlHd0?(?W?U0);0udgMr$x zueQNovH~K^`8$$PG0<-Tqc^!vJg5fx?$^MmR{mlWK$$xfZUzi5Kv~J7MnTu(KGUyE z03xej04w-wZwU}>)q(NqDzSqH=N#=q1cn1DuMQ5li=!!9S*XJVtHbC|OiN%=h^vDl z)^tk4p?Vw1vok&kc|V+q(g>Z)B9lia^0~mXQ(OW$W|YlDN&bXq=NxOn^cME)JpK>C z-b_OU@2BEUtv-P^`=ccgE|~6H?C!%3IiYlaIN?-(IH9DxqCYn5rq^@wr>Z|jr-Z;- z>-B`GWTgctU|4{5VBbBZ^MUge2L^G$-R=>NDhUAEhlvGeUrlC{v#tajZ{{C@H7Vr_-!YBfn7k zH28*)QyMv8b@-MKOS}Owmmq+ahK=8BtQ8+ANTMR+$D@x!ct0G|2_as~P z+f=}2<4GG<^fll#1)Rh)zY!Mf1jr%oH*i`ACbZRjv(=Ockg2V>rCV+|35V@2SMfQaw6;3ol(ssdMDIyw z#W=*o^}vHlTZi8k&8pXs>R8iE+gro9`wo@VV-Aty*r7X`~I_+xi4MnqQBQKLN|CmvIZg==}IKyGm@2L&3Y<~ zt|&4x8H+rhL1>cpl6-n~+H0N)^&++#tn_=A#d3*cvo{jL%_5PSZ~$B4e7sv{KiF#7XB@?z(NZww7^0OEVRHv3%p+~u;`W}mn`~X I-R=JW0mvn%W&i*H literal 0 HcmV?d00001 diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf index 6a02d701f1b7..50576b55bbff 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf +++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf @@ -2,6 +2,12 @@ variable "TEST_RUN_ID" { default = "detached" } +variable "files_path" { + description = "Path to the directory containing files to upload" + type = string + default = "./files" +} + provider "aws" { default_tags { tags = { 
@@ -14,22 +20,36 @@ provider "aws" { } } +# Define a list of file prefixes to be used for creating buckets +locals { + file_prefixes = ["discovery", "findings"] +} + +# Create S3 buckets based on file prefixes resource "aws_s3_bucket" "security_lake_logs" { - bucket = "elastic-package-security-lake-logs-bucket-${var.TEST_RUN_ID}" + for_each = toset(local.file_prefixes) + + bucket = "security-lake-logs-${each.key}-bucket-${var.TEST_RUN_ID}" } -resource "aws_s3_object" "object" { - bucket = aws_s3_bucket.security_lake_logs.id - key = "aws_test_log" - source = "./files/test.parquet" +# Upload files to corresponding buckets based on their file prefix +resource "aws_s3_object" "objects" { + for_each = { for file in fileset(var.files_path, "**") : file => file if contains(local.file_prefixes, split("_", file)[0]) } + + bucket = aws_s3_bucket.security_lake_logs[split("_", each.value)[0]].id + + key = each.value # The S3 object key will reflect the nested directory structure + source = "${var.files_path}/${each.value}" # Full path to the source file + + etag = filemd5("${var.files_path}/${each.value}") +} - # The filemd5() function is available in Terraform 0.11.12 and later - # For Terraform 0.11.11 and earlier, use the md5() function and the file() function: - # etag = "${md5(file("path/to/file"))}" - etag = filemd5("./files/test.parquet") +output "bucket_arn_discovery" { + value = aws_s3_bucket.security_lake_logs["discovery"].arn + description = "The ARN of the 'discovery' bucket" } -output "bucket_arn" { - value = aws_s3_bucket.security_lake_logs.arn - description = "The ARN of the S3 bucket" +output "bucket_arn_findings" { + value = aws_s3_bucket.security_lake_logs["findings"].arn + description = "The ARN of the 'findings' bucket" } diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf index 156637001321..9d78b1b3c4f8 100644 
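Review bot: The `for_each` filter on `aws_s3_object.objects` tests `split("_", file)[0]` against the full relative path returned by `fileset(var.files_path, "**")`, so a fixture placed in a subdirectory (`sub/discovery_x.parquet` gives first segment `sub/discovery`) is silently dropped, which contradicts the inline comment that the key "will reflect the nested directory structure". Either narrow the glob to `"*"` or derive the prefix from the file name: `for_each = { for file in fileset(var.files_path, "**") : file => file if contains(local.file_prefixes, split("_", basename(file))[0]) }` and `bucket = aws_s3_bucket.security_lake_logs[split("_", basename(each.value))[0]].id`. A file whose leading segment is not in `local.file_prefixes` is likewise dropped without any signal, so a misnamed fixture only shows up later as a `hit_count` mismatch in the system test; an `output` exposing `keys(aws_s3_object.objects)` would make the uploaded set visible in the test log.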
--- a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf +++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf @@ -20,8 +20,3 @@ variable "ENVIRONMENT" { variable "REPO" { default = "unknown-repo-name" } - -variable "bucket_name" { - default = "elastic-package-security-lake-logs-bucket" -} - diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml similarity index 85% rename from packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml rename to packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml index 87849c333032..69105dae260d 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-default-config.yml +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml @@ -7,6 +7,6 @@ data_stream: access_key_id: '{{AWS_ACCESS_KEY_ID}}' secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' session_token: '{{AWS_SESSION_TOKEN}}' - bucket_arn: '{{TF_OUTPUT_bucket_arn}}' + bucket_arn: '{{TF_OUTPUT_bucket_arn_discovery}}' assert: hit_count: 1 From 19ffbf7897fde115f81388e653008bfa506cd737 Mon Sep 17 00:00:00 2001 From: Shourie Ganguly Date: Fri, 9 Aug 2024 21:57:12 +0530 Subject: [PATCH 24/30] updated docs and changelog --- packages/amazon_security_lake/_dev/build/docs/README.md | 4 +++- packages/amazon_security_lake/changelog.yml | 4 ++-- packages/amazon_security_lake/docs/README.md | 4 +++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/packages/amazon_security_lake/_dev/build/docs/README.md b/packages/amazon_security_lake/_dev/build/docs/README.md index f8795d620680..8bfb8b4c899e 100644 --- a/packages/amazon_security_lake/_dev/build/docs/README.md +++ b/packages/amazon_security_lake/_dev/build/docs/README.md 
@@ -9,7 +9,7 @@ The Amazon Security Lake integration currently supports only one mode of log col ## Compatibility -This module follows the latest OCSF Schema Version **v1.0.0**. +This module follows the OCSF Schema Version **v1.1.0**. ## Data streams @@ -18,6 +18,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable in a YAML format. This will evolve on a need-by-need basis going forward. + ## Requirements - Elastic Agent must be installed. diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml index c5c3c26775e8..2781237b9f68 100644 --- a/packages/amazon_security_lake/changelog.yml +++ b/packages/amazon_security_lake/changelog.yml @@ -1,9 +1,9 @@ # newer versions go on top - version: "2.0.0" changes: - - description: Updated to support OCSF v1.1.0. + - description: Updated to support OCSF v1.1.0. with major pipeline rework and dynamic template support. type: enhancement - link: https://github.com/elastic/integrations/pull/1111 + link: https://github.com/elastic/integrations/pull/10405 - version: "1.3.0" changes: - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. 
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index 89dd06a95afb..6ea353f0073a 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md @@ -9,7 +9,7 @@ The Amazon Security Lake integration currently supports only one mode of log col ## Compatibility -This module follows the latest OCSF Schema Version **v1.0.0**. +This module follows the OCSF Schema Version **v1.1.0**. ## Data streams @@ -18,6 +18,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable in a YAML format. This will evolve on a need-by-need basis going forward. + ## Requirements - Elastic Agent must be installed. From dd90df2d7ab685aead26fb4e87985644d7422fa7 Mon Sep 17 00:00:00 2001 
From: Shourie Ganguly Date: Wed, 14 Aug 2024 00:38:39 +0530 Subject: [PATCH 25/30] fixed timestamp issues across all data streams, added all system tests and updated missing mappings accorgingly --- .../fields/actor-fields.yml | 30 + .../fields/device-fields.yml | 3 + .../application_activity/fields/fields.yml | 1 + .../application_activity/manifest.yml | 6 + .../discovery/fields/actor-fields.yml | 30 + .../discovery/fields/device-fields.yml | 3 + .../data_stream/discovery/fields/fields.yml | 1 + .../tf/files/application_lifecycle.parquet | Bin 0 -> 28930 bytes .../findings_compliance_findings.parquet | Bin 0 -> 22402 bytes .../files/findings_detection_findings.parquet | Bin 199487 -> 0 bytes .../tf/files/iam_account_change.parquet | Bin 0 -> 22173 bytes .../tf/files/network_email_activity.parquet | Bin 0 -> 22696 bytes .../files/system_file_system_activity.parquet | Bin 0 -> 68986 bytes .../data_stream/event/_dev/deploy/tf/main.tf | 33 +- ...est-application-activity.log-expected.json | 136 ++--- .../pipeline/test-discovery.log-expected.json | 100 ++-- .../pipeline/test-findings.log-expected.json | 18 +- .../test/pipeline/test-iam.log-expected.json | 24 +- .../test/pipeline/test-network-activity.log | 1 + .../test-network-activity.log-expected.json | 217 +++++++- .../test-application-activity-config.yml | 13 + .../test/system/test-discovery-config.yml | 3 +- .../_dev/test/system/test-findings-config.yml | 13 + .../_dev/test/system/test-iam-config.yml | 13 + .../system/test-network-activity-config.yml | 13 + .../system/test-system-activity-config.yml | 13 + .../elasticsearch/ingest_pipeline/default.yml | 43 ++ .../data_stream/event/fields/actor-fields.yml | 30 + .../event/fields/device-fields.yml | 3 + .../data_stream/event/fields/fields.yml | 1 + .../data_stream/event/sample_event.json | 523 ++++-------------- .../findings/fields/actor-fields.yml | 30 + .../data_stream/findings/fields/fields.yml | 1 + .../data_stream/iam/fields/actor-fields.yml | 30 + 
.../data_stream/iam/fields/device-fields.yml | 3 + .../data_stream/iam/fields/fields.yml | 1 + .../data_stream/iam/manifest.yml | 6 + .../network_activity/fields/actor-fields.yml | 30 + .../network_activity/fields/device-fields.yml | 3 + .../network_activity/fields/fields.yml | 1 + .../data_stream/network_activity/manifest.yml | 6 + .../system_activity/fields/actor-fields.yml | 30 + .../system_activity/fields/device-fields.yml | 3 + .../system_activity/fields/fields.yml | 1 + .../data_stream/system_activity/manifest.yml | 6 + packages/amazon_security_lake/docs/README.md | 11 + 46 files changed, 856 insertions(+), 577 deletions(-) create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_compliance_findings.parquet delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_detection_findings.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/iam_account_change.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/network_email_activity.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml create mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml 
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml index 316b1f41901a..258ecf0528f0 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml @@ -196,6 +196,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -285,6 +288,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -383,6 +389,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -457,6 +466,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
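Review bot: `ldap_person` is mapped as `flattened` in all four hunks here, again in the `@@ -782`, `@@ -870`, `@@ -967` and `@@ -1040` hunks of this file, and in the identical discovery/fields/actor-fields.yml hunks later in the patch, but the description `The LDAP attributes of the user.` does not tell an integration user what that implies: every leaf under it is indexed as a keyword, so any time-valued or numeric attribute cannot be range-queried, and the sub-keys do not appear in the field list. Suggest stating it once per occurrence, e.g. `description: The LDAP attributes of the user, stored as a flattened object; all sub-fields are indexed as keywords only.` The choice itself looks reasonable, since in OCSF this object nests a further user object for the manager and a full mapping would recurse.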
@@ -782,6 +794,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -870,6 +885,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -967,6 +985,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1040,6 +1061,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1270,6 +1294,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. 
@@ -1397,6 +1424,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml index 5394314a13de..1fbf81b593e4 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml @@ -34,6 +34,9 @@ - name: desc type: keyword description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: name type: keyword description: The group name. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 9667aa67a566..1fcab231a18d 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml @@ -257,6 +257,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword diff --git a/packages/amazon_security_lake/data_stream/application_activity/manifest.yml b/packages/amazon_security_lake/data_stream/application_activity/manifest.yml index 74966e6d2d35..6f544e408a1c 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/manifest.yml 
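Review bot: `ignore_malformed: true` is added to the `flattened` field `data` under the enrichments object, and I am not certain the target Elasticsearch version honours that parameter on `flattened` (it is documented for numeric, date, geo and similar leaf types): if it is silently ignored, a scalar `data` value still rejects the whole document, and if the component template rejects the parameter the package fails to install. Worth confirming against the lowest Elasticsearch version the package's kibana constraint allows, and adding a comment above the line naming the shape it is meant to absorb, e.g. `# enrichment data may arrive as a scalar rather than an object`. The same addition appears in the discovery fields.yml hunk `@@ -126,6 +126,7 @@` later in this patch.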
+++ b/packages/amazon_security_lake/data_stream/application_activity/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Application Activity Events dataset: amazon_security_lake.application_activity type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml index 316b1f41901a..258ecf0528f0 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml @@ -196,6 +196,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -285,6 +288,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -383,6 +389,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
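Review bot: `index_template.mappings.dynamic: true` lets every unmapped key in an event create a field, and OCSF events are deep and heterogeneous, so this data stream is exposed to field-count growth toward the default `index.mapping.total_fields.limit` of 1000 and to first-writer-wins type conflicts between documents; the changelog mentions dynamic template support, so if templates already route unknown objects to `flattened` this concerns only what is left over. Consider an explicit limit next to it, `index_template:` / `settings:` / `index.mapping.total_fields.limit: <value sized for the schema>`. `dynamic_dataset: true` and `dynamic_namespace: true` also widen, as far as I recall Fleet's handling, the agent API key's write privileges from this one data stream to any logs dataset and namespace, which is a least-privilege trade-off the README should state. The diffstat lists the same manifest addition for the iam, network_activity and system_activity data streams, to which this applies equally.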
@@ -457,6 +466,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -782,6 +794,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -870,6 +885,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -967,6 +985,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1040,6 +1061,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
@@ -1270,6 +1294,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. @@ -1397,6 +1424,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml index 5394314a13de..1fbf81b593e4 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml @@ -34,6 +34,9 @@ - name: desc type: keyword description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: name type: keyword description: The group name. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml index 8abeadd1c54f..62327894c949 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml @@ -126,6 +126,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
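Review bot: `ignore_malformed: true` on the flattened field `data` keeps the document while silently discarding a value that cannot be mapped (the field name only appears in the `_ignored` meta-field), so an enrichment payload that fails to parse disappears from the record without any pipeline error; for a security data stream that is worth stating on the field, e.g. `# ignore_malformed: keep the event when the enrichment blob cannot be mapped; the dropped field is listed in _ignored`. Please also confirm the target Elasticsearch version accepts `ignore_malformed` on the `flattened` type — as far as I recall the parameter is documented for numeric, date, ip and geo types, and an unsupported mapping parameter is rejected when the template is installed. The enclosing fields list starts outside the hunk.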
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet new file mode 100644 index 0000000000000000000000000000000000000000..a9e689098ce3efe7bb063eb8ce794f5a336614dc GIT binary patch literal 28930 zcmb_F4UiO9S~JTAHi1NvqdPr0%#FEAA9W-!JG%?B)EVvFWoJWRvuu{#W%UkwdU|(f znVs3p%Uekvk(sj4@&=;)xM4o)Hl-Mx=5vVvH#&m7@H< z@Ad0`J>5M$gmf*tJ@0+*`+MK}-h1Es-q5G@H%pDuSER43ml~wVU6IJ0kw_$0E>D}~ z_|{xutQ^l5i&IhrfEphFkj2t`Y5vmTJ3SzZw+Jvr8l*+Bw#fX&F=fG|SuX2irWBDI zuHqjsy2x={fGvLtgZ7Xa$VrVRs7dU#u4RVe($&By$5MXyXlGhky!6n@ksvcZ9c zRzPyGw3w5;zB7MfPc#zo&}-r~iv7kYHd>N5R&tX}>?h8MN9I>5QrG~zgN1K^S=-%rJ7eHSFCDZ(cGH!=x(79DBhw#krouEx7ci?T zhg9(K@Q7oA9>spcj}4MFia@O@fiuq!-{<%u!vKoiawEwT{_obx12~e1|}}bihr1 z5iB_>dciQa1Wi+)6>(6=3TXxJ^Unb{`P|reB~#oM&rHL@y*x#W695xe?w|7kQv3>i zrMn}CbI+&_;@Mv2bW}baRo7wH`r!#c?%$oMmNr*+rkY#o=+3ZK*2Euz+gIS*9f5=T z^RuE3PNYF1E5@hvQmz~?6ic)Ec8|ll%L}9Ulp#0vmX7l?zhsWl3LDmBr=swq z_MkENH1|j8ZwjlEZH73qSLw+*Od+h5HL^o+`-*v6c{)=tE5YMB1ZlmbK^;{anqoc+ z%RYTN3#$ghj8{r#A?x+yk}sIzU+gR40xCUeOo878i_{ZL%tIMO}fWRn-y*u98-9f_DQdvoN=P(u5sy zacd6#Vu#aTXIiprOwYCm!tgsTRTn^&Qiw|Z6S zvj=P&O{Ijfm}+iL)iD;sTCo8U1{I?5z%_gr-g>D+S1ghiapP(rb=54u2J{yG} zbqXbM;{!HRQi`iy0kja*%j=n9iJTQI+>6C5gkN=U>`DoOR03-Ny)bh-9OsK;j@BiV3fZZDQ{V>#f$*#aMFkdHK|6R3uI5Z6f^)bWt?5Ld_Nft_R` z2}}9*2b0YMiB)Ub+SepoRzPrZRWdQ+@hzXP0j$)j3=n(qWHFl?g_tmjy(P;QIM<@` zwWvCRlGnl+LJ%aaTCHV@l}d3E2JUn=jsftznZ;8N02KYF5mxmtVG3)+>N96 znrS!eY9VX`72P#6i{eWQ~8|1 z){^UUuo&5HZ=hhz&d*R-1T@V!t7rqrzK_yk0Kb5jjVP-i9d~g^0|}$b7^OkCzc%qcrh1gmV~K zWb4M;pS*?BHf3XR%BVl9R+6Gh?Gfx@PVxm){EHdeyi0Fm`m;x?xR$&ztZqf(jv98a zKH&>2RT}ZPo0Hq^acMK-1T4fxK&WbRFt-_bI8~i7<1-N9)-$mEj#qRDdH|^CV($(B zgfN^x1{a4Z76x#ik&AOf0FoNmfj^&ETgzy3Qd~}$?U_236Jf2`tR4mxByr$kA`D@@ zWI+{Gwr@}qkrno6~;uEWB@TCuJUgQ_K6 zpp}Iot(P>YLs&%IhP=Sz>6#{9qu6fXiPk;|8x{UsH(6sEZQrO6A;f& z8#x^$E9b@_4C|3d_J>mf%Kc;!k0Zq}@{MA4TMM7XJskVa<$|>+3;FupyX53Zon=7a 
z(qNgij4$pNgVYcs#=ty853;#3#Opn5Ev|-8JS8sWDYvt{*ezK&dCReL`n6gngWwey4Bm9_5Bw7>oh950p z|7f69=~ZZ{azi1<`iR8tY>4@!Tlk0 zdD4P~20XJDh}l`dHZlJM*;qh^tbkR_U5&YtR|TNDQbA*E$_USGwVAdPH9=~JNU zn<5$W&yf_G5wl_0h8DA7U;|?M=0>go{9OT z&j?MJnnJQrxSB%11hoDMBrsfkvqFT1EK4J1C3pxGK?xDDz>El?aUfO_KkU@s5J=qkH z)pI-;tLuDFKw9hME#^Pj+NXxLmi!ORz(Re`!vyNJZ7J;7$Fij`FoB+ZmIIEGAJYic zfd?wk+d*d}Lh}%5LgM~hnh-F7p3le#inGJW4v3u#_*n28{Dl=FxBItd6U6@P!x3NM~+m8HA%CnP;dAD*R zHooTqZ2VQI_VwS^HYUJ-TeTLFrE;${gL!AMrSh(MQm^%Txl!u3UUx6B0Z!j)1H8FV zf-b+mL_#`wmYT0oX$l^r?QIo zKJ2u7f4#KEDt@(B>abqV^+|hp!-E6T&soK12BrPHc*ltJ0)PMHYtk$HeNRR@#NW@E z4qHdYZThcFIP~`wY^^*$RG`SLSShr5dhg(l~|6SYn0=ywIE z-OoEjE*y?JmayY!)Y1Ao#~i5rzaN!KRu`Q9o>RX2#i*rgsUh}BZ_gsVR4UGHfn-Z_ zQkRxNR^j~-`?B=?k@a|#OJ&x@WnR<>V05!M(iTyy8+_7z43x5iI3VJqz_D0h-CY%n z;IgRr5u>r^J;w%NqfNX0@|&ZSu4PD2!HJehh{B^sMPHN{otvG2MRf-7zZ-vTQoDbRrH z!ii}tq5wYHq~5WUI7DD4SAv(~Fc4D|EW78K0?ZuT2k~N4=RBN`D1KxQgPAoJj(mAb zG++1mt5pM9XB$(g35Vm&40mYG&r58Dqf{afq6NFX19E5|QHV{fSU)c!^$Fp2OJA8!M1*~U#F2=6iqO9X=t1~rZu6qIPdRtc z_j8=SRek1G(17>5ALO?P)!{!T4V+)(LFN65hBp_gyB6N?mo&)l10hAe1cXWv_0W%b z2)Vy$;nh3TU3b*{t_6A5kFf8~os3HBBI@b8JP2_xP!F+9SQJLo70bg7ozerO3;AOI$kMFh-@*BeL^a++ebWK)| z$v5~V1M&}u_1%9Ol?pI`KJQDYN`?FHQ4hx~6^6yq+3`Ra6xj0H#K%X#2dePndwm(< zOCP~oJbADB%8$d4@dV|4;`Bh~W76yMe?~**&`;PSosUSqkg~`8nYjAhIE;Cixao1; zQa)usVc&abkGo!_o;&$P4+Yoa%qDZ?KK14MZp5`5CNi%vGMDbR$#4VVOFnz4XOr4{ zzxwuhd|DugI?g z{heSMPd;cfz&p*gN+r5%te;x0{_rc@P(zM0EJF=}0&ToY+?+ba4E5E7hnuRUG4aE$ zcAr|QUR!ZPm%HVi|Ap3c^)I5*L_~eA)kDm^*cN2JlvF=#=6){Z_{2KH3xNXJ4*)lc zeEu~i`bohAIAY2Hy8(T5wR&Xr4cvj2Under zfy5}xx;|Q??pec4CFDrQGL;Z0P}c=g*S^1G>iXoTJiPEt4KczJrapQ| zJ@ODttG;JK0Y^nZ>O&&+%4s&Ob~u#mT@qh~6D>@BeoIr2YMv{=@>B1l#U1~vsFaMT z?{(Rjy!T+8)eB4CyV$8d)%mGz>B`RmQAK_mh|WdS=hHQadc?Tctsd|8igA*}xbOoK zMAQo#YoHW2WrUNZ1)b|t zclLdX`=#>J|Bcct@&<1%|3 z*gI?zfZd)sGpJtM^eL}u%BM((6F~Bbi2B0M_>gq%--#@{Gr40#J+%2Vxiu-DCnjF} z+o*I9=E##}CESxy zkLx#en^4|!6;12f-(gTOqP{iia6q?a?BrQGe@|Zb z{c$%9kEc2^u6{h`XOsb>V*pLl8`fB 
zt4l(lK&oTFh$5c?MsPRu)^?i{pF3ZNwyPg)6Q_vRNQ$d((G;=g=iO~RE}YHXpUkO8 z=V0y*I9v`qbp~F~6R*$w6V2Txp0LUJ+_$>=4fWJFK<(}uSMmo;?dM7D`+q?Q4>^H7 z@(%10)YWgQPk-|!uR+PXKOhYQ&Ap)Ev%d&LdDf&DHzcwc`+?IG_1w-V?3?(BxAT_r zDFelPmq?ubXBrHbza>!c-dKVI8uiMPh@PLAJ8vnUGC=67AV~#p8-k`BY1C*AczwuwG{;?O6vQ+jFRwEdgm?W zQwI3oB}q>H3rTYQDFMI#bs#vXQg;BDbJFj;`RD!0JO7ua14iP#UlEig#BoUmHX*?I zmwI3?Xv#l9ARuo5WH|_g?vYPiq$y#?eu0oXGEB5^Nd|{&>i%y7B}y^iS9;_ZiQyyv zN{h1Bo_6rmxIY7DbLu-layTdlAuu@s7(YXd{}2em68y*kUxHPx503xTkADs5)s@h| zoL^Wz18{PgI5~TXIlp&)-IoK>)!WA7YI(iXk35r+m7fpE=$0f zu)6Co$Q_*BQ6upKh`vJ-9{vv&E!y+D9;#xDf$d-5=vh7fJ3uoaCnP9W1gKpnYDX^9 z4(7z~IqLMktpMlR>PyFN$a5X|KeV4i|4B-G^0*^T@I?bSF<0Ms0p#(dsCY9}K!)Q) z;Q~0yh0Kj{=+H>oMR%Q!8QPJ zwy(bM2OvSMv>5-aM*9kZd2ibG1b>!bij1;I>+gSbXbsC2P@Yv+ z;**$tRMWJL@DHCyG;LPv9Mjfe5&YG(4l0L_@LAIy#!pbh|H21s+BMq+e=1r+(|X2w zp>S;{d^WYsnzn9sEqpE`nm!`45k7Zq05aO7wn5XGN4SG!e2f3 zOKZhn#7a-s_LVDBoA5I>WX~o*WIbuB2Oc!dXz3p}3jL$mbiOh&*uFK3g^y4@$(zQ{ z^gK-Xw7x#j2QTB2Z-s)6xoo;Sksa*tVf+_J-vy| z!~M-hbNkkj;r?-bh~U?zK=q&qK#fYKr<3rd2j*6;Z0BXXXVznZksM5p46mEY_T-6= zN0Hy{B#JG6m$4DmM5xpFCr$Mv6(|;zHi7uJBK=_gJ2qiGvDULLKa$MPWPr^Hq_@pY zuVbSvzcz~Xvt%^0#$+l=%e>1S=W zhNjvvzB$=DlO1YHXz7Ur*e6Nt*h7-_5AxSd@;m*J9su~|8&RI%{^%rmNxpP@^Ki0l zJTtUOn-1ak@hbURLg42d`KC7yHCytLerAkGgAMg`Z#mO4Nd1-W8?LF}POP6rQ9(Z~ z{ZrY=e8L=Tw{brf(*99uU&QtknRNFYj3KLSN1}Z+VEptBH2aJn(*NdUcVc8HJ7W~` zquHT6$)G(l2k%3*G8--e~|7S&!z_pnU-~J zydQz)#&+-*zW$)6E9oN-4JGgcv*6b(9yF~V`Q1hmRE?L;t%$#RymX=|rn@J=KPL6z ze&7dm(lY_{YWY{HhxtL%Ec$kTP7!^g!t5PjME{V-dgdSIMutc72HFFGgMNTNXOJLv zt#_8(7>+NPO#p5LKX=Wdf3rTrTNe#A(nky7pJ=Jce;@Hr{xmx|I6abX-_HA?w+}k0 zhJRa!^|Q!uM|ty5TLE5RJkKG$u<=fVp8Rh&^0$0#du{)lz^w+?*3Kx=J%4xs#Gx(3XVI_gBz%FAo| zGtIzyN4}1Ywc$H7tgn{O?3<|BUpm&a{u1OPe>QHwy5e!HpCf*4d+pN4u$ySrVd8pZ zEv^H)XgocRpgq+8)QI|XJ?dxWSZ)5hNIp_hx_M?KouAZ)2Dc7_Ps|Jrj*bvcFr~gi zO?f)7p7~So$N7Rj1oJ?5dqTH-b$>|vUTTk~*ip_Tv!h1Ox*71vur6UUb2g;?2(?F3 zXYDhS-IWnk2dosA!_Z*+aU& zHT|7d#QN&-P2(%woQJjdR#-!ilh8d~z)w5ble4}`Y(m|vMJsxABNTVGqHmd?{RMv3 
zQuw)xeMYpixXf%v^XsPhq=**S4iyN3{eizn@E1+mY`-(r2c6K4^lQwI8>pWA2d*)O zlilU4))gXu7s*fit)AZI&692UY_~P9cMiZ(xCXrrswew4CI`VMV4rntSn2h@X-8jL z3hUYYpPw6U>A*Q-2KuiI^M7r6X{x9F71(Y9>|}EDP;Y*?1?MSv9tml`j_PsGskz!) zYg(;0r2Ph}r(S~gxG$UDoE&u4bJ_$VIR^XOC_Ytb26*l+_EkY<0L;K%n4fW0Ltgf zUvD3nvWGt!|FplM^`JHYLo;-JG541w1P z9!2k{p8sh-^LR-6Nor61Rm`;XCLI6PwW+pzU2C!4S>JTEhQJpI9!aJ1XrKnT!y5B} zwgKzOG}8SunW63}+@JTun69P2UaV*9A!q-ZhHyYF`|qauYX6=_;~Pm2!X6*D@ttFU zgw6ltw6Rv}Bqs=i4#pLJe_lL3ZB`yEmE+cbBoJ?H S$N!8V@{N{Aq!0f0!~X~7dRH#aZKXRXuH|@ys^ig zkC_?UvD-yan$k3NDWzLVDWx<`DW#OAG>y^-A%r4?5M3dj?f;$Ie``&^g|ChGsN#uXY&AJuf1-A9y1v~7UR8fiVn#B8fAfO5V~zKzqc z8UROjM0SK-M69M}m3=rE-qKbyYN>3hmRdV+RI2$hNDL%jQ)=1{WV~)BAk<`yBism} zGNn)^HCHvVp>(-~f`cJ;-EXWLpw>4y$cb6x%vQ?TxlFCKlrqJ0R#MJNS~pTv55oiK z&5OoO%SuIblR6o231Mx{0IRGRDdBx2;Y$HLj@ z_HeW_n#x2X;c&RirMP=nGD}_2D2Iyuxmz`t&yw}M+@iePq7_inD}ujLD!?Z0lkek_ z`8HZ_xl~K#OVv=ZT&;!XQw5h8zU>;Kx|=mzEq zA4va1g1>#>bkOPITF(^9bJ<%gE{sYWe1WxWpi60m=PBR{*(~Hsb4T0h{RphpN)>%} zp`6MdNv8^_QpTuYL&>Nulq)kwVC5ZM+yo6(BQsaY*A|bU3@T+54*30T==Ydo-&8+B zT}?#6+!pw^>T7)8)Us;T$v3~`F5c3A8z9Q%3r4lIkgwLjbt;>b6RY4)JJo`s@rMr5 zsB=TPd@VFtF&0Bcs!}q*j9`ev4b=@$H`X-(q1HBJdBwIudD7CG-38Un_W%eabj#h` z-0lVhxk_rXg7U70Dh7DBd}$IMs=0Wq_4Tr0ZyM6dskNkk#=kr;kLW}K0i*lkx z`!Ncvm;8mN=V*aezC?D=`tr?|M zsdmKAnKlEvQsf|zJLEgKw$}hP`;BaVuIN(j8rH6wpANFswyFVf2lyDW#U*7)3!{=; zbKJJoQ!dUHz?w2fs4rj2f_3c*^%Tlg58Lt`ss??#oMhfoTbwm4KVUZ}UkD9>13$Lt zaTQ{NmrHhSyhjyJIIczJ(c`*Qrk0;aA8qcPRuJi)8WTY5;GCqCzs2UcN#Q+e8-H?= z(nd1kW@pjCM_cn^0)o{>!K^B)+@NqPGxh2YD%*IEDxMfE{1~wz1H0g4xw2^K>`_U1 zRMI-py2K>=bf*~p56=+ra*KiYsBQcS$5|S=B~wUMt77?Ca^SxB&5I^i>{xiJC7Y9m^<$=kS2Anpjb&D}-WZSFCuM;oJ-YwT7g zHW4DdAt`T2+5oD{W3D$mrwY@E0A4Qo+IWvDo^YHcxsAAQER{>fk#a6qHEQIWEJeDf z#{?idNFb-~B;f6zR#UUeJ{TojDjUS|7J{*kX3lAVZHK&rtLk=ugL`~A1e<-0;)_tt za39TY_ZXylH9F|p!ooZZ;H*I6ElGJx(gsmuUI2Wc0@?S=_j9uE1T-^7sTQhErDiZN zg3Ljvn5xWRumVHvA>Exm1698cFBaBRj7fgz{ZLXql(Z3Kzz;+N*g##U+{qbH09mR6 zu^om#aCDo2&=hnz=W)VNyvM0N?Ot58qOp>dzAq{7OWH8<;4|MJE^rW&W1IsO5MfHd 
zfb)GJGgnB}%9T)N3c@#!P*wFCsrvRf`M5PBw)3^(v;m2Tk0kih4k16jkQ(6to@~w( z&qTxEon5xnimfWW`_g4k4V9Dl|hJL zY*iF(E|tj_VBZeSmkV=695bIPl~Pkc+IQveZX>!Wd8YWlQ2ihPaCGmhTJXKKMOr1Y zYXdeZ-vWuQQZ`k|TBom8C3C^cWsLu%K+uUUfy5<6U+{P1QWsy7Y6DZy4t zf+rhE5TselXH0oospe~|lxwTB7swCZG-cleZ=l7x!}cNF%-T9_Y7J{w&ChQ@Dq^)f zAt_Ht=JC893(!}Wki!i%R0G30l+Vmy2wi9V8|wzB^$kwaZA)URfkJNq3!N(EAD%NT zWwN-G-5WGV3Y^ph?S~@a_)Zu7tEpLKA2&&>5b?64EKBCaixWPO^?>{UU&MC-LfDT= z5ZB}St=1s?tA^%{LODaJ6c}xfl<)E%t2XEZB-S#DIi%i}g7n%VEFDYC*Cgedq>ZBk zY5=n_KA`&>xyJJ&7BdvI<2Ak7bMI!kNJreho5kaiSo7Vi=`5CRYX*BIst{IGe|^#n z_)19t?bu>zBne-zGMv`t8Tr`4J0In&rSy?2i^Y)G<1*jSs?KyW^@ z4wXM33ZEcpZMBj)GFO3{4+xX&M&pJ7Sa!?1`3n6Gz>LEE+V(IQ$<9OJox3{YyE;2} zL?ZFdXh+gT)OQ*TRvUFTAbwM^oXzL*Mwas6N3txB@r9&(A!$imr;Xq?LAr8oJFkaZ z80?Q2Iva3%TP|Oz){aySqjcT;Hb)Em!m*5NcOB4CSqLq_ol}0^a33ev**aDG7bpGe zDn=1<=5#1*%^KAVnb}j4@|2|QLIv5U*1-XSY>ScSdR=zqnenwPMs*!ez`IX19H^Bn zUP%HOS;Uu{6xMEE%GhEZvG7RhdDe4J^!5S4Z?^>Ns!Qs>%Yh)A%V{95>42gWQ7j@l zMY%=Ls<*JsWn~dTv!cS*QD2!5bd@I92Kz$s?O4%uc#t{t<~RO=TlXb&(Bl@`PI(6J zo`b6EiqdN0`Ee$NJgMBMC>%oK66VK%VljaHCf zgW0u$=9ekZ%^&UE{N4h(`J=rXPptTY zZvJTN_Q>4_y^{B~DI%8+5Yr4cI1|AvOOwOWGn46}!z<|=^vpWjp!p?wgT9$w+hm^% zYtS#nYMbht%nbTxGi}o;?HFVUOIx#VP7p})PUqPsi}V@DooCnV-KHu~(frZY?Vp1J zBlb-y*#O|WYnp*!>#pfA8(2z)fTUOkMi|RYpX!4*f2_ArX&%?XJMeS8ptSy63~sdU z6l;USj-#+R%tNby(%?uIY;-2G!REW9=YC0Ev)Mtz^qS3v*>DO=^ENsj!2?Mm+7~Q0 zif)7cQ6@#_&4ED3*Z>Ih+PJWXaY08MXB#9uH?ZpE#QB`1iZ$5r;r@Ul7zH^rVaqe#U zc|Lggd-9X~`Gb2cAa87u2hEw6?z4tm+%Cv_w_QAb91)L~JH+E>UE=XfOwe&pBj)MnZ;NzC{F=F|r^0R#6$Hye=%L^wY0sYlSB{BCs$O4l&$SuLIdI#3SrDJ*FNHsHM6jSnj z0eSuR1ETo)`+*rC`fEG^`szz}loYxX?=EOoW2RBR}>AnX=3U< z{p^j7f;oGKv&zigW2?ZjH;Ymyd!toY#9L9q_NpF8UqFi}u3<89*02bWv>qv0e0W0|7@)wWju2 zP8$T|*5ze$&7$ z9(-q-w(nXlP6DiSH(xAGCWyQ(7q@GCE2iOmSSCy4c{-+eo*=W&aOIusogQf#ODy(; z2wS4yZ7?yyA<*KmWh|IFZR%B8f}4Y1MYNZs&Ai}PxHZbIu-}yQX>Cn^Q=*)CS(5Ki zE}R0#8PHx@WdXET0H>VqMZ6ON!}IE9$&p#l$= z3e5TD>itan3xo*=)@AYa?G0?2i__p=+dOW*p2f4rc)3RJ1eHK6KcDWILZ zLy+axlYKiRb+I2Dymq_x#ceD8$$|0<62o(UA<5~0c1;!dECGuR)>Xm(#huz!xlswf 
z@(Dpd{4fuP2t{QHe9 z+7nwm3c!`i07Owf`k5r(59-`%!LULooBS@_r(OL4$j>)@)*!P66n{<>Kl9g2e#<*7 zuWb*_2p`skUfixdwjG=|Ket&=F^@KYzx7Ffz<#$~JJSxZdFIY~ zig~mF?9&AM0|xtI)Do04Xe0!zYUJaHb}r&m7Oh+$a8LgYk$Se%BGrmC1+AAmv{yQS zR-Pxco?;$tKyoj)G(5OM?FkfS(I!=YQ9tzdo22EL_>8UDyRI@XV(56!T~U79M{E zP37X>5({rXXtCf^8+_tH?UxV0p609$R-Pv?UjP``DqJp4b|H!?*T4V`Ptt|@=`!s?yJXDUlV)0S9>LK168rg zCxqv*XC!$(pgpt4!ecwV@KXz^`6H@XJvE@6@4vySRpt19A#W%CUXmXPXz%Rx#A%O0 zu^#o*UhVQARDWT1ke9M5PXi!DIsU99?+9og4+%gkECqdizjk3C2+ccrtor7g!EVnI z3ugf{sOS7au{4@gcU~FRE)2u^;2CJ^Ddy1zc-|roU;GDJAD15zc>F3hmmktT903H7 z4WO6xG#Ti7X#xAj%l1zGMEmf^o5ycD!+-M$evsWolHG}af(%_tK>Ip(1N;dU zvjV(la@wZ`1W5HIc*=Vu$_0gyDsMCkr|Ar#1{$ z`cJ@z+YasdlL&vs+x#a4|09C0JUgJYXl?Lu2i~fw>-CY517o|`ZHfA;P&>YsCim;Q zeh~iQYp<>^=slDAAU46Lu6I*Ae1-42z6ZZS6aR!ShoL2r=~>YAvR>8o{)78;y=Ml- z>RBBC^d7{q`|*23&me{Ym{jhD@%!-m@IpV#*Slfpv_7HhLz8{<9mY=~SwrxkcZczP z7~hE0o;~s5_V!-xj~Y?t^y)r{K+PBSFJOQ7Omci^nze#V_3p*wSfr5bFHB|o3-js8?mb8!10v?b z1Z)AB>fISoBZv;Z@0kR3^$@=X0%WX^{zegBXCeahqY^<2{B>B+rw>s7L)eon78XH< zxlDAlkS@f-DWGXQIs&@s2_roue?-h)eHOf)8SE$2{gHX#qnH{Sof+>KnN5$4=8^+U z()Tx!Pn6_C{4HgQL%HnuU{&u&v!T5Z8`|xnuNB=z; z>}OOVC?+(tS$$xnE7L!kON|}W(=^{-pX1oSfTHY<;P{y)<0ol6=|60YcNY+|zHb`& z^ViQ_>L&uz#lBjS5l#A?80(r!4-`O8Or0^pPy7r0CiX0#m`GGTi0{B5#FyC$`XV4g zpS?p#k^@Z*Wl7W^>;imn5k0KTD504Iav$7#I3{0?EiO@5P2 z#%E|e$!~4~Y!eabI;y@qoE#e}r;CN7*)bGlPbcE<$8N!&zCTajNtDET1>tQy)P?fE zE@58>Bg6!;!WwCO7{|9Sbu`r10qUn&*)i}#J&DeSsd!zLbo){YfJr6DE zeM^nu^-@3hVDQi2$1+j$CpK`*e}JDHnVN{!mh{2t#_;w~zs1kKCiwSKKe-CqNkqS1IQ(|>dp{LVD`p^@PV z$Qvm!mp(isn1dpFVVfq=N9*Sxj*m9M-$(tV3ZodGW8iuYZv}ttl$UOoS1IMc2 zNz>-%5nqG-xPtu)WDg6OVmylWlp*!$glZysbUq7y9k>cN#-EtMeo}RR-!#~Ll*JF= zpUEHTGpKJ*``UA8r-yyfRt9it$?@6wba6D7jwXw+FNb0M!}tdKMKAU5MWq1!Q<;vT z9N#zc!$72GJd`LSeWWRzXzquk#Qq_ONk&WQj=`?+j?vj9^(S;+etHry4}NI9aC*ou z0-QL}Ls-RnvDO-(>-lPwm)Ko7{IXFuZex6kev_V*wb6F=7p?Ei?r(f*J9 zw0=PU(d78xY<7Uc9a#TBA9(`%`ddIYY5k@#j89;E$ed6aS?j0$o8niJ$1v(EmT3on z<4?c7AN%RNFn~U{Z!X&xr-}{vnF9H1vWNXN|DfJ|5Ld+k 
zU5}Z&$0S=N&<-zdzuk8GjU#*#Hx4m_qyeBmnw(Adk21|AreP`7$G73b7=IBF2M~S_ z=?jp938X|wqj($Wn*~cEF zZ)+IG``bs)4E7VK0rU}xiN@m-d$6Cy+sQ(vG&GxzcIx!KKUsja9?29B>j_vhjreOP z{xTqwZd?~jsj>K+o`5r7BYW(jesaZP4VvpE1AAR^V01bQ=T`vIfZy&3?60SvUQsW*Z8iQuA8#s3_FrkwrQ9qH#^gn=SC~^;aw23?xvA=%5 z2O|Q#5$MDMGg-h(-!zcLKkM9k z;>OwH#EBCTC(il73!Jv2Y!~3)2iM*8PWQ>fi52_Gzh7<3L9PpR>)`<^a?m@bCUdw*BL1hU#=crPYzS zJXJcGNl-o2e6KxTDi%}uh70%)+ke=efA8@t2CxEth63U)htuVCB!264rvtxrI#cQ2 zsvcMBw+@%br6!zChr{8m)bfp)ONKEVRLOjM>?-P&O;V~OBAe!DOMU0(9uzho9htNxNC=<>b!5` zl>Q7yKdLW&mD=q8a^7A(?KZt*%mtUtWg9(j-tGMurW1gr*kg~Yc?`Net!5K6^o`9O zYUAq9wvFLM>uvO<(yGwLxCf6lr0ui$Y_o58@c^G6C!uPko}{V~cXuXXPhHlNL*+d9 zH|?{h4)S78#24N6cqZ48S9>~pF>6O&RvC-W#%_6@&vCt;isF&#>GXPQ>lw0zY#-nC z;$wV3PeZ9aYGQ=iK~$Md<+Aq96ed=-gVvXQK}meN?4jswrcq_B#us+{yYsGF-r}P=5MM~0Vp%%1qamPA z9{6+z@4A1YM&O59wc+0_U)*vX=Yc~2(4ET{JJgO;p{={eUFpBK*Wa~)x8d^#&fi}_ zNezAG+J#$r|4~C@xvr$fKrXReV!PtHZ{`hRgZ67GSuG|y?dj6xm-pJUIdIVSe6CmR zD)zP|;`#R4deKB(w(-8XocC2GfYa+siW5Lhab|Rp?IPRkuWtJ{R-YfEKG|G;RH`GR zX6;z$GljI80Bi2GCvsg~MBgLzMPb&eUGq6j5C={`3IIdLf{;$-3z)>(9GKK(!+#6k zUiu;D52Nu_%;EP$-LbGU=!q%5Kr|Zj`Ml9!C>B5}=8t-!4khAs1|uGSEb0q*BOb5Q zt@tADNGzQPT4fqsSIN)&lW8sj)=M5@hchnR1BNcH(6eoTWr^6fc z2mCIN*X@gXgE4*3Z@qK!!@OAoP{9j_4gW)hGIktT@E~WvH0boJ0Nu9i=}$POMNLC> zv4&`S<@m)j`0BHw3iLbM?`$g{U$~t!t5Z-ExD#ls0P-o8AXC|~h7w=>4gT$ZdfIKg z_`&!nSSofxYy)UgXHGLenKJ%ZMh?_!`c)cqC*5d#A5a1ze>CiiC;^|_7xMevk%&i$DxRRr9SpdmF^AXf zcl$kluRG)mhg^{`s3@ZNy-|lV7WMdDPS6j?ED#O{qk&Ms;Rv|G_)3Yn!)_%S#{a!; zmmjbWmlAdc+`(wj6^VqL{-E3C^M1cnMEqsW{?{Jk6NX4FlrLpd8T83d@bBt*-^}H_ zidg->Wk+Olqq2Y_-tqFnuU2u&)p>_6pr(XHUiGW-+QpN`_`an}mvAW*Wof@kNe{mD z&MTb$^pgB>)hCps_gBn*0skV{1c)LU)RPNWe?3~Fr3AD|?JfX(Qp4wk=9J z<*%KC|7`nb+iRb0x|TCr8>-Zy#`Bp}m%UTXcc)8T_F_s+bXLgnjyE5;ny)BE(P^)^ zQ4Tm#j@qJ$u$GM9^C*{ev`u8E+Jln2GVwg^A6q%DnxR47|MZMmXt~zIhu%5`3w2%rY*|w^8i9!K54~M2RH|!K9832xgK52*?jNXyLn%(KG9ens8M?!opppy zL26Vn7gsxS_IxQ0K1dptVjj{l(Z+w_-=z1)&*wb!7x=C*W&ku7;@`dpzgf%YtQ~0l z{+K5cb%Z^Ukk=cDhW&1z*XIm|eGqMBq(zMWp_Na3%Db63eHg13W-+Q6fdVr@tfGj258k%R$(XnU@afVe 
z8DlpLg)0_zXnAt^_GF5b;BlxBimA)m#R@b;mL%@pHevQ|-dYlOFG#5!V5t{nvWZmo zaut=Nc{TUQ=WlY(Nb{=Do6M$2|3`%S>?2o9=c|@J%r2ix9Oi&O!G@U{U@2o!H!qs} zO_uc<^>P-%5G3pNo_sD@N~Cn2`TT>=9N`N*@yy1$84aYmUH#I1S8+Nx`!s`;h*-vK zI5?IsRzxg+%#Os011(1doux`RVvE=o&D(V|pZzUBhdl`ton>9%s2;m9k1M0`(j8CV z#^;MZ8t!;NRNp9ZKjU)4Y{P8Vui14E=W=JFbQoixEX~kX!VX#iVW*OIZCh;^T&%c1 z(aifh5AWl%Q?I4Roffxmfq<7WHzJ33|MAeLoSumuhO4j~sY8poQob#b%k`jdNY;Gt z{dsTjX-cvtX*#+x*_2(g9oc(wBurO&bk_XCzh_iuR5k7snYrS{7Pm%mOQ~-Jma@r0TOmpE6RCj5eXwFGr*~2T3p_SyOWK}$;)$y{k)92}ILTO@=tWJ6 z#-C*Sh%B^wg|>9Ih<%ArB8}ud_fC6{mq;TCGgC4H?pZ3@VZHj6=CrTx+qRpxSsyx| zk`$>-aVvq^p(CT;mi0S65Ct(euR&xOQdqESVY&%-)S3 zF65P@fx!Y@Z0}5gl!1@-(N|5o`>%`=X&c>VcjMzp{pi2P*UmY}=gUxh9}PJj3S_)c zBp7pgybM3U^>JEm2k&q86Qxrj)j+-7I zZz4L7nrQeRg1>cneU*N(6rzZ#S3m#eEqt;LJ$E(g6r zrbvvJfG1tQ{{_yX%li3jK9{QQKF+tDZ`-u<-7k3gXA$mH0dhv76J!YzfWCtEg?4B? zv7gK9d%1?%cN>`zH@U_6yd)DkgG>6JGx8N=6T zn$mwR6(LAvb!&M;){yHKyn2`m2LGZ}TB|mV-^RC||CrC4Usi#LVir$dcN1S|h+-1p z-I(~5KDhPcE3T-&UMOlplriFoG?OvNy7u<24SeTC#x?BkyEB@43`061)76C)4FXO< zAItey&oUuJ64&U5Dw3$ZWzpuzoVrNV9@UBE2;2~y45mJiC9N#99xc9M?`+t)3 zdOA}@Qb3Z~J!!urm(oqjdsoalgVBSRYJwjy6H~eKA5&*>!Xl=EO(j%DZBPpx4gNZcjKwljViu{e}+9-f{hDX zhGYsdIX?SO{F^iJtuegBpEuh3z(Q)T>>ln#&@j_A0Bm?CDIQlPuIA!gN_{tjR)? 
zG!xsLLn~);wm2GJhhZHFdZS*iKjsblU3dsZeXf||hDju>D4|Hi0n3_#te6s3VqRF& zVxDLq>T@`w?l3GTv7o~d4Jsk0;tcpbKoW_$yrH1tiz?wjEaVCLo&HcDhK0)Siuz(6 zZ_oql9IPgRsMi&Up?NfR3-`WuEuT~asDc-subbE`HEpyzoN@KXQ~AuGDMstV`Zt~o zvuQ}n1JutLG`p(X!OF5-x=Yo16<-rgKl#j+Uvln9G#yjB;V+}@VH#9!kbpV!-rMiw z6iWgo)guSJIwbc?Fcsm!lg)G+!tItf=0D0QQD0r+ZfH)c9!K#+z*)Px&`kJX*QU3* z97r=End(uYn$MG9ohuigQXvi+3i^BQdEso2Kq@qs{`EpBAMd}zk!&+xt^ z17poY;vs{-M;-Ido*aO-TGjoZ&vyVXu8UV3Slt@*S(JboYNZlo8z0Q-W=%G85?#I68ekjC#*X951nuxI%)tId>tBO3Nb=R; zH`hJMv1#&^n(eh0M;0&yS}RDb*)w~_ExZ-_&?i+TAq>45P??g9w#iq&He(zgAZ?qR zN?`4R{)E13om_rH5Uu?W~Sn3 zSCzt52mJbKwvQxROxgL$3tVz1*`mBcX!>mI8|}pe?R81mdFI9EOc)GFJ9&^IJfzSY zw6tJ}!X8VbvP#$Noc_{>TvpU;oOZ{hzDc;55tkO36)W#w!nrUlGM&B2e69m^&8Nt0 zM-wxZEu^}u+oszVKQf6E@0?#7t1o#C-nDJ*EZ(o=AdH+%DL-1wx8Lon1>v#BAQX^1yApVZ>}k!4uA2z|upaM;^vl z)SZajazj9Ta@Vc5-pdDr_++RHcF(Hrv(wgTTlmP7wS0JK)6-ds!=wqjPO%rBaar;` z$z|IiH$gSi(Uvb1+J){X&VT##>9e>fL!3X2Esebc9 zV-Ie(+a>DWl7qua3EoujS-9W=R|v-bO8-MA()_%d)(?@a!A;`IbWO4t{T`XgSy6P6jb#~%ti!roZe;fcAufk4RRiUnhVVAL0MdR!5| zD;)B{#O4Y(+z#Xff)T~x4+SH>m^bF|d6bwEig`T&KOyzFgZR|v2>HX{6#lRh4*4Cv zD6A!DFU`FxCal`T`2x*7=#LU3{+i4G0g`8BHs5yh9aDMt(tewM03t!=t-GFD$}wuY zlRO+r?72LQ1u(eApQchQw;z9rPeu|Zg2_v;n*ny37JGI-Y{DyOT8zr)Xfe19 zdpgZKoi@R_f+4EjIA-U^oK|&$_awX`!K*2AtJ=W>D_7S?;&u6?#Vr+Z)pAiXq+Gjy z`{%r+WJvjaDxdEi+LIfR%D2Tcm!rwVOCDUZfP?E5_sVL>fIGmr39aX|7hbuCj~uP% zDip}1VTFXBfq0LF9b8lG(p>Y2(7!$~=@u@QJ>fN$Q<^pRO?>V;KITLi=YtdEH60ou zv(#7-viE1c@D=9|gsh+@+eUPgCZo}*8n?x5Zyb1U9`C?k0v}`Hwij>ir>L6--5O)pI~SHKg9y1afRsQ5jK+ZDr3l@yoX zm+`xC4*&G-yQlC~Ri_)j+bym_ih{!-HKHTQNguBHz{EICa#9l8i(c%@z}Pd8lcBMo znM|9>_pkW!X)dp5J_?;VY*|+vAR4e4-&G7e!n*d z-0O}!ZesRq3mDUiiu+{CdK0G?Zxx6*;x{iZ+rTF%aYU%kASPrnx3P=vgj|$?!*fcL z&4~4XzfQQssh(dxVJ5GNPI8zHBFU+Nbh4J@2+4wlYj^VLZy*WC24VOA&x5S+2Ts=X}1{(`12Q+=U|>(8)ophXuB*=%>~m-1^>Q ze6r}R4S1ZQaIYp(Y(*hDu~LIlW3PR2k-Ll)|=4^Bo+86@+9pZNL93+plb^KVEp4ORmRJxBg|gJ(z%QK1)SW^WQnN zeO4dMPsSyRNw^rrQ1jP5y8Z?8aYUIUme85OWiL(nGn2{b$e_g{fX~TTx$?amZszjx 
z+4w#ZhSU{RyowVXCFqPs!Y;Ssfn*nRxEu~e@kS!9VAxFxMq=JOZrFb}-;C3qkE~pD z!jYO}xo;w%S&LUp;C1@scLookS^o93JsUYul7JV^VbrpvT&bWf_S(+%o$E}jiQ3M! zqFF}$Xxz3ua`<`9sdchV;E;o`oea2~OanrCiMKW_>SRMgYKf7VBGj0)M5yrSgUv(N zyR2AscpGnwQEVEH+JZVHkYer$#4uOBara_QbHp&aVRE*^pBQ=#+Vnxqkiz`h^&b*G?VsEqTq>mPicGrQA5#t_mtZ=1Yk44=AfGSJ;` z?=hK4P8rD3szzhG>W0l*>W^(Q;g@_sR2LICsm`mGy)~ZKc~`YM51is1s<~B@t*KW$w-N;yaJ;;KKTeQG+P@ zHZKqlzGv~0S9mLl2X~cE<+OEZeM@rm_UZS$#fOUIZLsyuT$Xm=bWCjd(ht`0c|*s< zF3)tw)%Ykt%U8Y%xp^FMhd5OON}L@xC1vZP zs}|qDc@QaEX<5fg4{9eXB#zw`?Zp!KA(W$)3aohVzAc<4^a?n=Zb=RA<8G!65d$@K z_o3UT)SX!#m)j?rngWpXYh_EC*UO)J@H1}b(zFLS7hA~Xp?f0VEwY(svRH<6`ES|i zPfYxco6j|-B(>w#>5tvYM}zoJuu#(Z&qpg>evnsTD1hi!>DIO5zFN$uuimW+4s{Fb zoRV@dwLkUPGdFK~g_FO5#FvnW!{KD797u66{prOfMq^SOXb0r6N>*e-Y&Gmf-RwiX z@$pyBJkELOq2WfCQ5_$Camnub^rIxDbKOeH%M6Itez;%Fe)?g)DrkPVYO*8MrjGnJ z=hR3Aee=EdF69i9RM3S^9E8Dfnp`$bu0xs2F=;z9J?%I$n}bFn-yRo=Y-}q}it4>@ zPnym-11YLUVwr?>77-C}LKi+oUGOae4Uw|`+66b8xN?%RJ`N^A!v!Y`I}FR33T~2S zp8tI5mKB_2M&p}cBoI=3F1J7C590`;)8TiA91wKje z91hTN#Av|fqdmLR?Sxz$fR!I-8a=L{6MkTRCE#_rogt^k?F$B#2pq_KE*HE2oPL~# zjpA#ZlMI9+;bi z$SqWlmvIXsmp7(7yMxa}B9}`*VbIF=AdCj+ENvV>v{Zo;+UsswxRSFwLQ6YgcoMXa z$`mkP3Yxi#R_()ESC|;Z?D)cJcA?M8u8PmjcyI%6%TS=e0d8l=5%D{qZI3uTSnnNS zCtOQ{P6w#Wy^9jna!u=MgMMaKW%aP;>*2!1t%&$uhdnfRg>C!>sxnU z$rmR#py*ctT5$M_XE~~$mthEqR8%v@jeUZztE8gJY2lmN3Zux${9BofyKG&yn-)B0 zq5}C1@ItAPOJuN#vln_)ZBy4BZ^wxs754vZ8%}SwOC=K>zC3-xyS&4R4k0}zdl3%_ zwyp9hi;fcLQKQ4gmU=>eWZAaWocstq1dFl`B8THW=nox@37?+~ZQDRoFH%{B}Uo5S|p z#LqwEyN=^grF)?_dq{GdsL#;<+nbulCLL3 zs~POlRGfhy36+|r&7_(hS@7f)^=Z$G;~OIFsR^b#Ad|-@H(d1|FOy6jSl;cL&KSO< zAo`9@RbMbx9T@)!7ZV0$jJ1c>wH4pou!avZt!q7a_Og>Jg5{Cz9D4`SG4|rrW+nw^pN_VXi6pr-i4~v$-E_^2b)0?b zqzAVT@u*qc4b@DI!M7o1LOSjbUs`Lz6-mcEyc0&@-=}ivbY45*Nn`TqXGdP*Yk%3O z(4A^emWVL^ihm2=fA$SN=09nuLx7^Zg}v#fC!Xi)(`X=xASeztqDssac6-7e_}WAq zJ|z%~fpbN{vtqGmFzWC)TyU202Cy?A=NiQk3BU;_2#)3n#a!@9hjUFdqJ$laJLHar 
z6~EgX^LWAmoO%!W6o=yVfaPH`jIFQJSZWNCcRLh`7KNH*CM1b5qTi2tp8@=quPSEkX^Cv(2z=lMzf?ig9(U#XSGdiJWCHqC24=%&^Pc2FG!0A`A#P~+zJ=uT+*_Nj;w9=` zulgjLa@^-+R!c2v|%$z9`?i@C*QE-22L6pd+hCw=P269uuOIYps5e9+yDAC zT-=~Ogzb^G+fb6IqcT`bJKM9p@C(bf!?#{2va!ttowOM9<+9nF?@g$#TM7W43Kv7sy<J90T4sD&fnlHopq)rChlHI_cU^*l! z$x5X|0{L}!KY2H2dL)n!2jv&iG}9Y(^dlPGz4fzc93Rmr1ogNI=NnjdK&b^p@xi)S znSXO%+q<1l3ca~01*e9pJ_T_X!cx_UO*FG!n)=jDoD^tg6*ArA1g#zN9g*r9k;~b8 z5XB7xQz`$;sUN*ozq`|MIb>`i$#x9Ho;L27eifgd#Gc@nm#||!vTHIj4UMJVmNr>8 ze|Fnq-Yc}p0x4$@H!O*5P#R~J$zNgw4%eeK+KN5;3zHarD=nA zz$l$mBIBoAdj+Q~J3hqLAslr%5u`KfK*|&KD;{SIzW2^R#OGDWob`P<7*N07bJxS~ z@D_~tZ(~g(Hac(iD^GB$)!1#f=8BI>HBJxv_dowWm$CJpce`;6smeAL4}xXXuuYP| z4?VkV8?QIX;3R3o+X0UMd6ftkygOT>c)vK;Zydw>=+OEDoa^d!@Ob1fo(d0cKy~1^lZ6W1PfpojH^FU`cMA1a0Pb{0iwSHfDRM}fj#R6N?SLCL# zaP^|Ed1EyYIO8QDIcf7FfJ>Jhhy~3am8uvGrEZWPdnf4&V zA=2p$e(m6xMZ6lMwV)r$BT{>E|MqvyNv#7$=e8c2zQmdvjvhc}_hnB%VG>1~%fT)d1 zC`1SwwmkAK-+$`_8>f*MCQZ`AbZ%66%k}%))M(s2lb_{-uGc7;^oUw=MRk}u;9Ay* zv^%>#+Bb%`owPgF!&f2Wg}YX4;PYt1O$HhN-S&6eXG?B+jEfRKML7jTnZWr#^2i_x zDQf5FXorQZ4+#Nj!*ct~%QHXYM83OP5SgpS&HMZwP9S8i`Xf#t!8H)aN>FhU55L*} z%9EVQka$R%2JQGw60;V8E)ZLt&f4S9F+L@dd2sa8SMhGs2PhSHhyxU$>pg0C2Z>jE z$4|SB&wmoHI@QZ@uAMf1IYgSn@lEpP)>qf5OE+I_zBR>#BEGZ}PF7WN4JavAHnsiw z@gJ=)Z#!wxsnf}?EDn(preRE7I*--msfb0WZ>YI>rH9K0NuT0%xDX-T5rYcB<$+cfAxD*{6JbDt9xo13 zdZEkp1r;x_LH+9phj3;H@zJ5?^*|tVI*@RGi|%iz$4Csn^YFxFeEURVc)EnMt=fq* zC>OEs$Pka9iGFDH`ug@5ztg9P0#zX8VaL452(kM44F@@g)Iy;_hY4ds7V)OixXeNK zQQ7wL!I^xDkG;iUsWgROe*cqu`EstYuY3oBCu08Ux8z_~n9$<;ReJTNgKv%J9YI28 z#l;(N)T@tN{qmih#G-(sAAm@)_V||@Zse?l6l+>k5?YYkMit0MfKcw8^!8I6`hpjB z{<4Cy(Mi{1>#^Oj_wF^EeA}q#axg`B>Zp)dt5;DVn09Ylva74Twr=EBIcCN+FLAD} zoyXK-t!vwBE$&Yyn}*e{ENYOHW_{Nb5!2fr&Nd0vU0F5!?zj}8LNN)vPQ2^z!lfo> zlZbagG|oUNi)90SO-%OfB@Im@mViEcmo#c0XvEVj7LV7Jd zuDE1^bnpm!4b4Z=*1vz{^Uw4CCY{^A!eE7PEM)tjE!|^x%z2DYAUgo9#u*42C8&m~ zU1po(-`co`&(G1QPsAC3sVd|Oz;(^xz-0^i zP;jvXov*~1a|91|M#)2wMELLb06F!{d;3RU#i?Qdn*68C2-=1;+RZc(UVVGn{d_!i 
z67wRUtRTX~<347FYG|xTWA@C|iw|)osktSPoI_{RFD)60z)X?cSxEb^<<2W!-9^CK4rxP^ch8jckd0BXsur-aqCl%=B{WbYo#5gVrNUmVLto zJo5NC4^oR3%AHzj>ES{^i|%^*J+87}R4tHzUf4SMbG|uvSq7T^-sI1Cb9YvOXieOG z$Kla@L7+8}Vpc)Ji8usU4+<(Yj1+tn%v@)CTgUFbi{sbF#P4y7B7HpIW@0UQUcB(; zoa;E*XopRyeApbiK{&9F;)u0g@O`_NZQyk_3Qpj7hA7XgrrNT*A6{zWMnm+93-fTa zGf~zgnqE50%HmWEz-_sf6lo{(#J!_U0vXUwrcgkWVFT7? z+GRLgjuSIl>^q8m`uIJY{>F$=i+!3a;e-pq!^Tn9k(KEwL|Y@G`EvO_lK=vrEkmLB zRT$EWosXFu5G6q;k}8ZS8c~GDJoMQEd<E9?Hj>#0+}8c#@?YK2oj4X>sCoVfMI{omZdc^q-;vgxZpF^27=1HtWQ zI&0Xp{l3pRS?bk;w~#1`1p@rgCzZVLp@kDU3)V`8l+~?X23uG+xg_Th@tBkh)TVJ8 zR=v;HfG_r;zW4!%$H;Zg#f zMxr08MYMAG);*Kz4@M#(Sv4RTFf}2`BR9SJoXJsCl1CuP7VM?0Iue=|a#W#X*6`1- z6#l{kn{MPbd%c-Z2#Rc4b@9l0q^y2t+(%0|4U)3@vJ40zkIRgpt1inl8rOs0FcAb< z*QUMt=(BtXwId_O1*o(AH& zJD%FX1?yiBrQio3;sk5QE_$3dgXELpSS>V*DtTVs^V-D2ynOP!bh^EuxH6|xD9|+x z?;DFAGx0#sdpPBkVsFKhex_EV;oZOFI+G)UG`vywIf2kQUdK6J&p8p#IUe^pisPJ! z?tW&a`lbqwzv{VHIoCESh`X5tIRV-iwo(&g{$|I96`bK|st5{bjF`SKrBE~p-4MU? zvAx&vRYos0?UqA2rn$!$v7psYZhnTBN-PLhzL5O}_YkI_b%CSGD3xw)C6C{mA3U^* zPfGImO(6bU5z~YYaKZ63p*e&>aZD#fE2FvSmQSYFovaSTWE454N&qL^FPANlm7 zWxU!ye|}#l`jZ#}8EhN4{n=`QQ9oL)Ke{L)jQBzTZ9J=*{olK-r8a$In>eG9q6qs<-a`t^!m4-x3=_=$uU`#^s`2;L2qqo z2#lA0I>JS2{(8`H!HJ8uAqZZgU677;)Xy}*RR6woV5*;Kf(aILc*~nzpRV<7y-bej zWRu&}TU*TD@^8<8C{?yh^IO$hTl&i7xccLo_0|^pKhJBX6`y{fM?J}*2GITLtu5Lg zliYv9m?4+`@LVDd%Ny0p6l4j;u{ZZCSD)&yCrzOA3)caqCppv!HMgy|w$#4i-!w9R z99DO&S6Xic#!EkmUBcel!r$@lPOQC(y|snC;$LYaX>}iar7c!q9Q$d;MX2&c?X4~K zayX7wc73^iX?tr+{XCAxAf>*kO25b*Pu{p+*@0|4K%Nfws=}y^IlnFt-v_;A6s4k-`Zjg!||R> z?oyDKu{SWTg~#e<@|J%)^t)aT-`etBQT(3QY5?5`k9ADD7@ko?Gi_n%2g=fu97pq_ zrn0skPWsC9bM1ZrKi z-g?pmN@q>Lr6)Pm5Br>9tu1}$b9_U;>s9ffsqctF;kEicXlh{jW_WO`$`$d9Hjk-X z3g6nIr+7^?E@O2ee1*$cfpP4lR@8nNb3MtSv^rQ_6NWC!tUhqaV-4vE zH8j#3P8$KMOXMpfUA{o5M-FYZw{Vh=^|!i|zP07se`8WF?dp1HC(2jY|IfLR)rIwy(XayJ zHME)DWZ&9i{+@rY(MlrS_nr27?JU4J_A?UoFT1C`ef?aH%V4&B^4$}M_2O2zp_)lg zJH~?jUhOLr+~mhjKj7Ar9BSYNIKPumVs$DfIE20?S*}jWgmfdg>ZrLwqtfG6V7vy6 
z_0maySCi_{#O0|(XXRo_?3>s-j{UUZIBRhp&QoV|lC>2(*E%^I#}Lgyo{nkRJ90(r zbEIbu-!%NZ))xGa=M0RN@~|#rJjw|U(Y*RZLq^q;9O|@UF0OXu?D-OoiQ_i z3WiqI$>BJD(HMtnZD|mYmtgn%V+d;R2zw$SgcFE{;gsd|!K2mZ3Hzf#U#PXk5`<&z ze_q53jT!#W^BU9*oP3he$9j_EIywjo3lwYRzdV27@Lo8&cVjHe2@augDqKAzTEgRs zBD*A2=8Y8?$KFhl_2>rtF$9jvZILNSCfE-kPYWW$cz< z9QzN9+q}u?0lvO8940UMm(7=+Y>cp;G=YkjJCJ%%PjV>gL6_6%7TuLqTsR|{y((?A z0^`_E!*#P1a}GA^Y!YTf{Z47jf5J;OCPbfe#FU!&poaq0tL&h!*JuZkeX^Vg<&rHzv!Thy(j@RZFzP#WIPz zwXiU-R~+{*8XGID2#o>q5}MCG&7f30$)S$@Bd!idG{ro+xtiv1no*;!ZKI_ew65&U zKB@-?q;LZig*I<(shh>i&_>f84@ef*c#T_WW%gTvaqMT}XcRdO6yOi9-8qBfEJ?U` z6k!>M)YfM<$JW^Dr?trAPK#!IoK=y}XjWQe1;*=e;&3=a;8=DM7go0=a=9K*UhOOX zm5sD%xYmw*g2|-;#}N^=8hZlM_x$^Eo8nSLD8;MFejIw6EWkMS(;!15-lXPCX}=_i zb%?^UC3E1>b#ge4=I2f~C|^&SKn*;@fYOs33Tg?&q%X7;l4(sxp+9iQ=IU}{BstXC zaqYwl`W#1jaDWHCh3zA~qYZ&FM3r;~N?cIUTr58ZoPbF{j5HaVQbR=|t2#kIx%KC~O65RUjP0 zl~qwEZW{1KAryt8IL#JBoUn+;4-M^iMZs%z4Ba8)^7^nlt)w_iV{3i$(6fx0r6)PA zA^Cg{oRxF92?PFn*y%~nCh*<4Y(AGVcBHU?3C|q*-WE{U8tNNsddKOa7E3&Bs$UQ3fh=$qI~PZ~k+s2$436bP0!tP65@@WF;xJmzC~88K=@1jdRHm~6>${sP>AU*>Vd0!UWmXPdNNl1tGlZTg;n-|Vf{Pfv2FL1j1dwoC#Gtnk1g2Van)3t98_81CtX z##Vgf&<>oI$F9YWKpdEC6m&Gx)0JumOV84QMEGxNce{wCf9p?psg22G&F88(UIX3$ zde)O1SKsn(gC)K3Q-crcNnXBT1lr<#Jp@aUTTkd!T5+ zF>lz9=$gS$)aQyRZnxhZ#z94d=8xi<9%RLou!6fZod^~e4McqoXVe{bK(X~*QTTYR z281s>pKRy!hvypVW6)lGO>#f5+I~mzug{8?@=4r{td_8dfns3PqrHrN;s`5R-vAtA zbBv-QYWp-J$)T*ZZ>Ld}5VC^8Ph5f-j_5nu1r3ne>*VlKG`=5qrz8ztA|RiHsH})q zU>y7DxbPZh+Yma9jzX5}SPo}Jv#fq5$E4LWL8l#s^KJn|dJ|of5ENGMbufF)ziv!I8H_W_okK^)+tgGZd|!IxI8Pmxi9=sx59SdF?p)j- z1*h^%FBCX+GB}2lF2IKFvNExvr?H)bJ%PRB-!%>U8+7}_{>F0#2Gh{EpbnLU3B-lk zeL{dJCrltLb;?5!wFyz8M;0jZI_fMxbBr2gBvtvWL7?W4ONBD5z&Q36L`T2^Oc$j= zf`NHN1s8y=rGs=Vb+R}Xt&SgP+s>m`w>(J_F@8h5tEnv%T|O&r>mUNtK~@W8Em69vW09|H;?1d+Lw06#iO`^ zgj>Gru+ly&Fpm9<&fa7`hX@LAIO{>URALi!zgxGqQSK|3<7%GsYePcOlN{>g6rF~I zB#MK<*i_}Z5Wx{1ZYFQ}w}z`HR=hsEJ`?#;GSyb-1eBiSxQ-4cajcH4MD&;EQ@`V; zdWT3?aTkKgan5WBRtLLFkxuHxVM;Q?ZUx4%pEL@GgzN>Z#w5KV>;)_Y{2l+!*tntR 
z>hIwOhq`bW$*?6zj~wT(I!kd}QVByY0!l&BAm6)OmcqtEZP?M4FBIDKL27OJ7Qnou zQ_|R@;(QcsRY%db+>SfdvD%rv=3h6WuX4NPo1^2Z*K8hIg7MN@AV(yj??;_64{_)@ zlf?<A-;ndfM-JUg@doIJvCxwo>eNI&2ctnQ4`UvJG{m951Ia^qQYV9B z7#K`mg6%2EZd!svw2aEWi`*iIr6s8lb6tqRGo5itctAQsWT}7g%Os(;5E3i7) zy)K`$#-{>u)Qj>O@3sQt*iZOR4mw2+YiZ3J{*BgNudJO9xC5r#&I*iU zZ$)fBy4e~xLO^W}tC6-Q;OsnRd;L6)r}+u5A#vzQ4t31=U`%<^3hOBjV<=Zaul4n; z#}w3L+lX$Ej-KL}8sP)Kg#3rKsT_TcNV5z28Q5+LIkgA3bB=5`%4rmm*TWt}7$#r9 z8w7uF1w6PD$?I2w3hqL3yJFB^Ks9d(!m)mLAD)KRD8IYr6tKf=M-0_W-(bA{CnvFc z#1)cxEKRrrJps)J*p1m+{_SbdN>F%$N>CI8c1a<=MiDBpdN~}&PzM4AdZIAK&|RcK zm)8}EM&N1{_BsQ&ugc}{$9xLnS|Prb*N?cWiFo7d|5 z@TYHX3m9`zPx6wQy;UeZ$)Q@H+l4GdfrO!E>4fN*L5z?TiLrIFI2P$}239Qb=mv*2 zM20@42aPXc28qF{)IeGeMqA<3R$#miW$Xdj1I4YHa$Us&jAL(1`WO^UBgAx)%mmQl zS06aOzO~vXWB1X8Lx<2E>yh(mrkT9un6-Wgc%ma4hUZh5th7GEC4vha5{V*%^B!~Ku#d?O*{}vD&=h+d&1N21|uY!wkaa&e2f@_-< z55(e_181KV+}RRw1;g%GYfHnRyp*HKI_-oOK>N${jcqX6Uw=p3{K@YO-lr!yuEAm4 z+my+c5Ui2}9qExnH|zEnl&mK?ls5VauN=4CWdeQ_+H<5!<^dyJUMkJZ=Oa5?bP57+J z%4G${u{ZCk)>Kb&sAJEER}Kskr17h!Ih=766fLTMDs;dwxX;5nMt@9jP$)k70f(OC zP%RYtn~bFiT!sbb5r}iR;;`&%STBoX(fT&+lBhk9GW8sFTY+)x%_l|;iqexDs-B(i zxUTYf*R~Gob@7SgI0h>g?(w9ZQYFPWKe`HZ3tUeYHykvU_f#xFEKPeF>RvC!j9VUPvJNqqV=hgdfCvQ+7C^5wpf^ZE;xGz_IyD{w2|{#}Rjk{2`#k<%n)&{$L5l zv7bS*5X2)2TLqs4+@n&o7faySFay9=-$yRTrPb8w#kHY=#m8rQcEMu>#<4d>b6Oo- z2vsc9A>hX~1blt-Sb_06w2VSr>jJLv&Sc4*mK=66S**p7$m?ctEX~d58hk@fa;O18 zTz>^FN`H86^H7b4YFt!Lawx4g6a<>#sXt>eadXhtxdn%b0XPJ`nn)xMo6bmqpz5YoN zHQAABQ%7d#q==s8-#4PW`W3EK#0~J|QH#rcurt3L+y)n!w5wgk9F$l2cB25;a~cQc zwXxC^oiY-_1l&XtdG+#MJ6ton;Gzk8kJ)RE{iHbfBMmmZ$;j)4)Xw}J|88h762N^A zF1J7C4@ck!7h0>E8>a?;*4vj7aEQHa|4w*p{tLo)&9Q`jCj?SY0 z^E_iS2I;Q;zD%2Kh~F&oCDr3K&G^G9I`HijR&Ed`x zd3Iy?j3md^x3){8w74S0cT`huIbdpKjj{scWw+q!F!IbG0~y7vwZ}^tI(vv3*Ud7) zlFdMS-IYn>up(|a!n6eUgRvD}TP^jnIF`n=XDx;wsvY!;aJL=Mh{3LlElAxgUe*bJ zp{wsk6{@BD$S%Gov2D7o|JBhSUC!?wl98z*Offh}4M&Z!EffI8Mw;REYxzK|c?AYda$J=paSA_#owk@yb 
z+pC4OwtOpaURn!8_GE7sZm@i;&lXE;yj5fF0<2wmS7xv6P<&?|9FnA6Swc$tBS=OUEBpmX8xXk-y^Y9BOCpaE!KV+?koF1ptL#edc9?xq9#>+oGpV6+#%;Gu@dk4G)N9( zk2~ao`4pB_IPk;79f8wKj4a$%AROy=*U_9tCosxBpK7)P_GUY{K$66ZdO5rn#{^5b zERPi0dWyrGiB+7IaG-_~6Dxw|%Ud~(gfqx}WpivArNFQ$dZH_7r)7+Iyg9ggV3gJ^%jr3^wR$smneR>SOAbniu>Ftvy~GgA{ZUaW!G4&+=M< zaqK5UZnA3!WN=IY^Rc5-#Y$=RmVetkC}XU?dXht(iYV`0*qWv=vK??7*RJp&@BKO% z97A)ka*GRO6+LMJrB>HxJ;|X4(+MInY_=8Dkyv%bM-I)xOEeU5qP={C!mcLCT?hL{ zQpNWoz(ghmcgT*mk%=U^jSAKHwqNj?YEV@ z`&2HS&QpL2`Pl?(LhVkqCrcnWSO&{U4)qi3-fV4Y0ElBAiVG~mu*fPgSJ>?dd*GQE zarhM6-3C@11rv_NqCwneiA&-9VQ&CCMK~!26h|Zgm&G7hH1>ku5rx@VsqZ1q=t-px zC@kRo4grgt(=LT>n!n>ca`fNS&K$N;<-a^%qcYqpB}x*i-(|KZ@mhh^!=7}B`tU%a z=2nXG-V?5ReS>lAr;?CKr~V7}ON%g&kFeVzPq5PNUHz-Z2 zKFOyg?sJ-1#JyHvy!^&EjYfwmuAvauM7PVl4i;d%4yWR%DOuxjn=xG1Vd_cKc|b6< zIvE^8^M#ihl%gj&)PTRFXh)^};knJfsE((eZlB)gwFPCFC1^P?NXr)fpP3syTj8-S(wPsMcNRw zQg9t12U{FHqC;nWWb%>_!zBwZe&ERA+DP0}1GQlu6Vd!V|NiW7$mNHdPS_cZMR8gd z_j*PGerE``ANxZ=KW_HK)l^Ym$OR9cMnQQg-;)Q=*rGvsdXksbJiZF0Cppxqh~Y%R z{Zi#95#V7EezkdEp20CRk4mLR;HV5~B=w{TlpYe5CIfEKdW8sCW?D{5FkW_Jn#E&=V|EqN^5t%>-=VH>l1oQBDg!DWs~>}%7Au0n2J zBM^27yXQJNyd;PwP%?pcb>s3@oT38jDita+i&=&V2Hj`X-U*j)d#(rMfeD1Q%shi* zFpj-ocGf=uGdPk-BhWukYmN}oBgfhI>^!LeP7T*n#H6Vl#Det7-f^r%AwGv6q$^Oe z+w>H#B^bxv*sT7+AIT>~9a`SBRHEscyyW;BImhX9x_mPIr_C(xmSDW}#_R#d{XNyy zt=dC*mCmz?PaLB*8qR=pvtq!NG}|lqtiU+-mU^-YbjS6wI2JoLbm6GW83+ZU4x~I$ zKW^fVh5Qa@AmZ~X5oq45KseU#u6b)7@!!TOt|xgp#|-b*&Y95)QciK0hN#Nz#&O{4 zoKZYUGfCQK1;$H1i*`J4;KIqaJgx}DL2?8SDB%h%@P9~_*bDUyz%go6-U|BOmUxk$f9ib>oRm?_ZK5%ujGfMaZIUX@#=%HGc^#1rm?d2Q%`cJqlZJnMt7C}^8DuZ>fT0A za;RfE;L_68LlROY#bKn7OOOitj==OQP5TIY7KJ;3REwe2BCi%H)L=V|(`|`%qtI^w z%YBE%<-u@PBNqoX(xjxd{(9y49B&kBs!pfS0p;d&-<^Q~A< z)nRtl!)FEdKdt9atZ4yyMQb3F@;BUM%n?1wp?-?XN3omDlg}BEA?`p;mguCs9lKtV zqtfIN(g+mC-MqV613k&12K^BSiQy@Z5Jj+6S06a!>7>!p&bcPRI}oX?3o#H7)d&$+ zAjQ|uAZ=i9NRBK1~VQl)^Wy9ZAFQTQoeF2Bt;SGCyG33Gr&f&#T-XJ10 z_!O@LI;`)C!sJ|TBcs$9glJ^YF7{Ak}h>~s~ulQHZV{b853O&i8PFM3Ch^7vf(FrDuqXuxwNhP$9 
z-Nb$CW^zo&RL(6yqN=1gOmnm4UI!$-tt4#SuKU`oJM=*!$p?p@Mx>N*#g4 zsaS+sk+{FvB!Y;a{*VV=%#MgR5DxhR z@ajjT&lo(M$wK|zP?%V#rI0z;bA2BXbO!t>GXfh%?a%+LM>VSRLW?g*Zt=L!boN+* z@ftKXUZ-jD9Ypxlr6nyy9_hR@MY!+P%i$%p;9y*_6W@;@5e#lov{lW30g=aXoh*)} zd03T;>q!o!^_kD_6s28-f_QShgWn2_V?RYrBubDX(GCb)*%EnpVW}{E&A)EGb-J-O z>PZeY@H~idCB)OHBsfH47Ukwe)zb8&39gr`PM-o_=arO;bodj-aDj&qGo5itcb%e8u$TtEwL}S)_ zR$v_asf7Z14t^%Iu}@uwSUWh>szskR&)^t-h>-O-aEdD{;%ME-3R|g$H|{&1<7@tG zS(!CpWz>@#>X=BXFrrA8r|2mTW5ZQ370nK(XAXaI zFxvsmPt9$BW^ehoCq^miDEI{hZU$?Gp_jelUo{2)jQx1<&pgLEX7CV9_z}2>Mbm^~ zbmeD`QJYU{JRw@)0*d*3vI67S8`GzsQnrH^=$aHesn_C&&W4r8>@_b#YXO`mMfo)l zFpV(bw*uqXPk}-Ty!0~I#k=Y3OAgn%KtpBvnt$E=#Xe*9>PZu*7~*A*fndesHM=z6PW+(Sq+uj~rU-#e_$S3`>qOW_;BOjAL&;wkqG~ zNe)%6Lqf7aLZmX&hx-#2U>y5t*cuePQ-JL$9<0CI46QRSTBd;Xw1S? zZU^p279=pm5B0l=grBki<8?R@;YUFYxKE4jkkj0b*em{(R;RREjtHMN_4D;xfpP4o z;L=nw+7_^=Lp=z0zftOC;IC${`PXMA5E8nG`Ao;XadIJ{`S8LvL%}O>7NxIjj*VLC zKoECvB~fX+#e3fpjAOUKbd(1NN~TJ1Uh1T958axU-t;~H{QCgb0^{{; z{`vF!I*GfXHF}am^&gfSh1dc3KhJB712iTvS&zV(r#9P0_d^7#)>HrasMa%29ox@# zk@j>7J?-jeJC~wUAvw3nHcZPHL{A5sY$LTN4?VrxU(8!Fz;=BZ;~yw<_0hIs6?E}H z@xyt?h)*+{ZJiqAFX+3m$J#E_o_zE)dXO!qJ%LWnJaye5qh1q^(~_;HHdDq9>1p<0 zsV4J>*!}<<1b1kNfnfFVw*S&FpG6rnPY|23{{#uap%ZOM4fH2kStr@z+LN80R{TH$ zU3aprN6T!Z%q6E(`oKj`^K3>vKDHV4SaGWD0_}?v3FgMrjEwEok!yEtSEe{5UVq!lr`iE^}5vSQgulO|9S0M!Lqa8k} zs6BqMnXfD29N8X_KzE;G6nFpsE%xO#zY}SE>+fu{%Oe`6N*?+rF>}p7iyboYU!(%2 z4YhS?t@{;yI5sF{P7H}vyFP5xWm~w?S=zK&95FJ!j#Nt4$a!N_EO}~7LO%QV##aY^ zFHVWAe-NkLnm>vZKjYjA3mHJw-E*!u@C*OdK=|dqiYWFEv)x$koniFVk@Ix&A4-p3 z{z;q3t*2^SY3-klc|GoY1K*41iyb=ae~HC@_`jrP9l5~xYVB|-XY+;9HUZTg!5H~H_j-vJjP+WL2qT<83|$lu2PhizuLBmRp( z=l*X4!N>nwr2eh{DK>EC#Zo2a{g?68!T%D;V4Es+^X|9-cYi{x)99p@QJKdZleWCp z4GyZ(ij-8=y0qJHoc<|1rLw z{NG0M_5YT8?Ee+pzx@9gaAW>IBe}VnoHDwfSjByK6h(=Tujp49aBUskb7fULnSWJ3 zaY{@Y(@z}7(O35~hJQWMf`~KYntmd0JdDR#0-aBVK%@%|yO9=_=*8ESi?0yl*Lc(+ z*Ii$&*@PSViDP%oxPG>*){DQPUOb4$apm&PrRUK%_7nN$VLVDp>dJpeg^rzAEodv! 
z`b@s@=6;oRLK~~=CrLHmiAOvn9IPbay{dl3P7ThTeFOGm$?wnsOcFu#+5R6{X&o;SCZWj`{O@2rkywMA#ayQ{|Oc`3^ zf6p$G`f<%-3Hru|xXkUrqqsEeUn>#D>rYmzF>jsJ znj?7BYq<6)DQnVt>2VJpCzQMYPa3b-&`**+4s9%RoQn9d^64rAx@MC!G+Xf~641_P zBw}2|=)u5h}wTdOU&@%d_cyO5r>P3qlAFG!`uli${- zyC(h}!J|01W8RUv{tzDZGFQJV@yTiLRkQXA=>_|%?~e%SweQO%Z9Y(ioANPNf(LOw0qD>@iOTTqolepq98Q&!H@-J_aTDNXOwTct|QBCg< z(z7QviL%S2o0~Kttilp^;!&r5C^wFH(uYV36KD6# zCfk2%cr`87>N{n;8)sE(H0drmZ^rBtfHK&@jUq~;xr%7a{`03EANwX7u+vbcKHKMqL4Uxev>HX@5iIw@k<_T66MD+ z3#7-bcoZkg&WH5=JCo|Td|{Kg*iT&~L(g7ZE$0Bz6&XpBT|RzTCYFOsB#Kyau znPMV@X~p^)K5^yKWmJ_}w5jq)u#-1QQ}+lS1?pP&j9jN@H_OjEwn%-k{@H4kCqCCC ziU$#CN1gKSe_kr{Fdl`C%(`uIkFQ zYSsayg~f5*4ymtay&{)!|4zBKcoa1I2VRw^Y{#x9Nxa$rn)LCq*Q>R-@{MYGlaQXg zTWZsoH>G}j5s!L5&fFuB+YvkptaI&KayvHftxl}TZ%Z?2ul%@VpVX#V@5qSme^=^( zS?|?k@0WUa%=^^}Z$?^B`ma17wev@o$&ek8SY?8g#G@5iIax(?CEL~LYpPirkrrw@_1ga8ARWY`xRbvAy8edxXDiae44ikpgy;w!#oCP-S1ofh z(n6Ut#>=2{Z>)lTjI_ul58qVHTQi}*zB`T4AZ+|cHE+_y{^Dx=E*^ym|N6~xiSJJ8 zFRl*TZ;`WiPnN#kerrwkl>XxSy!p2N;_5wVYPD9okQO#%i*J|uVa&Atk_<6pdiBeF zNQ(>b{u%vcsdC|+60R#}RlnVYw4g{|c$ZxL6|?(`E8L8`t6%OzTIjZ2bEGon-&2J= zjI>~P+cvkFHRE3Cs{?qPQC|1{gGO!Kef>p=ef0ejscyofNJcL{Aobw=^QEqz@}LYo zYeBUd`;iuw-<1#bm&D!G3#D34SXBLT2hx%@X66!Uk{rRK&d%2^EvG9h){V;~th?|i zwr1ZW)h`z=?=SMzS&#M?Mc+v)s*t;omash5U)q1Htj^J?tNM$}@;*H3HC?#6n*LHq zuY0`ue!?1Q{I7XJE_lM){-V5f7>{DTu3RTI;UFHx?604aCf)w^{YAC@-VN1iEZ8XZ z;^?QPLEn!@ft#$@RQ>RpXC%_zhsUy&Uem1a+$_=TvMo|;WVTleS8zKE$Kg)FaPV>$G;8G+OgtkU^KdC}q!jsru!9q(uteE|od;Wr-*c;!&)^ z*E_0+*1sa>ZQUu6-kMkC>`l9*g=Ot){l$Ib+}EXUoA5@poE=CDoiulM|H}4F+kRa0 zrd-T~JyI=3zf~pU^+=12*}7L6o5gR-*(>)+eK_|Wow76|*(^A6h{*1LPa>x&`=w>= zLp+MmN8YctZ|#9<`o<3=D%^!feWuO*P)4!vqiWulNDD3>Yd)?v`ub0*VB7RGJZZi> zIN%Qh$!Drtwe3CjDBIwlH?{x-`HO2&G{aYz zy&Oz0aY#tJx>LeJ878F-!4cAq3~r0NSZj*V+~xwEjD~Zlj)ofCoTNiM)H=D*$5q-> zTgd^%-X5vpgDQYRBMI*@1a~nSUPVi<2bT|7Cd-wp=24#>dr2;i_c$b@SCHPGAa|@w z%+o80vZeROQmqk5KOtcnEHp_17tpvR^a;At7yffXpJ^4<+9vi4HSIV$OGv)Ayw%Ox z2h>Ayi-%Nh^6Qm`osb=?g%Q12{zU6Q;}bcL>NTkRkytT$J;bP(m_x{hAWlrWe47-n 
zbpIZyz63vrPK##Z2$oZ*X^GgkMjz5A0}61`tO3^hyOxv&^r*#7X#lFUgXk1A z+r)PRGlfDal^0(fJrZZ^B@#GR?V^hli=Ev%oYtqtTiy$U6L2)eNsL;8rSDF_o#>hJ z?5WMx`n`N!>Ed!cMZG}EIkD0%qg*|cu%29-$t$IU^iemRAMt6ZRSoA$aOC{rbdD}) z(MzWseIQxaom5*bV+v8FPpQpCrCl|{uA?R@l!jB!pt>4ZsWLjDfYiNuCAE&PlvZh6 zZ9&3kKK(O7*PQ51UfhL1d-_YU=3-ygBGfBLHJ2))Ge3E%i2X>PNR<$A`Sps3Ur?ir zDOA%7rXNrdiil}oGDi`}#aBX?7@#IS>8>+mR3~Z3YPhm#eQRg4*z$l_IX#0)F}k;= z<WaN}rOvp452*aN|NkEPnv*!86u=f;c8o4nQda9g8Iafm6U7^tV(I zo#FJcdh0yRbP?CtLtVC`_nO9bBp#qQ(%_W_tx?5v#6~Xoj!47=Go(9*z($DJZOWuY zQj!W5snT@b(Qp}Gm<*S{X1I#Sm=ZNw&macU zR|hLK9XyzVz^hqVni3IGNfIN`OQJq7IFHFt25L$=wj0}oiwT`ROQ;xIg_a~Lml~jx zYr_<2IxtkO%-y6;HX0%}omwa{9i1{nE;;B z(J`pX#khu3>^X59q`9WoMyG!RQ$2DN*|9c|i1m(Bjb0Q@2shT!MEpUdl@gmeHkwg%r24eDYO-3K}c@#(aUe`Osa96D3Lav`oHR1E&lKX{+`hl$Hn-#Yi6A9d=~sj5?_EM#MT zQ!>Cp$9X!~Y>)Mwo?N=`(VXQk>*X$U)f!XTq_%cxD!EBrI^;Xm zQw-hM5Lwu=m-=JWn0AeP#p>bu6~^zHWs*as=19{*^l77M1|Lt2B!O5MwdPm)$XXFR zTxCs4mB%dQ#7tY5EZ(e9LgP}hwO*2vvKZ1|V?0)ke8p8XFA+*LBGR4m_-&8y7CBm1 zU1#5_oy8q0Yjr3|jipeo6w7mSmj|i!(&4O}1>J=+=XvDywdXdLTwM06TE-$pzr$K* znK((ktB&+BSz)!M{uZ~3`-+$NEBVoHG8LBX)5yr2dJ@jaEHWw_59=-cIqI+$x0(X} zoK;itIhU_WQCMWp&cc(VZ%NyuXOzOZadpT`N|lo-Pb+M(=c;jejkCfS6O!ju7;1YI zm&(HC+WNfi0G&8)J>%ZcDG+tw!B;6MMouTcXc8iSCv`SEzi`sd`Y^QI*V@I8!!$;TodO(0{W2m zQh?$9-CRC}!EatwL{!(V^0pon2o3>5;yN zY%9y8Xswgzolw19T@~J+m}W6GG#V`wDTSanLJ}L|8T~wSXqn>Ur)L zq;hl5bD5-?>YnG?DnhM4ZS}lL&9qpu`hl+DR&tf2LTjRyOQHwHau2a=(@Z>sUDB=R zC7a3)uZ4=&qAq7dfEKD=OLXa$Y+FrVi*07k6)L?hRIt*`lk`};O&<`P5rNuNs1e<@ zNHxi;)CxW9f(NnB;A$KxuO3p}Mfz~{D!tu0xa%)_Yyeal< zYl~t@41L3x|8kZ~*-Z#Qs~xR$SfAJ3K-(5+@aaXZBJR4eMZ4zCvOHD`>sC}vW%a=7 zrg9ruwt~fYC3#vOsSn!yTi39rTE3S9AlGjgaSC^f}v@Xhftb*5{_B=fJ>BAOv?sTcCZ)MUOBOFX-TqJJPA}{v07S+#d=46EoONzx`tcKvUuWS_A8aW z(``;E1gm#e3PE=?*JZBBddww>J}&xhWy5MdNM13|&oPIdHQbk6L>1aS?RwHIWKP&NX~|HO#%sq^#lIWVO8JqCB42 z3atmbvR7>hR4cohRalbIRmx0TgjDwfmjfv_s~)il~HCQEEmGhrxWf7h6XcmEPc4YD0^N}ICw`#>wn;my6 z(QQ;OWR+@R@n(%ax`rFfl7}rri*G3qw?(|@sC1RJ@|kUCOGhkXYGE{O$jDBYSB@b 
zj9WbF8g5~?wJN$o++s+-!XI-Lt@0HMiu=dnkMbCnfmd@D?zB`kgLYs}42qt?_+x)ZsBzV$&p4p{xL zQZ)J#Za;K|K+@IACT^|WbOfSRrFKv}L1}HNfReHs1FW*6&nl&RbD6>uva`tca>YPG z(oM{b?{Y^q@)b)fbTgIbDwYA({Mv4?1u|RTwkzqg$Z)}l>FIriVt+-4(9o=xE_4+; zR!_0sacc-erOH;zv#)9rrDdR;RO3z(4R>_+N!GL+Xp7&~#ZDaVt`ftuO%*;Xxz^%ly>f>~LZ?R?zjk$B zBAMP*ww1PMb<1gXEm=r@T^;e_w{il6mQ?irv*hRwi^PWJkK`yVh3p30LEN{fM%&TuzM8^vI|sqvxghPHY4j3arRQvHqPGmS zfiMyx8CtYdiy1<+AauKHfmxL^sxlgANs;DTS|x>>tm)d?`v~%5u4KI=BPVB6e{W}Z z5$iOiJl1494n@r9>q?hgWug~m^Ameap(YU&7@`?Nxs$MCLyBknHFp=gOOHR=L$@?) zou#*)Z64dWsPb7lg++DMT`HM}RpH$6!uwwM%ulB`&c3hyo)^Yu&c<~-IuS_yH0KTn zDPWh>HO_8o`0Wx-i1pyGMn15xyMS9f`vX`@Rfi_v7Lt?yP^RZd&7tI>SpjfeEwn8s{~rYihXr;eozBy3#wJ zlV#9Xqef!=O@sA1V;%n4o%N4QYdiy_)5`+n6e*1IRnDtW)6_8g_im}Hn@kDlJe~?v zzwffQ_T#hb9cSZpWVM>s_|zSSJDqohaXsKXfXb!@by&h$b`5P{o_yZN|Ry0|!igclfb#;OA$lYCQ>95o~# zVv@K0{LcDyX!A>V8mYM6w@OOm3g^?5DM=R!uyHr(?B1J70rt!^q`PT?T*cip6Lc?3 z7rW`2%2FVm!-3a8I#Vk2AX7`v;<4(8?#aDbgYLad_mTfpbZ?(!=(aK$xwLPe#hotO z4cprd;aQu2$_>Z`PoFglRwXjG}$B7&M+Gk}WamT~1fy zW{expALxb1OMwN2LXIv%$5rk*&xas(+^~|oMx)JFn7q+nAlDd%fxC=k?UYYU-xJOg z0BLG?F|8W(AQ?zM-J;#g7gcxRRzTRe?3k6Hchc`l`s0TFm7gG$zI5wOWM!Y$xa4lb zfSZ|$Y4314P}{`!;_*MAh3?4Xvi$Z;^X+Z??WIem*C(en4&&2$v~u%X@uz9T8pfw* zKOf1x=>JR!NIaejbY{dF0y4+h2V@wr);!Dbq3050EnIwSp4HSay*XFvQU3yu_$9vY z%r@+tWOkOnX?lIrw8m2c1E=3|KYfZm{Z}wg>ReE~AF~nkjNJ=-kz^X7KPbgvxm(7EwD&tf9JD}Ht4KmEWuYg zuS6x3p-$-nltGtB8Fbk^73hpI>;y6>!<$(dt_xgNsx!CAt`oweKhpk^E)haqHuate z4>7{!%NXIo=a>dG`O_HN>z&s(9(+zy!@d1|feg|;^(@Bi>Al&-RS$sM7e-Lx%rSa; z3bf$9FwoL9t#R|ch88`CEHABwnIiJxHs3orH|08G+V_^}FxFB8gZJ0b}Y!8lS6e=!*2}q zAz=XdC=0r?0i3ofcsv5>`n0;Be(gi;#tqXo|Cj5>hcdluY<$Fm>j;)-IeACk!_x`3K_b#6PyCWj` z*?WJpso{lf`F@p9Bhb;!e)b;)S~=C;7*!y6QtwHk!-nWBO!SGjPsjC2(;Bzen{h(s za%36PSh2l+s$<0gAatAytJrjp3Vd#YNJd6p$|xcG`g86qdnvjE33xme{F#C2I3wHr z4o0@$F)dZbyq;c)qBf#xE(Nys)d75E}MEGN~5~#8Qspc z%+~G~n?{qPsv5)o&iT8>-7jvUG65uk&M5_wB=1OKF7HP#!q52J21y^ zu4N1tIm!Z1Zqb1`g2V z|F&UL=LBX3aX0zWy2iu5-PG{kdJDxx`T5=H-T;>PyGvM3!s5r`01|WckpHnTKMoME 
zc3Zw9nQAdDx0ji^_1@|AyU=n+0*0w_Qe)Dz!4xg^M4C??7c!!;-p=U?SQc>1Yi#M>~@7 zRC{|zJRWOrZs|y&)RAb9wg;1Ku~2hcG||x>PsQ4zu}~x#Z;P~bv?jyxj<$Fr)fNi1 zw6=A`Qt@QCH5CjcI$B$T@mO=RHPRk!O`y~kY)gjle{G>)tT~ZNgrl)Yygk<35&0D$ z0aE|99MBX}qn6xZl>I7HD&TC}IK6(y9n%_bywvEFNzToBMPBfYmtukIkp~`rrTQ1L z6~82g*#^OyeWbG^n|SSP=y%MRc8?4@a#0NZ4#u{b?pUr%K;`jNpfqFK4j^=#)gR!o zZPo7zgff`NMY!sBf$$S|+<*Pf-=2xVRF?>$E}N&G2!|NqDTVNaKvJs79WmE5o^CaWkHponFZZxg-Z0ke@V|>hctZ{Q=Q^Rj!28#6JC5*5A1K5%bV9~kY z{S=f;09sJ!yv(%x6>j-a(D=q_jVpi8(5N@)T?Jq=U+26IP)!Z@G!OK5QC?n3plJUB zS!2{nG8zmSD?dXDc;$oB>;GCk3wqMa|R#_Oq$J6{I8!>(%R65-WlQ}2m)KjU5hA;x<{;MH4|yaFIty+J6e zr(A@x`l%<%5k`4Vp&a^s)6&njPBXA@-{`!tap?D(8h&d`U(cr+v`y)K!G-fjMpZ7d zs_fh{9akp8XM4F}M9%{_s+jpuR+-rdks1t?{;GDjtcqBodLfwrH|F8EprROvKuQp^o-wA{@d9i-9=R+S=TnYDooysc|J5X*MgHrF_!W?Y)GRs9 zF56Gz?6D84adz1&jB4qaJ=YAWb#oeTm%U=*s+EExek2Ag`pq_KAgf!J~OZezQ%VXk3N_Z?bvR1+SWRBo7yNo7lMpf}&G{{mUX z6M;xhDo-$vOFzn!$_pN-$iyk$9&{dTyZ}_Q{;K!!-om0@w*X{S&m_9%7_%_S=!Svr zl~_!jXE+lxxfmOTa%{%D@=PwCO6Ok@i*%-55enryUy)9vGu4|NAwMWk$}>4XI5m^= zgOWUoncV8n(oAmkQ)(u6Flh8f?;Vwg4Wlv#gHW0B2no+gmq=xF**q0!jmqo*QVfy* z$SSik=kcePJobN*jpdI2 zZUn21C7BK7F4D@tj{lC8fd>k>{V(uvfv$_Ne*y6rwSoXgtPE@c3AmenFRu(NZ!#ok zw#(r%ifsy)S>80caG3*)X%v_cE;Ax9X)U62lH3Wl);U}20MgVD!i^A}0}Jv2bXx@F z521-Z;|c7JMm{Z&l3 zum7=W0<8sP;8H9ZlK=HThWsBXEJBE#`UCo{-x7}qIlsa3-|}ge|InXQqakHe{s&DM zhW=z~6NYu4C&fAkbeJ%#{ZoTZH#fF^6jRD*to_rn(a6TEsJ>)pKH=fl`awY`JU02k zDWl;BB}FQX#xC$U$JxG58I4W%8z$wsnNX11uE*(V+;o3aL;d`8rr4eD33R243y>-! 
z(4S9dyJ|cJ8xw+;gudM9*fDO53!j-@zXUqAqS+9tbquXhrc*V?ie}v$oiQ0(p98T)8=Xpd^=~IWBQ?T-dLgV{MD!QeU;_jCP1COa0*psF+{y(%KFkMA7YIDJ(z8QFMFS zY6?MFDH6h-HV9#cI|l0#sPK3yu$nRW1PfslI5AMr=Jysb&U`4JEfjP5 zFR)cS5t!tf&1L5Az~_0*=19B2rF$WnU^O`+6MUq7Y9@Ha7f7j=4zUT|*ins+I=$jd zb^47RU!CMu9|3I$z8ZO@p^b0fWO67xbL5o>&wLm$2(PA)%)%cA9?JI(WO@*^ zTj;D=0n#S?jwDlrXI^76hrX!7Gl%|M&`HO=nNEr`8v1j@8MWfbNP%tu4a_g}SNsG` zW7bRjBF<>dA?h4QhB?k?@KpxAzJin~po1TSuWD+zh^z` zULVCqoA|1^#FW2FtH0;*-I?tJMO=HP|Kj@l9 zO}hE&riMTw(GhKH54J|zT4J%b_SQrs9*c*XTjPjxX>X3V_(Ooj+wc|1*8PU9JA<9|S&Tb4+~$*mC}!QtGad~)m1Uz*OP z6~@JZ?IVNc&|ji=RUgp-LXW2cwdq|~fY@;czrww1)q@7HeP6KKpI1EyjL-iK-Jf-d zFzT|Y_r$ntm@r;a7*7DB?$26FXzm$OT0)c06Tmp5xv$vWQ~m>7)^CADo_F2|JUFs( zj3=L4{-?nsJs-7HNv3hj|Ac9LnC}hLe}Smti9{t#<6cH}9jIU$uX>;&uSapDyq>E- z#(qj?%<_6N$zkjH>8$8*(L~o=T=<{BJ%4 zWl_QV6fvtyq%68@o(i-^J+HE|T>l!Y=b?v9BUW4^&HAZid+1>;+e{`bcB?X}T+&On zK2WY~ec;ON=>sL0l)F{S|Ak~b^mQfMV~-d z|P~4oIPG{rEziMiDUU%;s2D-6+Q3{mu zef@!6SOSk{V8P?57o;TbcZ{JQ0(tj2`;Jeq??)8MYm9zt8!Wf!R9ldeA9xLv{0-07 z7EzZ-$#vP(3)Du*&j7LG?ED5R`HH_bi1oS^_RGw+;EKNnzKlEn)Fr~F%ckBF-!;Z} zQ{fu{K5c=evdI|f5uhXk6AmFxRVZ6Jl=Rrd@rBaLc6+`iSd?9AfZ0 zy2Chw<1hXBC*~QEP52EkHQ{$APL~wQ>y4>>3PQnn_wDKRm*G=C^}md+>ye=BOQ^OY zGyBy4nyN1`45To#-(fW$1x~G$_sFD@tm(A+I0}UKK9o<-$AZOcx_gnz`^j|G14z*q zM#?}$g`8%^xCwG_YJBAH1vw&Pl-jN!|8(T<;h&Zk=X&#t^Qv~2Lh@vt=bsYKSx;QK*=P#!+~;M5@F2PK&l{^`0Sq*L3zs|^13 z*Voi3B~#L=?XQPU=}lBq0=XVf1zKY|cLOO7%$;SOx(1wDr|xpEuP~!+|a~SmCsLJ=)+8j?CdUXCaYvDne9kudsJdKry@tK|R z!hw_9{6)#NSa~?lO~3J+T6s8^F-@WiQY}r!G$0gAxJ~;n z{W7)xneTJ^@5mZ?TLYaMtZAUzk;Opw=e@WBfX-iuB5-;>7g*&$w*h$XbGD!7fo@5z z8ZX(;^6naOx+FL894UJk$4%fs`jsOdICv0OW~1m70n*gafcQD2V&J45(wOyQzb#ovnuc0=loa^Z52x2}LPH&#Z@R2r)-8JgWhJIXwS)7~ zU8l6#wGCL2W$#DaT~~A&xoPtVH%r_U!4g#S?G;^RHHk(#WejX874w>J`$1_n@q<%p z;s+&VEYxH_xSiu%0JpSHwYJ-^t20!aJtH*~kW;+28^hGYX=Hy)-``&tD9+6m3Vqd2 zz`;16BxPclI>oKO<;OfsT@!@OLieQ1`Yd@0U$_Qp>gfbkPj_!Vz$qOAeYjdB-BaT+ z=$a6`q)>z}TxSYbUsmA@XCE`NlZHesb*-p#R@60~eN1aeCN9^Vk}*W1SLNCXM}44N z4e^01Ylsh&onC(whI(6{;o53tWo>xj 
zq7OD2nJshOShg7G4peanC2zMG<1!3YK{v`y3NUFlhMA%fr!1Vcrqsk<76b6@-Vf2P!Q8?{F)S}Fty9S zN^QLKXUf!`DH?g|!5EW*T%pK`$k~8UHr_KuBnHJ?vA;llEs#M5PAm&y{!r}i#M1}Z%PhCGS;o&0A2I?bk4?mykzX39xSxWrc46OJC2uN5~ei6J_xKZx<6-wFxYRz zrjgncZ8~N#*bf_sErb4fU3s`MvJ9crsF6&I6CNj+>A@Rp1Fs46+GDgP)XFfC&wULv z{MMLe$)_5WPU(Hgk2n)B%KVIiA3AG$Wx&W&n;PDvSBwnTIm2}TYHGN@y(JV(Vl%#_ zt+^u?2{;rbbw*QV#IP4i+zEf zLIFo}5aw0!6S&8$7gWfcQP)}YgSR-AYgEuNTi<)ZHk`uAMu~(4h2CNzuOsm6pG3k~ z^)*OX`*mvlTZ)8ZPa09o$o8a5CC2{`&ObCBd$Orv4iZmbA1m7he*wb@P9{;vaR3<~ z5LjC*`PGBMDSkon&?GdNc{uaS>GfM-j*k9sqr!I;`Y02HOb&7Me@|I&fzEN3zG((U z-mZV6!FD$tfy?*P0zW$9s_i}fmRhLLvb=lMl{!BMH%jk|NbZ3E1JMYr5QOnWg zIV4cBE0V}tyZV`YKI`Gw_(6fx+xRuXqTFb`4kmG0Zs`nOWw`i%43~H1x{E5iCCiki z2p9hkWcrr_{n%&i&6yI(wEC$;D5nS`r1vM@%#FD3A50_OuHNVpA=G74?}>1j5nfRUj|qf# z^=JDY?d(aIR^4he)Qgaw95}?eyA+ z@`D1g+#&qnR44R5qYgP>vHQ3Hu?R58 zFwT#6_w-;{7TbKK(il}>WK!=*l0^>KT_70~&=oT{2kiN!AX%SLpH5cT)ooNk-GZ*V z=@O}%E}MFR&Ge>Yz}4Vvd>gCV&NmC`Je#HS=mM~g1doi9Vt@dHAfQEESdzpXA9G%0 z^TlwEAfW1Jpu^*-7o?!g5kWu~SP~aN9fE+?EfdsXK+5A73Yv*2qs2+oV|5Znpsy?6 zPpJdw>WN(7u|giJlb(-3pLazKcuA#Lom_UD+UwNH8GN{E$y-Ew=^X&X3@Im`R?Y!| zW{bJarc2apx@_tNQqyc(fU?0k^>%Ky!-P>=3GI3Dc95E;(<}@yn1&(f8mB1dQpzh) z243+?)(G5kDQX`xylvGCT8bK6?tz{CKE*NleSpEq)ra!)2YS*)Bv-~<+4=bwg624H&IXDMx!towKEmfDp}*?J6L!B#@`enGnT>{0e@JNoYHR2`frd*4!x6A@|?U9%2G+?V3GF$7~p(Wx-Sj$nl~lt2Gvg`x5E9{39MK% zU&C1Uysefhn&}o`CcgQ4l(C!w7Hq!WA}qB;YI-@qrYh1)EYkJwV&;Zd3bc21!I|Sb z(%iuS^}zSNm+I-9E|EBO+0+Yh8mqGO1U2C~g>TKwI;8THHHlU$SZ z>M6UmkfpSDRh_e{j-Z$ZMRGW{yU^a(H>aE8~-s6Pm%m#h|zbT5o= zC&`{vNuT|qOc;Q|FY|GTFqC(ylr7kH9IFzHja5D7yOIfUO!qps-17A^ zI2FbX$%M9Yyke(XOr^&I6y?WjMRvO8SbHp%=!mr@!uZkB9uIdUBgl%^noPE|wFQxW zHi@c^WNWe`hLp1%(e_k(JQ!+^v?6(4M{_XP-kfX+B}1u16d!5p2*+BQlkxUsYpSCq z+MEa_T2dWY7fgiP;~mjha}+6TkvK2a9t)>Beg#NCgZx?!XbP!ZGC$tBZ_ciNi8J`# z8Jvgqz`H~jsam%*Td9D*m&7&O^v1nFg;TTd;}LDeT42&6n%8Qj zK?YEaGWwXcDFLa+Q-R!!GRJ|s!CAhMN3{_`EhC&ueCUTqHHvUXJwlwP;eWuue?7l> znZG%LZz9Bb^}B`Oo?psmF-PuS{HO}n?L(*+f1Pp#0TQcm$f*O{6G-cnt7;=16MMEd 
ze)XVhieC^MIbt<#*-2`mrSG4?t8pvW38u8IAt%2)MJJC6Fld~P^a9*YhhRpxM2%DZ zRH79g)fPs(Z4)=oX)mno+$)u!SXjVJ{;<|T#x@FUIIOk(Jsv!&`=hzZDBuAwhp?Rwbz~yQo?((9X0oY}$4a6f6u7yKUz2=_g_CE%XTUiys1{DPzE|*Rsh?t$d_us$ zC(PyHyHIXr8mLv{cG+%wPU?0$rnE1rf*U2x%olm6K>of$d}Eera)@F z7eM7^$|ezRXqqXN%6KjK`a$Vt@`F>V;Rhx86wR~`d_s;?q8Uho6Z*t_Af|ej9MuH zv0Sm{6e;A|t-M^Z>-~Zht&cQ7DSf0F3P3PJd7wLkb2x$KVmcFeReC`h^SUea=tG*E5}Kp?rrLkL29LXDoV0tle+cmxv11t$p; z$t{jDVWS_JLCGzaen8NrXL?u?@9i%x<^hAUHvkCf8y@%@`VYvS`aqC0NW#!VWFh|5;pru4Q$&O+bMgd?FSY0l5vsj;~bN64y4efLYoCCy7SSP ztt^1r>;O=CFvz8oG67aPmG(Hf9QK0(;XG#h!KuN(4@$Br27@K1X)qZ2M>QC1_>kb! zQYXbIZF&HP&I#nPNsSSkH$RYL1?#3b7t=exb`98>#9NZ=pcx!CgKS)mx_t(p6Ii)L zkS&`>jSOn622i9R<$-FGj(SDVLtm>QT@spKh}w?Nx_V{opjAXU)xLp!miqN(Yh6yE>BE56Ttv zZTVUaL0@MOD!b z*qGeIG!N}k85OEoewvMVSgRc6)>{1uwN^Rw6u8jVMz8V6*nBlXpdbc-!s2ZE1HF@=OQ6x?slaa5 zc-EXDi?eMHTbxz@C%rbeOST`XtL_c)O5^ zg;n()!U`B*%@zl8`MISoQ=)dLekyqt%Q@#6>)ySLb;Cb-U}cw2?G#hoIAAEnPi_G= zanv8+vwllVcbids>32!0OFuP(^822bn51z~YNm_>fRu5Fgd#yXwq(Mc9zK>Y6bPk} z$`_7}gD;e1Qy7QMU=uzT*rb4xD?5ZlC7;TNR(t}e%x4(4G>9=YgIq$@V`#(=O7rOl zr}*@Ps=?<$=JVFmiq9J#6MS0wsv49gfq=mza8WVc7bsx~l6KXK$iD9J2n>u1PLd`j zfoECM_U+?I;OU*9OdB?Bo=K+>c2+)HN=6M}=uFiyW+27msX%Ou+AW}MaJGMjyVACQ z_7DhnCAGs%VGn@8Izmeia&_x;7S=D|wtm~Nf(Dted;MAJX4gRl!XB3F5>#mQqp$~M zMb_6j>+1-pso~{a0~ut|My|*H#khvMmo7mo^v=UxErzlAbBm?YJlCd702VAv0D2-+ zNcJBwR%Q>_$Jo4oM*VSgzx5v%{99_N`X8-#0S4<`od|IZ%r8=;<06W(4Pfr+{S+)s z09umyGDGHZZl!Gpc)e@MZb46nLC7V(3E$k_1u!6}2}2PH)+4DXunQOlnLn`C&u_6Z?VtK}7= zG`R%~Cbw9I&LO!2S{yD}Kemy3)4f@q+}5fAJCk@zk}W2;yFm6FXYliCayzs~kX@k) z%94^Q0BUloaEy^{A7WKl{YimKs)DjmYHR|KR)tJfj!mhMSI*x^#0Sb%1s}MwD)>N2 znF>|7%&Kq+Y?3N$*em#)orUG6H8XZEDJ~Gzhzl&>Ko=ZKia?`e4}n~|8z~>WAA<+) ziW=~eN)Z>h>KwKFwnHi|aM`B>l{!nSIAx~hp+qnsK`;UskzEFHHFS(JjYY>yAqRpz z9}~fz6*b^%5WHOx{6$6ZRU)|7z^cqE4Xgmez*>DDBxv$@DlnUY^)T>awlK^C>%OOj zoIJx}l*v?<4A8hx*>`Lk2MFlBE#DCwIxS{EI13&F&M0`K3zZLiS}^G@!gxf%P^dS6 zrV3b9=lw6b-i}!mTZFB(4pof{`FOrZt9g5mlE_a 
zMGV=_8$`_PS#Bh_E|KljWm7MZ8{2uEyV!xF+{K0t2qCV`J>=BSnNtCW06jBmCT|^$#0Z`eei)Lfer%UI(vhGIwpui8i z_kM87r}Kl7dh<}FTIg9V_D?FYr&dqc`S@i%M z_`*oKL@vaqK-V1S#K;WFg?L_)B^6G^{ixkI0BP~tIUrJzl-GPR<^$!5-v_QNejg~w zrck(H7XN{NRpP&VNQhrABk6oQO8B%F12F8xq>*oj@|qz2tQ)~+*p$IqO1h_K@fcO$ zX;SY=>cw8n1#YC9$JJiU*)M|n$}vZ-?i+s{pcr$$5Ywysx&-<>o(k+{%vpAU+`5$~ zc+A;8ECeU*cG)D62MZW@un%GmR>YBST>wU1be{=)^04A2V1!BnBMvLxB#fF_9gcz% zR;ra~Tm=MptUeb^JXSvyI1P{cn8(3yGLMJ;r52B>7Z8tt0gt70Ztmj?dfWo>Souug zlRSWX6V0!5ao+*N+Iss=Q%k4Cve!;3jr8#xbCo<6QanjQS*Iv0nxj-4VS! zU4saq=#f)8V0Ia(u}W~7d*t$?g29S)G=-Jc(Ev5Mb+ly{iOo^qqPr?3F5NS*q#BWN z5&$X>fr&^&E~zGyL66{39Qqg=3d+Jhmmi!O0{x(*(ug5&3)l=eyT7A`z|&t5GSxnD zIl|iAtOXD@YjL|!dNDj(AG$0I3sxN0KZ;#LqIx7rv`P#P@tv(5weY zHZn?4)w&0uXx$?ii{jJ|68A(}TAQ20v2a^^8}8$2jfGN?mS{Mb=!hr7p=5KgC6;Ju zizni3?XmXeV6r`yibNxAuu<(T$>!E@A{9*pJ6clFj$kC*8jdx$w}(PO*szwiPy%Zw z?JdzzC>d@~#1qYlL@3zO7VHQIli^&LS^Sc?W}87}^N+|3Zu~x<5;`;jOk-JlgAAas_A}je z4P63KkEa5;@xKlLb%S#PsIhdo`d>XzOZV2G1}IR^O=wCm8jX^NjkW zM6D;H@Oipb_5u40E`WhN<|5Z6LaxiE-V^y1Mt(&h-*Q|ut{z}Z2mwoTk`r8|#&((Z zx&Vr`3M}Vhrwh(l0B10|u-DsN3S{!wgRfZw(rVV#eoK(=iJt=faFBIr_6Jv(}20fb6?#adt|hd?5t1qZ(^ zNR(Qx2vofpKxHjYMME;KEuGDKtw#DmX)X7IQ(Eo^CD|0cdDUg=&HMgMY57y9$Ixl>MUIeSpDnVXXgCqKIPP4Fh?^_V!>gB(Ml8g0x4E zGdVu>pwb7z?+cO}aa{NubF==cIxc+Zj0Zd1Vbwh8wa#lB0n^m*tmeOdIMAHsQ&ZLt z5L&ZNlHeG3aml~&@c-{K>R&spanpAN1+u58-CosG0Hk|LE@O>**|68Rm-2yfdx{TS zxu^I*Nj61K83dciE;_1u%C@uMQ~MSb<3V|`j;tfV&{OVqU1D7V#U4)uX5kV8Z-aB} zr>dtATHRAT!z9!a7U}I(!u{Jmt9HHspmfUL5PUg*Vie~DE6&DiGwPp$CvoL_f;HV0 zdBUuQSCwiUP{=jj){0I2_GBy>!Zf!z)ZW$_jwGW99Owv!gTZ7n*47qoZjE$|9};Z- zfB33o{6WL`HCCmepUvQ0<4e9T7}r}s?#^-f?hOtV{62V}LAh!}`YrK^80~de zsE4lpxe65|bXs$@3c2Vgd{%8LlKLJcj2?lqq`uWbwF0|Q-`&6s^#yK9_j%p}x0R<> znO(vSSm6F?lb+J)65-ZmQ}2oU2;<&(gK?iF+`8*%{bE;24dN6g02s_kTKTZ&Kw+SS ztsUzZa9h9aT0w&h-95+BzW^!_y1VZO9#pV}R-Drb0KkBAou$Z>i1X^F6610|fR>Y4BL3@nTjQj#amdmZ3bIP#x- z-s`5MPPT$t5mc=JAl(X`acgW$cq|RxSX9m5T+qFCwt0P{h$Tiq6InD$4IzDAuk4Ka+S%(k)glp5f-X`3tpj 
zah>Sama%e7H!~i9QTKGmbX@{v9!~{kV-z=DC8N0fm)toIUJ~NcXl*B$PDuj{r=(wv zV4XbN;01Y{o2vK;0>-Qtq{uYdyFttxX9UFHl=P+_3mNFOC#?G;!&{D5y_6$K1{$D{ z!wXupfz~CGgD#tTf!xU9Yb=M|OJ>sGa6zKJ7kPO4AH`J*-M#i=8=!!7u8UQd2&*oe zdQYqu8S5>Db=PIVupSPrA<1ko0~WYLE^b{S+`4S)J#jDjcWU_~Z(@#bO5At$i@evU z0jBEY!Gx*$sVAlljA{K+#&qc4gpNtmqkJo6dH_^5J-KYcx`!>{%`2iFnKI1l~E|G|J+0+Z{LVa1pgUeXN z8-5~0th=#&?2&FC1Q@O#d=S@(AcGMOJDMU8n;+u2KrOEyya?oToJ&Cd;Iziegj}1h zdt9tCuoocUSFg#N67gI8R3J6{E*~Z3-S-yeckflfuQk>xr-DobV6Zs!Ksr-W{{olz zC2%;ijps55ER>>pCZ*k6^6!E%5%rMvCi$?rALc-+~c55 zolxRBfQ=_{-FE);mX$Lpaoth+v{pE)BPqX-7Ht57MVlVn!G|T!x$|K+<%n)YwO1M}R@t5mvjp3cU#CDi?rR7u{zP<8w^6KFb)l zzkMbJI$e_(waQZ1kz#p6owET+PYLB8JlVY?yCvFJlbYJ2{BxMU#XcwRm+SL+?;J68rueOD-ScF)LXe<$IX^yuyhvSJawfUydNv#~# z;*h}vSSaR{b^+G?j1+UryI3(V5^k-Sy6xBssllF>zyO0Kuzp;lQ!4*K8(6=kG{q9w z4q!qA8!#cXYtMgrVB)19ltVmC#0lKEE61I z>UOT3NjDyBd`3{GZ6gBDqB7VYKx#OT1~WnFtEZBgSoPMiFBDjy;oKLFT?k(&$)*_2 zFM`d0v*q1tIN$mU!KV)9D=!l$^G69*0EGlAw9A5x7dTv$ZoC^m1N{S7CqPKVn3Z5_ z((g(pM1qwS*GZGkteeTnpf}wTOw0uJXejm-mDh#pax;Zu5i6fqJnwO5anuh=HD@$)RYbZQwBATz`*hrft6jhk9yJIZT=5T7XS;m>LG&250ws*&19WwAvcTUZ4z+ z5-)(t;tfaQGR0~Nk#HWpzz<4`*AGsK*AJ?Oc+aqSZ-GskvEE#Ahv8F;SD!#ohL4uZ z07i$Bkc*~NDB^f9-M&osoOJhMB{N^U1{_V|ElIgpF1y95zwdo&+Hv_!pj<149xE(& z+^m@a7TPiURoWfbC6MRwRG>Fb%%-1{b_{Q1?by3iNKKCwY{AV0A267FHkSr4`J{h= zOZ*ZzYx^Ffc~Y*9Zb5X-jT4^C;lACzEHuG3rso0!UNQd)m}nc#E! 
zfNeBUsrid%t+6c_3VQVFqz{zKpATG_KOd+X{H?q}{GIrK;_u8`1b=!7TtzG^lS!wF z0EAOTI7fjyX!uIN@=X+hewF95b`?0PT{*@lCGFx=(RR=drT^eezItk8xzKvger+Zv zfQ9~Fe^~cxT_XM0Wm7NE8~r~F-tB{+HyM#?C-x5Kis|>jTxYm?hr__{W zKIV~PJDT)?ay7*VuB<6OP=a0A6V9@xTmi#m|F^9G$9iEwhf8+rg#{&PT3G-bRu<~; zKM=`(#pjJQm;47wbNd!vSvW`E*49K?$+9a+>yd!LdSoV@o1dSXUf3;)z~lK`;Far< z8-N-2VF5GNBlo_|12g;b%68I<0$`?gkZCVt-2P!+QCPlGVATEsttcp$Ugbmr5ON}w zx(bUhbW#!ox{b8^NjUgj-F@@YJ^cloWGc=x(wG1DoviBKU0E^;Cr2m4q}0Q-~^ zY17*U|Js`_Uk|QCK=UU+P3~ySHJ0`8M|l2p(F<4k$cWNd%D@CDWMEo|irY~oB*^G%FE0W%i5cyh0C|iq>SSutAtE!E3B*t?FR!0`O7kx-XVxO zfNQ}5e7U2?BM>+)I7ynwU$%=$Tl&$Nl*D@PJ3L6^g^KbbraB)2FwTq7mTF1H!;wTs zqO}co!~_$OmLNi2aPxCGl}g3hkOCtbiMAz>_#)EQ9!a*grdlJhNP8+Arz0hyNC*)! zDO^SqLn@7Ma|pLXCz7dHI1*|JMI-U%=42bLm5ztQxU43WXidc1@pdX6Nwu`KwzsuW zUX1@@5+MBldLn)W}aKl|*^DYnE))d4{Pyq|vb6%re6d1$O;MIHptLn64RjUG&)vBubj-cBSC*w|l@;T0d9W(jz zly&bGq*v>vYB5^M1R$0&A9}c%{{cO2S>l;#jQ=&pGyE}L$~;YI#?(ur8-PXYR7bQ? z>r_7#*o|(ieTMY%7H~r^x2+Q_>TT#+r$7K)c4E`fyqwOZqcN}PoF5d3=INXtoN{9Q zpaiqhiQNu%1J041%8A|e9>K46zUX2LC1M(80fJ%nG57*VZ`N0U`&CSL;{0g!BhX*{ z&;w3VCWhG~pbQ?sE*@srtrtq5S6B2NiwW!i7}~!)i=SN5tBc(J*MS!8e}>R%$6Gt~ z3%VEJ@()*H~L9irt@JYY5l!HHU(5eZsLMyr(e!q@vMa2hQF`l8F{P zkGHl*lkL%1Wa?jlWPSyxkdj?eXN>9ri1sDUnNKLkV&z65+G^vix)jYc0En5!g7p0E zZ21q^w0=v3VyEUTtLn38Z zZkrQ!PY$0)PVHz1_%n(9_+S4|EpOuLc0d*|;P0fW3>e~pcw z!lIIUWUKN4h^%~6^^zn>tEQK(WVDf!PcxTY$I0 zx$-&I({&%NAzsxrlz0K8#oHN|^8uX0@Y?>!`arqj^?@sk*9S^4Ddz+GSiJiVD)A0( z6?|$lpf@#@cqtDhz>tSBS6qzk54w9QpIMA#&Dh?jQ_MAt)<2 zz`&h)^*~R5cli&nS-%AyN4QgK-b8E;e}UbpE!zZ_Vnfro7JvY65qCpVmxwoAHuVCh z;cX`{;&8(u=Iye?sAody{{CWjW}rV`;+YV+G=Kx%-*xfo65-WlQ}2m)nDLG%yn8=d zOQx!;(XnE{;8<~?ufMy{JGZo`QyC&YE42RA^&PTOx{xjdjk(Is$5H_``ImRLFKCj5$#1OLJKBg3P>Z zx;KrRd3xs-)5Up0OcR2JASVPrFuSFx$reuFK9D`f*?w4g2cwc~?F5#0 zbW{t{JPS~h+tE46$o77T4a0$d@(>ZJN_jVeLw#4_8HE;ZzVJu^ulJv8PkB zhD0>+w`z#!I#YceR8wBuT{{HXTEl4?qZ(F?rvOspX)KruOLrxc412_2`9gsoa#wue zcs%uml6(qxW!;-egO`3;ji>uQCit9=ovQh4IO(EORN?KCxyeG$z=GaVjmMy5LhzE_mz#b(!t{=U 
z-X&=5%S3Rk$%Prh0EVGtO1XTl0xu>PU*REa?>`GUS(6KelTuUz1}Um>RT#{L{tFpY zJds?A6xA!1ajP7gNw=Xd+vS0chK_P#Rl)|C$=}bqjj=8LDq|aw*klJ%tf>wJpmGNa zMMG8x%6EE1*~R>zbO-W-Qys_;N(xnUphI9Y;0%LJin2KUaSy5T5MX9nfN5%YPO&=| zppcwAGW^c(tNabpeIO(`_Zdw-ucZF|KF&7e3Zd05zMfuKOYUk!SJ#^W8rPfn`efq(0ll~7JAy-by~#$oO^)?Gz0G!zAiw(=E6Yl;dZ&~jDlu%BsCDvBD!30=n z=#)-h>;-Pz(*oRB?Oyh@VDZJZFOe|org#I}$|ZP!>S|heCCCpOfXj@XznT?jwF$o? z+emCHA7k0=J*l>puSo{1VOn)93ONG|Le828a@~|;Ko>xgF1pVoN^ywoGNU~3Ee<(5 z^l2e7t?$Z=EC2IJ=gCF@H8tFarCC~+g=S%Q+ph$tY(Id?wjZeqWp69-Pdt!)3{&j>!HhQ!p#8gg|316Mbb@4@ho3=6#_WYt>`=)BZlS&9lj__A5 zD005T{>s|V3TlLcl;x%r1VCj4iKVRTM>6TG$BCqvACy)QKRBfzeo&H4p&-jvkb(@I zQ3|r@fZ(%o*;0ALl#38x$VG@fmH>um@)Jw&&gOTeyFDL*k8#6FDn%~Bt)Oy_bL+b^ zDHq|g&w)to!RSH4TB%fn1i3MQ#UOEaw_d5#CD7#YRA4u5%n)!RQQuh}B#seo?Z)WU zJU82b8X9O}7jRhE?d!rVqkXsuJ71i?n0gbkpu*hMcn+Fs)YN)I&?_$(I>pi&`kq?Y z-G5M!Y;}6GiwhWtsd*qvD}mU>)g=;>E}N$kt=PrA!Dxriv7lCeUNn+eXf+-tAb>ON zdYHOIICa_73!J8D*1wIKX6^SG<4MA(o5tc(H47~{0tQQtxcs#j6P(=KQhK5N3%JLq z6*S27Ry#oj&clHUEIIBT@}Pq4mZBo#WC*6I;km6{>0&xdNq^e%3%j%V>L;LP98i*~ zfEnSAGFAJ|&#dpkwHjaWpo&+wln!jJb2irzR8zyeJo3(fsC15QEkURpC3aXmFN5R` zxI%RP+=ba3-JWX%IMElt)kI&JFi}z_e{W=R2{H*d+kP;!{vt;GJ%@x)q)}HgQAQm= zWuuN8^1|{C>j;iB2E);CI*V}RU@)f4upbn-=TYAeZhT*pdANV5p z)b>&vby7(>X0JRPGL-;Bf7J6lQv$^vPX%VvAGZT9qDL-re_Syv#H&}===5s3cd^NY zMTwmNiNsD1cj0PIv^dPR}M>8q0(|JjcHr;MWnp*3l zh!(&>4q2>@&&v&Tn-a;P`l-Y$Y~fkPd>xoEv)KDDLK6B+k2Uu#FETH$bC%Z;cvHhm z{JY_JU_kV3`jTX{&2*_-tZGA-X4daPm)d_=aH=N+Y67eTtb+OhMnU~;VT9>7hmsxP z)=0E9ifb<0g7IXkqXU!Tc1(vmI@+7taUwg6dn#iogr(8FmdRjS3in?&W3n7==?I6D zDcoz>-j-|)CL=A8_SR$~66=UYTT`)ETT46{Ova*^P2+d~4g-Y3@gySppxbpcT2x4)T??GLd`kJmH`m)VH3Rd;UI9~y4Wim zA9j>bX``u~Olu{=U;`{HMs*4)vKZA*1*^t#o&oL#=L~SeUaUVV*c@XeLUk!l>39?r z{Kmk1#J1-bWUxU+ceK5s$Kw%b8W)_P(h;%6*I7o}f5Kt3Hzl2x$E7Hv-8sNuckXY} zU4=sV4=AvHOH5+he%&f+jg41%cW(GALLzdgR!)@~ssU6Us*|ytT%}JZ!X8mMF+V5} z%0smuoEobApd_1OsNM}W1I{V1Nvrf#LIY8G|)YoNH&9$1r3V-Eledl2r`lTKX%X&z4ndSegPyo2n) ziEC^R)_z?`OM5Qvq*JK|<+}zP^0a4>II`5;*`3eP7Bv>#`uYdbJyb-vNxxq`Xq@5~ 
z1V4_*)BY4Vf_44b%=)cR^fe=bCChZEh#zvq00S{TSSa>$IFwr=F;+j7XoVv-%xH(N zvmnnAR^5nVQfi!FKmg~x?xa+g2&XQadV$k4-Fa@hwLfQ!JN~s6pK6VQOeA1nB3t2b z_LTnsoAq1Zk&#W$FmGpo2`PPUcwyp+r&18wHU-S&w@o*$rUo3m!P}<8#|2-~Aj>dG z0F@0@I&R$uk%@;qGWo{*pdc1D$bN9jQ29Ygp$dciG}uHsO|Z!Z`5QuGw4o}`oyz;s zBWk#^pGWiG)4H>jUMA*9WdFULU9$ z;=Rh^y#zK%yj#C1_|)RnBHE;aU0U^!sm`TlhtAzS<}aEV_6hs^mh%q(697MzUO`Ypks?%KF!R^*lh2pDU0 zt)wmyW4dhW1yaMEZt?oUbp z>HZM-Wdg`&nCV-f00|(6PkB(l)>9cYTBZODEmJIBkSQSPY2bnG-p4C`f{HQgB_%I1 zbLfq0NW)J2l9wsAeA|N(UaFJ6E}+o&=`J=L*}&1c^rCL8#dpo?U5s0?d*=!6#|H(< zZ{yb_pVG8~&w#Uc$t>>sJ5CEmb>A;X_my>xN5|9PbVg`yXl}6l2eewhB{ngEILT5S zebX!+9VIdyN?1zA5RC z8m+j_^zU9et9~6U<(2OUY3Y>}l}|^F3AA?yAPQ5<_ZBIPJX@IGi_{);=CIgb<1wh7 z5WJ*S?A@(<7isYDn`d#D+Nm=hw5nAg)tl5!CIG`tCao>u1g|HU74|pv5z973=H&tuVybFMk*P?v>@jR04nG(sX`l-Y%=3OTk_rAArdz~QE zW9q5V6~F>}*7YrPiLmRksTbIdu3Y2RTE3ETZ$2;Bwq}|NCv6J?2HS$K#*+I0(pmGZ z&ekvBwtm~Nf(E%Qxa!>`{Si=sZNZyfRIq}OJ!zEk-bTYe;HmFli2Rq76) zvbyJ!8Ecjt4tpFXjQK%nb@zi)>h1?6`4sAY3Vh=5!s_4zUT2mA<);I?T1wxs}3wp@=Zy;a9wY5GaY!Ba$UFlSdcH9Ng3dB zGyPaMQ)ebBtx_hN^NOzXgVN392dA3J4@&YWnrXv(sF_CAmYeCa;8V{r%4gP<-%In@ z9hbrAvwHhW*#Oox0|*C_KR~wpY1K(0#6<>Ag9zMhw{8~AW0(CKXwV~VrDaqTNOFk) z2Fq9;V<(sH9>IwX_vbfXg(JY0<7WtG8rCp7^!)`M3KZB}?am$Zr{r&a5zN%yT+j@yo(2wL^>|6_#= zu7&FF$s1o2a3Gm-3MUPbc8t7E94@yr1R zHJs)8db$LvJe~^7#@9OxybaFK23EuKgjTDeWhj+XK)xPe;On(@cXr~qHIk|$f4cPx zxUJuIt)M~rdS{vY)$e0p@4&x%P{D(?nT-Kv;=bN3#&QW*;Ongz6_F7X}da zg-cipz-7H%dBh*~VyK?)@d#{>3r-3^>9Ls$1bKX6c`{k)EABozAuzyQyBbxU=w$3yk8mo>pvYs%az3^ zHxyt~bwf`9FJ|7GSj!Jw6D_YNa(Tq$^*ox+<%()TK{q%65H~pdIo%eJzF)-?&4t}4 zc|C*p#tA7!BW`dQWephoz%07KVe8KXiMk_l7f`xMOCW&35=e6n=BNAzG+4hSCb6)$ zW&`Qk+Cg3dxhgRUT`RjrO4k5X)-^-`+0I3$N0#KcAC%TLKRBgpeo&H4p=&$ACY%ef zNmHJi*T>K`F^9ZPx;CX%o@2n<;H=)vx_0R2q9OIz<6h0E916Zu`{%&>tk>mx7Ni3$ z#dL15^#k&%Stq#{Ud;t=W#L^jez%wQIoFB;Jzr z2hBq0R?v_8Wwy-XbLksy3i|cvq?UkHOR1A^0K-W*g!Q$yheN5BRC^GmXnP_V4Ry36 zf}vDfJeF+phX5zH;VY6eaT0EbTju76XYoBm8~;;qrme5L<{DB%9GQIpPV6MyIhNqI zkIbTbh|Uoj?a1pzMi&iTQf)8+cB%u+l8w~q&j2^P`R&hm;I?iAH3kQ;!2S3e_0p~` 
zp+!8N3JDt*ZUf`qzKwBTBix=YoH90ih>dX0dU!#B5|+6IV61v3@Ht|QWfw3a^9?X! zjpfiUJTUTDr6f#a6<{VeRvlwZ2R_PU)tXxZlN_sLz&U`*#w!x(lt+w{(VWMwe%ucV zVqw3?4^9~`KPV|sVZ1Jb&46b@@t1;6J^IsG^SE;TDOL$Eh*hG9BwQ>tP{P?5 za#OIF)H~3LQxOA2YFeLqu;v5d_XWw0h*etke$tP9|2T_dl{PH7)2O6uHl>kj%mGlj z*`m?3bviJa_c$jI_k+^S<_D*m%@0cQDVl9N_zXB_wyS2_@+QHjw%KawPxXX1I&W+Q z5ZaBBvGw98XFAZAFVX=)I^0>Jlra>k=T}edHnlHEenh(+;da}&L$%xBQt+cqXysan ziPi(yR9&Wvz}w&)_!wKTi-cBNFsUv|`IWi=NUKZQzG^;=HTkMzCGn^al&da2aAkGz zfs*1C>at`LsmscpN?k_ZEcn!}p^n`tZ{XAYWq_mm%QDzMht6KhNU(%PuVwTA~M9Yadf7KP{U97OL{nH|fDnmq4V)Q-R(L zb_akQ1MMzWl|63}BD4&pnmy9c0~p#V#vXpY{0G>q-vW<}4m`nZZvQwBJxi7gF11op zP>&jVh&h0Oxq0qlj4ly#x@_tNQp4OeX6_PD!izXUD0M%um{Z;ZjpTsANIoBTPR#AY zZb`WSjJoJP6ZqsvzUl+imV0;eNWSr{9vEpPFW>e;%Rhj@^3Oy0`B*0}20FTtXV3Zt z+}3ZqR#MSmeBbR%#Vt^Qt-fnsRB!-~G63o#7C_-57CsV+G+TkbVu7yFEg^9!Eu3OK zvNR6~S?6ZwY2i!&7CcM4QshrvIB*gr9gFJf8wHlb^kc2_Ndk$(&@=-bqG z=YY4t+4)Jj&gkvrcj@rm0H?N&jww0!&l4 zuk@gR^-uLO(s;m3akq{!j_hTPzbP^5ZjBA!xUwH=tN~DYtjW;eVpiIcxv0mv^tc}s z#Kaz@ADkL%{Gg;@#aOc+Y~r@GPpPqH*{U&AN-Zhzw#F(_sVQx1oCaP5-apMMb&Swf zsuVYh4nvX@m<%c_%@0LMv8 zeUqewL*>v_?o*hh@RZ>qI^r-f8LXU#!HtqRv@S*9iEghL@JIT?no$ z(gkER{PhIE3y>oe{Btbob!&yFE$2!Nu$0{uFv#xu=e^jv zOd~T&NtS`PMvcHNv%BsCb}X3yJF>f8s)=3MVhTtA3<479C=zxfvEd7czdH+We=+t@ zGYh)=$EpK$lYCQBF9H%yGWACes(^&E?-s(7Mpm_#8Z`k_HnRClP#W13?Nn9I(EOml z6OWpHaLUN~K}kNvsCk_g^vvg#k-fA|@L3U%pvDv0=>`Xw1u_9$*(R2GuD5TH1w2VvakJ9OoD z2Eh}!;{fvn+U}#6o?3O(g=*K1^`>M%bfM$iQm4MCy3on@3I=2slA%`s(hZf2TA^1- zuh6S_rw^3dP(E{yeglH^5p^s`Ep;Aq5nWc zxgf{jE)rU;Z{8CG)$}S)DZnXDsb52k0|X+!E#HyCZ84tfDHiS(FiCkzFAoYX z^-90momDQ7O49-`O4E|WZK(0)7TmJh+Sbv6Yf@9~EwPT)=2)a7iL5HkEs=OC7zxH& zqwx;Z;tsK3EEer(ZpMwR$yhMlmP`aYaIz;HMUs|Kb8E6a)SPT-j>e*imKajI#G8{b zd=1%Pf~_rW?X97Xc4U2tVh=bJL?QAkKmuCl*K$BpNbQnoT5dwUUg8XX6J@LA=%DW8SX@c|C$_)5rIWDPly9WXeNo~FxFX)|N)qEctYPhcOjUeF;E z=WPTf2<8GMNSt^4DZ#wXno`2aV)yPMK!Ep$zH$2Zh<#Hc-m9MqoQC(OnfGJgV%`V; z(SvvPyOn;@*a4XT*WUF8$5mDF@;3_>&>6b3%pmSKW2eq&*v)RTyP3`~Ns|nt_-F8o z9~?Tno0n$EHXHU&8XP~wiV-WuSS!?8Vy#+Y8$tWkfl^{9rIb<& 
z##;TIbKl)}cJnr`$uffOgdw;vD?pBVH z{!85bmn;Qpxu+7_Q_$F6+;$Wb)?14w)k!Z8pbm%#|b2 z{_d|>CgLfy2NIv4J&wafyl;n17tl&Fq*OlZ&Jt$1=LSjvOul7|49L(yS1-0udtihp zT?HXaSI+W1$$FK=dhbJ|uKSNvEa?O5-GhR4y>!rt1=I*Zfpx$TSf58?fkCD=@gfJ- z4@qKrWT44ZEx6TW3XnOO24dCHml%#1HhbMePAD`VPo_>dHJLi0WTT47^dQ8H0ss4baEy3Y+;?rV*stf0l+F8+j`47Mb-MiEO`V?^8FC&N{1(9aUZ;A~EK$*=Ij+&e%D zxb0=-h1vLsU|8sc>9bHe0g$N^!K#?tFc$NLZM>KvCzRF+C!Ep=CzO;^=)^Y2i3GZ@ zD4p246LM;QkbcoIj?m5Gl&Du~-V2$Vjm4bFgLgR|3&;fw&o@58T1 z0mTOA^W3Y`5O5H~=iXriPZb+ z8k?#cA}bmiBH>7=K8Op|eGS!-74@M=xTY!`u5ZF+>ydDJ?2sB)ts(%4kjSkoA+ZwyAlRUv=4&Q~AsRr%o@X{@9CwI47G(8~{=iT{Ik zkZ+cBjEqCOKJFfwRF07?yM%hpbd0DWlM_73eL0oB6`7q1KcU%Ysg=x# zU213fO`Duj2`PvbJ$BnVORNEWnz*q!kV&JcKC)@m3+k46zkWNtWn-`NTej~B(F_Gk z8#Q#&qyY>LNPa%iW~l#zmiQ!S$UJ7-K?RHK6MR6jcef1{UPM^?4}mFf^g6&44}v0` z_eUi~Iq$2cRP#PS=Dc5xgc~Ay8H?4}*@8|eGz{BIBz@J))DZHmBmOn0o<0_uiIw zc<3kaWK$|=TBE{Y?%tudxOZ&SY(a%u-$e&4*(i96kQ5^lNYdhFcFA*2kAKylA- z*q1_-IiMx0%dCah`ax3OU2j(``P!nTDcEDWxrNNNM{yL_Kq>^Sbo0qO>}Jgsf#{d!1xi$KFu`+g?FguPKl`11F==^F^EXhW8Tj$MOxW zpQxervsEtyw;K8a6Yo9C#Lr9O+T1T9ZjI?cgZc}3>iUVO>u0Opmiqk9&psc1CHIH zS>*n}ttE8NRTNnxyvSGrPgiEPI&d`4ZwjspJmBCPX`#S3WrOVbonTy!m8z}OSP76h zR)&HB>2-=l0ydeCaP#EsD9FSkuMWZ=VD(Et@_auk1CzL6xdIBKb z6LCZCz>kEZHV4u}AqP~xCme8QPdK2Yn4%}PLQJoF~IMr27C@Hb%s+YN|)}B{gb>a7-t6Vx>$HN-!_e3@J zduB3tS8$C28_8X9-xw~>k){E>VM!M59>05BqK`R7ss0Q<8eP4=FYZ(vyEXvr0iX~exB2WGSqG;>k z@(yI&%{!@3g<0#}-O5t7p1_w)si0=f*n2<={?GsNthMu?O{?+3R<#;M$AH1Yw!z4> zWm6sb2T+_*Cg{n7b zMb7uNkCF=YeA7h{_T7ILSx8!5Vyy|##m4q^ zJbdqaPIUFPPe?&ccPE=TYF8w62Qbtfh$gR&b|KU5YHzmHNF`IN?zS)G?zm{QWK(p< zAlSUgeeAp39b5ko~9(MQmpwO(=|hQRK}*|Gx{n3gxaAh^&&gC36648tiUUH~(Ta~;@%fW-*z zU-@d`C$KV0tz<+5>-w3Ii9Q#nl#qJEq;LA!suz?k9X|rPi2AQ* zZ9DLH(a(z$?aCmfD2*870MgAHFGwngQQIbqLMZNl$~UhA&g@bLln_!z9?o*}j{HD1 z@AwfRr}pPtV|w1mpnT21B8-NOD;aODJ=%%WhI9!Zu3tn};cUqY2sP*LNY+IdZNsnl zP2Aw(e9dDo3fA?WAB*+Et^(NXDx^n{KAdP()Nb#(6H0fL6HaxN6H3Y}-h^Suixg@< zR9$uGsF2r{>5N;30p(OeHF7F-B`^`C+l*{S(hL{!;=2=e`K*4w_i$MN=duhD8#1comPCz%t;iBB_g;~QO+ 
zoOs}6!JD4Yc%oN3Hfga13>I5pDNP#)afH3ozy^2(0Bj4v-9=+1hhnkSyNfOFAMs+V z?-g*UEmA$&(!B_gw1_RAX*eEAMcq z_%ld5AS5d{TK4TRX5}DQX@(c&Rl$mGYg*;VbIbsl4XC7JhM9C z)Og~Al46SSr27dPPlh(D@ucs#kn^(D(Kyd+G|;041ASwlHd0?(?W?U0);0udgMr$x zueQNovH~K^`8$$PG0<-Tqc^!vJg5fx?$^MmR{mlWK$$xfZUzi5Kv~J7MnTu(KGUyE z03xej04w-wZwU}>)q(NqDzSqH=N#=q1cn1DuMQ5li=!!9S*XJVtHbC|OiN%=h^vDl z)^tk4p?Vw1vok&kc|V+q(g>Z)B9lia^0~mXQ(OW$W|YlDN&bXq=NxOn^cME)JpK>C z-b_OU@2BEUtv-P^`=ccgE|~6H?C!%3IiYlaIN?-(IH9DxqCYn5rq^@wr>Z|jr-Z;- z>-B`GWTgctU|4{5VBbBZ^MUge2L^G$-R=>NDhUAEhlvGeUrlC{v#tajZ{{C@H7Vr_-!YBfn7k zH28*)QyMv8b@-MKOS}Owmmq+ahK=8BtQ8+ANTMR+$D@x!ct0G|2_as~P z+f=}2<4GG<^fll#1)Rh)zY!Mf1jr%oH*i`ACbZRjv(=Ockg2V>rCV+|35V@2SMfQaw6;3ol(ssdMDIyw z#W=*o^}vHlTZi8k&8pXs>R8iE+gro9`wo@VV-Aty*r7X`~I_+xi4MnqQBQKLN|CmvIZg==}IKyGm@2L&3Y<~ zt|&4x8H+rhL1>cpl6-n~+H0N)^&++#tn_=A#d3*cvo{jL%_5PSZ~$B4e7sv{KiF#7XB@?z(NZww7^0OEVRHv3%p+~u;`W}mn`~X I-R=JW0mvn%W&i*H 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/iam_account_change.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/iam_account_change.parquet new file mode 100644 index 0000000000000000000000000000000000000000..368a4134ba0ac45ec61f2cb3bcf60a5b4680677f GIT binary patch literal 22173 zcmb_E3v650b$p6q)3Kenso%q6rX_5aJfyWFk<`bOmwq1g^xC{iIQ z$r9EeOIqAP9_Z z=bZcQefRzJ=&lbIdEdR~p8x%wd*~r^IH@+Po77Fa)h0D^eYKMh?Iv}N zx~63;%3E|%LdYhyIo26jvni(EovSRA>uN-6(w^0xHMSa&78}$qrA2qUE`r25)DF&s z28bsLQ`vHSzEG_$$Fuc%wK%a*FVsA2Y5s6}Ks{r5gT?aNxk9a$ohlI1Hx=!sVhjP> zV*#CmkplYo39ruWe?BmrAA$TadNk&R?pTKKxEM94;1)kY)9tg z4zAu#Q~vMCw*OvwXidaJKgwHlQDT(2DVyuXIi?iblHNXP(Obp?JZx4sb5*PX#5*gs z>4mI^i#4oXx4s>+Ki0fZD^#1yS&NMoZN*5S@SaXik(&X_Q_#~xtQl){`t&1IU!G_3 zmbEf@?wF$k5E)X3xJ)<@I@&vPliNDdk9Vfi$;Xq)!sO%Kg?#eyM5-f|%_WnGM55Ef z#3POL(i?*E5#p|eVxD~ELX&o($ta<^8p72mMbLt4jOGiuY9U)I;nHB;5f!hEf{RIJq_wu{_Sv|D`m-YGqh zY+9Y(4PQ6~ZU*ADXBM*gc(GhBREw2re6m_8*LA3eIj&kPR8ijAe6gC%EypWM9%k;QYMp&CHY`thEIL=HXY<*5cI{%JTBAuAX3@G;tj7s%092E( z_LPc?;Mql3(x6>l3OC5Dy5r5kMcU?KzFNsI82c%ttZVA|` z#b+0)b@0Nu`AV(myU1w%aC$&}7~}KV`m|@6yi*b&%wy_fT+f?;W^JLmSXhREHnRZh ze6Hlt^(Hrj?x}IGKIqZ;+Q|Yeqt$|~`yVRW4;7;qb?-suhaTAWnf}x5-34j-pGa@( zZeaQk>%}JHFsKGa4qOt#@Hff@Xr@(dl-OfaTZiGW;&YH+#k1FCZiHJF@BmE3F`*C3BH_qhOccSQi_8<2C*@?tTMdt6x2 zE-LWP$RPJ_96m^aQ|YMp9KRmdOmIWO>@HjcEwX4jEd zNId;#AWytSkMdFgPaEed`Ql{JpDW(i#*!BJ>^kD=5%m#n(|dswEVJ=kcCHo&vu3^P z)VtrBKNNIC2}9c`ai@dhX>hPO1^X7Lmp5?DSgX^ggJC^dE5LrSSYM{W zWgiA*c)+z=-OXL&VL)K!DD)BUna-A{3ftp*`ptNMHdlv(LvOK`ohZTC(#65U;eGT5 zV4U2qqiwfX4bL`dXPb;^^rQw*HAc>`V+bng+vXdD zuDo{VJ?y?|fyJ&PyStVM=a}|zb+5BscfB(Xxi#-$suF`)UKYaeIJNX8L=2CIpD1t9 zMG4_-E!~I9`bwo-I8>ROtQFj`U2pfaKqR9CcDAZp`2c~9Wu$=#@_sLj?o-DY=1SWr zW)-2gw-oIy#TdjP;M3h7rBi=wUh&f(Z_%T?QcX zqXQn{z{l0J4)E8eD}~lvr2^QXQQktW6HU5ZT!o|Pbfs1oqw=_-9aoGl)Rx`bfe6U? 
zY;AMfy1V49ZML(cfvs&=FSff3gIYznz=L@h&PFMNHl#xmS_U7FQKGy>7bS!X7*PRH zS}%^Yz$WAMw@|*lJu6!%*VWm8g~ECw;AMx3{AvsqfMy77VRUN}Egwz}gmOi5^VMQ`wiYkIak(C!%g#cu z&NJzJ(FaKPs{|=vD)Jqk(b{6pc2_x!+chb(^Pzm73qW^QIC1d5bPe2q%^eSePjj!Mlz1c1#NtGP2kgnqsgaL#*&fMKuzGWDjZ%NVA7#%7f8Tmf4T{K}0H2txVaAxd36 zS9CG&9i0SDRtdY`vaAvYCZYAaPm1|oC`p|dFCmvRoR<(Vj#i233XC8HhH*@5VnZkR z;v%-n%>~B@L(_eC;H{B>MHnAkg-7}2W*%dQW?qz#lKR3z!XA# zE@0sotTzoraHMeLT>M-WQ##*!wo77{9Rla(+`b}P3Dj`zn0{HmrHo9v)La?{{ z)XN;*i5;Tj%ezGJqdm5`pAU)Z<4=m>>rV+PH%3M6$#HeXqJ86OQG4u=U7HoP&*w$) z#YrL4Po~uo3&TsZHuty70{Ek6?CPH{s1QA5Cc3a}*WdV-UH{YP6rtZM-&TaB-}sIq zsDAuih2e+PjN9hmhHSN3Svpk9O&8{}>Q^9u_h`gQ(vGMbpv<$MAC2tBTPv!wa*lZw zcA;e8NGB99Cs)0P0aApRgCVwN428-S7!3CSdDc0U2sI-7OM;8dF;olQD0 z=S2&>q(n!*p1?BnFQVN$^%KnIF3Z zF9}WWa*7h?6SXD5A*VcZ##hKD6teUNH<3tRk?}b)LwEx!M9$D)F5t|MU~)V25O{xN zRJysBtHnjRTxs7w^IGCST*?&lj017wY7rNgaTp(#yW01KtfS-Fj&+vq$>g5yt1F9= zV8u;IzN$graRgXY@K17acdur=ld#&{?hhe&&Jgw$@o%|O@&X#2!h4CFBW5XgbA|Zi zCT9rDY5{pXF(O}2a||cqn#W~i8ght4u6Kqjcni9K9Y25=Myw@vJ7pYIT7rH#(qTmJ z;FlxXZ;1>kv zzF^$k1TNwqYzYd&fb!oZqGwK!i@dH0ns=DLe^ND0Z2lz@__hBb`ltSY=%0)UrwT~P z|B-H-(!sfSu*WW?ed<8IqZiRHj(wjw*RKir>})_!uKmpijPnn8vhB6ggy{-kN=1zG zzb-I&GkooPXqGR3wZ%Bm5|S~my+-Ii2lRU*#+mqP=v`Uuryer?<3X^!e@rSURt37b z0wi_q${&*MPyL1okmbL`q_t#_rKI&KDzb+N%-bTMg3;P_}plKoNLs*{-|;7 z5o^?i1;JPVGYkrp@F^+b^dGTNcjYUBEw5eWZ4pfdEaZRn%f@qGzN6f2?ZiK!S6)4( zs524c^;SXC_DYxNpKdjdZRMhe#M~^=L!dzPmw^jiyY$CQ^iLBljb}$+P8eqrlpn3V zL9%@KqM|+=F@D_cBa7Jkkf9Ps*cSiQD$k! 
z*E)@3oed=(Yaf$nM}MHG;}PS%v^_bAO}e~MB^sC=b}VhYzYQiS9%i&lX`ebU#B;Bq zJA43iU&7p>X8CwnV3hfI7!(Nn7BHi0ul*VG z@e{p*8=tJ%YdywGJ+Lp3^JcZ1%r<{c`+{Qwc7OZaKr*nr)wlbM|LXk}X0B>KBmPgE zRv_>ZF+SKKd_(t5Mm@2^_;3&$g2!#`Qrf2u^z*_$qw8Jz3v!50ciHI0aYs1Y%e#!v zb^>l5^tDTApE|&OhH&3vxR36$RTr4_`OzNZg+2ezv`_64kkz$|XB71W?xXhGGTA3H zA=KwX#`Pf(ipQAkQrf2ugt|sTz4@1jg)g1pVoAtm9$CKm6)q{7C{9yw@YcCI*{Npp}%yNBslUrLIPJ(pU4Pfd4|Uh8E<_Pr0~Y@{o?vS=4~Q# z3&@}p6G93X8AtBmjjVA#3$pO|zg|TyS7{}%^H_xtmP=|B7-eQVNf9Ao4^U2@qiON<6W-= zn4X7JgeTuF8*i7v`uu9dE~S0yfY7@n@|nLSQ@v6P5ZMu|A!2MP{^%Lwvw2JQuND4@w1fxvd$Qk zq>Bs7##@KEE<&zyEM0^^fi6xHPq%?5)W!SH3a0KfN$SS8j9b6kNSc&(iAbLNdqo|K z7$5x}M6w!AYJxbvar!w0&Nx1|OTJf5AmTNm_xyP}dHbp?Y|QchlT~Z&1a*;pHi;>FZg- z`kHC(odO&^v)H%YgpZwOKeS9`fWjUVV27sqOtY8J&LG+T{qSxcL^53fVeVS$1^5nN z16uJN8q5s5L09}>tWI@LwzXkLK#iaH^Z+4v?@hL~bz_M=OfrziG;{64)A_-Xm9bQ5 z7T-sP#@gBr695omPi8-nqL(RbUrInZvyva^Pvpn;PL24u zihcNj9ig^+5o{a6->#tvkPqR3zq!4W6LbCbai*^d_8&k@Hh+8e(mQFL>_3YA(<|-p zflh#2vSXy_L2Ets)^>n zj934%zIGBmvR8JX8~C;41ga(EXBGcn!uBQXnwdu~7ee4W2_8jf@<0LfN&NciBZ2T9 zeNg|UiT0hWCDYph`V7`b?+Uh)Q%e3z_Q|#HoEb}vEQ}9k7SYzkPanbi@-s9voXlvhh8z7sqQE?9(a6oSE5!@V@f&t^j?HJTxD3e)!m# zB7TUfm_OwCxQgv;KAt%^He4D{buWWG77mUkOUPy|P@bMCKY3t1GtI%_&K%4?oCg^H zs4rr|J${pj-{Y_3AJYfhhv)OcKg@$$VEzpDk4zu7_aGIEzVO|?16`~7`(Q7&(|88^ zr(ph@&kxdaX6A;fZEY*Go(TQ*J~@SMN%r4@>&c$|Fz@u_aQzs@^(2Guy|@UN&)~-Z z_3ywU>1Pk}vn8>*JiSvS4`LY{E`cly`Tp)?b`*&0BYuO&ueq`fhPJBZoo$lBgQa{0_10W zZUpz6%dn@K_1eRf){D%3Y^M#uU-t->CcK7(BUB5Ly;#@K?1Vihvi~b&ZC)JVv_szgi-U2pj zYa^k=`rNm-LZs0Z*m;8B2UY;SJJ$wN!vM9@{D-AIY=2I&6TdS=ANS=bU5DAb#QYlY z5bLh-CfT>A1Mw4j_CfP;ZV={f9B-rfQVz&25q?4?#*e)IZNqkty=|Krn`t)rf}czL6H-DlP5uN$@IZt>M=6>iSO<^%JUXQXfT$iek&MYD<)wRy!U~BBkR` zNJ_G_uFW#T2t32{ye#Xo%*!$_OS8<&yv*}5FEEV4D2gBm3L_{2!!v>)Fp3}uf}#iv zqu6`z?z{WQJCc%9LY9u-_rCY{z3+YRd*3^cD5D)hi?CVPyiW)SzAZjq$Y*{8AGEjZ zg4WH#I$>Q~vX%8n_7g$|gqC2pZ{6mgv{oz3=PQCw42VAze<<&geQge?^Axp*J8eEB z78b&ciLHQmLDkf}metFlLOxr_hcX32cQLiq3rg~AHJROLF}psem&@u5U<7vG^23k3 z4;W5*4y}i|)`IbpWM$9aU^b9X5-lLV8}SwB%JwZ8!bmO}{*f+}6X@ 
zfXHW8p_{jrs&YgaVXAxp#O>^ibVhpg@b2#3sJgqOL!aIqRl}*>;Ye3R)jB%D;c&N0 zuMezbl(ZtKCK_KepG}i-oC}EO0&$k^`rCxn4f7>qs$3~$^D{J2%i^*eMpj*DfPos1yOh<9bUCzGD9ue9 zg~ia!eBQl?w|YTIo~=z-y>~&+rwb)VvAi2z4Hb~&h;U>d{J{-u8;~uQbR(O~=GD?t zsHEo#3!sirxl$;ku~##6H4j!aUj(NIUaL5t&z3Ve9XBuG%fgp;0VZqH+g2Zww5>iK zAQFIoYXbPYCE#BZ5UhRQATe)y@kZ#?f8p7*nPV(zXp6^?T5E)|{bsd9G=uB)e~ zhl5i)^^Phy*W8g~YBtJrOwD+>tNFB?WsCUS8u*bf({%n$nSv?aE^KE$WHWGCER-tc z(9BXURLYjg2LKH3A~)AUNUjz@15ur2uTF4qk5QPJGV}%AAjfjSFJAD=aWqjE1}~hn zrtBzl4HAKm%iFcG9?5<}I6KO8_-QTckI(CQtu}CSBZ%6lc%;A(kl%;Dz-z#tZNj!) zEZjBMZ-5p9tYINwhK+;v>TQJ>WE%D&YweOsl44SB1BLY9h^nBv1w<$p=8G%@wQm58=POfMA#Dnp7xNTaC#!}6xo-&HV3rUBTogO!E8zZS<_)!EEQP@9mGU0D zX0R@(RKKeZx2~kr@@6i0f=S-Zb!6FyvcNPiWYcE&V}?~Z5$PcX^5xsDv4E0nS`uooIr_A!GOWOWok5RZ_xYZ{_eCuB|aMjov7&DHZ` zy1^!+OyArLcO9uWz~-vL!l@UrHbc8o;-HXC!X{>+=zLNtgkClFxCR;}{8h!R1U?Lo zT-nMJnO8>4$UD%uIB3ArC3G?LA`FLfa5k+jg~||}WwLoalq-}}@X0k4MQ=E%PJ1<9 z>r!eSA|&GKUBCFQUmiie>Wr8fcwr=r2?FCnqpDvWrd%)khgx=zYkv!VG1ZtTs6>?-oSN!4?zdVR$C}hj+(=0e-5H6eJ^a1r2=fkOM7Mt3ogst>IEfv zwt9)zTGETg(o_XZz9tK}8oa>!v@p%A6kYUyI$y59j=MLlYY>LR2@eewqnEynQPB5l z(1Jk)1n7G-Tpu;2DtaT31kd3(Z}6|ay{<3kDn*czGupEO@oYeTl8z*+r3Ug!g2a4C zE08`gUr9mk*B!pJvL4BP0&vI7q5d1M*t&uNgHm?@N&oOqf)bFBnjwYq-tc_iSaF4iNpvL}SI&s@?ynxU4<9{OV7 z&cLXR!fB)3mzy^{4dKT&dZWlsp_FtX9siF@wY2xn~6#^SUQFAoS0F!S96`1>)q zs6TU?s{5sy?xvUw*@CT>W zp@zw=F}u`!)__f*97@5D+jnlN?w4x5*JbuzWOgcD0HZc9a(EMLh7-7~i4W0|%b^^E zR~npFHDf;IQt}ozjO5W)m*Y*uaXCAaS1a=+Gs5S?#g(E5=647?*vh^S=%q^`*k2(@ zpy{DaLF%T^2-Cb(A@|;ak_P_Wgu$@=ee|Qgi`a< z(|7^{D1IB+;)ant+Ujz=kvN_z!XZ*KPo2D`SBe~%s`2M)N<$N_PA#`!t3u~`d51sE9Mm2$EQDKJtLiY)fRYvZ}BHWx~j z;CiSW%4Ew$6)siUpk2?;z;!Ps`9rgXc}Rr83EHu^ngDF87Z$0l5sn%Gxs?B)hlJMt z&>~(8z>f?mbCB$=sDcK#GZMy_xur@b1c_0jP=?G>TAzkn1|3&JF*4%w-H54**zH%o`Yy+#0jwTRXw*i+qXUvPne^Ft(0vv*zv6sJ z%c!`hAZZ8ThKs*oT~MihmnnfAKhjw(qZ@{KDCJY=cZWTAUm)mI+HjA8F9?TK>h`R9 z33`{kaKr3^6u`>rRk&{RW)TX5tcnzyT)i5NVBI2(m0+dZT(jbdpqY_q2FB5AbjKfT zc*)Npv2Ndk>=vKv^1M0+-Fw}DbHf_kJ_n@+m&P25y7NPtY<4GVX|mY`D@V_DPZ)Gx z6msD9tsPhwIw$)iG513j-+ 
zV4!C^H*iI_BTWBIE>SqNc&!kmTL`YPPEJ2qFR9NBwG-_yK`al?b+0H_Zb{KBzs;fb z$Q}p1(#PBouPkp+^2*k7gNXfR`Av)cW?&pz&*UU5cdv{iH_SWr2eagzD&$7mi8Poc zmX71QSag^txY{~;CA*0u(9M2-_4RV(9IsX?wSlqur@`)f!Y}hz{C<7 zd^bxhKsS5jy1mc;urfW*^xVLjLpX3)eWK<-Jx;)2r|z>XH^hB#40@a#xd9$0KcL}0 z#c@OE_yk_kJh0hYa>KI?n5Wl)h{NiAN&xO%2MTVGJL(2PUO_V((=JV@?0ju@mJ;F%_adD&Fd~1^cM{E=j|J8Vu)?-IUcwcgk* z#H_~;+J$G>xRad%oTE)n&h$9XZ}mDHo_k1m*aA8IZQ(cr|CM6Xc_Z#XzceT;ThOmP zD*Tv1-xzj4u8%sh9Ul{3U@*^3*cgw0*M2pmTSc4Gn`L3aLUDP)Zhdx1n6z3?{6Khxv3ci5j#!uf)bA+s)-k_unL)jN z+;1~*`vil6s-Zja!HsIER9KuUYZ*u=3NoB&zUs4T<$c0NcxI*OU-j+7qaXECMYylq zC)ou@f@ncoHQE+5fUJi@8J0r}8%+qRBV@>kK=lwJiZ{(Xj9uc&H*&?Kd^2CTX|)3z zTsiu{NIn6Iu3+LDt4e|Rj_TSPzK5$n;hXJ>55CbVx3HQ(m*(xOu*ot8ta~t- zuAMfzUw6jA&9tZJ8&PzgB7d>Vx7#cYpGH|K_hA6a|pVU6eS9?(R%tiG_pL`d0vh6+u9&!F?|HF;{j%S;6GEmetDs{`os zxj-+C(lXhAoVH*V6c!E{tDOzyNw}6#3#yriFcVWwOF*(SIIIz;hfkYWN_Nr^7N8gi zwgvA*3W-Sr#6)< zi4KVPBF*{r^3nCKS82pMgz444@Cy;2e0773$^AYFD-I99i!S)C%f)--4_fc)Z5Q$M zf1+C61ER}5`L`Pz5Os-haie^Eqg#xZ0i!5hKTTr1ytx6!ngXX=o8&v6`yIbRB3>r> zPX47|IOq4tKi=Aa9edX!Q!`)exV=Swe#>WiwL|V=ttAFJedVKOvgALH~TQs+fu1NB4z6i_6E4SpGaRPHcb^-0>4p4<< z^o!rKsjlKxhBIyQ@h^RbcNxSp#KW(i@k4OuldptU!USi%?7f8d@0Ty!@3!9yfL#B}!%aEI8#LNt2v-BD${!J44g&&)Se15ylm*Z%hponJK zED*W;HTjOb!m@nveUkm{zwry-huPg>J4uIz9byp)yt{v5hkWhp;4xWN&UuP@w1FhI ziO9KU$z#5?t8L}=^rv^pzu8F@_2Q}j!ddzdkotrxtqCX^xul^lT zJoQZvidaNc{Bp-dK zs`6TV4u*^3+kfvDcKGDy_Bx~8)zPQFEnj)~F6yJj^Tgt9pt0bSFU6eI=T-6iD@A@o zfn~>Xt-WVin&ZdOv&7 zFH|6Cny~447l}SMA>T^YDH9bx0#u@S>7U8)uYcEGR+78$^Z0k=8wKXh1kj>d!< z_u*Sp@}()@on_jcr>I98Ab*vRKl2mP%bO_&dDS`F#(!It-%R$_ z^4qhp347j3)VZtxQfGjaB)$)%VB7y~-jfuc;~=G(Rf13FZk?LEG+FK5wae>5n z=M|cf_a678QIjtrGG?{et)l#V5xl(nHpJ_O1jxNf_#(&9z9rXcLjkL062f{Ain7S*jj6E6|DWB*PY@;gTxl5>@3 zK_XxN`ICMS)$6v&vl>ji1_ZZ>9|OURPk!mCh6L>-8%>s3CI$Be@(D6e1-3d@(6x|CiWM;?8laJ-=d=I zQ_6}mG6Oi`N({!%DHDp4IG9kBzA~bjMl$^e`{D5*evc?Hc4#q<hF6Q~nKi;P7klS9SypfRnEA5;z_{v$NrrXTMoQBWMz4`?P1 z_@c_rk@j{_1bi5O{lkL_a&Q>_^+mB~4u2&`o-TZ(@%w1}B91rtv&RpBqO4DRKgvV! 
zgR!Ml=VWm*F}6gV`%#`K5`kG@pTjo4%E&DC6Y6wspqw5@(0CZ}Rnt>Addf`iLVG(2 zIXK#_B?!GTIFf2OAK$_LMU*c#KQZ265I6mYB0wJugXb?y`Y^2!^&1N#y~!r{=LkQ+ z&#U9z;mPstxs<6cn(E2KKzM@GOO&l&V53URNacr$6Ol{>#)P%SKB8AWU&?ShjUfGy z{_^-eLGw@ilKw|fp7uH9w}Ji+_5u*iM`E-xksO*$cE%P`31e0_`8$mL^~c8)?2jR= zH6B?R8G%V_upU(GUqsW2&8ZQilI$EVPDZ*j>A|t3Nx+qAGCoJ+Nnhsp$ml|9e4v<` z>6>WGZ@i!QMJ5xYC3QTEPo_Ufj8!JajdC(F(2+)64#zve9!Lubg2G>qkbx~CeRC)_ zlKGkI3FJu*855nO#Z;u5)+PeHTB=rx6FDY4vDPo5<5=Pl3dL~_)ajPx$) zW4#^dYw%O7D^K5Hq+csfA2u+4I>(BWh-7#c`5}FJ`UB-qH}nr9=tN`y)=+vu%Nx_F z+&~3wL{Vn3pPp*xXQ!t;xISWGJsC5Sj0bStI~)3!SONP@{zr>iZfrK4FcwmXDnayV zRXhAgCeT;Jur)z;(S_gR=wJ6?V;`;8Bs?h!BI#R1{DqOc+kcz;i{rnC;~;PE!S=@f zw~Y7*z4>bp|7ekpur|;ePA$fXUj6l~Xgk4QnErdn&=NNy}!wGg4|U-yn`}?`kX`*cb3e{FuLp)pP>f-q4}O{Oylpzv+MTLklUg zoW3aHtFMoEf#}hCM7xd8;CDh&yI&6@e%F3YpjyP}F>O{MQj_By8FidYN88!hzdnNf zL@F_qN#(i?4a{bA1ej>xUp4GsBzs?;OimhF&Ip_SJhq7VNOXJuSB3{@gF}BBpTp+I zF^t-e_6wE|z~dAj;CIs~F_KXd#J>|C?4NzGy?tj_V|n6p*iZgxaMXacJf9x0{K|nt zFus95h{dDOPyQg)IRyKK0ekn6X;_b@KZqT|{`&r;pT^VrOC@^qu+LS;C;d&v57Kyw zFKImUtDp*PWVzvdCx82cA7ij0+0k@R#b0r4u?d+cC4_@`QV&8?BRqWy7(@GH1j!1}syKcr4r>}0yc zl&!D+;aL(GRT0zh(Nqe`-`9oo9&f^L2k}eeX^&fO0>6{skyH%h@MU$pcU~De1Y3Cn z`|FE?>6`w?*~5@q_Q6#ZGjv=R`C*J7mZ2fs4ojJwsx7Z##p|f5I4)YVXNcyTmgWI$ zr2Qq^=E zCwc3y#{gwGS R-V^rqeck69f&ZiU{{c0)zl;C? literal 0 HcmV?d00001 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet new file mode 100644 index 0000000000000000000000000000000000000000..22ced6bea44db065aec179b0b1d118f281287968 GIT binary patch literal 68986 zcmeIb4V+xXbtgLAGe`r7FXL|aDEfIPj(wLk7`l79N4NRe4*fAbBO#4G5YlLpwYI0H z=R=yA9#7AQG|!t=h(Z)rRumpf6pUpo%d$*}Ob9D07%N0e2#>Ie!V)df;}N2@iA)F& zD}-oSqJ95!>ejt=zxwtd?|S$5d;Ob_+qbIDId$q()v2m;POZ(ZPefWGosrH}k#MBx zBTY>oYiep59IaJKwMwmhq&iWZs45L?Vx$F zkr0y)cA6H|rc2W^s47U>8N!d2B$8xir4-;^AGuzl{Q8f-_TTUSXN#I#_*!L3%zP3U zTMRC=OplHW7W`85m$X}e&B|##>1Ju`T@%%9S!9`{;VJ;0n3+Pu-8x$ybWw7Zl@?Q; zZS}vYWoUG)(lSvpNV-21y+5Ss!~&&=y*P-tDRPq};(EZ#kCdiL<>|^)d!aHrT6Qx7r1)}C7l&G9O3ZwseBp@ER)RZ=iHt3y zU@&CFYBP6P-GrjT11(xalkB<<@Uv5+rHP4BdttORUY&3^+;xr&G3N_Gq|vPekxR@yF-$5cK}ho*pcr@bu7>7o#~ErCfAuOrV(hXZpju)6<-cKTyzJw?xoD(R z8>!S<#zt$?O;^m8#%4s9xX>KE(5xK^QTtvt4L^xmK!O}Y@?AaI&m_~GE~YOw5@PaU zAuPDEG&WqF8l4^)=l-}q6x}b!Y&TfDRLdUgBFMAfI$OmU6FgdFiAj~ejZRKir;Zf89bI_p>ezeaMC+wwMKtPjY z?!h!MJ~};JfzB{dny$L2y3Uay=6vBvS?fr(Htjj{1cL*OYa?qV-#!WW@u70Oq*wIM zq%)cLXA+6Z&}Z~yM*mDanM#(*i9|dePrC^JWFw_w4dwEzV)Kll0UQlSkA}4|;(kNW z8pR1dIMniV;r2xK_H6q0O#1d>=k3Mx?S;hc>4K~3AM?o=^Gooq;CQLb;-zZl3x|wq z=n-8uXAG!@Mr-BLSo`S2bY-j^Poo1?=yKC~Piaqh7gU zo^Kacvqgi|@zN+*is9jn5Pq~(R5wq^e)zmQVg|iV>4>Gyq2n0xS9j`w;=A}#}8CSbQYS7gk>^v9UA)u5YfdRP$7v!?f;KGv832b3Z zlq*~OCa55i8%2)h`+Vf{a?JY~P%~H=s!Y^IXDjWKBU8MAMC0B#!oM)7EM)# zSw+Bn_IwCG+Dd9yukt=X-Bb@%rfH5I0<{%va$=|;6~x|bH+p1>dA;flUy zx>3ZAZidlqs(ognHZwqL^npry8H;qMz8WzE#;E>mOheZ*^Eprnk6x}F$lM7#n@84Vne%U0)`%r5UQ zRsrxD#R^W0L`GKOAD!Nj7RH(Yj$bgc)!HlD%VRS%$hFr-s?)TKI66LAtwBS>XkD3Z zpPGTRL_Qw*_$`279P9l|9SE@-T;&0i)+o(k`r8r?HJc}VeI^^Os%)Po)et0!ool)D zZiyZV<44=Y8`lfQ45EFe173uhRdNjKHiDa4#JWsFtP%q1g_NPVlgb-0J!FQvbZMI%zlvU1>F6Rn4#M2zg1nHVgMw%4Xc!BBgpKH|<3^LXb| zi6vAC@O*X@N;Px)WGH$vr1elmJivH^21&_CQW72ku7R1+vFY|&xiT?YZZFMNM+dzc 
zB;uJZ=Kb2I2G`&;X?S!3+Xd!f<;$Vy%OS0os^AUE7XvDyY!Q9$yx%dZOo_G1CqbP& zcs7OPTJYBYEL9e^!00AG>z&_TM!J$vr_X^@Cegt38B|IPK0&#B8sjR=8l{P8-(^J* z*hZ0~og9ZXE3m&cg{=!rStYFA9G&DETXM|))mE2SYYpo^I$Pu3pq|y#hhY~T8ky+h zqNG)(#LOqkXYP*0S_fz3{<_Ux!Cg)_A*irG$EwIG*%vhsO&}^bJ1JNHT8J=skRnrJt@4TTS){Zw*W@OV zMTg97mD5cK);k_M9A}6QQE+kRI!A_>^MxQ#HtRKIY#8E9-^X?(7?_VW}CAB}ue z4$zALx0hC1?n!Hrcpo$V+X&FF00Gsh#fEwzmuKPVd~{xm)0pZiZEu+}fy2k$GBPFB zDxWBy*)k5y&66(6I$6vDpqrqqcP!$L9W$JSK-sNK!2o6Zp>Pmj6naNB&d#{82SsrI7LT5ZNy0KOH9z7^6o(iq|ov@SkW zQCUTO;~)H1Q8FdgDxUy)J@pdJ05zx`fMem?)nVq z>7hpYY(ObPI0JGu(n{B&=7TWJ8^vPRS4;!&G)fKTg>WQ%3;r|-=Ydct79!;(6lrSv zRMVn1pVql@w6YB1XNKojrU22~bo!h0D zt&Mqa#6IsakFKnZ4#Rj5-WFHWxy9%Zj4h@s%8qF`TIY1lvHdnt867i*EgHb^3mF}S zkh)C>mip(7)k(8)b^-Olx!cxCStyR`?%ao^0*&D?@Pm$k;~;1f?NcSFK{RZ8+Ugxc{W{Ko=xQQWUKyh+u6v@&`+D}SbGrBs23f@cpS*=Z@Bj^!It-MWoi<~iPKJJ zgO=!}EAXSe6Q()+e-Dm806!V|q!d5ebGdtB+eCG4q8X2?3uHfRZ|KEFdaN0#|ARPc z^Id3(J`%!@b_X%lfgRNIs#6>)fg1kErN4`IWdlIw#eb(v7+TR~$%NC@0mpeE{IFTR zwfhijm1L-U6Y?EvPl|qb=YRFn?_^4>RX!06b0yjMSYA)%lb|gmx{1zu=OlW)FVQk3 z)+(PqB+=Jl4Ld5fa=lbl3Eje@n;5NkOt-@zyEZd5OGbNRP=m2phLcH^{<|mKm|xDA zZ;Ghvf|ZABYS=P|Ryr{=K42^(gc-9i(f%-WpbuRexmK=|sN1i{XrHD|tiS>mMZ&2k(#M6})38^O@cMK(JEQ8IC{bD#!@gF;3ZZgu z+D)iTQFo{nLLJIHtBF4L&2C7(``-@Tb=8h?)h(n~@avfPM_e{_S1;}@=EYxi%G&U< zR8>15dlR+*@ZAtn7iU`NZH)gmj@(q`C!!PVCe~*I1Jv%-Wg@Pp%8Ip1rW9|$B_^;G zujc}DHC#2nZJ|I6jnV<$3`K_I#7+h-<*Djqd#zd?t>P?tNBc~fPP$5iHCk4bt5bAv z3@g=f*dXDTmlgJz{{|O;*i!%EfbE=EjnQtm$Dkp_&C?B~C3*#aw{Sp#v#4QWl1L_OMpBth_l}vJAJ^L9h=vJ*VrNUUVieRkTVTge z9!M?GXTtc=_Ay&NBsJj9RAfqWhb#(kv;(eG2HUHXI2st8C!_VrWk`V2&O~jp3fnw7 z{Dt)gR%K(zH&L1;OFgKOw_pcD*h+PVZ(3F_e=OpO23TkUYK}G0IMV#P*afkyrj9f! 
zH&;PBp9N{dign8(xVn(H%U)vEho%nP!sN7y{wOv#hBcL4;G5*mK*Q~7nhcqCIA8)W zD)Ww_+1jUPMYEN8z(7j{tT)8_%srLL+PUWygkjodk z;<>JPu^5MCaV`&w&#pvQ2X+NIGReGN$m+$6-qEG&DA}3Dwm_ycxjf&gXAAMXo=g_A z`6N6^bD6H?dS@z`&&6*-)jJdEOtJ$7I+u5Lc61i=%M*ooGK=(hrXwBi%5^5XGMSW) z-eDgoZ)&t;Y-i}FT~X>Z`1RN$*zVEZ-a!Xiq6Ze?N88y<+V1~ewa0kF-g06^O*$w= z3rHuDZ-Ftkeql@f|s zP_DqL`D*MzkQ>Dho+wj2(L*0sqnLX}*6tDIGk1Hugu-Wvr*ibMAnBgaL7BrwW^jrW z=vw=96?)cm`_L2zMnXQ-g5aZGx!_gpQI@FiU5}DjFGi@G>deHnCElvxj2B2hL?9C5 zm)!5T8i>2|Yhka);9cClT1kwlUmB;_>=Ggd%k4BNsE{0BL7zw0NToZ~BhyT|vynw@ zP$?mrLAe^Ps&5ww!q6xk;EmEnXiB1wtI=9zO3Zwsd}bGMYQw64`E(UGMBRj~V)1Fc za!4h=n(KCj z)wgp70c{jD*x_)S8>}Vgx+|Z5yZaDpR_0$_&Sz_*2^=j2x9v|E?Haa09EvOE2 zjX?&{%82rhp+|h870Q%Yt9%kv87iZL*Y(a(WO)mcZo;(Qv3lq*UlbO;E*>rt?_o~5+R}tb21gok? zGhW8%kBu7+)#%#E(iC<&$t{OmM=aICI;pV0*g5iff{Tv}ajQ&;nNO6@oO|AY~KE0dpy16P-Vy*H?&}VeNM(C?yE0e8Hf5{9dDq&erbrZhzj=Q46 zxOr8TLN(om_zq+-?GU~tYHG~(ZNXeMl}FX;xgLDb@}vU;*GM?zX%`OwJn%(~4VZ|<^?1H&wI_W>r9DSl$L*zr~ z+?PSX#D&Rc=Y#_!U3{y)}Zg=;ncfOd<`vtSfI7kRb&xY`$ zttBq`!1l+9+Ig&3I!g(g!)~VBfLV4TsFYAef^sdC55AgF5TZuO0gDtRL(X)r-W4>P zHZaOv{_5omkuOL|y%~&LK!mAQ?yTg&)IC&6S#7~ZsO zM(|T6iH<3L$|Rs+Xs;Vlkm;`y40*SG(dVV9c^_JYqwg)kkA|2N=o3Hv8vZZAWPAUm zGlUJR?&@)gWDC8G@!y|V!`RM3!qIy}_%TdiRBUz%$;pjAE(%*^O3ZvhHirlqqs>A^ z$axwPMoecbtg{=jZjzu9gNk^l5zF_-=bilgJ$4ev; zgriYPz#W$}Qw{OD;6gEiIBjgYgAhkE>El=UO`0+#)+(O_(S{h;Z?SqiG!mQzST|8v?|8a&?9g=2U?ha4cP!~W>>4jTeTZo&G&+_lu|De!3ET2Q_VrBmXq`-Q&=xy(aIleM;Gj~1OF_AO zTc?pzk|5xXl7NPCgpw#!u~S*O11{9HTPuSzt~R^Qks;=M;ajh(DhP-@wxu*UD8dq{ z*P#Rh1*HyKg6>LnYIxK=1}-)dV)DU8k+HPpQBbw^YDIKZHaBcB_bODw0yj($f1KLfb>zkl}Sh1<8w4Lkw*bSv;%KzpsKeywi&))$O>~=q`G9}h3 z^MV|rSGB3RN<<#pF4iUf4SaRE$~MUGkhEfw*$r#l_%Ny%)TuO}9?EtLY3KtP(^Y^V!m%G;uJU$Yr8LvNb&{eB+SRmc?ddVccN>X@ZsX$S zVm6c<6!GoVefS{Qc9wnYNw1lc3A4bGhicX1qEG_g8OUatXu)M(y*Up(&!kYslK%_mC;s z%^QY*kSxLJqa-^o=xU2O-zb^Q+p+*lUZ$laU-o5CZI^!=ltPZY;|c9RW|Vv%l*wq5 z7v5}fUqRI7aR-rt%yuzQoBd`WCEMbHxG?}U8Ba>0{YsrS$DKM#M(52qXtc8Pb{(^( z93nI5Qkynbq#C&U#suqk!wb5I&($qT1$=KlY4gAOL@Dlhxk#J$?IKDsaUnv$ts({| 
zf^P0mz?!af5G6UvD9NsiF3?|{cUCCb%^M*A?GEm(w*D&W5O7_CtV2LH1#7))3)<@5 zTc7}8+Ja*L8?*&wQ^0zK-f#1ay{{JXhg+|#X?Q=OE1DgXQ&f+x2;~}T?rF9i$};?&zDLO z?+~+XJ~3vMf@Y{!3{o-@tdh)J3ksMjxfU1-)|_(eu}?8S+QOPD_|52|AWsG#RgxQs z+1b`e&`t%U8AlTsrJJ#uEJI!*Sw1Ss&M1|b&mFNRmCR=RN5GQdA=PB5aU)qiD#@Pl z6ft#r1xi$knGp&Bwa+~(*}@G%`%!}kDo~8Ter+-?pps;6kpY3+>r#@vqU2#fgtG6B zx@XD@i(ybuI71ABvMIC(umKUmrmMH+taA9Dfj3%Ze3$g=ZY)P^M zvMFFgG@ON$7goqC%ok?(DkXzG`V_jcEs~Uy(RWm?6LJZorGJzp1-4)OBB-xEF^81G zfpKxLkh#p@J$VHk#f8Cw!SpFI1>AHk@$TzpFcBonSR)EpGiC>pWk?St**DMzbacO{ z7)o&pNzumfEtHq0ehiczs8W1e~50zx$&_@Cy-2O}fk$uOr7jdfuxttkd5|m9L zM(v!&jHzzCcsgy-8rH*?OM$AoIknmRoRmylqaY69k_3q+?h-kSOa`# zB-Vgz3RZ8A6ey{lt|dxArYFc1!=NW9n*!GDO@UtTa*a?5n7#;Ln{-uBk_{&VC`Hm6 z!Q`mPWp9R)H9m$|{8hl2rtByqE!~x5hy6GP8>fM?g#!#q)d{jzt^95N98O;}zO#$m~<7f{#fd(c&c4eC;@-!~ktSX;cx&b3P!Dk7}}12$3uw)nuuFBUwHg$;+bsk-Z^u zt7uymJ=q-TH69OM5m|3M9$OsgHy&TSGBRa6zJIlu;mEa-3FGZ+*PCxI-57ZxY`i|- z78x=g?^_nxYCL}M@yM+4`1;RA28_pxKW7s0?x)ORkKAP9xc}w|u745~@4n5Vet$B8 zQ(N)=)pX<``Fto7fs2NCfB17IeP@5(tjpn?`SxU&1^lHI5jYNsf{(AZ-aoM}@=M0+ z0~^f8CpTF+_WeSnXymx?i{|6bEoSBe16JleLy?U}=4VDsj=Z|f%CUPgf^f`&kfXK8 z7mUZ(XCtr5*XQOVpEX{e{gPGpT{}aOdE@;D_k<#_gcV@k`qhwG=d-&*7Oqo!LMGGC z?X@x;{moG1DYNtgR>D2MWj!DH?U30_XTD;+KmS$h`4QY@caH@0&Os~Tz&Ast5FGzj zD6-NZ_0YGiJU{rIkjcXbzN3(R^7oZ5uYNZaff=o+>BXn4;valp$@TIdg(4{<)06)p zWH!Ppe{6AJ&+{R(`CfS;WHI)IQz1+8o_QHxnhj9*zZ#1CE93dTzY0ahjOXL$EIJPU z(0YFAd?<3iBzEUpp~&Zr0w4UHmFd(w*7L5vw`jWOA3~9wMDUMFWcbYr{d*D$E>iNgQib#AXY)bgKCzKLrk69&N`vWE6()YubU?2M< zCFSTJhs_Rk=})ZU$6g4V;`P{z*8A5^g-!OKMr>(01RnZNVQbX-3+w$WuY^sJ-ScWV z@{ktT1zx90nfo8KOUHUBr(wVPVg`Ya0B%CagcY3)#!Ztmik68_&3W@q-hg zo+YKJsp{O8T6qK(cafVAAMR64vBl%?$t(?5KGn2}LhSLoMZzdVzG^|X7P_RTDUAnm zwT)aWGP1d_%tp{!$dp&UpmNeYQ{-QQWB19@gt$LS&1QEVB0PqV2>gH+t@T2%P8*9i?oQUT{$pXt!=@z+mck|xehGZHeH?EGB{eJTPMNw2*J5-a%4x1e0jHw zR7QtKrUis0FbaiXW4S_iRj6cK%g2dBIEUryGu5PPtRzPv<3@QkvvOU#`r5qM+;|DX z&FdH=9~HF8%MPq8bdwU@!VcndV#X~UMUVDl{aNSIx_+Bpt*yrIm$@(gj9p2IEo)`HB$O zoJ<4}4l{C@y9v3i8(kJQ(xa-@O(PhY@m;-dMAphnbQc?UcStg*qV{?KnC;2~FRA_s 
z%m^ObqF2t)?ndJyXwj${1YM=Qq1lH3n-e3+i4p2LvcyA9h$FUX)gcQgZ^SJ2(Z+70T#LM3Xg7bplFh7PN;VVguc>!jMy%h^MToGLou|Kw>OtYX7pDUi1Q7{q6u z|7@*h1cZxtv$uY$*`aZN_UV{J*JAW^3KwND-#r|dPH-}lheQ)BD*}%#qZ$~8IfpgRTFB!>vY)Ch zojnw=ii?Hk5OWm`F@g)0kAn@S;a?!%aWmU&`^Ctjn%IjsmZdvHm-T%NDsZJlp(aPF6L52E9~vXgx8`f~-qaL5a~NJp(bG>g zN9LQfeJvIeV`arSgd5SxW^G?Hu9Y!N-%T5MKzWOyyzo7&2Ai~ZuUIDC-^5~!VNfKY zgI8$pwIJ%NG>^BQbdPs{d(XFsx?N8CJ!JB;NLu%H^x zN6l*VafA9rTe#31z0j;(x=}mxk!5|C?Tc{vt_Y~ey+>LivFOu(*c>?!ZqiOItydFE z(_+Sn(5C0xv}0}PO@;%5>B#`t2LL-7J^M$ZH!U-p!h=b+%>srl;tAZhOndET79w9y zGR_BZB!Gsw@XyTZ2>JEefM9IGWAB5HYsWsmtk3OQ;o(_<`n|xoUIMOxChg=WEL_G; zhSje{Ag|YdRy*{w%ld4N7@ekCtP`PXX3k`(vE#qbilxxR>&4$1|B_A@~r zfFNq=i=Q)xsGAJ_yC%HDpVQv|ECwWb9%()49`AtSaiEAsAN^AvkY2pQtg|jL7<+@( zo*+w>n7YsYy!PPFW9oK#YJJB*B<)SSaP?foq3 zdIz?y=wm(U9`8WGt4zUjFLGUXb(?jS+_ddlD!uq*mv*Kg+cv-@$Y|SuTp;EGx9zU~ zDBAX&l`d)=Tcu3T#ZdHONPB68cClw!Up<$jx*kWse&6qqs6TP48RsdOhBFESQW;#UFjVIP==hrUl^YU%-bZr8b zr+_6Iee*O9N}9BX?{**YGg%z<4@;Rgn^CrU=U1UY?)b_vP_YMuc#vFKBOA=>5K zP#toVa|PyrxZ8TqkaniBtj}^SQ#{K6{}rz7`7<~kY|@U6)&Z}cPcVF;YCbcfy*~_9 z)8&Qc;g|+|Z!^9}|1+za2gXf&H<`lW;OeW}w0E{jt_FCh8C(s>1uAy^E^&3wD}t+! zebFSN&m==RXyL=dCaDA?tV0+-+U`khR~2Jx9k;ib+fNS2A7(QFFv*zw9PXc%}`uJJyDo<~31h~QQmgvLH_|aaU)gGBK7#`$jCm0^&w1+ys zz;!+cvPeHU@P91BxpKN`(e-UTCd19MC&6wOF}h6b+`RVOJZ?P$lyh9UeXll0K7n10 ze{ELI5+3tRii?X2z0ZD0yXQ;G`s(=o)pPp;+KWv56F_?}h`+Sc+WD~%+s?fhIc%g( zhBO!eX;1%~WqlqlgI;cgz_#xw$>#C@r#Ujzq}{X23z_{ajj@S~0AOOI9la;Ctk2us z(8t>lNRI&N(&&NLnj=%#h`AR?ji4A-4IRgHjFprtSTbqP{Avj5m2^+Eo^+3Qz;=?W zxbLr6y?XdQuPQ3%e~d{Cv9OfV-u^YzkJm{-ZjVAbgK~kMvt0XApogUM$uC<3#aiWo zBU2$3m@v`O_U!=`cCSc>lO*82%k})=bzWjV`5P8jts_g5jj;97j_oBjN;gXDN%wdM z@O!>Pl5*;=nT_Y~SE#m*KpFnQaP(kUg9VxP+&+-qfKz58KAE845GYt0-E*!vau|#| z@$Zxxs^_g{CEt1gvhn~`Qu-WOPrAoDpg6&meB!@wC13t61%r8hYl4R<1s6o}(^TQow(k;UE10Zvz~8SRvm! 
zRW|8|$)5J;SBQS;ZE8K~9`6AE-p5G>cK?vs^V9(azU`FSL;*`c?dh))3TdZmJ?S3r zfZ_n7cut@=_;rOvS6Qdtj6mFK1Or3u<*$K1o}RAW{;xoD3}}`{cfG-D>XYA4YT`Ua zH!B0{MeW&xR2k_gYdz^6?||hrSLOn+U|VhHVWl$IQAIp?vgsky8^$4ayI>coojZj3 z*nDm6p0|K}o*_T}H@x3<&k+lTMkXyFk){}19hgyC$)gJmCRKv?p*wc9!h#zOf7l0U=_L;{65j!+P*q>@gjsho720>oMVloKI1*)D0 zRZF9<{zyy)yZ(J3SuJEt!MqTY6ii{YGf$Xw1-K;}bOq!BUFVpt`~FtYb>Vm*U4|_L zQzinN!Y)_4_q(9X-vPRg|1)U#fN41XRx`{+o3t0c2O8|bv!vOIlogv12~$EU15ARo z7oQ>_mCn=FlkV{jm>+zCI>S?c$3lAI4+AUjI1yKx2R6vszVDmO6X1SrG*3V-5O@>> zE{$FUfuuw1J_!n&+CJ5^sLiJrSq3vqTPm8;U=aP;zEB80-hlT!SNQP%%ewA;&-zx_ zaquP<2Qa7BE`fwT%PU-Q5C`sW3-JRUwT@EZ4 z8Owd|u>SMX^A?s7$B;;dp_UntY5=6He8N%Mbbv*;_S&BSxpUiL-|v%zyb5I4cDV4T z9}1aaQN%4G77s8w*LJ=Dbai~)>-oWh3r9fM(&*kFi{-;BfA(Q0Q~R>mtA_!+cJV)g zFh3`HU+;R5bdpJW-~#W~pZd=hMf)3W7@J|0Sh5L&S}?CAdg%)MXt2xIPX9S*+!?w| zAN^b+tEX@Su-=8sgA<8DGL?zv5tm;_On-#kkL&SbS1z6{bQBV)d{?HJ?!r~WMIG_{ zr@~WWa-5-7!TAXHj-1*r!;)fyay&n)c zGGv4Gqy!azaei~=ZH8%S|CPo}o!B0hd<8L4^z9Av}gGGR}Gazkg z^c9eXW3m%(S)}#V?eaF+4M*v6G5E-6XZ{w1P}~U)I|1Eo}b>yEc+ID+LsN|^UxpGVNP#8ZNoUpWA{|%J7LxsfZgcboY_Z%Z) z?)z`ek!dVVemQJzH8xHQSt9aW_)IwZOjv^tnD*d*2Q7|}BZ5CckxD?)!%Wg8kVLxo z{(CK&jx@?2#Y)%QWL*>$$I@_1(_Z?OFg99mS~fjZny5`yrx4$Dv^vo~SeZtYZQOG@ zQJUQmi5Ke5Jo@2^|*HOw<}Cz|$s;ToqM-3@{e zeI$Asuw$?|`?r8~0bnu3^Jq+-`hpO-VF46J2pySv+i;f--I(*E+;6kV!{|!QW)V1KRsa^OA_`o)12)7dx@ppjg1?Kh(J6mY4=gqHK zjU32r=L{;5!68&Td4QT+M(?p^Q{Ceoh&abY?EK{xlK7_&TGe$*8eP0>pUU8Jsy+X8 zR87PK!c<0KfdKP;hIs-o=`i?E08DcV+Zl@D-~`UA+VO7?!;FAjW@IivzW+G&i+2DS zCa!OPt3G7M6b4UN?U`=^Fi&AYk%q(&9h3_sJqnVRMjySWg{QDL9<`d$i-WE~3NE?Y z`EOH`Np0JD^1jBNRD+<&!)9|Jc$BO-anNkVO3 z<=Q^DtA&i9PCecrZnKGn)#W?i32Vo`1Ket~C0np1V0w>hx$9S3A}gD;Lr*q_$v-rT1{TB1zb%J-)imXF=~1l?a6xbzDhWH z1ejyd5ANlrf8=`>Q@mu&e>)7G+}efXCSL-AMHzev$OXPU!+d$_*92d7{b7Cbq>~EI zlj0~7PUYI;-v?dZ!KZv;QUUW>#(aKv3ms)%JZT};?Gu+nKH#^mz3`0WLr{<^!H1w+ zpypks=IpNvJ{)?^mmJgCgLxoqE8sq_oqrZIxr1JL#K9tIe2QdZ_rGl+L*CQR1DT;L zIqL4c{)UIX_R^n_5X#tD)|2k>4hRo3!Z(4Cj#K{Bw|1825Lb^*J`e*yyY~fD&IraO 
zgK`1t35I%P56^~|Ui7bq>Um`9SO_Sf?L;A~2U$-(ed!D%d<_Uujfelts)nO4IXs)J zft1$82wtE)c?uO$?(dGi&5$4dGH!Nh(hmN)Rh9aXZD%@&grFTdO%;++#;hmZ;~hA7 z@ApU$o&#D`Xz$Bbg&d=jvqD~%VI%m0_JfyDFGu_`XFM~YJ-}#p?QMx{#FTKxs%;}^ zZFgLM@E2k2^j}b&Wjr+NN%wdM$j1HfYYRi^xaS%1E3|jd0_A0dal4!-Zm7;1sLs;p8>r5`VHnt)TUdRJ z1+To286h~dhyEJ%@reoN7ZMJ1?0lN&c$FPprAKIB8fC|?1g5t)B zVLd1pD13-1Ja@ks)*pHkBziAPy*ij{_D4(-?cpCSXvBIF1jM5I9$;aA?(GG!$nN#X zt1BmodV@AKx5i-VL`0(S>Gadi?;X2#6THd&wA25 z-jS>`1NT433_SO~#lYQmHNmR^y_dW45?Tb0(cb!daPj}YhZa{LgVmR~#m|7%;?u1Jf!{LS5aXe(}IF2iZLxH z7l?Zv#4U}!4&rDjvu97E)Y&yxVQGMHNZKR!fkglKjbv%y6TT6|oMU44ex-$XJKx)D zHD7&Jd26-^$fRBTGBuS90ckzy9`8WF2i#Qq9_FTc_BSnN7^*Z!1F#f8(r6LtNqd1j za*bG$GNvS;J#d1A@f4t8f9L4`=>yGFLI@gyMQKmoPtcqfnnoXEXuH13(BAlW-q2K6 zCt;+6kW<=$2LRD4P^D+|N>KhR<9Z6XV5IZRZ+qi%OuC3?rQQEqK*RzX6w6WwXizSY z@+wGK8a;GC2&}H zwo5zpRayU_sG6ewLAg->y?;pc-}i{9|6||qCQEV3=c!#7Eh2cB_QBUdk~2)FD{dzc z9RZ?P^u*U&$o2U2H!VDd8t=Ly&-Czj-gJpLW!mXOKq~`(nh`*O<{3t_{~+(+9X+xT zG>#i85duxSa2ROZfkQoFi30U2jQS;@#zOh*qYFSSBNH%h=^9FeT+=Ro8@SD@D5LK% z^e4Z8n^2py`+pbEeilM+Y zr87kYk<;EkikfmD)foQ;jz<{B{zE*`9(}^XVT{x+Y4Nz|5i#ksUB3s=ju5Od$9JGR z&gh;4I;=5YdlKl3LBJ24&;5-EeW$(t`@~Hd(A9dCKJX-56^l6?=gw?)E}I|DuB2D^pUvj@J-*_5 zHoJnp;g$T4FH|(QZ3X__neWPG*UX_*eq9g#mU30RT(=47@glyj&22{BIeahNT}1wg z+}+u1_wYt~N#8RBYxO$3%&#co<0V;t5AP_P4IJN!Z%9!=NX`t|L$x78JM44lz+`S zl+CBID7KAW7v~68mA>DcC5j1Nelx+_PVjc%s}27g)tg{u%k-y<@iF{4%761b>gUbB z4QmP>{3C|urU#PiC;P|8#`=qycxh8&j6koX{M+sI$*p64P;$0N>2pLyuGZgOoa;-j zpUHO34+B30!yu9#vhg_anMEnP4)hmDP_k3>r$F@;{JERpb#QrZZ>}VzX74unneFCu z$Zs~gIhmOm>>iux-;`#l_#)HG@XY)LZge3l-Bf5LmtU8Ktdca7=m|j@X6_sE!mLH^ zTy{IdBW%>@0Kuf=JF^`Btxuj<)7?8e(6Mq`X;XS+uzTZtHn(*I{P3?&meYF(3hI*> zm{`A~0v4svih^{L-#GO&KXa7Mba(ecUa1d29@q5LZLdv~K1c1D+t%OLyOj&Eyya>G z$zISqHaj4y%l%=Xd;Lhcn3+SLm>)={vb6yCRfbPZpBo$4RGb_rW=8tE*F%B}<@)t0 ztfq7ph3?)R{hQX0fe(|LH*Fsp+%!g&Tb-Kq>CfHsqaOX4`H6l!*S|3{*^fr1@^$!G zqjU_77>_n0e{Q&b{@glB=b@#0{VdlNd>dV}sxJR4lrH!muk_`(k7ZXCKz|+ixRcX) zC>t0rPWN+n6rzgpZmi7hRoF)Kh$K^9dV5(wYSheK1OP^u=(NL-`Rv^}WXn*eTs?=R 
ze3`OtrtbxUU5FDeAn*7Twt~J|3PTGE1v7~gdbjiVNBtpxH@)ts?<)yEY&r2+Pk&gx zvT-WEdCgkzhhNH0l+BJ1)rBmj3;HRYt1AXMmWN^-GBE`CH0qzld8W5OC5pOF)l z8K-)5(|8B&;CqIuCisy}gB7dRYydyF0j=?BHStdjNlbsfunqE^N~3+nh{Nf~($zaj zIk^p-{LZZ)_=60eGdcNvH>G>?yIAW_W_FbN)>j8a-vNMpjq=ywcbU@j1h88vPv3jD zg8n-EUd`zYdT_j08{EWA!$gZeM0&2exv#g{-v>73HjDutliqFS68gd5nm)hzZDey2 zeWjz2mi*)-R?4@J}#)5{+Df^qP1;{yEN1Se5a8?N;KKzr3&Ebnb9v=ujn;#%Gx1&A+{~ z>nNRv7p{+Jv%A&|`1J35mGZmzL6~}aCoAKke1*$%F0((V`bLS;#rQe1+0aph0+$;v zZQ3sS_nq_Oe)3URgGS+zi4YspzUV)5#NT89{vDq9Qv}MCk8;n-+0Ds~^JTPkk??tr zce!}lcf1>ePP1{MJU$k$nEfxen)26a51rCQ|5M5nD|@z1`0*p@$qy3J+}85=M$%ul z^>wVD95DK1jqBszK2=Jmxu7j>gkT8ee;8yv?nk??sp5I!nEB|>;7y1HpjlLwtAk6=S-=E*P zb(HR}ujDzMl~iTE6g46GxTP>(;#1(aOz$?LclkWg%aw4BZ#`?!lrH%te&kr6=u1LZ zTEpf2`+F~^Tk~74Fj<#BSx)Eif%Pe-ESu^?Q~UELTcva!AG*^cQhs>+>n?5;dhWXH z0M*B{e-u_zd4Y@TiQR6I`Bid5#xbDSgfwKj#AS*Em1H6Z|C1*)?11^QV{7 znLvO2EL-lx_~(@8mAryud5)7Vxr5dgy~Ajm{5BGs)l~1bTtAkNJJ(Fzc3Wb@7tvlk z-&p#{ya3Hvx&N&oeAPAc&h=xiP~uFY{i%M+`ms##)AIzMGdbn&HcEHNA2mvDWT1O+ zmd317cS5egvkA&yXMWvI>2th(SIP?nopr~%!W`9)*ONW{BLh7f#n?~v5g#VK)Lon} z(Hac;Kf&Wha_tAqgNTeQC-(y|)<7TL)Vmeyqy-U~o~?in17UnvU+>*Y`R)B< z9V>B0+Y-I`VXEKFYnD6ZGpFhsvxMJl9x8>RJvr#c{gVTjqgfx#&r>7$)3=uDuXCe9 zZ=ByO;8mB`A3rx!x^w)bIvO7qo&JuMvx9v($aijAeR#RMDczc1^D6@Kr%e2cepg$A zU8y?#xk~9S{fy@)L!Zd($gbHi4Ssma^LlCzmppTMYkteIJh0GN{jXy+FRO^Ryq}2m z7(Oh2xdO?9PV&bu-TfcwuKv&CDfS;Gu$MDA*gZ1Mb1MPu@sLN`{uHN+{VAn96|GYJ zXf#s$%LXQs^$%8CdTG6wuTr;|rku3VYV414eeRqGy|-tW^});np8KP%_Zwljl0V)`$wt-oKpiPGn2 zXv|GwEu3IkSXrn~&k9aw`7C#A94(D++&YN;YvPxG{qt2y7y4TNSb3s%lJ*ac{ZV}9 zz2>c(`_^OL7W?<5O@lM|o+uk@L26%r_=P!!Pc5m8Pj{}ZzyH}y>8|mKL|0iq7U#F4 zeR!0%#+O8y`XkpTKg`22eNPbnJE?!>SRbH`HL<^ws}lWVUi1tzXwEsp^l<$r%ZUv3 zJrlEo-6R_Dcd1+d{2ZnGuRp*aqD4j+JB7Ch8eLHoq15>&Yvp^L$i- zt~9ub_C|8+^t$6yE=%dm$exY7w?Pc4tX)-iekoD9qR&qRjMw0gF2H&GW)v@Dy571_l^yYZ>0U?G?(mV{5m~b<7;x5rg5QP z)9c(e(&yIFHjdaoUrpm}2Ne?IEo&9Zc&ih>FB1KA+IO7N=XiaD^91x2?B|MhDcnuv zJ>{#gA?YDsjN07mORD>1^T=OsJeVi`^ZJr>%l_mT_r95ZlUv6l94xq*d3L2V@V(|D-n_FO^bZ`*dWOa8iY 
zR(s~F8H}gYT*im-5x;Q8T;p{U5|(@6TgCm;!ndYC^-0}~_F*83zPFWu6REi}Jqn_k z{uLPz*}E2n>d3=NN>}ESO#%7u;{1dvM|J}9rA?Wc?1};wJ$2f zv`-(UEA6u_ApbDuC;6fM`1QotY(|P>1m6zjSF`#@Gr*nN!p6rfhaNc9_YXztCcx1J2lGg{kMB{({2jow2ern3xwt-|~q_hdcY;G%5^?Ll|^g8nc!^3%CCQ+t!esM#6cwL;%q6E8? ztvLUypTC>aIX~+{E9dLyU%~0j>QZ+G@-NpMIKNnnr9z$lK11nqR22IU_`5tHe+TEM z_EFAbavLz!)#E3pJNelSASCa}62=O^TS4+71|=Fl`P0k#rm(8x{lpaS-}Ct*@8_?j z?+jU-FK%3msWVlmPfri0Zy*dWdb@BJ|DAC`T{o$~~bNf-R23JCj<0_JG7$;2GyO=S&^b|QS<{EZ{U#b4+6x1P)U file if contains(local.file_prefixes, split("_", file)[0]) } + for_each = fileset(var.files_path, "**") - bucket = aws_s3_bucket.security_lake_logs[split("_", each.value)[0]].id + bucket = aws_s3_bucket.security_lake_logs.id + + # Create the directory structure based on the file prefix + key = "${split("_", each.value)[0]}/${each.value}" - key = each.value # The S3 object key will reflect the nested directory structure source = "${var.files_path}/${each.value}" # Full path to the source file etag = filemd5("${var.files_path}/${each.value}") } -output "bucket_arn_discovery" { - value = aws_s3_bucket.security_lake_logs["discovery"].arn - description = "The ARN of the 'discovery' bucket" -} - -output "bucket_arn_findings" { - value = aws_s3_bucket.security_lake_logs["findings"].arn - description = "The ARN of the 'findings' bucket" -} +output "bucket_arn" { + value = aws_s3_bucket.security_lake_logs.arn + description = "The ARN of the S3 bucket" +} \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json index 309aed9a534d..515227166387 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json 
@@ -503,7 +503,7 @@ ] }, { - "@timestamp": "+56567-12-24T00:21:13.580Z", + "@timestamp": "2024-08-06T12:02:54.073Z", "cloud": { "availability_zone": "raised expert baseball", "provider": "experimental mac seconds", @@ -573,7 +573,7 @@ "size": 2753478121, "uid": "cfd0b25e-53eb-11ef-aab1-0242ac110005" }, - "created_time": "+56567-12-24T00:21:15.951Z", + "created_time": "2024-08-06T12:02:54.075Z", "euid": "93", "file": { "confidentiality": "Top Secret", @@ -631,7 +631,7 @@ "size": 411217035, "uid": "cfd10448-53eb-11ef-8948-0242ac110005" }, - "created_time": "+56567-12-24T00:21:17.934Z", + "created_time": "2024-08-06T12:02:54.077Z", "created_time_dt": "2024-08-06T12:02:54.105Z", "file": { "attributes": 67, @@ -682,7 +682,7 @@ "size": 4147443008, "uid": "cfd19624-53eb-11ef-b555-0242ac110005" }, - "created_time": 1722945774081680, + "created_time": 1722945774081, "file": { "attributes": 46, "company_name": "Christian Cinda", @@ -700,7 +700,7 @@ "value": "5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77" } ], - "modified_time": 1722945774080462, + "modified_time": 1722945774080, "modifier": { "full_name": "Etha Roy", "groups": [ @@ -762,7 +762,7 @@ "size": 3355225968, "uid": "cfd201c2-53eb-11ef-86c9-0242ac110005" }, - "created_time": 1722945774084196, + "created_time": 1722945774084, "euid": 32, "file": { "confidentiality": "Secret", @@ -814,7 +814,7 @@ "size": 83122349, "uid": "cfd2ca08-53eb-11ef-af87-0242ac110005" }, - "created_time": 1722945774089651, + "created_time": 1722945774089, "created_time_dt": "2024-08-06T12:02:54.105819Z", "file": { "creator": { @@ -877,11 +877,11 @@ "size": 3925402475, "uid": "cfd37e94-53eb-11ef-b3b8-0242ac110005" }, - "created_time": 1722945774094193, + "created_time": 1722945774094, "file": { "confidentiality": "Unknown", "confidentiality_id": 0, - "created_time": 1722945774091482, + "created_time": 1722945774091, "hashes": [ { "algorithm": "magic", 
@@ -894,7 +894,7 @@ "value": "A541714A17804AC281E6DDDA5B707952" } ], - "modified_time": 1722945774091552, + "modified_time": 1722945774091, "modifier": { "groups": [ { @@ -922,7 +922,7 @@ "email_addr": "Patrina@prototype.gov", "ldap_person": { "cost_center": "permits interact afternoon", - "deleted_time": 1722945774090716, + "deleted_time": 1722945774090, "last_login_time_dt": "2024-08-06T12:02:54.090739Z", "ldap_dn": "renaissance exhibition far", "leave_time_dt": "2024-08-06T12:02:54.090731Z" @@ -964,7 +964,7 @@ "size": 724491757, "uid": "cfd40e22-53eb-11ef-afb2-0242ac110005" }, - "created_time": 1722945774097846, + "created_time": 1722945774097, "file": { "confidentiality": "auburn", "confidentiality_id": 99, @@ -981,7 +981,7 @@ "value": "9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD" } ], - "modified_time": 1722945774096743, + "modified_time": 1722945774096, "modifier": { "type": "System", "type_id": 3, @@ -1025,7 +1025,7 @@ "runtime": "ben dynamics vienna", "size": 3164331564 }, - "created_time": 1722945774099345, + "created_time": 1722945774099, "file": { "hashes": [ { @@ -1071,7 +1071,7 @@ "size": 3779122986, "uid": "cfd4a166-53eb-11ef-97e4-0242ac110005" }, - "created_time": 1722945774101623, + "created_time": 1722945774101, "egid": 49, "file": { "company_name": "Delora Edyth", @@ -1117,7 +1117,7 @@ "size": 1641826457, "uid": "cfd542ec-53eb-11ef-be38-0242ac110005" }, - "created_time": 1722945774105758, + "created_time": 1722945774105, "euid": 59, "file": { "attributes": 76, @@ -1163,7 +1163,7 @@ "Sharonda@helena.name", "Caroline@consent.mil" ], - "hire_time": 1722945774104346, + "hire_time": 1722945774104, "last_login_time_dt": "2024-08-06T12:02:54.104363Z", "manager": { "credential_uid": "cfd50fd4-53eb-11ef-83d7-0242ac110005", 
@@ -1201,7 +1201,7 @@ }, "pid": 90, "session": { - "created_time": 1722945774099934, + "created_time": 1722945774099, "created_time_dt": "2024-08-06T12:02:54.099943Z", "expiration_time_dt": "2024-08-06T12:02:54.099951Z", "is_remote": true, @@ -1228,7 +1228,7 @@ }, "pid": 10, "session": { - "created_time": 1722945774095984, + "created_time": 1722945774095, "is_remote": false, "issuer": "recognize lobby mon", "uid": "cfd3a202-53eb-11ef-8e19-0242ac110005" @@ -1291,7 +1291,7 @@ "name": "Lucia", "uid": "cfd2a640-53eb-11ef-b33d-0242ac110005" }, - "modified_time": 1722945774088534 + "modified_time": 1722945774088 }, "name": "Defence", "type": "Admin", @@ -1329,11 +1329,11 @@ } }, "session": { - "created_time": 1722945774078143, + "created_time": 1722945774078, "is_remote": false, "issuer": "informal witnesses endif" }, - "terminated_time": 1722945774105859, + "terminated_time": 1722945774105, "tid": 63, "uid": "cfd185c6-53eb-11ef-85ca-0242ac110005", "user": { @@ -1348,8 +1348,8 @@ "terminated_time_dt": "2024-08-06T12:02:54.105Z", "user": { "ldap_person": { - "created_time": 1722945774077119, - "hire_time": 1722945774077128, + "created_time": 1722945774077, + "hire_time": 1722945774077, "hire_time_dt": "2024-08-06T12:02:54.077132Z" }, "name": "Revisions", @@ -1486,7 +1486,7 @@ }, "status": "Failure", "status_id": "2", - "time": "+56567-12-24T00:21:13.580Z", + "time": "2024-08-06T12:02:54.073Z", "type": "loc", "type_id": 99, "type_name": "Datastore Activity: Write", @@ -1514,13 +1514,13 @@ }, "name": "Basin", "pid": 63, - "start": "+56567-12-24T00:21:17.934Z", + "start": "2024-08-06T12:02:54.077Z", "user": { "name": "Revisions" } }, "pid": 98, - "start": "+56567-12-24T00:21:15.951Z", + "start": "2024-08-06T12:02:54.075Z", "user": { "id": [ "93", @@ -1583,7 +1583,7 @@ } }, { - "@timestamp": "+56573-02-22T03:55:24.670Z", + "@timestamp": "2024-08-08T09:20:23.724Z", "data_stream": { "dataset": "amazon_security_lake.application_activity", "namespace": "default", 
@@ -1595,13 +1595,13 @@ "event": { "action": "cancelled", "duration": 39000000, - "end": "+56573-02-22T03:55:24.649Z", + "end": "2024-08-08T09:20:23.724Z", "kind": "event", "original": "{\"message\":\"fur stake pickup\",\"status\":\"Failure\",\"total\":87,\"time\":1723108823724670,\"metadata\":{\"version\":\"1.1.0\",\"extension\":{\"name\":\"reward furniture awful\",\"version\":\"1.1.0\",\"uid\":\"70fa28aa-5567-11ef-9e8c-0242ac110005\"},\"product\":{\"name\":\"nintendo une exist\",\"version\":\"1.1.0\",\"uid\":\"70fa3656-5567-11ef-8ec3-0242ac110005\",\"url_string\":\"eq\",\"vendor_name\":\"investors viral conscious\"},\"labels\":[\"sage\"],\"profiles\":[],\"log_name\":\"form rising isolated\",\"log_provider\":\"commerce relatives qualify\",\"loggers\":[{\"name\":\"configure fetish advertise\",\"device\":{\"name\":\"scanners storage illinois\",\"type\":\"Laptop\",\"os\":{\"name\":\"bolt photographers oman\",\"type\":\"Windows\",\"build\":\"acne toolbox architectural\",\"type_id\":100,\"edition\":\"hired moscow antibodies\"},\"ip\":\"151.112.44.246\",\"desc\":\"bg falling her\",\"hostname\":\"transformation.mobi\",\"type_id\":3,\"subnet\":\"244.6.140.0/24\",\"instance_uid\":\"70fa8246-5567-11ef-93ce-0242ac110005\",\"interface_name\":\"bulletin keith reporters\",\"interface_uid\":\"70fa8c3c-5567-11ef-b329-0242ac110005\",\"is_trusted\":false,\"modified_time\":1723108823723078,\"region\":\"pm memorabilia penalty\",\"subnet_uid\":\"70fa532a-5567-11ef-b983-0242ac110005\",\"vlan_uid\":\"70fa5a0a-5567-11ef-a39d-0242ac110005\"},\"product\":{\"name\":\"april visit maximum\",\"version\":\"1.1.0\",\"uid\":\"70fa9c0e-5567-11ef-92a1-0242ac110005\",\"vendor_name\":\"equivalent all operating\"},\"uid\":\"70faa3ac-5567-11ef-9136-0242ac110005\",\"log_name\":\"thee mining your\",\"transmit_time\":1723108823724148},{\"name\":\"gallery prayers vcr\",\"product\":{\"name\":\"positioning tier 
electrical\",\"version\":\"1.1.0\",\"uid\":\"70faafd2-5567-11ef-9ce0-0242ac110005\",\"url_string\":\"english\",\"vendor_name\":\"reservation connection shell\"},\"log_name\":\"suggested blake pendant\",\"log_provider\":\"beautifully ae beauty\"}],\"original_time\":\"sheffield origins travesti\",\"tenant_uid\":\"70fab7d4-5567-11ef-9fcd-0242ac110005\"},\"scan\":{\"name\":\"cooperation edge magnificent\",\"type\":\"Unknown\",\"uid\":\"70fac396-5567-11ef-a8a3-0242ac110005\",\"type_id\":0},\"start_time\":1723108823725300,\"severity\":\"Unknown\",\"duration\":39,\"type_name\":\"Scan Activity: Cancelled\",\"activity_id\":3,\"type_uid\":600703,\"category_name\":\"Application Activity\",\"class_uid\":6007,\"category_uid\":6,\"class_name\":\"Scan Activity\",\"timezone_offset\":51,\"end_time\":1723108823724649,\"activity_name\":\"Cancelled\",\"command_uid\":\"70f9ff4c-5567-11ef-96d3-0242ac110005\",\"num_files\":85,\"num_network_items\":45,\"num_processes\":12,\"num_registry_items\":21,\"num_resolutions\":0,\"num_skipped_items\":80,\"num_trusted_items\":47,\"policy\":{\"name\":\"these wordpress cos\",\"version\":\"1.1.0\",\"uid\":\"70fad110-5567-11ef-a15f-0242ac110005\"},\"schedule_uid\":\"70f9f600-5567-11ef-9766-0242ac110005\",\"severity_id\":0,\"status_code\":\"shape\",\"status_id\":2}", "outcome": "failure", "provider": "commerce relatives qualify", "severity": 0, - "start": "+56573-02-22T03:55:25.300Z", + "start": "2024-08-08T09:20:23.725Z", "type": [ "info" ] @@ -1616,7 +1616,7 @@ "class_uid": "6007", "command_uid": "70f9ff4c-5567-11ef-96d3-0242ac110005", "duration": 39, - "end_time": "+56573-02-22T03:55:24.649Z", + "end_time": "2024-08-08T09:20:23.724Z", "message": "fur stake pickup", "metadata": { "extension": { 
@@ -1711,11 +1711,11 @@ "schedule_uid": "70f9f600-5567-11ef-9766-0242ac110005", "severity": "Unknown", "severity_id": 0, - "start_time": "+56573-02-22T03:55:25.300Z", + "start_time": "2024-08-08T09:20:23.725Z", "status": "Failure", "status_code": "shape", "status_id": "2", - "time": "+56573-02-22T03:55:24.670Z", + "time": "2024-08-08T09:20:23.724Z", "timezone_offset": 51, "total": 87, "type_name": "Scan Activity: Cancelled", @@ -1728,7 +1728,7 @@ ] }, { - "@timestamp": "+56573-03-16T19:31:55.169Z", + "@timestamp": "2024-08-08T09:53:00.715Z", "cloud": { "account": { "id": "ff6f370c-556b-11ef-a592-0242ac110005", 
@@ -1758,13 +1758,13 @@ "event": { "action": "started", "duration": 0, - "end": "+56573-03-16T19:31:52.791Z", + "end": "2024-08-08T09:53:00.712Z", "id": "ff6f607e-556b-11ef-b5f9-0242ac110005", "kind": "event", "original": "{\"actor\":{\"process\":{\"name\":\"Lightweight\",\"pid\":12,\"file\":{\"attributes\":83,\"name\":\"hawk.wsf\",\"owner\":{\"name\":\"Illegal\",\"type\":\"System\",\"domain\":\"shade variety cooper\",\"uid\":\"ff702496-556b-11ef-9f4e-0242ac110005\",\"type_id\":3,\"account\":{\"type\":\"AWS Account\",\"uid\":\"ff702df6-556b-11ef-a8bb-0242ac110005\",\"type_id\":10},\"email_addr\":\"Erick@invision.edu\",\"uid_alt\":\"preceding psp cleared\"},\"type\":\"Character Device\",\"modifier\":{\"name\":\"Hottest\",\"type\":\"muscles\",\"uid\":\"ff70411a-556b-11ef-9a1e-0242ac110005\",\"type_id\":99,\"credential_uid\":\"ff7047d2-556b-11ef-966d-0242ac110005\"},\"desc\":\"playing motor literary\",\"type_id\":3,\"accessor\":{\"name\":\"Golf\",\"type\":\"died\",\"uid\":\"ff70655a-556b-11ef-b23a-0242ac110005\",\"type_id\":99},\"company_name\":\"Natalya Stormy\"},\"user\":{\"type\":\"brooklyn\",\"uid\":\"ff707266-556b-11ef-8dd3-0242ac110005\",\"org\":{\"name\":\"existence hypothetical audience\",\"uid\":\"ff707b3a-556b-11ef-989b-0242ac110005\",\"ou_name\":\"coupon tear compatibility\",\"ou_uid\":\"ff7082c4-556b-11ef-8273-0242ac110005\"},\"type_id\":99},\"group\":{\"uid\":\"ff708c1a-556b-11ef-bea6-0242ac110005\"},\"tid\":89,\"uid\":\"ff709200-556b-11ef-a0bf-0242ac110005\",\"cmd_line\":\"compression warner sapphire\",\"container\":{\"name\":\"front myself techniques\",\"size\":3673925967,\"uid\":\"ff70a01a-556b-11ef-98b5-0242ac110005\",\"image\":{\"name\":\"stage trucks 
cw\",\"uid\":\"ff70a8da-556b-11ef-9305-0242ac110005\"},\"hash\":{\"value\":\"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}},\"created_time\":1723110780721040,\"parent_process\":{\"name\":\"Unlimited\",\"pid\":90,\"file\":{\"name\":\"vulnerability.cue\",\"type\":\"Local Socket\",\"path\":\"full jewellery adverse/hans.xml/vulnerability.cue\",\"uid\":\"ff70c5f4-556b-11ef-8001-0242ac110005\",\"type_id\":5,\"accessor\":{\"name\":\"Breakfast\",\"type\":\"Admin\",\"uid\":\"ff70d09e-556b-11ef-82b8-0242ac110005\",\"type_id\":2,\"full_name\":\"Cora Marchelle\",\"uid_alt\":\"lesbian dk media\"},\"creator\":{\"name\":\"Broker\",\"type\":\"juice\",\"uid\":\"ff70ec96-556b-11ef-a10b-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"develops til flu\",\"type\":\"AWS IAM Role\",\"uid\":\"ff70fb96-556b-11ef-b127-0242ac110005\",\"type_id\":4}},\"parent_folder\":\"full jewellery adverse/hans.xml\",\"hashes\":[{\"value\":\"88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"xattributes\":{}},\"user\":{\"name\":\"Skip\",\"type\":\"Admin\",\"uid\":\"ff710f1e-556b-11ef-bcc2-0242ac110005\",\"type_id\":2,\"uid_alt\":\"those facility genetic\"},\"group\":{\"name\":\"overseas avoiding attendance\",\"uid\":\"ff711932-556b-11ef-8a55-0242ac110005\",\"privileges\":[\"drop welsh munich\",\"developer strange beat\"]},\"uid\":\"ff71249a-556b-11ef-b2a4-0242ac110005\",\"cmd_line\":\"legally hacker please\",\"container\":{\"name\":\"ant elegant ana\",\"runtime\":\"routes peripheral operates\",\"size\":3971411004,\"uid\":\"ff712e7c-556b-11ef-b4ec-0242ac110005\",\"image\":{\"name\":\"shanghai listen 
subaru\",\"path\":\"toxic declaration intended\",\"uid\":\"ff7150be-556b-11ef-a7e8-0242ac110005\"},\"hash\":{\"value\":\"994BB86DD62F615473EE5D1D05C5A1D950D2F3C3\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723110780725334,\"lineage\":[\"viii define induced\",\"starsmerchant interest city\"],\"namespace_pid\":10,\"parent_process\":{\"name\":\"Legs\",\"pid\":65,\"file\":{\"attributes\":62,\"name\":\"figure.bin\",\"type\":\"Local Socket\",\"version\":\"1.1.0\",\"type_id\":5,\"confidentiality\":\"outdoors archived regarding\",\"hashes\":[{\"value\":\"AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"modified_time\":1723110780725738,\"security_descriptor\":\"thesaurus stories skirts\",\"accessed_time_dt\":\"2024-08-08T09:53:00.725750Z\"},\"user\":{\"name\":\"Marvel\",\"type\":\"tunnel\",\"uid\":\"ff716e14-556b-11ef-9183-0242ac110005\",\"type_id\":99},\"group\":{\"name\":\"challenges photoshop want\",\"type\":\"spice shine latex\",\"uid\":\"ff717f9e-556b-11ef-beff-0242ac110005\"},\"tid\":45,\"uid\":\"ff71866a-556b-11ef-8d91-0242ac110005\",\"container\":{\"name\":\"richard amendments yorkshire\",\"size\":2733947088,\"uid\":\"ff7191fa-556b-11ef-b991-0242ac110005\",\"image\":{\"tag\":\"g tiffany advocacy\",\"path\":\"scoring skill rush\",\"uid\":\"ff719b1e-556b-11ef-8397-0242ac110005\"},\"hash\":{\"value\":\"8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}},\"integrity\":\"System\",\"integrity_id\":5,\"namespace_pid\":6,\"parent_process\":{\"name\":\"Liability\",\"pid\":12,\"file\":{\"name\":\"dress.pct\",\"type\":\"Symbolic Link\",\"path\":\"graphic easter hitting/celebration.xls/dress.pct\",\"product\":{\"name\":\"relation resulting 
pride\",\"version\":\"1.1.0\",\"uid\":\"ff71b45a-556b-11ef-aee8-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"conversation gamespot myself\"},\"type_id\":7,\"accessor\":{\"name\":\"Nashville\",\"type\":\"Admin\",\"uid\":\"ff71c616-556b-11ef-89f0-0242ac110005\",\"org\":{\"name\":\"steven harmony mediterranean\",\"uid\":\"ff71cea4-556b-11ef-80aa-0242ac110005\",\"ou_name\":\"beam transmit cook\"},\"type_id\":2,\"credential_uid\":\"ff71d5de-556b-11ef-bfb8-0242ac110005\"},\"parent_folder\":\"graphic easter hitting/celebration.xls\",\"hashes\":[{\"value\":\"C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}]},\"tid\":23,\"uid\":\"ff71e204-556b-11ef-b426-0242ac110005\",\"cmd_line\":\"sponsored contractor notion\",\"container\":{\"size\":1046580299,\"uid\":\"ff71eb82-556b-11ef-855e-0242ac110005\",\"hash\":{\"value\":\"175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}},\"created_time\":1723110780729284,\"namespace_pid\":66,\"parent_process\":{\"name\":\"Believed\",\"pid\":12,\"file\":{\"attributes\":44,\"name\":\"autumn.mid\",\"size\":1791990748,\"type\":\"Symbolic Link\",\"path\":\"normally soviet packaging/acne.js/autumn.mid\",\"type_id\":7,\"mime_type\":\"foto/congo\",\"parent_folder\":\"normally soviet 
packaging/acne.js\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"accessed_time_dt\":\"2024-08-08T09:53:00.729741Z\"},\"user\":{\"name\":\"Aol\",\"type\":\"Admin\",\"uid\":\"ff7209d2-556b-11ef-859c-0242ac110005\",\"type_id\":2,\"email_addr\":\"Claudia@destroyed.museum\"},\"group\":{\"name\":\"rivers kde impaired\",\"uid\":\"ff7213f0-556b-11ef-afbe-0242ac110005\"},\"uid\":\"ff721b66-556b-11ef-a28e-0242ac110005\",\"loaded_modules\":[\"/ol/wr/trades/lucky/trusts.mp4\"],\"cmd_line\":\"cole playback contribute\",\"container\":{\"name\":\"blackjack example page\",\"size\":2950957499,\"tag\":\"lexmark sandwich determining\",\"uid\":\"ff72291c-556b-11ef-9cb3-0242ac110005\",\"image\":{\"name\":\"eight bow edges\",\"uid\":\"ff7231f0-556b-11ef-af8b-0242ac110005\",\"labels\":[\"builders\",\"guitars\"]},\"hash\":{\"value\":\"3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723110780731096,\"namespace_pid\":27,\"parent_process\":{\"name\":\"Raising\",\"pid\":88,\"file\":{\"attributes\":10,\"name\":\"spyware.dds\",\"type\":\"Block Device\",\"path\":\"protocol validity absence/luther.rm/spyware.dds\",\"type_id\":4,\"mime_type\":\"institute/ivory\",\"parent_folder\":\"protocol validity absence/luther.rm\",\"confidentiality\":\"torture lawn 
fuel\",\"hashes\":[{\"value\":\"298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"security_descriptor\":\"delta caution ncaa\"},\"user\":{\"name\":\"Ieee\",\"type\":\"Unknown\",\"domain\":\"numerical circuit charts\",\"type_id\":0},\"group\":{\"name\":\"damaged cumulative applicable\",\"domain\":\"highways phones introduces\"},\"uid\":\"ff72525c-556b-11ef-b49e-0242ac110005\",\"cmd_line\":\"donation gaps according\",\"container\":{\"name\":\"meant she least\",\"tag\":\"commented attitude magazines\",\"uid\":\"ff72b166-556b-11ef-af11-0242ac110005\",\"image\":{\"name\":\"justify greeting attorney\",\"uid\":\"ff72c4ee-556b-11ef-ae90-0242ac110005\"},\"hash\":{\"value\":\"23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723110780734859,\"namespace_pid\":56},\"auid\":91,\"euid\":25}},\"terminated_time_dt\":\"2024-08-08T09:53:00.734879Z\"},\"terminated_time\":1723110780734887,\"auid\":42,\"euid\":36},\"created_time_dt\":\"2024-08-08T09:53:00.734894Z\"},\"user\":{\"type\":\"Unknown\",\"uid\":\"ff72d2e0-556b-11ef-bbe1-0242ac110005\",\"type_id\":0,\"credential_uid\":\"ff72de20-556b-11ef-a522-0242ac110005\",\"uid_alt\":\"weights hobbies divorce\"},\"authorizations\":[{},{}]},\"activity_name\":\"Started\",\"num_detections\":89,\"start_time\":1723110780716472,\"policy\":{\"name\":\"katie producing webcast\",\"desc\":\"relevance lots trigger\",\"uid\":\"ff6ff8fe-556b-11ef-874e-0242ac110005\"},\"category_uid\":6,\"class_name\":\"Scan Activity\",\"num_skipped_items\":59,\"message\":\"tools motivated 
nightlife\",\"api\":{\"request\":{\"uid\":\"ff6fddec-556b-11ef-a2d3-0242ac110005\"},\"group\":{\"name\":\"dividend consistency definitely\",\"type\":\"posts vendors student\",\"uid\":\"ff6feb8e-556b-11ef-8cd0-0242ac110005\"},\"response\":{\"error\":\"headquarters viii accurately\",\"code\":96,\"data\":\"phenomenon\",\"message\":\"definitely existing colleges\",\"error_message\":\"unexpected amazon worm\"},\"operation\":\"cathedral participate wrapping\"},\"scan\":{\"name\":\"caribbean operate detected\",\"type\":\"Updated Content\",\"uid\":\"ff6fd18a-556b-11ef-887c-0242ac110005\",\"type_id\":3},\"severity_id\":6,\"time\":1723110780715169,\"type_name\":\"Scan Activity: Started\",\"num_files\":43,\"device\":{\"name\":\"cams witnesses summary\",\"type\":\"Unknown\",\"domain\":\"a licensed facility\",\"ip\":\"175.16.199.0\",\"location\":{\"desc\":\"Falkland Islands (Malvinas)\",\"city\":\"Messaging management\",\"country\":\"FK\",\"coordinates\":[170.507,-62.7832],\"continent\":\"South America\"},\"hostname\":\"active.jobs\",\"uid\":\"ff6f8cca-556b-11ef-9bc0-0242ac110005\",\"type_id\":0,\"subnet\":\"28.0.0.0/8\",\"container\":{\"name\":\"related understanding tricks\",\"size\":3329432332,\"uid\":\"ff6fafac-556b-11ef-9f24-0242ac110005\",\"image\":{\"name\":\"items discharge whale\",\"uid\":\"ff6fbc7c-556b-11ef-9149-0242ac110005\"},\"hash\":{\"value\":\"788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"interface_uid\":\"ff6fc604-556b-11ef-a921-0242ac110005\",\"last_seen_time\":1723110780713330,\"modified_time\":1723110780713347,\"namespace_pid\":13,\"region\":\"patricia link controversy\",\"risk_level\":\"ratios capable administrator\",\"uid_alt\":\"scientific addition power\",\"vpc_uid\":\"ff6f7bea-556b-11ef-99b2-0242ac110005\",\"zone\":\"districts fit 
connector\",\"modified_time_dt\":\"2024-08-08T09:53:00.713297Z\",\"first_seen_time_dt\":\"2024-08-08T09:53:00.713342Z\"},\"end_time\":1723110780712791,\"num_folders\":37,\"timezone_offset\":20,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"hospitality fabric loop\",\"version\":\"1.1.0\",\"uid\":\"ff6f5962-556b-11ef-9975-0242ac110005\",\"vendor_name\":\"hindu carlo achieve\"},\"uid\":\"ff6f607e-556b-11ef-b5f9-0242ac110005\",\"log_level\":\"entities staying supplemental\",\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"brother lord wyoming\",\"log_provider\":\"diana alternate finals\",\"original_time\":\"negotiations hardwood avg\",\"tenant_uid\":\"ff6f6844-556b-11ef-8efe-0242ac110005\",\"logged_time_dt\":\"2024-08-08T09:53:00.712767Z\"},\"duration\":0,\"command_uid\":\"ff6f480a-556b-11ef-93ac-0242ac110005\",\"status\":\"synthesis\",\"num_resolutions\":19,\"activity_id\":1,\"total\":63,\"num_processes\":41,\"num_network_items\":71,\"class_uid\":6007,\"cloud\":{\"org\":{\"name\":\"serving invest coating\",\"uid\":\"ff6f0be2-556b-11ef-9b41-0242ac110005\",\"ou_name\":\"caroline au dos\"},\"account\":{\"name\":\"houston indexes puerto\",\"type\":\"Apple Account\",\"uid\":\"ff6f370c-556b-11ef-a592-0242ac110005\",\"type_id\":8},\"project_uid\":\"ff6f3f0e-556b-11ef-913f-0242ac110005\",\"provider\":\"greensboro gallery reporting\",\"region\":\"consistency alert titten\"},\"type_uid\":600701,\"num_trusted_items\":36,\"severity\":\"Fatal\",\"category_name\":\"Application Activity\",\"status_id\":99}", "provider": "diana alternate finals", "severity": 6, - "start": "+56573-03-16T19:31:56.472Z", + "start": "2024-08-08T09:53:00.716Z", "type": [ "info", "start" 
@@ -1820,7 +1820,7 @@ "size": 3673925967, "uid": "ff70a01a-556b-11ef-98b5-0242ac110005" }, - "created_time": "+56573-03-16T19:32:01.040Z", + "created_time": "2024-08-08T09:53:00.721Z", "created_time_dt": "2024-08-08T09:53:00.734Z", "file": { "accessor": { @@ -1880,7 +1880,7 @@ "size": 3971411004, "uid": "ff712e7c-556b-11ef-b4ec-0242ac110005" }, - "created_time": "+56573-03-16T19:32:05.334Z", + "created_time": "2024-08-08T09:53:00.725Z", "euid": "36", "file": { "accessor": { @@ -1963,7 +1963,7 @@ "value": "AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE" } ], - "modified_time": 1723110780725738, + "modified_time": 1723110780725, "name": "figure.bin", "security_descriptor": "thesaurus stories skirts", "type": "Local Socket", @@ -1990,7 +1990,7 @@ "size": 1046580299, "uid": "ff71eb82-556b-11ef-855e-0242ac110005" }, - "created_time": 1723110780729284, + "created_time": 1723110780729, "file": { "accessor": { "credential_uid": "ff71d5de-556b-11ef-bfb8-0242ac110005", @@ -2048,7 +2048,7 @@ "tag": "lexmark sandwich determining", "uid": "ff72291c-556b-11ef-9cb3-0242ac110005" }, - "created_time": 1723110780731096, + "created_time": 1723110780731, "euid": 25, "file": { "accessed_time_dt": "2024-08-08T09:53:00.729741Z", @@ -2100,7 +2100,7 @@ "tag": "commented attitude magazines", "uid": "ff72b166-556b-11ef-af11-0242ac110005" }, - "created_time": 1723110780734859, + "created_time": 1723110780734, "file": { "attributes": 10, "confidentiality": "torture lawn fuel", @@ -2165,7 +2165,7 @@ } }, "pid": 90, - "terminated_time": "+56573-03-16T19:32:14.887Z", + "terminated_time": "2024-08-08T09:53:00.734Z", "uid": "ff71249a-556b-11ef-b2a4-0242ac110005", "user": { "name": "Skip", 
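Review bot: The new side still leaves `created_time` and `modified_time` as epoch integers at the deeper `parent_process` levels — `"modified_time": 1723110780725` in the `-1963` hunk and `"created_time": 1723110780729`, `1723110780731`, `1723110780734` in the `-1990`, `-2048` and `-2100` hunks — while the same fields one or two levels up (`-1820`, `-1880`, `-2165`) become ISO-8601 strings. The integers look like microsecond values truncated to milliseconds, which suggests the unit conversion runs at every nesting level but the date conversion stops at a fixed depth; that is an inference from the fixture, the pipeline itself is not in this chunk. If the stop depth is intentional it should be stated in the field documentation for these `parent_process.*_time` fields, otherwise the pipeline should convert every level so one field does not carry two value types. If `created_time` is mapped as `date`, the default `strict_date_optional_time||epoch_millis` format accepts both shapes, so indexing would not fail, but consumers see the same field as a string in one object and an integer in a nested one. The enclosing JSON document starts and ends outside these hunks.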
@@ -2257,7 +2257,7 @@ "hostname": "active.jobs", "interface_uid": "ff6fc604-556b-11ef-a921-0242ac110005", "ip": "175.16.199.0", - "last_seen_time": "+56573-03-16T19:31:53.330Z", + "last_seen_time": "2024-08-08T09:53:00.713Z", "location": { "city": "Messaging management", "continent": "South America", @@ -2268,7 +2268,7 @@ "country": "FK", "desc": "Falkland Islands (Malvinas)" }, - "modified_time": "+56573-03-16T19:31:53.347Z", + "modified_time": "2024-08-08T09:53:00.713Z", "modified_time_dt": "2024-08-08T09:53:00.713Z", "name": "cams witnesses summary", "namespace_pid": 13, @@ -2283,7 +2283,7 @@ "zone": "districts fit connector" }, "duration": 0, - "end_time": "+56573-03-16T19:31:52.791Z", + "end_time": "2024-08-08T09:53:00.712Z", "message": "tools motivated nightlife", "metadata": { "log_level": "entities staying supplemental", @@ -2332,10 +2332,10 @@ }, "severity": "Fatal", "severity_id": 6, - "start_time": "+56573-03-16T19:31:56.472Z", + "start_time": "2024-08-08T09:53:00.716Z", "status": "synthesis", "status_id": "99", - "time": "+56573-03-16T19:31:55.169Z", + "time": "2024-08-08T09:53:00.715Z", "timezone_offset": 20, "total": 63, "type_name": "Scan Activity: Started", @@ -2352,7 +2352,7 @@ "name": "Lightweight", "parent": { "command_line": "legally hacker please", - "end": "+56573-03-16T19:32:14.887Z", + "end": "2024-08-08T09:53:00.734Z", "entity_id": "ff71249a-556b-11ef-b2a4-0242ac110005", "group": { "id": [ @@ -2362,7 +2362,7 @@ }, "name": "Unlimited", "pid": 90, - "start": "+56573-03-16T19:32:05.334Z", + "start": "2024-08-08T09:53:00.725Z", "user": { "id": [ "36", @@ -2372,7 +2372,7 @@ } }, "pid": 12, - "start": "+56573-03-16T19:32:01.040Z", + "start": "2024-08-08T09:53:00.721Z", "thread": { "id": 89 }, @@ -2430,7 +2430,7 @@ } }, { - "@timestamp": "+56573-04-27T12:31:27.674Z", + "@timestamp": "2024-08-08T10:53:04.287Z", "cloud": { "provider": "diabetes gaps ag", "region": "act ran entity" 
@@ -2498,7 +2498,7 @@ "issuer": { "distinguished_name": "warning cute armor" }, - "not_after": "+56573-04-27T12:31:13.675Z", + "not_after": "2024-08-08T10:53:04.273Z", "serial_number": "qld undergraduate cowboy", "subject": { "distinguished_name": "advised chess egyptian" @@ -2540,7 +2540,7 @@ "size": 2119671744, "uid": "63560cca-5574-11ef-8db7-0242ac110005" }, - "created_time": "+56573-04-27T12:31:32.928Z", + "created_time": "2024-08-08T10:53:04.292Z", "file": { "attributes": 91, "creator": { @@ -2607,7 +2607,7 @@ "size": 1467240565, "uid": "63567160-5574-11ef-a13e-0242ac110005" }, - "created_time": "+56573-04-27T12:31:35.435Z", + "created_time": "2024-08-08T10:53:04.295Z", "created_time_dt": "2024-08-08T10:53:04.407Z", "file": { "accessor": { 
@@ -2631,11 +2631,11 @@ "integrity": "eternal reservation which", "name": "Outreach", "namespace_pid": 73, - "parent_process_keyword": "{container={uid=6356a234-5574-11ef-a31f-0242ac110005, image={uid=6356aaae-5574-11ef-80e9-0242ac110005, name=bag belief such, labels=[memorabilia, producers]}, size=3349958052, name=diving invited scoring, pod_uuid=pp, runtime=louise demanding pontiac, tag=witness indicators oral, hash={value=5EF93A057B5E36A7F6F0880E87F5CF4B, algorithm_id=1, algorithm=MD5}}, created_time=1723114384296685, egid=16, cmd_line=tools aluminium combinations, namespace_pid=42, name=Hung, pid=85, parent_process={container={uid=6356f91e-5574-11ef-ae76-0242ac110005, image={uid=635701a2-5574-11ef-bc46-0242ac110005, name=sao naked toddler, labels=[toolbox, taught]}, size=420397581, name=slovenia anybody colors, pod_uuid=arranged, runtime=organic worked yn, hash={value=E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384298907, namespace_pid=34, pid=15, parent_process={container={uid=6357871c-5574-11ef-9b53-0242ac110005, image={uid=63578f78-5574-11ef-83eb-0242ac110005, name=lots time boolean}, orchestrator=board luis adopted, size=2152153573, name=loving revealed remarkable, hash={value=EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97, algorithm_id=5, algorithm=CTPH}}, uid=63577e16-5574-11ef-8086-0242ac110005, created_time=1723114384302534, auid=39, file={owner={uid=63572f2e-5574-11ef-80bc-0242ac110005, full_name=Mistie Belkis, type_id=3, domain=harmony served deadly, name=Excessive, groups=[{uid=635738e8-5574-11ef-b1ba-0242ac110005, name=recruiting member combine}], type=System, account={uid=6357423e-5574-11ef-bd28-0242ac110005, type_id=7, type=Mac OS Account}}, is_system=false, creator={uid=635752c4-5574-11ef-9816-0242ac110005, 
full_name=Lauralee Thomasine, type_id=1, domain=cabinet satisfaction excitement, name=Health, type=User, ldap_person={ldap_dn=roy noticed vertical, surname=tract olympus editor, created_time_dt=2024-08-08T10:53:04.301134Z, location={continent=Europe, country=RS, city=Princeton judy, coordinates=[-170.2881, -62.2248], desc=Serbia, Republic of}}}, type_id=5, type=Local Socket, xattributes={}, path=everything packaging fears/sat.crdownload/sitting.bmp, uid=635748e2-5574-11ef-9899-0242ac110005, parent_folder=everything packaging fears/sat.crdownload, modified_time=1723114384301182, name=sitting.bmp, hashes=[{value=D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B, algorithm_id=0, algorithm=Unknown}], accessed_time=1723114384301146}, cmd_line=consists posters menus, name=Whilst, pid=51, parent_process={container={uid=63597a54-5574-11ef-acbb-0242ac110005, image={uid=63599c96-5574-11ef-8abe-0242ac110005, name=hanging assume mill}, size=3636193350, name=drill modern difference, hash={value=90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384316151, euid=77, session={uid=6357a396-5574-11ef-8ef4-0242ac110005, created_time=1723114384303010, is_remote=false, is_mfa=true, issuer=demonstration holmes california}, namespace_pid=49, pid=93, parent_process={container={uid=635a7206-5574-11ef-b9d6-0242ac110005, image={uid=635a8282-5574-11ef-8212-0242ac110005}, size=560452224, name=answers camera televisions, hash={value=FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828, algorithm_id=7, algorithm=quickXorHash}}, uid=635a5c26-5574-11ef-8945-0242ac110005, created_time=1723114384322300, egid=67, file={path=proper unified cingular/outsourcing.cs/venice.pct, created_time=1723114384320518, 
product={vendor_name=staying attachment med, version=1.1.0}, parent_folder=proper unified cingular/outsourcing.cs, type_id=3, name=venice.pct, accessor={uid=635a477c-5574-11ef-8dd3-0242ac110005, type_id=2, name=Arlington, type=Admin, credential_uid=635a4f2e-5574-11ef-b0c1-0242ac110005}, hashes=[{value=5B54C0A045F179BCBBBC9ABCB8B5CD4C, algorithm_id=1, algorithm=MD5}, {value=B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91, algorithm_id=99, algorithm=magic}], accessed_time=1723114384320502, modified_time_dt=2024-08-08T10:53:04.320622Z, type=Character Device, desc=advantage profit fall}, cmd_line=cup rights charger, namespace_pid=14, name=Ft, pid=85, parent_process={container={uid=635bd29a-5574-11ef-a523-0242ac110005, image={uid=635c0198-5574-11ef-ba77-0242ac110005, name=junction naval insulation, tag=watches wellington muscle}, size=1841031275, name=ink bio mileage, pod_uuid=nuclear, runtime=effort des lu, hash={value=FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384332144, euid=45, namespace_pid=91, pid=1, parent_process={container={uid=635d91e8-5574-11ef-bfc1-0242ac110005, image={uid=635dba88-5574-11ef-a7d2-0242ac110005, name=bring president swap}, network_driver=crawford invitation pierce, orchestrator=differences lycos cut, size=175725837, name=ate worth powerpoint, runtime=society mem dependence, hash={value=7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384343050, auid=31, euid=40, namespace_pid=17, sandbox=conversations poker oriented, pid=46, parent_process={container={uid=635e290a-5574-11ef-8290-0242ac110005, image={uid=635e31d4-5574-11ef-8b11-0242ac110005, tag=developer characterized chelsea}, size=1634165265, name=dry age their, tag=revised bytes swingers, 
hash={value=D5F2E5C77054C44C2C72A1B017DECA06FC637C99, algorithm_id=2, algorithm=SHA-1}}, uid=635e1f5a-5574-11ef-aad7-0242ac110005, created_time=1723114384346014, file={owner={uid=635ddb94-5574-11ef-ab3f-0242ac110005, org={name=whom demand thereof, ou_name=weighted fundraising drainage}, type_id=1, name=Tissue, type=User}, is_system=false, type_id=1, confidentiality=Unknown, modified_time_dt=2024-08-08T10:53:04.344556Z, type=Regular File, path=commons employ nickel/humanity.swf/earnings.otf, parent_folder=commons employ nickel/humanity.swf, confidentiality_id=0, company_name=Abby Cyrus, security_descriptor=correctly screenshots reached, name=earnings.otf, hashes=[{value=EE1150845FA3041CEB3A3FCDBE42D68A, algorithm_id=1, algorithm=MD5}, {value=DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.344543Z}, cmd_line=macedonia reid wanna, name=During, pid=22, parent_process={container={uid=635eaa7e-5574-11ef-99fc-0242ac110005, image={uid=635eb3a2-5574-11ef-8a60-0242ac110005, name=carolina bio conversion}, orchestrator=wto murray posted, size=2909077433, name=car ericsson vary, pod_uuid=designed, tag=apparent philadelphia southern, hash={value=62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407, algorithm_id=3, algorithm=SHA-256}}, created_time=1723114384349350, euid=11, namespace_pid=5, pid=15, parent_process={container={uid=635f000a-5574-11ef-bd88-0242ac110005, image={uid=635f0898-5574-11ef-a44a-0242ac110005, name=procedures later palestinian}, orchestrator=teens motion deaths, size=22516444, name=thomson multi reliable, hash={value=B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384351625, namespace_pid=7, sandbox=em therefore spoke, pid=58, 
parent_process={container={uid=635f7e18-5574-11ef-84ec-0242ac110005, image={uid=635f891c-5574-11ef-9147-0242ac110005, name=packs auction technical}, size=574926482, name=inquire justice risks, runtime=fragrance instances sun}, lineage=[lying advertisements renew, buf prescribed puerto], created_time=1723114384354756, namespace_pid=80, pid=86, parent_process={lineage=[trees saving alias, ssl september rack], uid=635fa406-5574-11ef-809b-0242ac110005, auid=32, cmd_line=information propecia md, namespace_pid=50, name=Blogger, pid=77, parent_process={container={uid=63600950-5574-11ef-aae8-0242ac110005, image={path=trades mess wishlist, uid=6360136e-5574-11ef-8aec-0242ac110005, name=jersey elected projector, tag=members breathing powers}, size=3538073681, name=homes commonwealth recall}, created_time=1723114384358291, euid=92, namespace_pid=6, pid=15, parent_process={container={image={uid=636066de-5574-11ef-9bc9-0242ac110005, name=listing hardwood defined}, orchestrator=australian future sponsor, size=119356271, name=heather troubleshooting considerable, hash={value=F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876, algorithm_id=4, algorithm=SHA-512}}, lineage=[seeds spouse noble, lifestyle fault floors], uid=636054f0-5574-11ef-8588-0242ac110005, created_time=1723114384360489, file={path=throws additions myspace/jackets.b/patches.tar, uid=636040d2-5574-11ef-965c-0242ac110005, parent_folder=throws additions myspace/jackets.b, confidentiality_id=4, signature={certificate={created_time=1723114384358869, subject=donate tons media, expiration_time=1723114384358874, serial_number=fell lab weddings, version=1.1.0, issuer=italic hamburg judges, fingerprints=[{value=F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543, algorithm_id=5, algorithm=CTPH}]}, developer_uid=63603196-5574-11ef-ac47-0242ac110005, algorithm_id=1, 
algorithm=DSA}, type_id=0, confidentiality=Top Secret, name=patches.tar, hashes=[{value=04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21, algorithm_id=4, algorithm=SHA-512}, {value=6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8, algorithm_id=7, algorithm=quickXorHash}], modified_time_dt=2024-08-08T10:53:04.359528Z, type=Unknown}, cmd_line=swingers centers burke, namespace_pid=18, sandbox=representing stationery affiliated, pid=31, parent_process={container={uid=63613c44-5574-11ef-bd50-0242ac110005, image={uid=63614568-5574-11ef-bf7a-0242ac110005, name=rate ben fish}, size=1952448709, name=obligation catalyst concentrations, runtime=tex strings mounted, hash={value=43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3, algorithm_id=99, algorithm=magic}}, uid=636132c6-5574-11ef-83af-0242ac110005, created_time=1723114384366178, auid=5, file={path=calcium amateur harmony/ltd.toast/implemented.rom, creator={uid=6360d920-5574-11ef-a83a-0242ac110005, type_id=0, domain=adjustment container harris, name=With, type=Unknown, account={uid=6360e442-5574-11ef-9167-0242ac110005, type_id=9, name=europe eating mailing, type=Linux Account}}, parent_folder=calcium amateur harmony/ltd.toast, type_id=0, modifier={uid=6360b08a-5574-11ef-ae8e-0242ac110005, type_id=2, type=Admin, ldap_person={ldap_dn=census doors though, ldap_cn=racing morgan volt, cost_center=verify nut levels, location={continent=Europe, country=HR, city=Regulations technician, coordinates=[-57.4552, 63.8901], desc=Croatia, Republic of}, modified_time_dt=2024-08-08T10:53:04.363022Z}}, name=implemented.rom, hashes=[{value=19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661, algorithm_id=3, algorithm=SHA-256}, {value=652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F, algorithm_id=3, algorithm=SHA-256}], 
modified_time_dt=2024-08-08T10:53:04.363717Z, type=Unknown}, cmd_line=psp bush feet, namespace_pid=17, pid=42, parent_process={container={uid=63620160-5574-11ef-b37a-0242ac110005, image={path=gulf brian arrow, uid=63620bec-5574-11ef-8f30-0242ac110005, name=apt lp screen}, network_driver=ks field roger, size=3565502421, name=waste counties homepage, pod_uuid=breathing}, created_time=1723114384371224, euid=20, session={uid=6361567a-5574-11ef-b26b-0242ac110005, created_time=1723114384366575, is_remote=false, issuer=level boc morrison, credential_uid=63615e22-5574-11ef-b196-0242ac110005}, namespace_pid=72, pid=16, parent_process={container={uid=6362bb3c-5574-11ef-8a12-0242ac110005, image={uid=6362c56e-5574-11ef-8c25-0242ac110005, name=pi churches es}, orchestrator=asking jerry namespace, size=1384069832, name=calvin actor describe, tag=automobiles gratuit tower, hash={value=67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384376016, namespace_pid=67, pid=14, parent_process={container={uid=63633e40-5574-11ef-9825-0242ac110005, image={uid=6363469c-5574-11ef-9299-0242ac110005}, size=2004032787, name=deputy mirror eagle, tag=magazine looking deemed, hash={value=55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037, algorithm_id=4, algorithm=SHA-512}}, uid=63633300-5574-11ef-80ee-0242ac110005, created_time=1723114384379317, file={path=pennsylvania matthew somewhere/saw.dbf/tennessee.wsf, uid=6362dc0c-5574-11ef-b631-0242ac110005, is_system=false, creator={uid=6362e6ac-5574-11ef-a13c-0242ac110005, email_addr=Lorretta@components.nato, type_id=1, name=Cognitive, type=User}, parent_folder=pennsylvania matthew somewhere/saw.dbf, type_id=2, security_descriptor=lcd elementary surround, name=tennessee.wsf, 
hashes=[{value=1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734, algorithm_id=3, algorithm=SHA-256}, {value=DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434, algorithm_id=99, algorithm=magic}], attributes=1, type=Folder}, cmd_line=magazines spin aaron, namespace_pid=66, name=Animal, created_time_dt=2024-08-08T10:53:04.406974Z, pid=95, parent_process={container={uid=63638544-5574-11ef-bbd6-0242ac110005, image={uid=63638df0-5574-11ef-8d90-0242ac110005, name=exist acceptance britney}, network_driver=shops congratulations variance, name=contain accepted gba, runtime=admin hammer variance, tag=geographical registered suspension, hash={value=83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A, algorithm_id=99, algorithm=magic}}, created_time=1723114384381145, euid=11, namespace_pid=1, sandbox=delays fighting soonest, parent_process={container={uid=6363dbde-5574-11ef-a3c5-0242ac110005, image={uid=6363e57a-5574-11ef-8bf7-0242ac110005, name=errors request zdnet}, orchestrator=viral lindsay intellectual, size=2306842201, name=astronomy routing grocery, tag=exchange timber candles, hash={value=237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E, algorithm_id=4, algorithm=SHA-512}}, uid=6363d120-5574-11ef-b647-0242ac110005, created_time=1723114384383389, file={is_system=true, type_id=7, confidentiality=Confidential, type=Symbolic Link, path=watts leave ukraine/ringtones.rtf/fits.cfm, parent_folder=watts leave ukraine/ringtones.rtf, confidentiality_id=2, accessed_time_dt=2024-08-08T10:53:04.381694Z, security_descriptor=selling dt few, name=fits.cfm, hashes=[{value=B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E, algorithm_id=4, algorithm=SHA-512}, {value=3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124, algorithm_id=2, algorithm=SHA-1}], created_time_dt=2024-08-08T10:53:04.381707Z, 
attributes=2}, cmd_line=effects day pocket, namespace_pid=39, sandbox=declare indication occupations, pid=44, parent_process={container={uid=63642e36-5574-11ef-aac4-0242ac110005, orchestrator=preview contractors helps, size=639972788, name=texas comments creator, hash={value=1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384385246, file={owner={uid=63640244-5574-11ef-864e-0242ac110005, type_id=99, name=Priorities, type=uploaded, account={uid=63640bea-5574-11ef-881a-0242ac110005, type_id=0, name=charles verification grave, type=Unknown}}, path=alter checked emperor/toner.htm/photo.gadget, created_time=1723114384384361, parent_folder=alter checked emperor/toner.htm, confidentiality_id=1, type_id=7, confidentiality=Not Confidential, name=photo.gadget, hashes=[{value=DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0, algorithm_id=4, algorithm=SHA-512}, {value=5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0, algorithm_id=3, algorithm=SHA-256}], type=Symbolic Link, version=1.1.0}, cmd_line=lung mega nn, namespace_pid=8, name=Vessels, sandbox=challenged profiles family, pid=73, parent_process={container={uid=636474e0-5574-11ef-bca8-0242ac110005, image={path=advantage bm record, uid=63647df0-5574-11ef-b02b-0242ac110005, name=advertisement metabolism bound, tag=parent prostores taste}, orchestrator=child railroad thehun, name=katrina commonly sweet, hash={value=36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605, algorithm_id=0, algorithm=Unknown}}, created_time=1723114384387286, euid=78, namespace_pid=4, pid=56, parent_process={container={image={uid=636511ac-5574-11ef-b939-0242ac110005, name=federation technical rally}, orchestrator=winning business 
collaborative, size=117561636, hash={value=1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657, algorithm_id=4, algorithm=SHA-512}}, created_time=1723114384391076, auid=30, session={created_time=1723114384387484, is_vpn=true, is_remote=true, issuer=mounts burns budgets}, pid=34, parent_process={container={uid=6365ab4e-5574-11ef-a5b2-0242ac110005, image={uid=6365b47c-5574-11ef-94cc-0242ac110005, name=graphs uni learned}, network_driver=nh essentials blogs, size=2490340163, name=hack aud canadian, pod_uuid=automobiles, hash={value=1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98, algorithm_id=6, algorithm=TLSH}}, uid=6365a1b2-5574-11ef-847c-0242ac110005, created_time=1723114384395481, file={owner={uid=63653dee-5574-11ef-8c70-0242ac110005, type_id=3, domain=affiliation arab invision, type=System, ldap_person={created_time=1723114384392352, leave_time=1723114384392577, email_addrs=[Olympia@jesse.travel, Mina@seeking.com], ldap_cn=professionals worm eng, given_name=pulse waiver footwear, employee_uid=63654de8-5574-11ef-a8ac-0242ac110005}}, is_system=true, product={uid=6365590a-5574-11ef-aaa7-0242ac110005, name=mumbai determined nobody, vendor_name=infected listen uk, lang=en, version=1.1.0}, creator={uid=636569d6-5574-11ef-bef4-0242ac110005, type_id=99, name=Kurt, uid_alt=rack fake bleeding, type=examines, account={uid=63657340-5574-11ef-b69a-0242ac110005, type_id=10, name=petite suggestions british, type=AWS Account}}, type_id=2, confidentiality=Secret, type=Folder, version=1.1.0, path=gotten unique thereafter/championship.deskthemepack/medication.pdf, uid=63655f9a-5574-11ef-add1-0242ac110005, parent_folder=gotten unique thereafter/championship.deskthemepack, size=1001943972, confidentiality_id=3, name=medication.pdf, 
hashes=[{value=C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1, algorithm_id=7, algorithm=quickXorHash}]}, cmd_line=sorts sites obtained, session={uid=636527dc-5574-11ef-a1e5-0242ac110005, created_time=1723114384391616, is_vpn=false, expiration_reason=declined attorney sunday, expiration_time_dt=2024-08-08T10:53:04.391655Z, count=58, is_remote=false, uid_alt=sim yorkshire adaptation, issuer=petition disclaimer clara}, namespace_pid=90, name=Vic, pid=16, parent_process={container={uid=636616ce-5574-11ef-bd26-0242ac110005, image={uid=63661fac-5574-11ef-9e80-0242ac110005, name=handy derek tb}, name=barriers cheaper logged, runtime=logos drilling schools, hash={value=6F08C5DDCDD0BE06D83AA3E0E3D5A09E, algorithm_id=1, algorithm=MD5}}, created_time=1723114384397969, session={created_time=1723114384396317, expiration_reason=politics nt username, expiration_time_dt=2024-08-08T10:53:04.396343Z, expiration_time=1723114384396336, is_remote=true, uuid=6365e014-5574-11ef-a98e-0242ac110005, issuer=bluetooth raise shopping}, namespace_pid=82, pid=2, parent_process={container={uid=6366e1b2-5574-11ef-a230-0242ac110005, image={uid=6366ed6a-5574-11ef-9f59-0242ac110005, name=newspapers marriage translations}, size=1994539178, name=butter repeated annie, hash={value=E94025BE336B1F89159AF64B1F6EDA5D470AC8D6, algorithm_id=2, algorithm=SHA-1}}, created_time=1723114384403255, auid=58, euid=32, namespace_pid=98, pid=76, parent_process={lineage=[operational pilot citysearch], uid=63677a6e-5574-11ef-9578-0242ac110005, created_time=1723114384406818, file={is_system=false, product={uid=6367296a-5574-11ef-8136-0242ac110005, vendor_name=cindy specifications frontpage, lang=en, version=1.1.0}, signature={certificate={created_time=1723114384404438, subject=lion struggle widespread, expiration_time=1723114384404443, serial_number=negotiation feel cole, version=1.1.0, issuer=clocks suppose products, 
fingerprints=[{value=83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=99, algorithm=gotten}, type_id=3, confidentiality=Top Secret, type=Character Device, version=1.1.0, path=breast enjoying verbal/assure.gam/accuracy.kmz, uid=63673090-5574-11ef-ad66-0242ac110005, parent_folder=breast enjoying verbal/assure.gam, confidentiality_id=4, accessed_time_dt=2024-08-08T10:53:04.404997Z, name=accuracy.kmz, hashes=[{value=D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C, algorithm_id=7, algorithm=quickXorHash}, {value=990D4710B15458E3EDAA8601CDF5B44648B4FC61, algorithm_id=2, algorithm=SHA-1}]}, cmd_line=mere loaded similar, session={uid=636701d8-5574-11ef-a4f1-0242ac110005, expiration_reason=washing sunday reaching, expiration_time_dt=2024-08-08T10:53:04.403964Z, expiration_time=1723114384403944, is_remote=true, created_time_dt=2024-08-08T10:53:04.403955Z, credential_uid=6367082c-5574-11ef-aaa8-0242ac110005}, name=Exotic, pid=64, user={uid=6367417a-5574-11ef-8cd6-0242ac110005, full_name=Mayme Lurline, type_id=2, name=Saver, groups=[{uid=63676952-5574-11ef-a883-0242ac110005, domain=identification browsing structures, name=guyana applied attribute}], type=Admin}, tid=41, group={uid=63677460-5574-11ef-a07f-0242ac110005, name=executive mathematical signals}}, uid=6366be8a-5574-11ef-a313-0242ac110005, integrity=applying observe nba, file={creator={uid=63667ca4-5574-11ef-a8ae-0242ac110005, type_id=3, name=Quotes, groups=[{uid=636685fa-5574-11ef-8fd9-0242ac110005, name=engineers constitute papers}, {uid=63668c80-5574-11ef-bd3d-0242ac110005, type=introducing amendments portuguese}], type=System, ldap_person={modified_time=1723114384401210, last_login_time_dt=2024-08-08T10:53:04.401225Z, location={continent=Asia, country=CY, city=Bibliographic selections, coordinates=[-120.1139, 
17.5612], desc=Cyprus, Republic of}, office_location=dl td transition}, account={uid=636695b8-5574-11ef-8e13-0242ac110005, type_id=5, name=hewlett beats hit, type=GCP Account}}, type_id=7, modifier={uid=63663aa0-5574-11ef-89ff-0242ac110005, type_id=2, name=Incident, groups=[{uid=63665ca6-5574-11ef-abfa-0242ac110005, domain=adventure charter tom, name=guest demographic terry}, {uid=636664f8-5574-11ef-96ca-0242ac110005, name=moderators broker asian}], uid_alt=notre sponsorship elections, type=Admin, account={uid=63666f0c-5574-11ef-98ef-0242ac110005, type_id=2, type=Windows Account}}, type=Symbolic Link, version=1.1.0, xattributes={}, path=arizona concentrations widescreen/wire.tax2020/placement.3dm, parent_folder=arizona concentrations widescreen/wire.tax2020, company_name=Christa Marta, name=placement.3dm, hashes=[{value=5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366, algorithm_id=7, algorithm=quickXorHash}, {value=E2A4DD55AA0F76F85A047DAF5B859095, algorithm_id=1, algorithm=MD5}], created_time_dt=2024-08-08T10:53:04.401316Z, attributes=9, accessed_time=1723114384401235, desc=populations servers environments}, cmd_line=accessible annotated plus, name=Recommendations, created_time_dt=2024-08-08T10:53:04.406843Z, user={uid=6366aed6-5574-11ef-855a-0242ac110005, type_id=3, name=Taxes, type=System}, group={uid=6366b8c2-5574-11ef-a4e8-0242ac110005, domain=apollo clicking incorrect, name=split viking nike}}, terminated_time=1723114384406852, uid=63660b34-5574-11ef-bbcf-0242ac110005, file={created_time=1723114384396786, signature={certificate={subject=national garmin even, expiration_time=1723114384396755, serial_number=rhode realty talented, version=1.1.0, issuer=cut duo agencies, fingerprints=[{value=E8D8654C197E7B3BEED4D69E3EDD3A5B, algorithm_id=1, algorithm=MD5}, 
{value=75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=99, algorithm=vendor}, type_id=7, confidentiality=freelance pty ferrari, modified_time_dt=2024-08-08T10:53:04.396853Z, type=Symbolic Link, xattributes={}, path=rear biology finest/nintendo.class/atlantic.icns, parent_folder=rear biology finest/nintendo.class, modified_time=1723114384396821, name=atlantic.icns, hashes=[{value=0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007, algorithm_id=0, algorithm=Unknown}, {value=D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11, algorithm_id=2, algorithm=SHA-1}], desc=specific aside io}, cmd_line=canada federation computational, name=Offline, user={uid=6366010c-5574-11ef-bfe7-0242ac110005, type_id=1, domain=crops midi hope, name=Collectables, uid_alt=thunder pickup tab, type=User}, group={desc=muze comply jets}}, user={uid=6365822c-5574-11ef-95fb-0242ac110005, email_addr=Lynetta@lib.jobs, org={uid=63658ac4-5574-11ef-bea5-0242ac110005, name=jerry calling mardi, ou_name=motion ampland acknowledged}, type_id=99, type=recent, credential_uid=63659186-5574-11ef-a13d-0242ac110005}, group={uid=63659b86-5574-11ef-ac1a-0242ac110005, domain=explicitly retreat de, name=phys dollar not, type=foster prefer phys}}, tid=42, xattributes={}, uid=636504b4-5574-11ef-af4a-0242ac110005, file={owner={uid=6364960a-5574-11ef-ad32-0242ac110005, org={ou_uid=6364acb2-5574-11ef-b1ce-0242ac110005, uid=6364a60e-5574-11ef-aaf1-0242ac110005, name=arrive protecting fy, ou_name=cat saints infringement}, type_id=1, name=Nov, groups=[{uid=6364d64c-5574-11ef-a880-0242ac110005, name=head state rubber}, {uid=6364de3a-5574-11ef-9448-0242ac110005, name=catalyst strong mins, desc=consortium bald removing}], type=User}, product={path=internship progress gun, vendor_name=sp protection requests, lang=en, 
version=1.1.0}, type_id=7, type=Symbolic Link, version=1.1.0, path=executed removal years/among.yuv/employment.wma, parent_folder=executed removal years/among.yuv, accessed_time_dt=2024-08-08T10:53:04.389945Z, mime_type=medal/nearly, name=employment.wma, hashes=[{value=5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28, algorithm_id=5, algorithm=CTPH}, {value=BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.389957Z, attributes=97}, cmd_line=macintosh enjoying disposal, name=Burning, user={uid=6364f62c-5574-11ef-be1d-0242ac110005, type_id=99, name=Without, type=celebs}, group={desc=allowance vacation ae}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.406915Z, uid=63646b44-5574-11ef-a77a-0242ac110005, file={path=diagnosis angeles portsmouth/travels.mpa/ba.3ds, created_time=1723114384386185, parent_folder=diagnosis angeles portsmouth/travels.mpa, type_id=4, name=ba.3ds, hashes=[{value=50D299D6D7966A2DC1E0CF7FEB739E33, algorithm_id=1, algorithm=MD5}, {value=328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.386239Z, accessed_time=1723114384386177, type=Block Device}, cmd_line=notre cameras draw, name=Scott, user={type_id=2, domain=amendment spot sudan, name=Kit, type=Admin}, group={uid=63646496-5574-11ef-bfc5-0242ac110005, name=passed rankings affects}}, user={uid=63641a22-5574-11ef-8919-0242ac110005, email_addr=Lauryn@reliance.travel, type_id=99, type=carmen, account={uid=636423be-5574-11ef-8304-0242ac110005, type_id=10, name=reef terrorist graduation, type=AWS Account}}, xattributes={}}, user={uid=6363b992-5574-11ef-9143-0242ac110005, name=Edgar, 
ldap_person={email_addrs=[Mariann@routine.net], deleted_time_dt=2024-08-08T10:53:04.382339Z, job_title=alto languages tanks}}, xattributes={}, group={uid=6363ca0e-5574-11ef-837d-0242ac110005, privileges=[ingredients pins connector], name=thinking offices worcester}}, tid=66, uid=63637afe-5574-11ef-b99b-0242ac110005, integrity=Protected, file={path=important companion consultancy/wallpaper.drv/plasma.3dm, parent_folder=important companion consultancy/wallpaper.drv, confidentiality_id=3, signature={certificate={created_time=1723114384380115, subject=assuming remarks brass, expiration_time=1723114384380123, serial_number=provinces medicine it, version=1.1.0, issuer=sheet registry concord, fingerprints=[{value=EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF, algorithm_id=3, algorithm=SHA-256}, {value=E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59, algorithm_id=5, algorithm=CTPH}]}, algorithm_id=0, algorithm=Unknown}, type_id=2, confidentiality=Secret, name=plasma.3dm, hashes=[{value=9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591, algorithm_id=3, algorithm=SHA-256}, {value=208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5, algorithm_id=6, algorithm=TLSH}], type=Folder}, cmd_line=felt essay relax, name=Delight, user={email_addr=Numbers@si.coop, type_id=2, name=Focused, uid_alt=biggest stupid linking, type=Admin}, integrity_id=6, group={privileges=[costs anthropology nickname, nbc dns flex], name=jar transparency sing}}, user={uid=63630eca-5574-11ef-b29c-0242ac110005, email_addr=Classie@municipality.pro, org={uid=636317ee-5574-11ef-b39a-0242ac110005, name=mighty thou ff, ou_name=companies functions hockey}, type_id=0, name=Guys, groups=[{uid=636321d0-5574-11ef-ae4b-0242ac110005, domain=parties entertainment lemon, name=hood powers merely}, {privileges=[etc survey at, cohen mails 
bio], name=rise parcel bookmarks}], type=Unknown}, group={uid=63632d38-5574-11ef-85c8-0242ac110005, name=legislature normal lectures}}, terminated_time=1723114384406979, uid=6362b0ec-5574-11ef-bb67-0242ac110005, integrity=System, file={path=regularly drivers sacred/rational.fla/wing.crdownload, created_time=1723114384374429, product={uid=636288ba-5574-11ef-b671-0242ac110005, name=cr fat generators, vendor_name=conflicts feed receivers, lang=en, version=1.1.0}, parent_folder=regularly drivers sacred/rational.fla, modified_time=1723114384374497, type_id=2, name=wing.crdownload, hashes=[{value=140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02, algorithm_id=7, algorithm=quickXorHash}, {value=E405FA83FE9CFE003B49FD852D4429D0EFF2F914, algorithm_id=2, algorithm=SHA-1}], created_time_dt=2024-08-08T10:53:04.374525Z, attributes=39, type=Folder, xattributes={}}, cmd_line=railway filling consistent, name=Definitely, loaded_modules=[/fri/tall/bit/rap/meyer.hqx], user={uid=63629a58-5574-11ef-8c2b-0242ac110005, type_id=1, domain=adding merit extend, name=Influenced, type=User, credential_uid=6362a124-5574-11ef-a23f-0242ac110005}, integrity_id=5, group={uid=6362ab10-5574-11ef-adda-0242ac110005, domain=enterprises civil knowledge, desc=patch celebration lancaster}}, uid=6361f634-5574-11ef-87d8-0242ac110005, file={owner={type_id=2, name=Yoga, type=Admin}, path=variable their precipitation/moving.sql/python.bin, parent_folder=variable their precipitation/moving.sql, signature={certificate={created_time=1723114384368646, subject=x tide described, expiration_time=1723114384368652, serial_number=ultimate nervous george, version=1.1.0, issuer=equations different edward, fingerprints=[{value=90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=4, algorithm=Authenticode}, 
mime_type=personnel/bids, type_id=99, name=python.bin, accessor={uid=6361bec6-5574-11ef-81b5-0242ac110005, type_id=99, domain=elizabeth cheapest solution, name=Jd, type=deviant}, hashes=[{value=2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3, algorithm_id=5, algorithm=CTPH}], type=afghanistan}, cmd_line=distances participating maintenance, name=Versions, user={uid=6361cccc-5574-11ef-994f-0242ac110005, email_addr=Kristin@tion.net, org={uid=6361d546-5574-11ef-b2b3-0242ac110005, name=watts desktop hong}, type_id=99, name=Spring, type=nu, account={uid=6361dec4-5574-11ef-80de-0242ac110005, type_id=8, name=bd atom berkeley, type=Apple Account}}, group={uid=6361ef22-5574-11ef-8892-0242ac110005, name=academics secondary simon}}, user={uid=6360f752-5574-11ef-a1db-0242ac110005, type_id=3, name=Satisfaction, type=System, account={uid=636119d0-5574-11ef-a86d-0242ac110005, type_id=1, type=LDAP Account}, credential_uid=6361204c-5574-11ef-8854-0242ac110005}, group={uid=63612c22-5574-11ef-800b-0242ac110005, privileges=[joining boots aw, gang robust transport], name=flags gang blow, desc=mistakes prediction toy}}, group={uid=63604e4c-5574-11ef-9f32-0242ac110005, name=recommends pollution humans}}, tid=26, uid=635ffed8-5574-11ef-b0fd-0242ac110005, integrity=High, file={path=seem party existence/buried.3dm/lotus.pkg, created_time=1723114384355919, is_system=true, parent_folder=seem party existence/buried.3dm, accessed_time_dt=2024-08-08T10:53:04.355980Z, type_id=5, confidentiality=belief hard romania, name=lotus.pkg, hashes=[{value=921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF, algorithm_id=5, algorithm=CTPH}, {value=E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA, algorithm_id=7, algorithm=quickXorHash}], attributes=31, type=Local Socket}, 
cmd_line=gamecube forbes described, name=Defense, user={uid=635fca94-5574-11ef-82f0-0242ac110005, type_id=99, name=Blogs, groups=[{uid=635fd57a-5574-11ef-84bc-0242ac110005, type=buyer spirit webcam}, {uid=635fe13c-5574-11ef-85a3-0242ac110005, name=cooperation meditation memo, desc=discretion fantastic tactics}], type=novel, ldap_person={leave_time=1723114384357313, email_addrs=[Kimberley@sip.int], modified_time_dt=2024-08-08T10:53:04.357320Z}, credential_uid=635fe862-5574-11ef-ba0c-0242ac110005}, integrity_id=4, group={uid=635ff8a2-5574-11ef-af7e-0242ac110005, name=care viii external, type=right crowd crops, desc=appointed opponent written}}, user={uid=635f9c7c-5574-11ef-b4d1-0242ac110005, type_id=99, name=Lenses, uid_alt=penalty spray weight, type=dairy}}, uid=635f63d8-5574-11ef-8afe-0242ac110005, integrity=deutsche what indians, file={path=sports amp assess/explosion.sln/offered.avi, parent_folder=sports amp assess/explosion.sln, type_id=2, security_descriptor=salmon sister tucson, name=offered.avi, accessed_time=1723114384352980, type=Folder}, cmd_line=reflects champion naughty, name=Gen, user={uid=635f51c2-5574-11ef-bad8-0242ac110005, type_id=0, name=Rest, type=Unknown}, group={uid=635f5d02-5574-11ef-be03-0242ac110005, privileges=[seasonal railroad already], name=produces consequence selling}}, xattributes={}, uid=635ef6dc-5574-11ef-a3ad-0242ac110005, file={signature={certificate={subject=durham sitting hiv, expiration_time=1723114384349769, serial_number=field geek theater, version=1.1.0, issuer=eq designers loc, fingerprints=[{value=B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10, algorithm_id=6, algorithm=TLSH}, {value=8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99, algorithm_id=7, algorithm=quickXorHash}]}, algorithm_id=2, algorithm=RSA}, type_id=4, type=Block Device, xattributes={}, 
path=newsletter tulsa locale/wait.cab/closing.3ds, uid=635ed24c-5574-11ef-9b19-0242ac110005, parent_folder=newsletter tulsa locale/wait.cab, modified_time=1723114384350131, size=2333859778, mime_type=radio/minolta, security_descriptor=went stick curious, name=closing.3ds, hashes=[{value=65BD10756687E64C347423BA3836F065, algorithm_id=1, algorithm=MD5}, {value=B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495, algorithm_id=3, algorithm=SHA-256}]}, cmd_line=statutes columnists commerce, name=Lm, created_time_dt=2024-08-08T10:53:04.407027Z, user={uid=635ee0e8-5574-11ef-ac61-0242ac110005, type_id=3, name=Gossip, type=System, credential_uid=635ee75a-5574-11ef-ac0c-0242ac110005}, group={uid=635ef114-5574-11ef-8c2b-0242ac110005, name=alcohol surprise http, desc=wales if adams}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.407047Z, uid=635e817a-5574-11ef-850e-0242ac110005, integrity=ag disagree anymore, file={path=monkey refused genesis/pictures.cs/modification.php, parent_folder=monkey refused genesis/pictures.cs, confidentiality_id=1, type_id=1, confidentiality=Not Confidential, name=modification.php, attributes=27, type=Regular File}, cmd_line=rides vids label, name=Door, user={uid=635e6e38-5574-11ef-9132-0242ac110005, type_id=3, name=Roller, type=System}, group={uid=635e79b4-5574-11ef-b9e2-0242ac110005, privileges=[later conversion foreign, shadows phpbb ate], name=dogs republic occurrence, type=headers brunei ontario}}, user={uid=635e09a2-5574-11ef-8b02-0242ac110005, name=Greenhouse, uid_alt=nu tiny challenging}, terminated_time_dt=2024-08-08T10:53:04.407054Z, group={uid=635e1960-5574-11ef-bc86-0242ac110005, name=function bought terrace, desc=oo phase relocation}}, terminated_time_dt=2024-08-08T10:53:04.407066Z, uid=635d7fa0-5574-11ef-9af0-0242ac110005, file={created_time=1723114384339821, creator={uid=635ce108-5574-11ef-b897-0242ac110005, type_id=3, name=Heel, uid_alt=rapidly specification instructional, type=System, 
account={uid=635d0a66-5574-11ef-bcd7-0242ac110005, type_id=4, name=discs sure enclosed, type=AWS IAM Role}}, signature={certificate={uid=635c43c4-5574-11ef-a8eb-0242ac110005, created_time=1723114384334572, expiration_time_dt=2024-08-08T10:53:04.334601Z, subject=pets documentary mutual, expiration_time=1723114384334590, serial_number=anything repair rank, version=1.1.0, issuer=rounds eds contests, fingerprints=[{value=4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115, algorithm_id=7, algorithm=quickXorHash}]}, developer_uid=635c7e16-5574-11ef-b814-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=5, accessor={uid=635cc204-5574-11ef-85ce-0242ac110005, type_id=0, domain=weighted organize jim, name=Contents, type=Unknown}, type=Local Socket, version=1.1.0, xattributes={}, path=justin jm kenya/acknowledged.cgi/settled.exe, parent_folder=justin jm kenya/acknowledged.cgi, modified_time=1723114384340026, accessed_time_dt=2024-08-08T10:53:04.340128Z, name=settled.exe, hashes=[{value=E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE, algorithm_id=0, algorithm=Unknown}, {value=3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.340139Z}, cmd_line=masters treatments custody, name=Surprise, loaded_modules=[/desert/arch/conditional/mas/zinc.cgi, /direct/appendix/stated/partition/awareness.gam], user={uid=635d5bd8-5574-11ef-a7e3-0242ac110005, type_id=0, uid_alt=charging build burning, type=Unknown}, group={uid=635d7852-5574-11ef-8eaa-0242ac110005, privileges=[verbal spokesman stuart, audio mozambique mae], domain=remove ix couple, name=pendant alike china}}, terminated_time=1723114384407071, uid=635bb51c-5574-11ef-96c1-0242ac110005, integrity=Low, 
file={creator={uid=635ab20c-5574-11ef-8a49-0242ac110005, type_id=99, name=Televisions, type=restaurant, ldap_person={modified_time=1723114384328321, created_time_dt=2024-08-08T10:53:04.328333Z}}, type_id=2, confidentiality=dare assembly conflicts, modified_time_dt=2024-08-08T10:53:04.328440Z, type=Folder, path=qc stunning upcoming/freelance.b/stop.rom, parent_folder=qc stunning upcoming/freelance.b, size=184463636, accessed_time_dt=2024-08-08T10:53:04.328434Z, security_descriptor=streets teacher movie, name=stop.rom, hashes=[{value=D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8, algorithm_id=2, algorithm=SHA-1}, {value=A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4, algorithm_id=3, algorithm=SHA-256}], attributes=8, accessed_time=1723114384328345}, cmd_line=assignment position expression, user={uid=635b94ec-5574-11ef-90e7-0242ac110005, type_id=2, name=Fountain, type=Admin}, integrity_id=2, group={uid=635baaf4-5574-11ef-8c3f-0242ac110005, name=lang drivers mood}}}, xattributes={}, uid=63581182-5574-11ef-aeb6-0242ac110005, integrity=delivering shaved mexico, egid=31, file={path=pre memo parish/bibliographic.db/kerry.sdf, product={uid=6357b6b0-5574-11ef-9715-0242ac110005, cpe_name=realty contributions melissa, name=forum activists cancelled, vendor_name=actress mess enjoyed, version=1.1.0}, creator={uid=6357f01c-5574-11ef-9c74-0242ac110005, type_id=0, name=Filme, type=Unknown}, parent_folder=pre memo parish/bibliographic.db, mime_type=architecture/hall, type_id=99, modifier={uid=6357d28a-5574-11ef-b53e-0242ac110005, type_id=3, domain=theology suzuki inn, name=Criterion, groups=[{name=meanwhile vid contributed}, {uid=6357dc9e-5574-11ef-a420-0242ac110005, name=difference white sensors, type=chef laos flat, desc=undertake carried ones}], uid_alt=repair trains victim, type=System, account={type_id=9, name=fans car enable, type=Linux Account}, credential_uid=6357e5f4-5574-11ef-8af6-0242ac110005}, security_descriptor=volvo workflow pros, name=kerry.sdf, 
hashes=[{value=35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB, algorithm_id=6, algorithm=TLSH}, {value=BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB, algorithm_id=5, algorithm=CTPH}], type=terrorist}, cmd_line=mentor dust attending, group={uid=63580af2-5574-11ef-88eb-0242ac110005, name=mad integrity assessment, type=glossary scotia pete}}, user={uid=63576804-5574-11ef-9ed9-0242ac110005, type_id=0, name=Pavilion, type=Unknown, credential_uid=63576e4e-5574-11ef-85ed-0242ac110005}, tid=93, group={uid=6357784e-5574-11ef-9c0c-0242ac110005, name=sale point solutions}}, tid=82, uid=6356ef50-5574-11ef-9f3f-0242ac110005, integrity=System, file={owner={uid=6356c534-5574-11ef-9ab7-0242ac110005, full_name=Henry Tonja, name=Answer}, path=defining inch factors/ist.mpa/creations.ico, created_time=1723114384297596, product={uid=6356cfa2-5574-11ef-a798-0242ac110005, name=amateur bristol cuba, vendor_name=gentleman quit confirm, version=1.1.0}, parent_folder=defining inch factors/ist.mpa, accessed_time_dt=2024-08-08T10:53:04.297651Z, type_id=99, name=creations.ico, hashes=[{value=0976ABA0D430405622A00981BC58C6F16D2A40F1, algorithm_id=2, algorithm=SHA-1}, {value=36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088, algorithm_id=4, algorithm=SHA-512}], created_time_dt=2024-08-08T10:53:04.297659Z, type=ti}, cmd_line=capable homepage reject, name=Dead, user={uid=6356e906-5574-11ef-bcbc-0242ac110005, type_id=2, name=Theatre, type=Admin}, integrity_id=5}, user={uid=63568cfe-5574-11ef-9336-0242ac110005, full_name=Gussie Leila, email_addr=Claire@longitude.arpa, type_id=99, name=Paint, type=creative}, group={uid=635698ac-5574-11ef-a457-0242ac110005, name=prince enhance terrain, desc=dual yacht replace}}", + "parent_process_keyword": 
"{container={uid=6356a234-5574-11ef-a31f-0242ac110005, image={uid=6356aaae-5574-11ef-80e9-0242ac110005, name=bag belief such, labels=[memorabilia, producers]}, size=3349958052, name=diving invited scoring, pod_uuid=pp, runtime=louise demanding pontiac, tag=witness indicators oral, hash={value=5EF93A057B5E36A7F6F0880E87F5CF4B, algorithm_id=1, algorithm=MD5}}, created_time=1723114384296, egid=16, cmd_line=tools aluminium combinations, namespace_pid=42, name=Hung, pid=85, parent_process={container={uid=6356f91e-5574-11ef-ae76-0242ac110005, image={uid=635701a2-5574-11ef-bc46-0242ac110005, name=sao naked toddler, labels=[toolbox, taught]}, size=420397581, name=slovenia anybody colors, pod_uuid=arranged, runtime=organic worked yn, hash={value=E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384298, namespace_pid=34, pid=15, parent_process={container={uid=6357871c-5574-11ef-9b53-0242ac110005, image={uid=63578f78-5574-11ef-83eb-0242ac110005, name=lots time boolean}, orchestrator=board luis adopted, size=2152153573, name=loving revealed remarkable, hash={value=EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97, algorithm_id=5, algorithm=CTPH}}, uid=63577e16-5574-11ef-8086-0242ac110005, created_time=1723114384302, auid=39, file={owner={uid=63572f2e-5574-11ef-80bc-0242ac110005, full_name=Mistie Belkis, type_id=3, domain=harmony served deadly, name=Excessive, groups=[{uid=635738e8-5574-11ef-b1ba-0242ac110005, name=recruiting member combine}], type=System, account={uid=6357423e-5574-11ef-bd28-0242ac110005, type_id=7, type=Mac OS Account}}, is_system=false, creator={uid=635752c4-5574-11ef-9816-0242ac110005, full_name=Lauralee Thomasine, type_id=1, domain=cabinet satisfaction excitement, name=Health, type=User, ldap_person={ldap_dn=roy noticed vertical, 
surname=tract olympus editor, created_time_dt=2024-08-08T10:53:04.301134Z, location={continent=Europe, country=RS, city=Princeton judy, coordinates=[-170.2881, -62.2248], desc=Serbia, Republic of}}}, type_id=5, type=Local Socket, xattributes={}, path=everything packaging fears/sat.crdownload/sitting.bmp, uid=635748e2-5574-11ef-9899-0242ac110005, parent_folder=everything packaging fears/sat.crdownload, modified_time=1723114384301, name=sitting.bmp, hashes=[{value=D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B, algorithm_id=0, algorithm=Unknown}], accessed_time=1723114384301}, cmd_line=consists posters menus, name=Whilst, pid=51, parent_process={container={uid=63597a54-5574-11ef-acbb-0242ac110005, image={uid=63599c96-5574-11ef-8abe-0242ac110005, name=hanging assume mill}, size=3636193350, name=drill modern difference, hash={value=90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384316, euid=77, session={uid=6357a396-5574-11ef-8ef4-0242ac110005, created_time=1723114384303, is_remote=false, is_mfa=true, issuer=demonstration holmes california}, namespace_pid=49, pid=93, parent_process={container={uid=635a7206-5574-11ef-b9d6-0242ac110005, image={uid=635a8282-5574-11ef-8212-0242ac110005}, size=560452224, name=answers camera televisions, hash={value=FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828, algorithm_id=7, algorithm=quickXorHash}}, uid=635a5c26-5574-11ef-8945-0242ac110005, created_time=1723114384322, egid=67, file={path=proper unified cingular/outsourcing.cs/venice.pct, created_time=1723114384320, product={vendor_name=staying attachment med, version=1.1.0}, parent_folder=proper unified cingular/outsourcing.cs, type_id=3, name=venice.pct, 
accessor={uid=635a477c-5574-11ef-8dd3-0242ac110005, type_id=2, name=Arlington, type=Admin, credential_uid=635a4f2e-5574-11ef-b0c1-0242ac110005}, hashes=[{value=5B54C0A045F179BCBBBC9ABCB8B5CD4C, algorithm_id=1, algorithm=MD5}, {value=B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91, algorithm_id=99, algorithm=magic}], accessed_time=1723114384320, modified_time_dt=2024-08-08T10:53:04.320622Z, type=Character Device, desc=advantage profit fall}, cmd_line=cup rights charger, namespace_pid=14, name=Ft, pid=85, parent_process={container={uid=635bd29a-5574-11ef-a523-0242ac110005, image={uid=635c0198-5574-11ef-ba77-0242ac110005, name=junction naval insulation, tag=watches wellington muscle}, size=1841031275, name=ink bio mileage, pod_uuid=nuclear, runtime=effort des lu, hash={value=FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384332, euid=45, namespace_pid=91, pid=1, parent_process={container={uid=635d91e8-5574-11ef-bfc1-0242ac110005, image={uid=635dba88-5574-11ef-a7d2-0242ac110005, name=bring president swap}, network_driver=crawford invitation pierce, orchestrator=differences lycos cut, size=175725837, name=ate worth powerpoint, runtime=society mem dependence, hash={value=7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384343, auid=31, euid=40, namespace_pid=17, sandbox=conversations poker oriented, pid=46, parent_process={container={uid=635e290a-5574-11ef-8290-0242ac110005, image={uid=635e31d4-5574-11ef-8b11-0242ac110005, tag=developer characterized chelsea}, size=1634165265, name=dry age their, tag=revised bytes swingers, hash={value=D5F2E5C77054C44C2C72A1B017DECA06FC637C99, algorithm_id=2, algorithm=SHA-1}}, uid=635e1f5a-5574-11ef-aad7-0242ac110005, created_time=1723114384346, 
file={owner={uid=635ddb94-5574-11ef-ab3f-0242ac110005, org={name=whom demand thereof, ou_name=weighted fundraising drainage}, type_id=1, name=Tissue, type=User}, is_system=false, type_id=1, confidentiality=Unknown, modified_time_dt=2024-08-08T10:53:04.344556Z, type=Regular File, path=commons employ nickel/humanity.swf/earnings.otf, parent_folder=commons employ nickel/humanity.swf, confidentiality_id=0, company_name=Abby Cyrus, security_descriptor=correctly screenshots reached, name=earnings.otf, hashes=[{value=EE1150845FA3041CEB3A3FCDBE42D68A, algorithm_id=1, algorithm=MD5}, {value=DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.344543Z}, cmd_line=macedonia reid wanna, name=During, pid=22, parent_process={container={uid=635eaa7e-5574-11ef-99fc-0242ac110005, image={uid=635eb3a2-5574-11ef-8a60-0242ac110005, name=carolina bio conversion}, orchestrator=wto murray posted, size=2909077433, name=car ericsson vary, pod_uuid=designed, tag=apparent philadelphia southern, hash={value=62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407, algorithm_id=3, algorithm=SHA-256}}, created_time=1723114384349, euid=11, namespace_pid=5, pid=15, parent_process={container={uid=635f000a-5574-11ef-bd88-0242ac110005, image={uid=635f0898-5574-11ef-a44a-0242ac110005, name=procedures later palestinian}, orchestrator=teens motion deaths, size=22516444, name=thomson multi reliable, hash={value=B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384351, namespace_pid=7, sandbox=em therefore spoke, pid=58, parent_process={container={uid=635f7e18-5574-11ef-84ec-0242ac110005, image={uid=635f891c-5574-11ef-9147-0242ac110005, name=packs auction technical}, size=574926482, name=inquire justice risks, 
runtime=fragrance instances sun}, lineage=[lying advertisements renew, buf prescribed puerto], created_time=1723114384354, namespace_pid=80, pid=86, parent_process={lineage=[trees saving alias, ssl september rack], uid=635fa406-5574-11ef-809b-0242ac110005, auid=32, cmd_line=information propecia md, namespace_pid=50, name=Blogger, pid=77, parent_process={container={uid=63600950-5574-11ef-aae8-0242ac110005, image={path=trades mess wishlist, uid=6360136e-5574-11ef-8aec-0242ac110005, name=jersey elected projector, tag=members breathing powers}, size=3538073681, name=homes commonwealth recall}, created_time=1723114384358, euid=92, namespace_pid=6, pid=15, parent_process={container={image={uid=636066de-5574-11ef-9bc9-0242ac110005, name=listing hardwood defined}, orchestrator=australian future sponsor, size=119356271, name=heather troubleshooting considerable, hash={value=F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876, algorithm_id=4, algorithm=SHA-512}}, lineage=[seeds spouse noble, lifestyle fault floors], uid=636054f0-5574-11ef-8588-0242ac110005, created_time=1723114384360, file={path=throws additions myspace/jackets.b/patches.tar, uid=636040d2-5574-11ef-965c-0242ac110005, parent_folder=throws additions myspace/jackets.b, confidentiality_id=4, signature={certificate={created_time=1723114384358, subject=donate tons media, expiration_time=1723114384358, serial_number=fell lab weddings, version=1.1.0, issuer=italic hamburg judges, fingerprints=[{value=F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543, algorithm_id=5, algorithm=CTPH}]}, developer_uid=63603196-5574-11ef-ac47-0242ac110005, algorithm_id=1, algorithm=DSA}, type_id=0, confidentiality=Top Secret, name=patches.tar, 
hashes=[{value=04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21, algorithm_id=4, algorithm=SHA-512}, {value=6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8, algorithm_id=7, algorithm=quickXorHash}], modified_time_dt=2024-08-08T10:53:04.359528Z, type=Unknown}, cmd_line=swingers centers burke, namespace_pid=18, sandbox=representing stationery affiliated, pid=31, parent_process={container={uid=63613c44-5574-11ef-bd50-0242ac110005, image={uid=63614568-5574-11ef-bf7a-0242ac110005, name=rate ben fish}, size=1952448709, name=obligation catalyst concentrations, runtime=tex strings mounted, hash={value=43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3, algorithm_id=99, algorithm=magic}}, uid=636132c6-5574-11ef-83af-0242ac110005, created_time=1723114384366, auid=5, file={path=calcium amateur harmony/ltd.toast/implemented.rom, creator={uid=6360d920-5574-11ef-a83a-0242ac110005, type_id=0, domain=adjustment container harris, name=With, type=Unknown, account={uid=6360e442-5574-11ef-9167-0242ac110005, type_id=9, name=europe eating mailing, type=Linux Account}}, parent_folder=calcium amateur harmony/ltd.toast, type_id=0, modifier={uid=6360b08a-5574-11ef-ae8e-0242ac110005, type_id=2, type=Admin, ldap_person={ldap_dn=census doors though, ldap_cn=racing morgan volt, cost_center=verify nut levels, location={continent=Europe, country=HR, city=Regulations technician, coordinates=[-57.4552, 63.8901], desc=Croatia, Republic of}, modified_time_dt=2024-08-08T10:53:04.363022Z}}, name=implemented.rom, hashes=[{value=19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661, algorithm_id=3, algorithm=SHA-256}, {value=652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F, algorithm_id=3, algorithm=SHA-256}], modified_time_dt=2024-08-08T10:53:04.363717Z, type=Unknown}, cmd_line=psp bush feet, 
namespace_pid=17, pid=42, parent_process={container={uid=63620160-5574-11ef-b37a-0242ac110005, image={path=gulf brian arrow, uid=63620bec-5574-11ef-8f30-0242ac110005, name=apt lp screen}, network_driver=ks field roger, size=3565502421, name=waste counties homepage, pod_uuid=breathing}, created_time=1723114384371, euid=20, session={uid=6361567a-5574-11ef-b26b-0242ac110005, created_time=1723114384366, is_remote=false, issuer=level boc morrison, credential_uid=63615e22-5574-11ef-b196-0242ac110005}, namespace_pid=72, pid=16, parent_process={container={uid=6362bb3c-5574-11ef-8a12-0242ac110005, image={uid=6362c56e-5574-11ef-8c25-0242ac110005, name=pi churches es}, orchestrator=asking jerry namespace, size=1384069832, name=calvin actor describe, tag=automobiles gratuit tower, hash={value=67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384376, namespace_pid=67, pid=14, parent_process={container={uid=63633e40-5574-11ef-9825-0242ac110005, image={uid=6363469c-5574-11ef-9299-0242ac110005}, size=2004032787, name=deputy mirror eagle, tag=magazine looking deemed, hash={value=55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037, algorithm_id=4, algorithm=SHA-512}}, uid=63633300-5574-11ef-80ee-0242ac110005, created_time=1723114384379, file={path=pennsylvania matthew somewhere/saw.dbf/tennessee.wsf, uid=6362dc0c-5574-11ef-b631-0242ac110005, is_system=false, creator={uid=6362e6ac-5574-11ef-a13c-0242ac110005, email_addr=Lorretta@components.nato, type_id=1, name=Cognitive, type=User}, parent_folder=pennsylvania matthew somewhere/saw.dbf, type_id=2, security_descriptor=lcd elementary surround, name=tennessee.wsf, hashes=[{value=1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734, algorithm_id=3, algorithm=SHA-256}, 
{value=DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434, algorithm_id=99, algorithm=magic}], attributes=1, type=Folder}, cmd_line=magazines spin aaron, namespace_pid=66, name=Animal, created_time_dt=2024-08-08T10:53:04.406974Z, pid=95, parent_process={container={uid=63638544-5574-11ef-bbd6-0242ac110005, image={uid=63638df0-5574-11ef-8d90-0242ac110005, name=exist acceptance britney}, network_driver=shops congratulations variance, name=contain accepted gba, runtime=admin hammer variance, tag=geographical registered suspension, hash={value=83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A, algorithm_id=99, algorithm=magic}}, created_time=1723114384381, euid=11, namespace_pid=1, sandbox=delays fighting soonest, parent_process={container={uid=6363dbde-5574-11ef-a3c5-0242ac110005, image={uid=6363e57a-5574-11ef-8bf7-0242ac110005, name=errors request zdnet}, orchestrator=viral lindsay intellectual, size=2306842201, name=astronomy routing grocery, tag=exchange timber candles, hash={value=237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E, algorithm_id=4, algorithm=SHA-512}}, uid=6363d120-5574-11ef-b647-0242ac110005, created_time=1723114384383, file={is_system=true, type_id=7, confidentiality=Confidential, type=Symbolic Link, path=watts leave ukraine/ringtones.rtf/fits.cfm, parent_folder=watts leave ukraine/ringtones.rtf, confidentiality_id=2, accessed_time_dt=2024-08-08T10:53:04.381694Z, security_descriptor=selling dt few, name=fits.cfm, hashes=[{value=B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E, algorithm_id=4, algorithm=SHA-512}, {value=3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124, algorithm_id=2, algorithm=SHA-1}], created_time_dt=2024-08-08T10:53:04.381707Z, attributes=2}, cmd_line=effects day pocket, namespace_pid=39, sandbox=declare indication occupations, pid=44, 
parent_process={container={uid=63642e36-5574-11ef-aac4-0242ac110005, orchestrator=preview contractors helps, size=639972788, name=texas comments creator, hash={value=1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384385, file={owner={uid=63640244-5574-11ef-864e-0242ac110005, type_id=99, name=Priorities, type=uploaded, account={uid=63640bea-5574-11ef-881a-0242ac110005, type_id=0, name=charles verification grave, type=Unknown}}, path=alter checked emperor/toner.htm/photo.gadget, created_time=1723114384384, parent_folder=alter checked emperor/toner.htm, confidentiality_id=1, type_id=7, confidentiality=Not Confidential, name=photo.gadget, hashes=[{value=DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0, algorithm_id=4, algorithm=SHA-512}, {value=5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0, algorithm_id=3, algorithm=SHA-256}], type=Symbolic Link, version=1.1.0}, cmd_line=lung mega nn, namespace_pid=8, name=Vessels, sandbox=challenged profiles family, pid=73, parent_process={container={uid=636474e0-5574-11ef-bca8-0242ac110005, image={path=advantage bm record, uid=63647df0-5574-11ef-b02b-0242ac110005, name=advertisement metabolism bound, tag=parent prostores taste}, orchestrator=child railroad thehun, name=katrina commonly sweet, hash={value=36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605, algorithm_id=0, algorithm=Unknown}}, created_time=1723114384387, euid=78, namespace_pid=4, pid=56, parent_process={container={image={uid=636511ac-5574-11ef-b939-0242ac110005, name=federation technical rally}, orchestrator=winning business collaborative, size=117561636, 
hash={value=1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657, algorithm_id=4, algorithm=SHA-512}}, created_time=1723114384391, auid=30, session={created_time=1723114384387, is_vpn=true, is_remote=true, issuer=mounts burns budgets}, pid=34, parent_process={container={uid=6365ab4e-5574-11ef-a5b2-0242ac110005, image={uid=6365b47c-5574-11ef-94cc-0242ac110005, name=graphs uni learned}, network_driver=nh essentials blogs, size=2490340163, name=hack aud canadian, pod_uuid=automobiles, hash={value=1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98, algorithm_id=6, algorithm=TLSH}}, uid=6365a1b2-5574-11ef-847c-0242ac110005, created_time=1723114384395, file={owner={uid=63653dee-5574-11ef-8c70-0242ac110005, type_id=3, domain=affiliation arab invision, type=System, ldap_person={created_time=1723114384392, leave_time=1723114384392, email_addrs=[Olympia@jesse.travel, Mina@seeking.com], ldap_cn=professionals worm eng, given_name=pulse waiver footwear, employee_uid=63654de8-5574-11ef-a8ac-0242ac110005}}, is_system=true, product={uid=6365590a-5574-11ef-aaa7-0242ac110005, name=mumbai determined nobody, vendor_name=infected listen uk, lang=en, version=1.1.0}, creator={uid=636569d6-5574-11ef-bef4-0242ac110005, type_id=99, name=Kurt, uid_alt=rack fake bleeding, type=examines, account={uid=63657340-5574-11ef-b69a-0242ac110005, type_id=10, name=petite suggestions british, type=AWS Account}}, type_id=2, confidentiality=Secret, type=Folder, version=1.1.0, path=gotten unique thereafter/championship.deskthemepack/medication.pdf, uid=63655f9a-5574-11ef-add1-0242ac110005, parent_folder=gotten unique thereafter/championship.deskthemepack, size=1001943972, confidentiality_id=3, name=medication.pdf, hashes=[{value=C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1, 
algorithm_id=7, algorithm=quickXorHash}]}, cmd_line=sorts sites obtained, session={uid=636527dc-5574-11ef-a1e5-0242ac110005, created_time=1723114384391, is_vpn=false, expiration_reason=declined attorney sunday, expiration_time_dt=2024-08-08T10:53:04.391655Z, count=58, is_remote=false, uid_alt=sim yorkshire adaptation, issuer=petition disclaimer clara}, namespace_pid=90, name=Vic, pid=16, parent_process={container={uid=636616ce-5574-11ef-bd26-0242ac110005, image={uid=63661fac-5574-11ef-9e80-0242ac110005, name=handy derek tb}, name=barriers cheaper logged, runtime=logos drilling schools, hash={value=6F08C5DDCDD0BE06D83AA3E0E3D5A09E, algorithm_id=1, algorithm=MD5}}, created_time=1723114384397, session={created_time=1723114384396, expiration_reason=politics nt username, expiration_time_dt=2024-08-08T10:53:04.396343Z, expiration_time=1723114384396, is_remote=true, uuid=6365e014-5574-11ef-a98e-0242ac110005, issuer=bluetooth raise shopping}, namespace_pid=82, pid=2, parent_process={container={uid=6366e1b2-5574-11ef-a230-0242ac110005, image={uid=6366ed6a-5574-11ef-9f59-0242ac110005, name=newspapers marriage translations}, size=1994539178, name=butter repeated annie, hash={value=E94025BE336B1F89159AF64B1F6EDA5D470AC8D6, algorithm_id=2, algorithm=SHA-1}}, created_time=1723114384403, auid=58, euid=32, namespace_pid=98, pid=76, parent_process={lineage=[operational pilot citysearch], uid=63677a6e-5574-11ef-9578-0242ac110005, created_time=1723114384406, file={is_system=false, product={uid=6367296a-5574-11ef-8136-0242ac110005, vendor_name=cindy specifications frontpage, lang=en, version=1.1.0}, signature={certificate={created_time=1723114384404, subject=lion struggle widespread, expiration_time=1723114384404, serial_number=negotiation feel cole, version=1.1.0, issuer=clocks suppose products, fingerprints=[{value=83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E, algorithm_id=6, algorithm=TLSH}]}, 
algorithm_id=99, algorithm=gotten}, type_id=3, confidentiality=Top Secret, type=Character Device, version=1.1.0, path=breast enjoying verbal/assure.gam/accuracy.kmz, uid=63673090-5574-11ef-ad66-0242ac110005, parent_folder=breast enjoying verbal/assure.gam, confidentiality_id=4, accessed_time_dt=2024-08-08T10:53:04.404997Z, name=accuracy.kmz, hashes=[{value=D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C, algorithm_id=7, algorithm=quickXorHash}, {value=990D4710B15458E3EDAA8601CDF5B44648B4FC61, algorithm_id=2, algorithm=SHA-1}]}, cmd_line=mere loaded similar, session={uid=636701d8-5574-11ef-a4f1-0242ac110005, expiration_reason=washing sunday reaching, expiration_time_dt=2024-08-08T10:53:04.403964Z, expiration_time=1723114384403, is_remote=true, created_time_dt=2024-08-08T10:53:04.403955Z, credential_uid=6367082c-5574-11ef-aaa8-0242ac110005}, name=Exotic, pid=64, user={uid=6367417a-5574-11ef-8cd6-0242ac110005, full_name=Mayme Lurline, type_id=2, name=Saver, groups=[{uid=63676952-5574-11ef-a883-0242ac110005, domain=identification browsing structures, name=guyana applied attribute}], type=Admin}, tid=41, group={uid=63677460-5574-11ef-a07f-0242ac110005, name=executive mathematical signals}}, uid=6366be8a-5574-11ef-a313-0242ac110005, integrity=applying observe nba, file={creator={uid=63667ca4-5574-11ef-a8ae-0242ac110005, type_id=3, name=Quotes, groups=[{uid=636685fa-5574-11ef-8fd9-0242ac110005, name=engineers constitute papers}, {uid=63668c80-5574-11ef-bd3d-0242ac110005, type=introducing amendments portuguese}], type=System, ldap_person={modified_time=1723114384401, last_login_time_dt=2024-08-08T10:53:04.401225Z, location={continent=Asia, country=CY, city=Bibliographic selections, coordinates=[-120.1139, 17.5612], desc=Cyprus, Republic of}, office_location=dl td transition}, account={uid=636695b8-5574-11ef-8e13-0242ac110005, type_id=5, name=hewlett beats hit, type=GCP Account}}, type_id=7, 
modifier={uid=63663aa0-5574-11ef-89ff-0242ac110005, type_id=2, name=Incident, groups=[{uid=63665ca6-5574-11ef-abfa-0242ac110005, domain=adventure charter tom, name=guest demographic terry}, {uid=636664f8-5574-11ef-96ca-0242ac110005, name=moderators broker asian}], uid_alt=notre sponsorship elections, type=Admin, account={uid=63666f0c-5574-11ef-98ef-0242ac110005, type_id=2, type=Windows Account}}, type=Symbolic Link, version=1.1.0, xattributes={}, path=arizona concentrations widescreen/wire.tax2020/placement.3dm, parent_folder=arizona concentrations widescreen/wire.tax2020, company_name=Christa Marta, name=placement.3dm, hashes=[{value=5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366, algorithm_id=7, algorithm=quickXorHash}, {value=E2A4DD55AA0F76F85A047DAF5B859095, algorithm_id=1, algorithm=MD5}], created_time_dt=2024-08-08T10:53:04.401316Z, attributes=9, accessed_time=1723114384401, desc=populations servers environments}, cmd_line=accessible annotated plus, name=Recommendations, created_time_dt=2024-08-08T10:53:04.406843Z, user={uid=6366aed6-5574-11ef-855a-0242ac110005, type_id=3, name=Taxes, type=System}, group={uid=6366b8c2-5574-11ef-a4e8-0242ac110005, domain=apollo clicking incorrect, name=split viking nike}}, terminated_time=1723114384406, uid=63660b34-5574-11ef-bbcf-0242ac110005, file={created_time=1723114384396, signature={certificate={subject=national garmin even, expiration_time=1723114384396, serial_number=rhode realty talented, version=1.1.0, issuer=cut duo agencies, fingerprints=[{value=E8D8654C197E7B3BEED4D69E3EDD3A5B, algorithm_id=1, algorithm=MD5}, {value=75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=99, algorithm=vendor}, type_id=7, confidentiality=freelance pty ferrari, modified_time_dt=2024-08-08T10:53:04.396853Z, type=Symbolic Link, 
xattributes={}, path=rear biology finest/nintendo.class/atlantic.icns, parent_folder=rear biology finest/nintendo.class, modified_time=1723114384396, name=atlantic.icns, hashes=[{value=0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007, algorithm_id=0, algorithm=Unknown}, {value=D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11, algorithm_id=2, algorithm=SHA-1}], desc=specific aside io}, cmd_line=canada federation computational, name=Offline, user={uid=6366010c-5574-11ef-bfe7-0242ac110005, type_id=1, domain=crops midi hope, name=Collectables, uid_alt=thunder pickup tab, type=User}, group={desc=muze comply jets}}, user={uid=6365822c-5574-11ef-95fb-0242ac110005, email_addr=Lynetta@lib.jobs, org={uid=63658ac4-5574-11ef-bea5-0242ac110005, name=jerry calling mardi, ou_name=motion ampland acknowledged}, type_id=99, type=recent, credential_uid=63659186-5574-11ef-a13d-0242ac110005}, group={uid=63659b86-5574-11ef-ac1a-0242ac110005, domain=explicitly retreat de, name=phys dollar not, type=foster prefer phys}}, tid=42, xattributes={}, uid=636504b4-5574-11ef-af4a-0242ac110005, file={owner={uid=6364960a-5574-11ef-ad32-0242ac110005, org={ou_uid=6364acb2-5574-11ef-b1ce-0242ac110005, uid=6364a60e-5574-11ef-aaf1-0242ac110005, name=arrive protecting fy, ou_name=cat saints infringement}, type_id=1, name=Nov, groups=[{uid=6364d64c-5574-11ef-a880-0242ac110005, name=head state rubber}, {uid=6364de3a-5574-11ef-9448-0242ac110005, name=catalyst strong mins, desc=consortium bald removing}], type=User}, product={path=internship progress gun, vendor_name=sp protection requests, lang=en, version=1.1.0}, type_id=7, type=Symbolic Link, version=1.1.0, path=executed removal years/among.yuv/employment.wma, parent_folder=executed removal years/among.yuv, accessed_time_dt=2024-08-08T10:53:04.389945Z, mime_type=medal/nearly, name=employment.wma, 
hashes=[{value=5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28, algorithm_id=5, algorithm=CTPH}, {value=BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.389957Z, attributes=97}, cmd_line=macintosh enjoying disposal, name=Burning, user={uid=6364f62c-5574-11ef-be1d-0242ac110005, type_id=99, name=Without, type=celebs}, group={desc=allowance vacation ae}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.406915Z, uid=63646b44-5574-11ef-a77a-0242ac110005, file={path=diagnosis angeles portsmouth/travels.mpa/ba.3ds, created_time=1723114384386, parent_folder=diagnosis angeles portsmouth/travels.mpa, type_id=4, name=ba.3ds, hashes=[{value=50D299D6D7966A2DC1E0CF7FEB739E33, algorithm_id=1, algorithm=MD5}, {value=328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.386239Z, accessed_time=1723114384386, type=Block Device}, cmd_line=notre cameras draw, name=Scott, user={type_id=2, domain=amendment spot sudan, name=Kit, type=Admin}, group={uid=63646496-5574-11ef-bfc5-0242ac110005, name=passed rankings affects}}, user={uid=63641a22-5574-11ef-8919-0242ac110005, email_addr=Lauryn@reliance.travel, type_id=99, type=carmen, account={uid=636423be-5574-11ef-8304-0242ac110005, type_id=10, name=reef terrorist graduation, type=AWS Account}}, xattributes={}}, user={uid=6363b992-5574-11ef-9143-0242ac110005, name=Edgar, ldap_person={email_addrs=[Mariann@routine.net], deleted_time_dt=2024-08-08T10:53:04.382339Z, job_title=alto languages tanks}}, xattributes={}, group={uid=6363ca0e-5574-11ef-837d-0242ac110005, privileges=[ingredients pins connector], name=thinking offices worcester}}, tid=66, 
uid=63637afe-5574-11ef-b99b-0242ac110005, integrity=Protected, file={path=important companion consultancy/wallpaper.drv/plasma.3dm, parent_folder=important companion consultancy/wallpaper.drv, confidentiality_id=3, signature={certificate={created_time=1723114384380, subject=assuming remarks brass, expiration_time=1723114384380, serial_number=provinces medicine it, version=1.1.0, issuer=sheet registry concord, fingerprints=[{value=EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF, algorithm_id=3, algorithm=SHA-256}, {value=E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59, algorithm_id=5, algorithm=CTPH}]}, algorithm_id=0, algorithm=Unknown}, type_id=2, confidentiality=Secret, name=plasma.3dm, hashes=[{value=9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591, algorithm_id=3, algorithm=SHA-256}, {value=208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5, algorithm_id=6, algorithm=TLSH}], type=Folder}, cmd_line=felt essay relax, name=Delight, user={email_addr=Numbers@si.coop, type_id=2, name=Focused, uid_alt=biggest stupid linking, type=Admin}, integrity_id=6, group={privileges=[costs anthropology nickname, nbc dns flex], name=jar transparency sing}}, user={uid=63630eca-5574-11ef-b29c-0242ac110005, email_addr=Classie@municipality.pro, org={uid=636317ee-5574-11ef-b39a-0242ac110005, name=mighty thou ff, ou_name=companies functions hockey}, type_id=0, name=Guys, groups=[{uid=636321d0-5574-11ef-ae4b-0242ac110005, domain=parties entertainment lemon, name=hood powers merely}, {privileges=[etc survey at, cohen mails bio], name=rise parcel bookmarks}], type=Unknown}, group={uid=63632d38-5574-11ef-85c8-0242ac110005, name=legislature normal lectures}}, terminated_time=1723114384406, uid=6362b0ec-5574-11ef-bb67-0242ac110005, integrity=System, file={path=regularly drivers 
sacred/rational.fla/wing.crdownload, created_time=1723114384374, product={uid=636288ba-5574-11ef-b671-0242ac110005, name=cr fat generators, vendor_name=conflicts feed receivers, lang=en, version=1.1.0}, parent_folder=regularly drivers sacred/rational.fla, modified_time=1723114384374, type_id=2, name=wing.crdownload, hashes=[{value=140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02, algorithm_id=7, algorithm=quickXorHash}, {value=E405FA83FE9CFE003B49FD852D4429D0EFF2F914, algorithm_id=2, algorithm=SHA-1}], created_time_dt=2024-08-08T10:53:04.374525Z, attributes=39, type=Folder, xattributes={}}, cmd_line=railway filling consistent, name=Definitely, loaded_modules=[/fri/tall/bit/rap/meyer.hqx], user={uid=63629a58-5574-11ef-8c2b-0242ac110005, type_id=1, domain=adding merit extend, name=Influenced, type=User, credential_uid=6362a124-5574-11ef-a23f-0242ac110005}, integrity_id=5, group={uid=6362ab10-5574-11ef-adda-0242ac110005, domain=enterprises civil knowledge, desc=patch celebration lancaster}}, uid=6361f634-5574-11ef-87d8-0242ac110005, file={owner={type_id=2, name=Yoga, type=Admin}, path=variable their precipitation/moving.sql/python.bin, parent_folder=variable their precipitation/moving.sql, signature={certificate={created_time=1723114384368, subject=x tide described, expiration_time=1723114384368, serial_number=ultimate nervous george, version=1.1.0, issuer=equations different edward, fingerprints=[{value=90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=4, algorithm=Authenticode}, mime_type=personnel/bids, type_id=99, name=python.bin, accessor={uid=6361bec6-5574-11ef-81b5-0242ac110005, type_id=99, domain=elizabeth cheapest solution, name=Jd, type=deviant}, 
hashes=[{value=2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3, algorithm_id=5, algorithm=CTPH}], type=afghanistan}, cmd_line=distances participating maintenance, name=Versions, user={uid=6361cccc-5574-11ef-994f-0242ac110005, email_addr=Kristin@tion.net, org={uid=6361d546-5574-11ef-b2b3-0242ac110005, name=watts desktop hong}, type_id=99, name=Spring, type=nu, account={uid=6361dec4-5574-11ef-80de-0242ac110005, type_id=8, name=bd atom berkeley, type=Apple Account}}, group={uid=6361ef22-5574-11ef-8892-0242ac110005, name=academics secondary simon}}, user={uid=6360f752-5574-11ef-a1db-0242ac110005, type_id=3, name=Satisfaction, type=System, account={uid=636119d0-5574-11ef-a86d-0242ac110005, type_id=1, type=LDAP Account}, credential_uid=6361204c-5574-11ef-8854-0242ac110005}, group={uid=63612c22-5574-11ef-800b-0242ac110005, privileges=[joining boots aw, gang robust transport], name=flags gang blow, desc=mistakes prediction toy}}, group={uid=63604e4c-5574-11ef-9f32-0242ac110005, name=recommends pollution humans}}, tid=26, uid=635ffed8-5574-11ef-b0fd-0242ac110005, integrity=High, file={path=seem party existence/buried.3dm/lotus.pkg, created_time=1723114384355, is_system=true, parent_folder=seem party existence/buried.3dm, accessed_time_dt=2024-08-08T10:53:04.355980Z, type_id=5, confidentiality=belief hard romania, name=lotus.pkg, hashes=[{value=921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF, algorithm_id=5, algorithm=CTPH}, {value=E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA, algorithm_id=7, algorithm=quickXorHash}], attributes=31, type=Local Socket}, cmd_line=gamecube forbes described, name=Defense, user={uid=635fca94-5574-11ef-82f0-0242ac110005, type_id=99, name=Blogs, groups=[{uid=635fd57a-5574-11ef-84bc-0242ac110005, type=buyer 
spirit webcam}, {uid=635fe13c-5574-11ef-85a3-0242ac110005, name=cooperation meditation memo, desc=discretion fantastic tactics}], type=novel, ldap_person={leave_time=1723114384357, email_addrs=[Kimberley@sip.int], modified_time_dt=2024-08-08T10:53:04.357320Z}, credential_uid=635fe862-5574-11ef-ba0c-0242ac110005}, integrity_id=4, group={uid=635ff8a2-5574-11ef-af7e-0242ac110005, name=care viii external, type=right crowd crops, desc=appointed opponent written}}, user={uid=635f9c7c-5574-11ef-b4d1-0242ac110005, type_id=99, name=Lenses, uid_alt=penalty spray weight, type=dairy}}, uid=635f63d8-5574-11ef-8afe-0242ac110005, integrity=deutsche what indians, file={path=sports amp assess/explosion.sln/offered.avi, parent_folder=sports amp assess/explosion.sln, type_id=2, security_descriptor=salmon sister tucson, name=offered.avi, accessed_time=1723114384352, type=Folder}, cmd_line=reflects champion naughty, name=Gen, user={uid=635f51c2-5574-11ef-bad8-0242ac110005, type_id=0, name=Rest, type=Unknown}, group={uid=635f5d02-5574-11ef-be03-0242ac110005, privileges=[seasonal railroad already], name=produces consequence selling}}, xattributes={}, uid=635ef6dc-5574-11ef-a3ad-0242ac110005, file={signature={certificate={subject=durham sitting hiv, expiration_time=1723114384349, serial_number=field geek theater, version=1.1.0, issuer=eq designers loc, fingerprints=[{value=B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10, algorithm_id=6, algorithm=TLSH}, {value=8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99, algorithm_id=7, algorithm=quickXorHash}]}, algorithm_id=2, algorithm=RSA}, type_id=4, type=Block Device, xattributes={}, path=newsletter tulsa locale/wait.cab/closing.3ds, uid=635ed24c-5574-11ef-9b19-0242ac110005, parent_folder=newsletter tulsa locale/wait.cab, modified_time=1723114384350, size=2333859778, 
mime_type=radio/minolta, security_descriptor=went stick curious, name=closing.3ds, hashes=[{value=65BD10756687E64C347423BA3836F065, algorithm_id=1, algorithm=MD5}, {value=B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495, algorithm_id=3, algorithm=SHA-256}]}, cmd_line=statutes columnists commerce, name=Lm, created_time_dt=2024-08-08T10:53:04.407027Z, user={uid=635ee0e8-5574-11ef-ac61-0242ac110005, type_id=3, name=Gossip, type=System, credential_uid=635ee75a-5574-11ef-ac0c-0242ac110005}, group={uid=635ef114-5574-11ef-8c2b-0242ac110005, name=alcohol surprise http, desc=wales if adams}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.407047Z, uid=635e817a-5574-11ef-850e-0242ac110005, integrity=ag disagree anymore, file={path=monkey refused genesis/pictures.cs/modification.php, parent_folder=monkey refused genesis/pictures.cs, confidentiality_id=1, type_id=1, confidentiality=Not Confidential, name=modification.php, attributes=27, type=Regular File}, cmd_line=rides vids label, name=Door, user={uid=635e6e38-5574-11ef-9132-0242ac110005, type_id=3, name=Roller, type=System}, group={uid=635e79b4-5574-11ef-b9e2-0242ac110005, privileges=[later conversion foreign, shadows phpbb ate], name=dogs republic occurrence, type=headers brunei ontario}}, user={uid=635e09a2-5574-11ef-8b02-0242ac110005, name=Greenhouse, uid_alt=nu tiny challenging}, terminated_time_dt=2024-08-08T10:53:04.407054Z, group={uid=635e1960-5574-11ef-bc86-0242ac110005, name=function bought terrace, desc=oo phase relocation}}, terminated_time_dt=2024-08-08T10:53:04.407066Z, uid=635d7fa0-5574-11ef-9af0-0242ac110005, file={created_time=1723114384339, creator={uid=635ce108-5574-11ef-b897-0242ac110005, type_id=3, name=Heel, uid_alt=rapidly specification instructional, type=System, account={uid=635d0a66-5574-11ef-bcd7-0242ac110005, type_id=4, name=discs sure enclosed, type=AWS IAM Role}}, signature={certificate={uid=635c43c4-5574-11ef-a8eb-0242ac110005, created_time=1723114384334, 
expiration_time_dt=2024-08-08T10:53:04.334601Z, subject=pets documentary mutual, expiration_time=1723114384334, serial_number=anything repair rank, version=1.1.0, issuer=rounds eds contests, fingerprints=[{value=4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115, algorithm_id=7, algorithm=quickXorHash}]}, developer_uid=635c7e16-5574-11ef-b814-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=5, accessor={uid=635cc204-5574-11ef-85ce-0242ac110005, type_id=0, domain=weighted organize jim, name=Contents, type=Unknown}, type=Local Socket, version=1.1.0, xattributes={}, path=justin jm kenya/acknowledged.cgi/settled.exe, parent_folder=justin jm kenya/acknowledged.cgi, modified_time=1723114384340, accessed_time_dt=2024-08-08T10:53:04.340128Z, name=settled.exe, hashes=[{value=E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE, algorithm_id=0, algorithm=Unknown}, {value=3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.340139Z}, cmd_line=masters treatments custody, name=Surprise, loaded_modules=[/desert/arch/conditional/mas/zinc.cgi, /direct/appendix/stated/partition/awareness.gam], user={uid=635d5bd8-5574-11ef-a7e3-0242ac110005, type_id=0, uid_alt=charging build burning, type=Unknown}, group={uid=635d7852-5574-11ef-8eaa-0242ac110005, privileges=[verbal spokesman stuart, audio mozambique mae], domain=remove ix couple, name=pendant alike china}}, terminated_time=1723114384407, uid=635bb51c-5574-11ef-96c1-0242ac110005, integrity=Low, file={creator={uid=635ab20c-5574-11ef-8a49-0242ac110005, type_id=99, name=Televisions, type=restaurant, ldap_person={modified_time=1723114384328, created_time_dt=2024-08-08T10:53:04.328333Z}}, type_id=2, confidentiality=dare assembly 
conflicts, modified_time_dt=2024-08-08T10:53:04.328440Z, type=Folder, path=qc stunning upcoming/freelance.b/stop.rom, parent_folder=qc stunning upcoming/freelance.b, size=184463636, accessed_time_dt=2024-08-08T10:53:04.328434Z, security_descriptor=streets teacher movie, name=stop.rom, hashes=[{value=D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8, algorithm_id=2, algorithm=SHA-1}, {value=A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4, algorithm_id=3, algorithm=SHA-256}], attributes=8, accessed_time=1723114384328}, cmd_line=assignment position expression, user={uid=635b94ec-5574-11ef-90e7-0242ac110005, type_id=2, name=Fountain, type=Admin}, integrity_id=2, group={uid=635baaf4-5574-11ef-8c3f-0242ac110005, name=lang drivers mood}}}, xattributes={}, uid=63581182-5574-11ef-aeb6-0242ac110005, integrity=delivering shaved mexico, egid=31, file={path=pre memo parish/bibliographic.db/kerry.sdf, product={uid=6357b6b0-5574-11ef-9715-0242ac110005, cpe_name=realty contributions melissa, name=forum activists cancelled, vendor_name=actress mess enjoyed, version=1.1.0}, creator={uid=6357f01c-5574-11ef-9c74-0242ac110005, type_id=0, name=Filme, type=Unknown}, parent_folder=pre memo parish/bibliographic.db, mime_type=architecture/hall, type_id=99, modifier={uid=6357d28a-5574-11ef-b53e-0242ac110005, type_id=3, domain=theology suzuki inn, name=Criterion, groups=[{name=meanwhile vid contributed}, {uid=6357dc9e-5574-11ef-a420-0242ac110005, name=difference white sensors, type=chef laos flat, desc=undertake carried ones}], uid_alt=repair trains victim, type=System, account={type_id=9, name=fans car enable, type=Linux Account}, credential_uid=6357e5f4-5574-11ef-8af6-0242ac110005}, security_descriptor=volvo workflow pros, name=kerry.sdf, hashes=[{value=35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB, algorithm_id=6, algorithm=TLSH}, 
{value=BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB, algorithm_id=5, algorithm=CTPH}], type=terrorist}, cmd_line=mentor dust attending, group={uid=63580af2-5574-11ef-88eb-0242ac110005, name=mad integrity assessment, type=glossary scotia pete}}, user={uid=63576804-5574-11ef-9ed9-0242ac110005, type_id=0, name=Pavilion, type=Unknown, credential_uid=63576e4e-5574-11ef-85ed-0242ac110005}, tid=93, group={uid=6357784e-5574-11ef-9c0c-0242ac110005, name=sale point solutions}}, tid=82, uid=6356ef50-5574-11ef-9f3f-0242ac110005, integrity=System, file={owner={uid=6356c534-5574-11ef-9ab7-0242ac110005, full_name=Henry Tonja, name=Answer}, path=defining inch factors/ist.mpa/creations.ico, created_time=1723114384297, product={uid=6356cfa2-5574-11ef-a798-0242ac110005, name=amateur bristol cuba, vendor_name=gentleman quit confirm, version=1.1.0}, parent_folder=defining inch factors/ist.mpa, accessed_time_dt=2024-08-08T10:53:04.297651Z, type_id=99, name=creations.ico, hashes=[{value=0976ABA0D430405622A00981BC58C6F16D2A40F1, algorithm_id=2, algorithm=SHA-1}, {value=36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088, algorithm_id=4, algorithm=SHA-512}], created_time_dt=2024-08-08T10:53:04.297659Z, type=ti}, cmd_line=capable homepage reject, name=Dead, user={uid=6356e906-5574-11ef-bcbc-0242ac110005, type_id=2, name=Theatre, type=Admin}, integrity_id=5}, user={uid=63568cfe-5574-11ef-9336-0242ac110005, full_name=Gussie Leila, email_addr=Claire@longitude.arpa, type_id=99, name=Paint, type=creative}, group={uid=635698ac-5574-11ef-a457-0242ac110005, name=prince enhance terrain, desc=dual yacht replace}}", "pid": 24, "session": { - "created_time": "+56573-04-27T12:31:33.568Z", - "expiration_time": "+56573-04-27T12:31:33.578Z", + "created_time": "2024-08-08T10:53:04.293Z", + "expiration_time": "2024-08-08T10:53:04.293Z", 
"expiration_time_dt": "2024-08-08T10:53:04.293Z",
 "is_remote": false,
 "issuer": "watt ips cash",
@@ -2837,15 +2837,15 @@
 },
 "credential_uid": "63534eea-5574-11ef-8a7c-0242ac110005",
 "ldap_person": {
- "created_time": 1723114384275284,
+ "created_time": 1723114384275,
 "email_addrs": [
 "Leonida@consoles.gov"
 ],
 "given_name": "routines identical brunswick",
- "hire_time": 1723114384275320,
+ "hire_time": 1723114384275,
 "job_title": "voted awareness pt",
 "leave_time_dt": "2024-08-08T10:53:04.275331Z",
- "modified_time": 1723114384275329
+ "modified_time": 1723114384275
 },
 "name": "Scenic",
 "type": "User",
@@ -2859,9 +2859,9 @@
 "algorithm": "Unknown",
 "algorithm_id": "0",
 "certificate": {
- "created_time": "+56573-04-27T12:31:13.661Z",
+ "created_time": "2024-08-08T10:53:04.273Z",
 "created_time_dt": "2024-08-08T10:53:04.273Z",
- "expiration_time": "+56573-04-27T12:31:13.675Z",
+ "expiration_time": "2024-08-08T10:53:04.273Z",
 "fingerprints": [
 {
 "algorithm": "SHA-512",
@@ -2879,7 +2879,7 @@
 "subject": "advised chess egyptian",
 "version": "1.1.0"
 },
- "created_time": "+56573-04-27T12:31:13.699Z"
+ "created_time": "2024-08-08T10:53:04.273Z"
 },
 "type": "Folder",
 "type_id": "2",
@@ -2890,7 +2890,7 @@
 "correlation_uid": "635472c0-5574-11ef-8c5d-0242ac110005",
 "event_code": "sessions",
 "log_name": "standing band submission",
- "logged_time": "+56573-04-27T12:31:22.107Z",
+ "logged_time": "2024-08-08T10:53:04.282Z",
 "original_time": "sum shipped decreased",
 "product": {
 "name": "cooling florist anna",
@@ -2959,7 +2959,7 @@
 },
 "status": "Unknown",
 "status_id": "0",
- "time": "+56573-04-27T12:31:27.674Z",
+ "time": "2024-08-08T10:53:04.287Z",
 "timezone_offset": 56,
 "type_name": "File Hosting Activity: Move",
 "type_uid": "600607"
@@ -2985,7 +2985,7 @@
 },
 "name": "Outreach",
 "pid": 24,
- "start": "+56573-04-27T12:31:35.435Z",
+ "start": "2024-08-08T10:53:04.295Z",
 "user": {
 "domain": "shortly payments endorsement",
 "id": [
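Review bot: In the `@@ -2837,15 +2837,15 @@` hunk the `ldap_person.created_time`, `hire_time` and `modified_time` values are still emitted as bare epoch integers (now cut from microseconds to milliseconds, `1723114384275284` → `1723114384275`), while every other `*_time` field this commit touches in the same fixture (`certificate.created_time`, `logged_time`, `time`, `start`) is now rendered as an ISO-8601 string. The same split appears in the discovery fixture's `@@ -556,18 +556,18 @@` and `@@ -749,18 +749,18 @@` hunks, where the identical fields are instead scaled up from seconds (`1577836800` → `1577836800000`), which suggests the unit of `ldap_person` timestamps is being inferred from the magnitude of the value rather than fixed by the schema. Both fixtures pass as long as the fields are mapped as `date`, but a unit guess that differs per fixture is hard to reason about and easy to regress, so the pipeline should state its conversion rule for these fields explicitly and emit them in the same ISO-8601 form as their siblings. The expected files only record output, so which processor produces the difference is not visible from here.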
@@ -2994,7 +2994,7 @@
 }
 },
 "pid": 95,
- "start": "+56573-04-27T12:31:32.928Z",
+ "start": "2024-08-08T10:53:04.292Z",
 "user": {
 "domain": "random john findlaw",
 "full_name": "Alexander Helena",
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json
index b69074b1add6..cb6ffa1f004b 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json
@@ -318,7 +318,7 @@
 ]
 },
 {
- "@timestamp": "1970-01-20T08:34:04.800Z",
+ "@timestamp": "2022-12-31T00:00:00.000Z",
 "data_stream": {
 "dataset": "amazon_security_lake.discovery",
 "namespace": "default",
@@ -331,7 +331,7 @@ "action": "login-attempt", "code": "login_attempt", "duration": 3600000000, - "end": "1970-01-20T08:35:31.200Z", + "end": "2023-01-01T00:00:00.000Z", "id": "evt-1234", "kind": "event", "original": "{\"activity_id\":1,\"activity_name\":\"Login Attempt\",\"actor\":{\"authorizations\":[{\"decision\":\"allow\",\"policy\":{\"desc\":\"Allow login\",\"group\":{\"desc\":\"Employee Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"},\"name\":\"Login Policy\",\"uid\":\"pol101\",\"version\":\"1.0\"}}],\"idp\":{\"name\":\"IDP Service\",\"uid\":\"idp101\"},\"invoked_by\":\"web_app\",\"process\":{\"cmd_line\":\"/usr/bin/login\",\"created_time\":1672444800,\"file\":{\"accessed_time\":1672531200,\"accessor\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":null,\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"},\"attributes\":777,\"company_name\":\"Example Corp\",\"confidentiality\":\"high\",\"confidentiality_id\":2,\"created_time\":1672444800,\"creator\":null,\"desc\":\"Login 
script\",\"hashes\":[{\"algorithm\":\"SHA-256\",\"algorithm_id\":4,\"value\":\"abcd1234\"}],\"is_system\":true,\"mime_type\":\"application/x-sh\",\"modified_time\":1672444800,\"modifier\":null,\"name\":\"login.sh\",\"owner\":null,\"parent_folder\":\"/usr/bin\",\"path\":\"/usr/bin/login.sh\",\"product\":null,\"security_descriptor\":\"D:P(A;;FA;;;BA)\",\"signature\":{\"algorithm\":\"RSA\",\"algorithm_id\":1,\"certificate\":{\"created_time\":1577836800,\"expiration_time\":1893456000,\"fingerprints\":[{\"algorithm\":\"SHA-1\",\"algorithm_id\":3,\"value\":\"abc123\"}],\"issuer\":\"Example CA\",\"serial_number\":\"123456\",\"subject\":\"Example Corp\",\"uid\":\"cert101\",\"version\":\"1\"},\"created_time\":1672444800,\"developer_uid\":\"dev101\",\"digest\":{\"algorithm\":\"SHA-256\",\"algorithm_id\":4,\"value\":\"abcd1234\"}},\"size\":2048,\"type\":\"script\",\"type_id\":1,\"uid\":\"file101\",\"version\":\"1.0\",\"xattributes\":{}},\"integrity\":\"valid\",\"integrity_id\":1,\"lineage\":[\"/sbin/init\",\"/usr/bin/login\"],\"loaded_modules\":[\"pam\",\"bash\"],\"name\":\"login\",\"parent_process\":null,\"pid\":1234,\"sandbox\":\"none\",\"session\":null,\"terminated_time\":1672531200,\"tid\":5678,\"uid\":\"proc101\",\"user\":null,\"xattributes\":{}},\"session\":{\"count\":1,\"created_time\":1672444800,\"credential_uid\":\"cred101\",\"expiration_reason\":\"timeout\",\"expiration_time\":1672531200,\"is_mfa\":true,\"is_remote\":false,\"is_vpn\":false,\"issuer\":\"IDP Service\",\"terminal\":\"pts/1\",\"uid\":\"sess101\",\"uid_alt\":\"sess102\",\"uuid\":\"uuid-1234\"},\"user\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee 
Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":{\"cost_center\":\"IT\",\"created_time\":1577836800,\"deleted_time\":null,\"email_addrs\":[\"john.doe@example.com\"],\"employee_uid\":\"emp101\",\"given_name\":\"John\",\"hire_time\":1546300800,\"job_title\":\"System Administrator\",\"labels\":[\"full-time\"],\"last_login_time\":1672444800,\"ldap_cn\":\"john_doe_cn\",\"ldap_dn\":\"cn=John Doe,ou=users,dc=example,dc=com\",\"leave_time\":null,\"location\":{\"city\":\"San Francisco\",\"continent\":\"North America\",\"coordinates\":[37.7749,-122.4194],\"country\":\"USA\",\"desc\":\"Head Office\",\"is_on_premises\":true,\"isp\":\"Example ISP\",\"postal_code\":\"94103\",\"provider\":\"Example Provider\",\"region\":\"California\"},\"manager\":{\"account\":{\"name\":\"jane.manager\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc102\"},\"credential_uid\":\"cred102\",\"domain\":\"example.com\",\"email_addr\":\"jane.manager@example.com\",\"full_name\":\"Jane Manager\",\"groups\":[{\"desc\":\"Managers Group\",\"domain\":\"example.com\",\"name\":\"managers\",\"privileges\":[\"read\",\"write\",\"manage\"],\"type\":\"internal\",\"uid\":\"grp102\"}],\"ldap_person\":null,\"name\":\"Jane Manager\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr102\",\"uid_alt\":\"jane_manager_alt\"},\"modified_time\":1622505600,\"office_location\":\"Building A\",\"surname\":\"Doe\"},\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"}},\"category_name\":\"User Activity\",\"category_uid\":5,\"class_name\":\"Login Events\",\"class_uid\":5003,\"count\":1,\"duration\":3600,\"end_time\":1672531200,\"enrichments\":[{\"data\":{},\"name\":\"GeoIP 
Enrichment\",\"provider\":\"GeoIP Service\",\"type\":\"location\",\"value\":\"San Francisco, USA\"}],\"message\":\"User John Doe attempted a login from San Francisco.\",\"metadata\":{\"correlation_uid\":\"cor-1234\",\"event_code\":\"login_attempt\",\"extension\":{\"name\":\"Login Extension\",\"uid\":\"ext-1234\",\"version\":\"1.0\"},\"extensions\":[],\"labels\":[\"security\"],\"log_level\":\"info\",\"log_name\":\"user_activity\",\"log_provider\":\"Example Provider\",\"log_version\":\"1.0\",\"logged_time\":1672444800,\"loggers\":[],\"modified_time\":1672444800,\"original_time\":\"2023-01-01T00:00:00Z\",\"processed_time\":1672531200,\"product\":{\"cpe_name\":\"cpe:/a:example:product\",\"feature\":{\"name\":\"Login Feature\",\"uid\":\"fea-1234\",\"version\":\"1.0\"},\"lang\":\"en\",\"name\":\"User Activity Logger\",\"path\":\"/var/log/user_activity\",\"uid\":\"prod-1234\",\"url_string\":\"https://example.com\",\"vendor_name\":\"Example Vendor\",\"version\":\"1.0\"},\"profiles\":[\"default\"],\"sequence\":1,\"tenant_uid\":\"tenant123\",\"uid\":\"evt-1234\",\"version\":\"1.0\"},\"observables\":[{\"name\":\"San Francisco\",\"reputation\":{\"base_score\":90,\"provider\":\"GeoIP Service\",\"score\":\"high\",\"score_id\":1},\"type\":\"location\",\"type_id\":2,\"value\":\"San Francisco, USA\"}],\"raw_data\":\"raw_event_data\",\"severity\":\"medium\",\"severity_id\":2,\"start_time\":1672444800,\"status\":\"processed\",\"status_code\":\"200\",\"status_detail\":\"Event processed successfully.\",\"status_id\":1,\"time\":1672444800,\"timezone_offset\":-8,\"type_name\":\"login_event\",\"type_uid\":1001,\"unmapped\":{},\"user\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee 
Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":{\"cost_center\":\"IT\",\"created_time\":1577836800,\"deleted_time\":null,\"email_addrs\":[\"john.doe@example.com\"],\"employee_uid\":\"emp101\",\"given_name\":\"John\",\"hire_time\":1546300800,\"job_title\":\"System Administrator\",\"labels\":[\"full-time\"],\"last_login_time\":1672444800,\"ldap_cn\":\"john_doe_cn\",\"ldap_dn\":\"cn=John Doe,ou=users,dc=example,dc=com\",\"leave_time\":null,\"location\":{\"city\":\"San Francisco\",\"continent\":\"North America\",\"coordinates\":[37.7749,-122.4194],\"country\":\"USA\",\"desc\":\"Head Office\",\"is_on_premises\":true,\"isp\":\"Example ISP\",\"postal_code\":\"94103\",\"provider\":\"Example Provider\",\"region\":\"California\"},\"manager\":{\"account\":{\"name\":\"jane.manager\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc102\"},\"credential_uid\":\"cred102\",\"domain\":\"example.com\",\"email_addr\":\"jane.manager@example.com\",\"full_name\":\"Jane Manager\",\"groups\":[{\"desc\":\"Managers Group\",\"domain\":\"example.com\",\"name\":\"managers\",\"privileges\":[\"read\",\"write\",\"manage\"],\"type\":\"internal\",\"uid\":\"grp102\"}],\"ldap_person\":null,\"name\":\"Jane Manager\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr102\",\"uid_alt\":\"jane_manager_alt\"},\"modified_time\":1622505600,\"office_location\":\"Building A\",\"surname\":\"Doe\"},\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"}}", 
@@ -339,14 +339,14 @@
 "provider": "Example Provider",
 "sequence": 1,
 "severity": 2,
- "start": "1970-01-20T08:34:04.800Z",
+ "start": "2022-12-31T00:00:00.000Z",
 "type": [
 "info"
 ]
 },
 "file": {
- "accessed": "1970-01-20T08:35:31.200Z",
- "created": "1970-01-20T08:34:04.800Z",
+ "accessed": "2023-01-01T00:00:00.000Z",
+ "created": "2022-12-31T00:00:00.000Z",
 "directory": "/usr/bin",
 "hash": {
 "sha256": [
@@ -355,7 +355,7 @@
 },
 "inode": "file101",
 "mime_type": "application/x-sh",
- "mtime": "1970-01-20T08:34:04.800Z",
+ "mtime": "2022-12-31T00:00:00.000Z",
 "name": "login.sh",
 "path": "/usr/bin/login.sh",
 "size": 2048,
@@ -364,7 +364,7 @@
 "issuer": {
 "distinguished_name": "Example CA"
 },
- "not_after": "1970-01-22T21:57:36.000Z",
+ "not_after": "2030-01-01T00:00:00.000Z",
 "serial_number": "123456",
 "subject": {
 "distinguished_name": "Example Corp"
@@ -406,9 +406,9 @@
 "invoked_by": "web_app",
 "process": {
 "cmd_line": "/usr/bin/login",
- "created_time": "1970-01-20T08:34:04.800Z",
+ "created_time": "2022-12-31T00:00:00.000Z",
 "file": {
- "accessed_time": "1970-01-20T08:35:31.200Z",
+ "accessed_time": "2023-01-01T00:00:00.000Z",
 "accessor": {
 "account": {
 "name": "john.doe",
@@ -449,7 +449,7 @@
 "company_name": "Example Corp",
 "confidentiality": "high",
 "confidentiality_id": "2",
- "created_time": "1970-01-20T08:34:04.800Z",
+ "created_time": "2022-12-31T00:00:00.000Z",
 "desc": "Login script",
 "hashes": [
 {
@@ -460,7 +460,7 @@
 ],
 "is_system": true,
 "mime_type": "application/x-sh",
- "modified_time": "1970-01-20T08:34:04.800Z",
+ "modified_time": "2022-12-31T00:00:00.000Z",
 "name": "login.sh",
 "parent_folder": "/usr/bin",
 "path": "/usr/bin/login.sh",
@@ -469,8 +469,8 @@
 "algorithm": "RSA",
 "algorithm_id": "1",
 "certificate": {
- "created_time": "1970-01-19T06:17:16.800Z",
- "expiration_time": "1970-01-22T21:57:36.000Z",
+ "created_time": "2020-01-01T00:00:00.000Z",
+ "expiration_time": "2030-01-01T00:00:00.000Z",
 "fingerprints": [
 {
 "algorithm": "SHA-1",
@@ -484,7 +484,7 @@
 "uid": "cert101",
 "version": "1"
 },
- "created_time": "1970-01-20T08:34:04.800Z",
+ "created_time": "2022-12-31T00:00:00.000Z",
 "developer_uid": "dev101",
 "digest": {
 "algorithm": "SHA-256",
@@ -511,16 +511,16 @@
 "name": "login",
 "pid": 1234,
 "sandbox": "none",
- "terminated_time": "1970-01-20T08:35:31.200Z",
+ "terminated_time": "2023-01-01T00:00:00.000Z",
 "tid": 5678,
 "uid": "proc101"
 },
 "session": {
 "count": 1,
- "created_time": "1970-01-20T08:34:04.800Z",
+ "created_time": "2022-12-31T00:00:00.000Z",
 "credential_uid": "cred101",
 "expiration_reason": "timeout",
- "expiration_time": "1970-01-20T08:35:31.200Z",
+ "expiration_time": "2023-01-01T00:00:00.000Z",
 "is_mfa": true,
 "is_remote": false,
 "is_vpn": false,
@@ -556,18 +556,18 @@
 ],
 "ldap_person": {
 "cost_center": "IT",
- "created_time": 1577836800,
+ "created_time": 1577836800000,
 "email_addrs": [
 "john.doe@example.com"
 ],
 "employee_uid": "emp101",
 "given_name": "John",
- "hire_time": 1546300800,
+ "hire_time": 1546300800000,
 "job_title": "System Administrator",
 "labels": [
 "full-time"
 ],
- "last_login_time": 1672444800,
+ "last_login_time": 1672444800000,
 "ldap_cn": "john_doe_cn",
 "ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com",
 "location": {
@@ -622,7 +622,7 @@
 "uid": "usr102",
 "uid_alt": "jane_manager_alt"
 },
- "modified_time": 1622505600,
+ "modified_time": 1622505600000,
 "office_location": "Building A",
 "surname": "Doe"
 },
@@ -645,7 +645,7 @@
 "class_uid": "5003",
 "count": 1,
 "duration": 3600,
- "end_time": "1970-01-20T08:35:31.200Z",
+ "end_time": "2023-01-01T00:00:00.000Z",
 "enrichments": [
 {
 "name": "GeoIP Enrichment",
@@ -670,10 +670,10 @@
 "log_name": "user_activity",
 "log_provider": "Example Provider",
 "log_version": "1.0",
- "logged_time": "1970-01-20T08:34:04.800Z",
- "modified_time": "1970-01-20T08:34:04.800Z",
+ "logged_time": "2022-12-31T00:00:00.000Z",
+ "modified_time": "2022-12-31T00:00:00.000Z",
 "original_time": "2023-01-01T00:00:00Z",
- "processed_time": "1970-01-20T08:35:31.200Z",
+ "processed_time": "2023-01-01T00:00:00.000Z",
 "product": {
 "cpe_name": "cpe:/a:example:product",
 "feature": {
@@ -714,12 +714,12 @@
 "raw_data_keyword": "raw_event_data",
 "severity": "medium",
 "severity_id": 2,
- "start_time": "1970-01-20T08:34:04.800Z",
+ "start_time": "2022-12-31T00:00:00.000Z",
 "status": "processed",
 "status_code": "200",
 "status_detail": "Event processed successfully.",
 "status_id": "1",
- "time": "1970-01-20T08:34:04.800Z",
+ "time": "2022-12-31T00:00:00.000Z",
 "timezone_offset": -8,
 "type_name": "login_event",
 "type_uid": "1001",
@@ -749,18 +749,18 @@
 ],
 "ldap_person": {
 "cost_center": "IT",
- "created_time": 1577836800,
+ "created_time": 1577836800000,
 "email_addrs": [
 "john.doe@example.com"
 ],
 "employee_uid": "emp101",
 "given_name": "John",
- "hire_time": 1546300800,
+ "hire_time": 1546300800000,
 "job_title": "System Administrator",
 "labels": [
 "full-time"
 ],
- "last_login_time": 1672444800,
+ "last_login_time": 1672444800000,
 "ldap_cn": "john_doe_cn",
 "ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com",
 "location": {
@@ -815,7 +815,7 @@
 "uid": "usr102",
 "uid_alt": "jane_manager_alt"
 },
- "modified_time": 1622505600,
+ "modified_time": 1622505600000,
 "office_location": "Building A",
 "surname": "Doe"
 },
@@ -834,11 +834,11 @@
 },
 "process": {
 "command_line": "/usr/bin/login",
- "end": "1970-01-20T08:35:31.200Z",
+ "end": "2023-01-01T00:00:00.000Z",
 "entity_id": "proc101",
 "name": "login",
 "pid": 1234,
- "start": "1970-01-20T08:34:04.800Z",
+ "start": "2022-12-31T00:00:00.000Z",
 "thread": {
 "id": 5678
 }
@@ -892,7 +892,7 @@
 }
 },
 {
- "@timestamp": "+56556-10-12T11:59:14.199Z",
+ "@timestamp": "2024-08-02T09:53:59.954Z",
 "cloud": {
 "project": {
 "id": "244256a6-50b5-11ef-b514-0242ac110005"
@@ -990,7 +990,7 @@
 "ip": "81.2.69.144",
 "is_managed": false,
 "is_trusted": true,
- "last_seen_time": "+56556-10-12T11:59:10.666Z",
+ "last_seen_time": "2024-08-02T09:53:59.950Z",
 "location": {
 "city": "Randy wellington",
 "continent": "Africa",
@@ -1115,10 +1115,10 @@
 "transmit_time_dt": "2024-08-02T09:53:59.950077Z"
 }
 ],
- "modified_time": "+56556-10-12T11:59:10.096Z",
+ "modified_time": "2024-08-02T09:53:59.950Z",
 "modified_time_dt": "2024-08-02T09:53:59.950Z",
 "original_time": "livecam yearly isbn",
- "processed_time": "+56556-10-12T11:59:10.110Z",
+ "processed_time": "2024-08-02T09:53:59.950Z",
 "product": {
 "name": "semi boston electric",
 "path": "norm eggs ranges",
@@ -1143,7 +1143,7 @@
 "severity_id": 2,
 "status": "jim",
 "status_id": "99",
- "time": "+56556-10-12T11:59:14.199Z",
+ "time": "2024-08-02T09:53:59.954Z",
 "timezone_offset": 54,
 "type_name": "Operating System Patch State: Unknown",
 "type_uid": "500400"
@@ -1163,7 +1163,7 @@
 ]
 },
 {
- "@timestamp": "+56573-01-17T09:11:20.760Z",
+ "@timestamp": "2024-08-08T08:28:52.280Z",
 "cloud": {
 "availability_zone": "median conference permalink",
 "provider": "prepaid policy genetic",
@@ -1252,14 +1252,14 @@
 "size": 72520595,
 "uid": "3e55b7a4-5560-11ef-96a7-0242ac110005"
 },
- "first_seen_time": "+56573-01-17T09:11:19.498Z",
+ "first_seen_time": "2024-08-08T08:28:52.279Z",
 "hostname": "scores.museum",
 "imei": "opt specializing courses",
 "instance_uid": "3e559fb2-5560-11ef-b12b-0242ac110005",
 "interface_name": "wet logos memorial",
 "interface_uid": "3e55cfbe-5560-11ef-b385-0242ac110005",
 "ip": "233.56.87.14",
- "last_seen_time": "+56573-01-17T09:11:18.612Z",
+ "last_seen_time": "2024-08-08T08:28:52.278Z",
 "namespace_pid": 42,
 "network_interfaces": [
 {
@@ -1290,9 +1290,9 @@
 "event_code": "exceptional",
 "log_name": "should ld recruiting",
 "log_provider": "reducing descriptions andrea",
- "modified_time": "+56573-01-17T09:11:14.878Z",
+ "modified_time": "2024-08-08T08:28:52.274Z",
 "original_time": "gorgeous sometimes normal",
- "processed_time": "+56573-01-17T09:11:14.895Z",
+ "processed_time": "2024-08-08T08:28:52.274Z",
 "product": {
 "name": "unions held pal",
 "uid": "3e54e914-5560-11ef-a37e-0242ac110005",
@@ -1335,7 +1335,7 @@
 "severity": "Unknown",
 "severity_id": 0,
 "status": "mayor jewel fixes",
- "time": "+56573-01-17T09:11:20.760Z",
+ "time": "2024-08-08T08:28:52.280Z",
 "timezone_offset": 41,
 "type_name": "Device Config State Change: Unknown",
 "type_uid": "501900"
@@ -1356,7 +1356,7 @@
 ]
 },
 {
- "@timestamp": "+56573-01-28T12:49:45.986Z",
+ "@timestamp": "2024-08-08T08:44:55.785Z",
 "data_stream": {
 "dataset": "amazon_security_lake.discovery",
 "namespace": "default",
@@ -1368,7 +1368,7 @@ "event": { "action": "fraser", "code": "recognized", - "end": "+56573-01-28T12:49:44.773Z", + "end": "2024-08-08T08:44:55.784Z", "kind": "event", "original": "{\"message\":\"enabling pushing tee\",\"status\":\"Failure\",\"time\":1723106695785986,\"device\":{\"type\":\"Laptop\",\"domain\":\"parts patents bios\",\"ip\":\"175.16.199.0\",\"hostname\":\"apparel.store\",\"uid\":\"7ca10520-5562-11ef-994f-0242ac110005\",\"image\":{\"name\":\"you therapy gaming\",\"uid\":\"7ca0ff12-5562-11ef-a321-0242ac110005\"},\"type_id\":3,\"created_time\":1723106695785069,\"hypervisor\":\"weblog operates spanish\",\"instance_uid\":\"7ca0f4f4-5562-11ef-9585-0242ac110005\",\"interface_name\":\"individually assembled riders\",\"interface_uid\":\"7ca10bd8-5562-11ef-a0b4-0242ac110005\",\"is_compliant\":true,\"modified_time\":1723106695785112,\"region\":\"click added cars\"},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"use four webpage\",\"version\":\"1.1.0\",\"uid\":\"7c9fb288-5562-11ef-850c-0242ac110005\",\"feature\":{\"name\":\"iii exceptional erotica\",\"version\":\"1.1.0\",\"uid\":\"7c9fbdfa-5562-11ef-b36a-0242ac110005\"},\"url_string\":\"light\",\"vendor_name\":\"whatever chan might\"},\"profiles\":[],\"event_code\":\"recognized\",\"log_name\":\"durable flex field\",\"loggers\":[{\"name\":\"senator babies ou\",\"device\":{\"name\":\"camcorder zoning projector\",\"type\":\"Server\",\"os\":{\"name\":\"pottery laws resident\",\"type\":\"Unknown\",\"country\":\"Haiti, Republic of\",\"type_id\":0},\"domain\":\"pain brilliant html\",\"ip\":\"177.30.168.240\",\"hostname\":\"array.mil\",\"uid\":\"7ca01610-5562-11ef-80c2-0242ac110005\",\"image\":{\"name\":\"threaded reduction registry\",\"uid\":\"7ca00f80-5562-11ef-9605-0242ac110005\"},\"type_id\":1,\"instance_uid\":\"7ca00508-5562-11ef-aef5-0242ac110005\",\"interface_name\":\"smoke shorts 
historic\",\"interface_uid\":\"7ca01d0e-5562-11ef-8a28-0242ac110005\",\"is_personal\":true,\"modified_time\":1723106695779060,\"network_interfaces\":[{\"type\":\"Wired\",\"ip\":\"162.67.186.104\",\"hostname\":\"majority.int\",\"mac\":\"A5:AD:3C:E2:45:BB:1F:BD\",\"type_id\":1,\"subnet_prefix\":63},{\"name\":\"fujitsu specials encourages\",\"type\":\"Mobile\",\"ip\":\"61.37.184.176\",\"hostname\":\"signal.biz\",\"mac\":\"42:EC:71:C:44:87:4D:3F\",\"type_id\":3}],\"region\":\"enforcement mls cabinet\",\"risk_score\":32,\"subnet_uid\":\"7c9ff360-5562-11ef-a23d-0242ac110005\"},\"product\":{\"version\":\"1.1.0\",\"uid\":\"7ca028a8-5562-11ef-9f4e-0242ac110005\",\"lang\":\"en\",\"cpe_name\":\"eddie m loop\",\"vendor_name\":\"wild stack ing\"},\"uid\":\"7ca02fe2-5562-11ef-85c4-0242ac110005\",\"log_name\":\"virus estimated hospitality\",\"log_provider\":\"snapshot survive ruled\"},{\"name\":\"photo missing lions\",\"version\":\"1.1.0\",\"device\":{\"name\":\"barrier problems southampton\",\"type\":\"Unknown\",\"ip\":\"178.130.62.185\",\"location\":{\"desc\":\"Nauru, Republic of\",\"city\":\"Corrections presence\",\"country\":\"NR\",\"coordinates\":[-87.1695,-2.0139],\"continent\":\"Oceania\"},\"hostname\":\"traveller.org\",\"uid\":\"7ca0bd86-5562-11ef-913a-0242ac110005\",\"groups\":[{\"type\":\"train fm brain\",\"uid\":\"7ca0a350-5562-11ef-a3c7-0242ac110005\",\"privileges\":[\"airlines ricky practitioner\",\"hometown nh fair\"]}],\"type_id\":0,\"subnet\":\"239.0.0.0/8\",\"instance_uid\":\"7ca0b64c-5562-11ef-9d6d-0242ac110005\",\"interface_name\":\"accompanied lesson color\",\"interface_uid\":\"7ca0c466-5562-11ef-abf1-0242ac110005\",\"is_compliant\":true,\"is_personal\":true,\"modified_time\":1723106695783536,\"region\":\"careers eval haiti\",\"subnet_uid\":\"7ca0aaf8-5562-11ef-825e-0242ac110005\",\"uid_alt\":\"square washington foster\"},\"product\":{\"name\":\"sh buttons specialties\",\"version\":\"1.1.0\",\"vendor_name\":\"acrylic pace 
draws\"},\"uid\":\"7ca0ceca-5562-11ef-844f-0242ac110005\",\"log_name\":\"tagged mainstream equal\",\"log_provider\":\"certified denial agree\"}],\"original_time\":\"fireplace chapel support\",\"tenant_uid\":\"7ca0d924-5562-11ef-9d5f-0242ac110005\"},\"severity\":\"Critical\",\"type_name\":\"Device Config State Change: Other\",\"activity_id\":99,\"type_uid\":501999,\"observables\":[{\"name\":\"savage humanity jail\",\"type\":\"shots\",\"value\":\"lived creator planning\",\"type_id\":99}],\"category_name\":\"Discovery\",\"class_uid\":5019,\"category_uid\":5,\"class_name\":\"Device Config State Change\",\"timezone_offset\":85,\"end_time\":1723106695784773,\"activity_name\":\"fraser\",\"security_states\":[{},{\"state\":\"Protection malfunction\",\"state_id\":5}],\"enrichments\":[{\"data\":\"mpeg\",\"name\":\"needs included bag\",\"type\":\"palestine spin down\",\"value\":\"gay from titans\",\"provider\":\"sherman centers profession\"}],\"prev_security_states\":[{},{}],\"severity_id\":5,\"status_id\":2}", "outcome": "failure", @@ -1396,7 +1396,7 @@ "class_name": "Device Config State Change", "class_uid": "5019", "device": { - "created_time": "+56573-01-28T12:49:45.069Z", + "created_time": "2024-08-08T08:44:55.785Z", "domain": "parts patents bios", "hostname": "apparel.store", "hypervisor": "weblog operates spanish", @@ -1409,13 +1409,13 @@ "interface_uid": "7ca10bd8-5562-11ef-a0b4-0242ac110005", "ip": "175.16.199.0", "is_compliant": true, - "modified_time": "+56573-01-28T12:49:45.112Z", + "modified_time": "2024-08-08T08:44:55.785Z", "region": "click added cars", "type": "Laptop", "type_id": "3", "uid": "7ca10520-5562-11ef-994f-0242ac110005" }, - "end_time": "+56573-01-28T12:49:44.773Z", + "end_time": "2024-08-08T08:44:55.784Z", "enrichments": [ { "data": "mpeg", 
@@ -1573,7 +1573,7 @@ "severity_id": 5, "status": "Failure", "status_id": "2", - "time": "+56573-01-28T12:49:45.986Z", + "time": "2024-08-08T08:44:55.785Z", "timezone_offset": 85, "type_name": "Device Config State Change: Other", "type_uid": "501999" diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json index be56ce5703fc..61c102599563 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json @@ -224,7 +224,7 @@ } }, { - "@timestamp": "+56548-05-23T12:42:47.320Z", + "@timestamp": "2024-07-30T08:21:52.967Z", "cloud": { "project": { "id": "c6b00a0c-4e4c-11ef-a1c9-0242ac110005" @@ -357,7 +357,7 @@ "start_time_dt": "2024-07-30T08:21:52.968Z", "status": "In Progress", "status_id": "2", - "time": "+56548-05-23T12:42:47.320Z", + "time": "2024-07-30T08:21:52.967Z", "timezone_offset": 17, "type_name": "Vulnerability Finding: Create", "type_uid": "200201", @@ -465,7 +465,7 @@ } }, { - "@timestamp": "+56568-03-02T00:43:35.847Z", + "@timestamp": "2024-08-06T13:42:17.015Z", "data_stream": { "dataset": "amazon_security_lake.findings", "namespace": "default", @@ -1546,7 +1546,7 @@ "type_id": 3, "uid": "b200b234-53f9-11ef-88a2-0242ac110005" }, - "first_seen_time": 1722951737012703, + "first_seen_time": 1722951737012, "kill_chain": [ { "phase": "Unknown", @@ -1621,7 +1621,7 @@ "severity_id": 2, "status": "Suppressed", "status_id": "3", - "time": "+56568-03-02T00:43:35.847Z", + "time": "2024-08-06T13:42:17.015Z", "type_name": "Detection Finding: Create", "type_uid": "200401" }, 
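Review bot: In the `@@ -1546,7 +1546,7 @@` hunk of test-findings.log-expected.json, `first_seen_time` is still emitted as a bare epoch integer (`1722951737012`, now truncated from microseconds to milliseconds) while every sibling time field in the same expected output (`@timestamp`, `time`, `start_time_dt`) is rendered as an ISO 8601 string, and the discovery stream's `first_seen_time` earlier in this diff is rendered as a string (`"2024-08-08T08:28:52.279Z"`). That looks like the pipeline converts the unit of this field but not its type, so the same OCSF attribute would index as a number in one data stream and a date in another; I cannot see the ingest pipeline from here, so this may be intentional. If it is, a comment next to the findings mapping for `first_seen_time` explaining why it stays numeric would save the next reviewer the same question; otherwise the expected value should become a date string consistent with the other fields, e.g. `"first_seen_time": "2024-08-06T13:42:17.012Z",`.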
@@ -1640,7 +1640,7 @@ ] }, { - "@timestamp": "+56570-03-27T04:55:20.626Z", + "@timestamp": "2024-08-07T07:49:44.120Z", "cloud": { "availability_zone": "arrested turkey actual", "provider": "video protected tea", @@ -1750,7 +1750,7 @@ "severity_id": 3, "status": "Unknown", "status_id": "0", - "time": "+56570-03-27T04:55:20.626Z", + "time": "2024-08-07T07:49:44.120Z", "timezone_offset": 98, "type_name": "Compliance Finding: Close", "type_uid": "200303" @@ -1761,7 +1761,7 @@ ] }, { - "@timestamp": "+56570-04-25T14:45:38.425Z", + "@timestamp": "2024-08-07T08:32:05.138Z", "cloud": { "availability_zone": "proceed combines pets", "provider": "leone semester automated", @@ -2036,7 +2036,7 @@ "src_url": "unity", "status": "Closed", "status_id": "5", - "time": "+56570-04-25T14:45:38.425Z", + "time": "2024-08-07T08:32:05.138Z", "timezone_offset": 75, "type_name": "Incident Finding: Other", "type_uid": "200599", diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json index ee700160f6ba..0526d7bfb89e 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "1970-01-20T15:16:10.109Z", + "@timestamp": "2023-10-06T05:28:29.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", @@ -49,7 +49,7 @@ "metadata": { "log_name": "ebony pay tablets", "log_provider": "medline putting movie", - "logged_time": "1970-01-20T15:16:10.109Z", + "logged_time": "2023-10-06T05:28:29.000Z", "original_time": "gentleman brings relationship", "product": { "lang": "en", 
@@ -77,7 +77,7 @@ "status": "Unknown", "status_code": "seo", "status_id": "0", - "time": "1970-01-20T15:16:10.109Z", + "time": "2023-10-06T05:28:29.000Z", "timezone_offset": 34, "type_name": "Authorize Session: Unknown", "type_uid": "300300", @@ -111,7 +111,7 @@ } }, { - "@timestamp": "1970-01-20T15:16:10.795Z", + "@timestamp": "2023-10-06T05:39:55.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", @@ -163,7 +163,7 @@ "severity": "Unknown", "severity_id": 0, "status": "authors technology bible", - "time": "1970-01-20T15:16:10.795Z", + "time": "2023-10-06T05:39:55.000Z", "timezone_offset": 36, "type_name": "Entity Management: Read", "type_uid": "300402" @@ -175,7 +175,7 @@ ] }, { - "@timestamp": "1970-01-20T15:16:23.206Z", + "@timestamp": "2023-10-06T09:06:46.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", @@ -248,7 +248,7 @@ "severity_id": 2, "status": "Success", "status_id": "1", - "time": "1970-01-20T15:16:23.206Z", + "time": "2023-10-06T09:06:46.000Z", "timezone_offset": 81, "type_name": "Group Management: Add User", "type_uid": "300603", @@ -312,7 +312,7 @@ } }, { - "@timestamp": "1970-01-20T15:16:21.958Z", + "@timestamp": "2023-10-06T08:45:58.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", 
@@ -330,7 +330,7 @@ "original": "{\"message\":\"isaac uncertainty replication\",\"status\":\"abstracts\",\"time\":1696581958,\"group\":{\"name\":\"then nevada berkeley md\",\"uid\":\"c63f1e24-6424-11ee-af05-0242ac110005\"},\"user\":{\"name\":\"Dd\",\"type\":\"System\",\"uid\":\"c52f5236-6424-11ee-9c16-0242ac110005\",\"type_id\":3,\"credential_uid\":\"c52f57ae-6424-11ee-b8be-0242ac110005\"},\"metadata\":{\"version\":\"1.0.0\",\"product\":{\"name\":\"advance wellness phentermine\",\"version\":\"1.0.0\",\"uid\":\"c52f3210-6424-11ee-b807-0242ac110005\",\"feature\":{\"name\":\"services cultural ali\",\"version\":\"1.0.0\",\"uid\":\"c52f43f4-6424-11ee-9b6e-0242ac110005\"},\"lang\":\"en\",\"vendor_name\":\"sphere chef physicians\"},\"profiles\":[],\"log_name\":\"gravity bill gp\",\"logged_time\":1696581958,\"original_time\":\"escape mic warner\"},\"resource\":{\"owner\":{\"name\":\"Fatty\",\"type\":\"forecast\",\"domain\":\"regions gr dean\",\"uid\":\"c52f060a-6424-11ee-b378-0242ac110005\",\"type_id\":99,\"email_addr\":\"Art@his.name\"},\"group\":{\"name\":\"then nevada berkeley\",\"uid\":\"c52f1e24-6424-11ee-af05-0242ac110005\"}},\"start_time\":1696581958,\"severity\":\"Medium\",\"type_name\":\"User Access Management: Unknown\",\"activity_id\":0,\"type_uid\":300500,\"observables\":[{\"name\":\"devices arguments label\",\"type\":\"Fingerprint\",\"type_id\":30},{\"name\":\"line nightlife expo\",\"type\":\"Container\",\"type_id\":27,\"reputation\":{\"base_score\":45.5971,\"provider\":\"marcus magnetic expressed\",\"score\":\"May not be Safe\",\"score_id\":5}}],\"category_name\":\"Identity & Access Management\",\"class_uid\":3005,\"category_uid\":3,\"class_name\":\"User Access Management\",\"timezone_offset\":28,\"activity_name\":\"Unknown\",\"privileges\":[\"returned funeral cave\"],\"severity_id\":3,\"status_id\":99}", "provider": "sphere chef physicians", "severity": 3, - "start": "1970-01-20T15:16:21.958Z", + "start": "2023-10-06T08:45:58.000Z", "type": [ "info", "group" 
@@ -355,7 +355,7 @@ "message": "isaac uncertainty replication", "metadata": { "log_name": "gravity bill gp", - "logged_time": "1970-01-20T15:16:21.958Z", + "logged_time": "2023-10-06T08:45:58.000Z", "original_time": "escape mic warner", "product": { "feature": { @@ -408,10 +408,10 @@ }, "severity": "Medium", "severity_id": 3, - "start_time": "1970-01-20T15:16:21.958Z", + "start_time": "2023-10-06T08:45:58.000Z", "status": "abstracts", "status_id": "99", - "time": "1970-01-20T15:16:21.958Z", + "time": "2023-10-06T08:45:58.000Z", "timezone_offset": 28, "type_name": "User Access Management: Unknown", "type_uid": "300500", diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log index ef0a463fad02..59544a2d99d3 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log 
@@ -11,3 +11,4 @@ {"message":"distances authorization packed","status":"annually","time":1695676084572,"file":{"name":"revenge.ged","size":123,"type":"Block Device","path":"pensions lightning push/congress.icns/revenge.ged","type_id":4,"parent_folder":"pensions lightning push/congress.icns","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF","algorithm":"magic","algorithm_id":99}],"modified_time":1695676084549,"security_descriptor":"procedure amsterdam belarus","accessed_time_dt":"2023-09-25T21:08:04.549340Z"},"device":{"name":"walter qt hitting","type":"Tablet","ip":"67.43.156.0","uid":"9e3dbfa4-5be7-11ee-8f05-0242ac110005","hostname":"rule.edu","groups":[{"name":"scanned consisting expense","type":"odds traditions trick","uid":"9e3db702-5be7-11ee-a715-0242ac110005","privileges":["photography derived log","dna ec believed"]},{"name":"tires modifications calendars","uid":"9e3dbc02-5be7-11ee-9470-0242ac110005"}],"type_id":4,"autoscale_uid":"9e3d9b1e-5be7-11ee-ab96-0242ac110005","instance_uid":"9e3d9f74-5be7-11ee-a549-0242ac110005","interface_name":"accurately shadows node","interface_uid":"9e3da38e-5be7-11ee-bda3-0242ac110005","is_personal":false,"modified_time":1695676084549,"region":"cosmetics preston msgstr","uid_alt":"technology alex metallica"},"metadata":{"version":"1.0.0","extension":{"name":"editor nerve offset","version":"1.0.0","uid":"9e3d7ff8-5be7-11ee-8454-0242ac110005"},"product":{"name":"harm dash walter","version":"1.0.0","path":"contributors rest worried","uid":"9e3d893a-5be7-11ee-9bf6-0242ac110005","lang":"en","vendor_name":"acre shut suzuki"},"profiles":["cloud","container","datetime","host","security_control"],"log_version":"flow tribunal aging","original_time":"consistently sauce duke","processed_time_dt":"2023-09-25T21:08:04.547033Z"},"severity":"Critical","disposition":"Blocked","type_name":"Email File Activity: 
Send","activity_id":1,"disposition_id":2,"type_uid":401101,"category_name":"Network Activity","class_uid":4011,"category_uid":4,"class_name":"Email File Activity","timezone_offset":0,"attacks":[{"version":"12.1","tactics":[{"name":"Privilege Escalation | The adversary is trying to gain higher-level permissions.","uid":"TA0004"}],"technique":{"name":"CMSTP","uid":"T1191"}}],"activity_name":"Send","cloud":{"account":{"type":"AWS Account","uid":"9e3d6a4a-5be7-11ee-9095-0242ac110005","type_id":10},"provider":"antique camp pin"},"email_uid":"9e3d9088-5be7-11ee-b651-0242ac110005","enrichments":[{"data":{"meat":"meattt"},"name":"another polyester collectors","type":"gen cap beauty","value":"recipes generating stored","provider":"companion fy mat"},{"data":{"meatd":"meattt"},"name":"brandon fraser seed","type":"grove bradley ddr","value":"written thumbnail looksmart","provider":"hearings gossip shadows"}],"severity_id":5,"status_id":99} {"count":43,"message":"carb fujitsu spots","status":"Success","time":1695676101376,"device":{"name":"experiments old guides","type":"Virtual","ip":"67.43.156.0","desc":"beta culture receiving","uid":"a845433c-5be7-11ee-8e93-0242ac110005","hostname":"australia.aero","image":{"name":"bank ftp newman","uid":"a84532d4-5be7-11ee-af3a-0242ac110005"},"groups":[{"name":"karaoke finnish coordination","desc":"blessed drive took","uid":"a8453b30-5be7-11ee-90d5-0242ac110005"},{"name":"briefs iii andy","type":"ireland arch trademark","uid":"a8453fc2-5be7-11ee-bd52-0242ac110005"}],"type_id":6,"instance_uid":"a84525fa-5be7-11ee-987a-0242ac110005","interface_name":"subsection get techno","interface_uid":"a8452b90-5be7-11ee-9db2-0242ac110005","network_interfaces":[{"name":"animals economy signals","type":"proven","ip":"175.16.199.1","hostname":"personalized.nato","mac":"30:29:E4:EE:B6:98:14:3A","type_id":99},{"name":"announces restaurants 
deposits","type":"Wired","ip":"224.61.168.94","hostname":"mitchell.nato","mac":"69:8D:D4:20:55:3A:43:D0","type_id":1}],"region":"propecia commonwealth equipment","last_seen_time_dt":"2023-09-25T21:08:21.374251Z"},"metadata":{"version":"1.0.0","product":{"name":"erotica ladies hero","version":"1.0.0","uid":"a844f346-5be7-11ee-a2c8-0242ac110005","feature":{"name":"mess const microwave","version":"1.0.0","uid":"a8450084-5be7-11ee-93f7-0242ac110005"},"lang":"en","url_string":"washer","vendor_name":"feelings tide perry"},"profiles":["cloud","container","datetime","host","security_control"],"log_name":"cleaners villa historic","log_provider":"immediately accused charlie","logged_time":1695676101375,"original_time":"medline prospect ict"},"severity":"electrical","url":{"port":23624,"scheme":"yoga thesaurus regardless","path":"flows affiliation global","hostname":"sage.mil","query_string":"mattress betting covers","category_ids":[49,54],"url_string":"vocal"},"duration":2,"disposition":"Delayed","type_name":"Email URL Activity: Receive","activity_id":2,"disposition_id":14,"type_uid":401202,"category_name":"Network Activity","class_uid":4012,"category_uid":4,"class_name":"Email URL Activity","timezone_offset":34,"activity_name":"Receive","cloud":{"account":{"name":"bubble prototype interstate","type":"Azure AD Account","uid":"a844c1f0-5be7-11ee-83dc-0242ac110005","type_id":6},"provider":"indicated electro washer","region":"crucial mysimon exit"},"email_uid":"a8450be2-5be7-11ee-bf7c-0242ac110005","severity_id":99,"status_detail":"released oxygen reasonable","status_id":1} {"actor":{"process":{"pid":55,"file":{"name":"demonstrates.xlsx","size":1700247011,"type":"Character Device","path":"simpson alice serum/loud.key/demonstrates.xlsx","desc":"suits peru therapist","type_id":3,"accessor":{"name":"Dinner","type":"User","uid":"8241051e-4ff6-11ef-8c1c-0242ac110005","type_id":1,"uid_alt":"tiny democrats 
map"},"creator":{"name":"Clock","type":"System","uid":"824111ee-4ff6-11ef-80d5-0242ac110005","type_id":3,"email_addr":"Clelia@servers.arpa"},"parent_folder":"simpson alice serum/loud.key","confidentiality":"Not Confidential","confidentiality_id":1,"hashes":[{"value":"866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9","algorithm":"SHA-512","algorithm_id":4},{"value":"9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C","algorithm":"CTPH","algorithm_id":5}]},"uid":"82411bb2-4ff6-11ef-a29d-0242ac110005","cmd_line":"composer oriented salt","container":{"name":"essential service beverage","size":3850921168,"uid":"8241251c-4ff6-11ef-bfb4-0242ac110005","image":{"name":"ports ide john","uid":"82412df0-4ff6-11ef-bb20-0242ac110005"},"hash":{"value":"FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16","algorithm":"magic","algorithm_id":99}},"created_time":1722510563763413,"namespace_pid":26,"parent_process":{"name":"Peripheral","file":{"name":"ebook.xls","type":"Named Pipe","path":"sheffield specs folks/ab.dll/ebook.xls","uid":"824151a4-4ff6-11ef-baa0-0242ac110005","type_id":6,"accessor":{"name":"Mp","type":"Admin","uid":"82415dc0-4ff6-11ef-8589-0242ac110005","type_id":2},"creator":{"name":"Contemporary","type":"User","uid":"82416b62-4ff6-11ef-bb14-0242ac110005","groups":[{"name":"differences rachel activity","uid":"824174ea-4ff6-11ef-858b-0242ac110005"},{"name":"philips facility sure","desc":"richardson silly malpractice"}],"type_id":1,"credential_uid":"82417bf2-4ff6-11ef-9b27-0242ac110005"},"parent_folder":"sheffield specs folks/ab.dll","confidentiality":"ws rage 
bedford","hashes":[{"value":"8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6","algorithm":"TLSH","algorithm_id":6},{"value":"8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B","algorithm":"magic","algorithm_id":99}],"xattributes":{},"accessed_time_dt":"2024-08-01T11:09:23.765455Z"},"user":{"type":"System","uid":"82418dcc-4ff6-11ef-ad9d-0242ac110005","groups":[{"name":"minneapolis listen accounts","uid":"82419740-4ff6-11ef-8605-0242ac110005"},{"name":"convert temporal sees","type":"pointer launch particle","uid":"82419e0c-4ff6-11ef-a40e-0242ac110005"}],"type_id":3,"account":{"name":"person catalogs assembled","type":"AWS IAM Role","uid":"8241a78a-4ff6-11ef-a514-0242ac110005","type_id":4},"email_addr":"Mabel@appointment.cat"},"group":{"name":"crisis vulnerable challenge","desc":"understand charlie shorts"},"tid":31,"uid":"8241b414-4ff6-11ef-942e-0242ac110005","cmd_line":"scientist discover md","container":{"name":"basement canada const","size":3047246820,"uid":"8241bd6a-4ff6-11ef-b2aa-0242ac110005","image":{"uid":"8241c562-4ff6-11ef-8fe7-0242ac110005"},"orchestrator":"leslie contribute pixel"},"created_time":1722510563767250,"namespace_pid":1,"parent_process":{"name":"Racks","pid":74,"file":{"name":"lightning.htm","type":"valve","path":"deer oils respected/blood.ico/lightning.htm","desc":"differently maldives brand","product":{"name":"relevant adaptation midwest","version":"1.1.0","lang":"en","vendor_name":"eclipse korean ghost"},"type_id":99,"accessor":{"name":"Request","type":"Admin","uid":"8241ede4-4ff6-11ef-acc4-0242ac110005","groups":[{"name":"well characterization holocaust","uid":"82421e4a-4ff6-11ef-8980-0242ac110005"},{"name":"levitra against glen"}],"type_id":2},"parent_folder":"deer oils respected/blood.ico","confidentiality":"median twelve 
ha","created_time":1722510563769556,"hashes":[{"value":"06B04AF04D46617C543D3B3E00B99E504838DD15737ADA44AD4294FDDDAFF6D9585FAC5FD5DFA5754AEB22DC9103B558FAB9AF00B6CA8EB2A9D69B81032A20DD","algorithm":"Unknown","algorithm_id":0},{"value":"7076AC494351B52696279B3745D5340FC3AFD5121F4D18647E4A29796EEFD6C57363BC0ACDEC4D9552DDA8D642B25D9B81BC08AEBF9B01A05F288053FB1AEB98","algorithm":"quickXorHash","algorithm_id":7}],"created_time_dt":"2024-08-01T11:09:23.769628Z"},"user":{"name":"Prep","type":"Unknown","uid":"82422f2a-4ff6-11ef-8418-0242ac110005","type_id":0},"group":{"name":"bet dictionaries peace"},"uid":"82423a2e-4ff6-11ef-ac30-0242ac110005","cmd_line":"checking yeast mark","container":{"name":"ireland subcommittee falling","size":1936688053,"uid":"82424474-4ff6-11ef-82f8-0242ac110005","image":{"name":"write paper recognized","uid":"82424de8-4ff6-11ef-8d6b-0242ac110005"},"hash":{"value":"D74C708F707DAB0C2242DD6D42285F3C7EE4E2A184638F20C51CBA94CBA1FC8712D9EC20451FFE4C09C4E3660F8F154D048927419E81E2A55F1ABFDCCF4F767B","algorithm":"quickXorHash","algorithm_id":7},"pod_uuid":"blues"},"created_time":1722510563770786,"parent_process":{"name":"Chile","pid":51,"file":{"name":"eyed.csr","owner":{"name":"Recent","type":"User","uid":"82426be8-4ff6-11ef-807f-0242ac110005","type_id":1,"uid_alt":"affiliation locks chance"},"type":"Regular File","path":"michigan prague acting/perfume.cer/eyed.csr","product":{"name":"classics problem furnished","version":"1.1.0","uid":"82427804-4ff6-11ef-92e9-0242ac110005","vendor_name":"mathematical chat duration"},"type_id":1,"accessor":{"name":"Reducing","type":"Admin","uid":"82428894-4ff6-11ef-aa8a-0242ac110005","type_id":2},"parent_folder":"michigan prague acting/perfume.cer","confidentiality":"coach","confidentiality_id":99,"hashes":[{"value":"44C87B3E980B5D5906C47A44899C53ECEAA127EF07D4DADDC5BEEB648A5EBD979F5D54C7002601E0148D642C58F1AFF229C9C50C02365ED263295529F74A9AB2","algorithm":"SHA-512","algorithm_id":4}],"security_descriptor":"hamilton 
samsung subsidiary"},"user":{"name":"Fitted","type":"Admin","uid":"82429a96-4ff6-11ef-ac59-0242ac110005","type_id":2},"group":{"name":"lightbox lay brad","uid":"8242f608-4ff6-11ef-aea1-0242ac110005"},"uid":"8242ff90-4ff6-11ef-b85f-0242ac110005","cmd_line":"fixed marketing wear","container":{"name":"disagree replied romania","size":940803910,"uid":"82430aa8-4ff6-11ef-83eb-0242ac110005","image":{"name":"venice shipment thursday","tag":"worst lamb depends","uid":"8243169c-4ff6-11ef-9bd9-0242ac110005"},"orchestrator":"syndrome permissions shark"},"created_time":1722510563775908,"integrity":"tired random grown","namespace_pid":4,"parent_process":{"pid":17,"file":{"name":"freedom.bat","owner":{"name":"Lake","type":"Unknown","type_id":0,"credential_uid":"82433334-4ff6-11ef-9df3-0242ac110005"},"type":"Symbolic Link","path":"ko phantom flights/ground.dtd/freedom.bat","desc":"beatles collar exposure","product":{"name":"gave thomson circumstances","uid":"82433e6a-4ff6-11ef-8379-0242ac110005","url_string":"copyrights","vendor_name":"poetry lived fy"},"uid":"82434784-4ff6-11ef-98ca-0242ac110005","type_id":7,"mime_type":"law/apparent","parent_folder":"ko phantom flights/ground.dtd","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"CD0EE6AF5EAA1C114A915FA7096E3060AE27D1892461BFA5EE7896B183FC87987940FD470777B47DC0709EED93E2EBCED33B3D3E0C4870660C470F1D1DCCDD45","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false,"xattributes":{}},"user":{"name":"Ak","type":"System","domain":"km msgid creek","uid":"82436e80-4ff6-11ef-b543-0242ac110005","type_id":3,"credential_uid":"824374de-4ff6-11ef-a10e-0242ac110005"},"group":{"name":"via capabilities manufacturing","uid":"82437e84-4ff6-11ef-a820-0242ac110005","privileges":["tv glasses retrieval"]},"uid":"824384d8-4ff6-11ef-8982-0242ac110005","cmd_line":"smile builders sanyo","container":{"name":"arrange lips hoped","size":3752277430,"uid":"82438e24-4ff6-11ef-9a2b-0242ac110005","image":{"name":"surfing harvest 
additionally","tag":"instrumentation mi dim","uid":"82439680-4ff6-11ef-b7fa-0242ac110005"},"hash":{"value":"37F2759ED75FB07B29E4F1A5A51072ADD7EC16769903AAA33DBBA5DEA773A7E3CBA90D3152ADBA24BF6E54372233D78D69D964F32AC2E3973C91C1FAB5D51B26","algorithm":"SHA-512","algorithm_id":4}},"created_time":1722510563779192,"namespace_pid":23,"parent_process":{"name":"Miles","pid":44,"file":{"name":"naturally.dmp","type":"apparently","version":"1.1.0","path":"eligible terms landscapes/those.accdb/naturally.dmp","product":{"name":"viruses dancing dirty","version":"1.1.0","uid":"8243ae0e-4ff6-11ef-9d4a-0242ac110005","lang":"en","vendor_name":"ricky junk daniel"},"type_id":99,"accessor":{"name":"Profiles","type":"hall","uid":"8243c31c-4ff6-11ef-b7ce-0242ac110005","type_id":99,"email_addr":"Benita@instrument.com","uid_alt":"zope unsubscribe be"},"parent_folder":"eligible terms landscapes/those.accdb","hashes":[{"value":"75017A36EC07FD4C377A0D2A011400AB193E61DB","algorithm":"SHA-1","algorithm_id":2}],"created_time_dt":"2024-08-01T11:09:23.780361Z","modified_time_dt":"2024-08-01T11:09:23.780372Z"},"user":{"name":"Translated","type":"User","uid":"8243ea5e-4ff6-11ef-af0a-0242ac110005","type_id":1,"full_name":"Bronwyn Kandi"},"group":{"name":"secure escape dui","type":"vault vocational aerospace","uid":"8243f65c-4ff6-11ef-a514-0242ac110005","privileges":["doug producing distributor","discover uri conscious"]},"uid":"8243fda0-4ff6-11ef-9876-0242ac110005","cmd_line":"compiler homework usually","container":{"name":"vietnamese sixth good","runtime":"paragraph pizza ing","size":3917616377,"uid":"82440a5c-4ff6-11ef-ad41-0242ac110005","image":{"name":"pr request boy","uid":"824413e4-4ff6-11ef-bb4f-0242ac110005"},"hash":{"value":"818853F7CD4B4D46AD3612755274DC4BE0689988A1BDBC0D8A5F54BA585D7FA5","algorithm":"SHA-256","algorithm_id":3},"orchestrator":"maintain cargo 
awarded"},"terminated_time":1722510563782421}},"terminated_time":1722510563782432,"euid":44,"egid":29,"created_time_dt":"2024-08-01T11:09:23.782438Z","terminated_time_dt":"2024-08-01T11:09:23.782445Z"},"terminated_time":1722510563782452,"auid":78,"terminated_time_dt":"2024-08-01T11:09:23.782458Z"},"euid":21,"created_time_dt":"2024-08-01T11:09:23.782465Z","terminated_time_dt":"2024-08-01T11:09:23.782471Z"},"euid":20},"user":{"name":"Villa","type":"seek","uid":"824425be-4ff6-11ef-8b9f-0242ac110005","org":{"name":"replied reservation circles","uid":"82442fdc-4ff6-11ef-b680-0242ac110005","ou_name":"dale halloween convenience"},"type_id":99,"uid_alt":"trout americans substance"}},"activity_name":"Client Synchronization","action":"Denied","proxy_endpoint":{"name":"resources contracts treasury","port":32431,"type":"Hub","ip":"175.16.199.0","hostname":"fashion.aero","uid":"8240c996-4ff6-11ef-a9b6-0242ac110005","mac":"AA:9E:EF:FA:F6:8C:22:78","type_id":11,"container":{"name":"actions bullet populations","size":1551677878,"uid":"8240d5bc-4ff6-11ef-8e32-0242ac110005","image":{"name":"jewish rating housewives","uid":"8240de40-4ff6-11ef-8dac-0242ac110005"},"hash":{"value":"428AC4813390324C88145AE1CB67084A8DA3386B","algorithm":"SHA-1","algorithm_id":2},"network_driver":"midi florists tired","orchestrator":"contract girl traditional"},"instance_uid":"8240e746-4ff6-11ef-a2e6-0242ac110005","interface_name":"bring ana ex","namespace_pid":71,"svc_name":"democratic benefits supplier"},"stratum_id":16,"severity":"indirect","category_name":"Network Activity","message":"c attended regulated","class_uid":4013,"severity_id":99,"version":"1.1.0","proxy_connection_info":{"uid":"8240bb40-4ff6-11ef-9482-0242ac110005","direction":"commodity","direction_id":99,"protocol_num":62,"protocol_ver":"Internet Protocol version 4 (IPv4)","protocol_ver_id":4},"time":1722510563760083,"precision":47,"device":{"name":"keyboards sudan 
tp","type":"Unknown","ip":"216.160.83.56","location":{"desc":"Guadeloupe","city":"Vic screenshot","country":"GP","coordinates":[22.1588,28.2006],"continent":"North America"},"hostname":"teeth.nato","image":{"uid":"8240911a-4ff6-11ef-a984-0242ac110005","labels":["microsoft"]},"type_id":0,"subnet":"38.80.125.0/24","container":{"name":"hormone investigated performances","size":793369097,"uid":"82409b10-4ff6-11ef-b701-0242ac110005","image":{"name":"distance beautifully maximum","tag":"passed contribution studied","uid":"8240a3d0-4ff6-11ef-be39-0242ac110005"},"hash":{"value":"CB553813B87B309D428B27D4E5A9457DCAD28C846E4C0EFAB7A1A8FA2345B199","algorithm":"magic","algorithm_id":99},"orchestrator":"genes thick degree"},"created_time":1722510563758738,"instance_uid":"8240879c-4ff6-11ef-af64-0242ac110005","interface_name":"abstracts cj highs","interface_uid":"8240ade4-4ff6-11ef-b741-0242ac110005","is_managed":false,"namespace_pid":56,"region":"painful lifetime significant","vlan_uid":"824080b2-4ff6-11ef-a395-0242ac110005"},"observables":[{"name":"logged nasdaq hosts","type":"Hash","type_id":8},{"name":"trading friends request","type":"gentle","type_id":99}],"type_name":"NTP Activity: Client Synchronization","type_uid":401303,"src_endpoint":{"name":"brandon attacked blonde","port":23430,"type":"Virtual","ip":"89.160.20.128","location":{"desc":"Macao, Special Administrative Region of China","city":"Death stars","country":"MO","coordinates":[-54.8511,61.8154],"continent":"Asia"},"hostname":"sacrifice.jobs","uid":"82403698-4ff6-11ef-bb82-0242ac110005","type_id":6,"container":{"name":"variety summary focused","size":1038161419,"uid":"824041c4-4ff6-11ef-916a-0242ac110005","image":{"name":"toddler yahoo 
dressing","uid":"82405042-4ff6-11ef-9809-0242ac110005"},"hash":{"value":"FEA9B0C8FDA936ECB33171CEBCAB7B574A0BD1A0A1D6B08474F8E20388709CAA28CB19DD8A53F0238CDD07712528D0AC7DE36988DE03147B1524257D6C190823","algorithm":"SHA-512","algorithm_id":4}},"instance_uid":"8240592a-4ff6-11ef-a917-0242ac110005","interface_name":"bobby machines drink","interface_uid":"82405fb0-4ff6-11ef-8580-0242ac110005","namespace_pid":19,"vpc_uid":"824065c8-4ff6-11ef-83f7-0242ac110005","zone":"admitted freebsd lazy"},"metadata":{"version":"1.1.0","product":{"name":"raising sodium preliminary","version":"1.1.0","uid":"82400ab0-4ff6-11ef-abab-0242ac110005","cpe_name":"skilled ru contributions","url_string":"mad","vendor_name":"answer probe affiliation"},"labels":["martin","lil"],"log_level":"recovered device retail","sequence":44,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"planets van wine","log_provider":"execute lite utah","original_time":"fairy affecting agricultural","tenant_uid":"8240179e-4ff6-11ef-b399-0242ac110005","processed_time_dt":"2024-08-01T11:09:23.756232Z"},"activity_id":3,"proxy_tls":{"version":"1.1.0","key_length":36,"cipher":"cent memories rochester","sni":"identification vincent breakfast","certificate_chain":["pack menu plot"],"ja3_hash":{"value":"AC725768466500046904D27B548D75C5","algorithm":"MD5","algorithm_id":1},"ja3s_hash":{"value":"FF1E2DBC60149EBF225BBC13B2E100CEC2DF9FE5A8024345B354723618C4A4B74622930D7ED086F5B727F66E3E617E0DA4E39B3BFB4B67378F600594D2C05396","algorithm":"Unknown","algorithm_id":0},"tls_extension_list":[{"data":"recruitment","type":"server_name","type_id":0}]},"stratum":"Unsynchronized","count":97,"status":"Success","connection_info":{"direction":"Lateral","direction_id":3,"protocol_num":24,"protocol_ver":"1"},"proxy_traffic":{"packets":3436547282},"timezone_offset":59,"category_uid":4,"proxy_http_response":{"code":84,"status":"accident around 
gamespot","http_headers":[{"name":"valid involving problem","value":"swiss navigator focused"}]},"cloud":{"account":{"name":"diet services amazon","type":"Linux Account","uid":"823f3676-4ff6-11ef-87ce-0242ac110005","type_id":9},"provider":"son fits additions","region":"stick aurora admission"},"dst_endpoint":{"name":"foul coming meetings","port":26803,"type":"Virtual","ip":"67.43.156.0","hostname":"sporting.edu","uid":"823eaf30-4ff6-11ef-9671-0242ac110005","type_id":6,"container":{"name":"fisher invite serial","size":480391375,"uid":"823eb962-4ff6-11ef-b477-0242ac110005","image":{"name":"scientific isa thrown","path":"isbn phones proof","uid":"823ec95c-4ff6-11ef-9378-0242ac110005","labels":["oc","inside"]},"hash":{"value":"0A2D96EB4F44895D58B6441A0129F11199AB967C178305172B83A039B4E6D41287DD945B3BCB4937343A8E4ECB95E4A9C84B495FF73B7F404EC88A0A0FA286F3","algorithm":"Unknown","algorithm_id":0}},"interface_name":"active rc saying","interface_uid":"823ed398-4ff6-11ef-9896-0242ac110005","intermediate_ips":["81.2.69.142","81.2.69.144"],"namespace_pid":38,"svc_name":"cyber influence simon","vpc_uid":"823edb22-4ff6-11ef-bd25-0242ac110005"},"action_id":2,"authorizations":[{},{}],"load_balancer":{"code":47,"name":"threats invoice popularity","uid":"823df61c-4ff6-11ef-a0b1-0242ac110005","dst_endpoint":{"name":"aspect attempted credit","port":42720,"type":"Laptop","ip":"31.13.253.50","hostname":"brake.jobs","uid":"823e06ac-4ff6-11ef-949d-0242ac110005","type_id":3,"container":{"name":"allowed entered philippines","size":4007710700,"tag":"items preservation orleans","uid":"823e1200-4ff6-11ef-833f-0242ac110005","image":{"name":"repairs opposed condos","tag":"melissa post courage","path":"circulation franklin 
everybody","uid":"823e1c46-4ff6-11ef-a5a8-0242ac110005"},"hash":{"value":"5733974066CC8F9646E6E1E170DB95F2B5D0E7DCDADF8A62A35EB47B61FCE172316B9A40AFD4FC58EC1B104C1DB4D1E2F0858866EDF563DE649A755940BCD18C","algorithm":"CTPH","algorithm_id":5}},"instance_uid":"823e25ec-4ff6-11ef-8a0b-0242ac110005","interface_name":"adelaide hewlett housewives","interface_uid":"823e2c9a-4ff6-11ef-9dc6-0242ac110005","namespace_pid":0,"svc_name":"layout radius connectors","vpc_uid":"823e3352-4ff6-11ef-8cdc-0242ac110005"},"endpoint_connections":[{"code":7,"network_endpoint":{"port":9631,"type":"Mobile","ip":"155.162.119.5","hostname":"principle.nato","uid":"823e6124-4ff6-11ef-83b0-0242ac110005","type_id":5,"hw_info":{"keyboard_info":{"ime":"mark least sean"},"ram_size":94,"serial_number":"invest spring distributors"},"instance_uid":"823e6bd8-4ff6-11ef-9050-0242ac110005","interface_name":"bouquet shorter node","interface_uid":"823e7290-4ff6-11ef-b82d-0242ac110005","svc_name":"surfing lynn leonard"}},{"code":95,"network_endpoint":{"name":"ambien thermal advance","port":58409,"type":"Browser","ip":"102.249.60.133","hostname":"ranging.pro","type_id":8,"container":{"name":"cad xanax businesses","size":2100136552,"uid":"823e83fc-4ff6-11ef-9497-0242ac110005","image":{"name":"usda ian manitoba","uid":"823e8d8e-4ff6-11ef-ae19-0242ac110005"},"orchestrator":"control flame phrases"},"instance_uid":"823e94a0-4ff6-11ef-bdd0-0242ac110005","interface_name":"platform boat nav","interface_uid":"823e9f2c-4ff6-11ef-8022-0242ac110005","namespace_pid":32,"svc_name":"intention currency persons","zone":"beverly fm stage"}}]},"class_name":"NTP Activity","status_id":1}
+{"message":"andale freely producers","status":"Success","time":1723455177274626,"metadata":{"version":"1.1.0","product":{"name":"sunshine lopez dimension","version":"1.1.0","path":"correctly was books","uid":"dbc81042-588d-11ef-aff0-0242ac110005","vendor_name":"common posting 
displayed"},"uid":"dbc818a8-588d-11ef-aa74-0242ac110005","profiles":[],"event_code":"cats","log_name":"queen lexmark honolulu","log_provider":"technique wc mountains","modified_time":1723455177273194,"original_time":"china compact prototype","tenant_uid":"dbc8214a-588d-11ef-8173-0242ac110005"},"severity":"Medium","email":{"size":3113926462,"uid":"dbc8706e-588d-11ef-af1b-0242ac110005","from":"Francoise@audi.museum","cc":["Loren@receivers.info","Madeline@sue.net"],"to":["Lizzie@keyword.net"],"message_uid":"dbc878de-588d-11ef-9c86-0242ac110005","reply_to":"Twana@optimization.aero","smtp_from":"Shenita@endangered.jobs","smtp_to":["Lydia@or.gov","Malena@writing.firm"]},"direction":"Inbound","type_uid":1046489335,"category_name":"Network Activity","class_uid":4009,"category_uid":4,"class_name":"Email Activity","timezone_offset":29,"activity_name":"sense cheat builder","direction_id":1,"email_auth":{"dkim":"asbestos equal pass","dkim_domain":"gibraltar res hip","dkim_signature":"phys coordinate pointing","dmarc":"bulk stud occasion","dmarc_override":"specification adobe dam","dmarc_policy":"oem over educated"},"enrichments":[{"data":{"healthcare":"hddhj"},"name":"dip follow theta","type":"eastern eleven ratio","value":"yards playstation passwords","provider":"belkin humanity vid"},{"data":"ja","name":"lang advertise sharp","type":"croatia housewives wan","value":"thumb routing firms","provider":"determining delay team"}],"severity_id":3,"smtp_hello":"isbn purposes yea","src_endpoint":{"name":"vietnam chamber rational","port":59948,"ip":"67.43.156.0","hostname":"while.mobi","uid":"dbc831da-588d-11ef-8bc6-0242ac110005","hw_info":{"bios_manufacturer":"restricted while suspension","cpu_count":98,"keyboard_info":null,"ram_size":54,"serial_number":"ps lol launched"},"instance_uid":"dbc83cde-588d-11ef-8ecb-0242ac110005","interface_name":"buses variation russia","interface_uid":"dbc843f0-588d-11ef-8f5a-0242ac110005","svc_name":"drunk m 
week","vlan_uid":"dbc84ae4-588d-11ef-89b1-0242ac110005","vpc_uid":"dbc85138-588d-11ef-bcda-0242ac110005"},"status_detail":"croatia ks compile","status_id":1}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
index ca075c74cd85..055845831cbd 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
@@ -2374,7 +2374,7 @@
 "/ourselves/lynn/gpl/helped/narrow.tga"
 ],
 "namespace_pid": 97,
- "parent_process_keyword": "{container={uid=849829cc-5be7-11ee-bb7a-0242ac110005, size=2387392206, name=kg sources houses, pod_uuid=kiss, runtime=kate through furniture, hash={value=6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6, algorithm_id=3, algorithm=SHA-256}}, lineage=[attraction cord adjustment, announcements summer introduce], created_time=1695676041517, namespace_pid=49, sandbox=species tourism system, pid=26, parent_process={container={uid=84985df2-5be7-11ee-be06-0242ac110005, size=3179758248, name=hunt indicating radiation, tag=reader prevention as, hash={value=666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C, algorithm_id=6, algorithm=TLSH}}, uid=8498530c-5be7-11ee-86f3-0242ac110005, created_time=1695676041527, file={path=conflicts disability citysearch/ieee.dtd/seq.wpd, created_time=1695676041520845, parent_folder=conflicts disability citysearch/ieee.dtd, confidentiality_id=0, type_id=3, modifier={uid=84984362-5be7-11ee-af2c-0242ac110005, type_id=2, name=Officer, type=Admin}, confidentiality=Unknown, name=seq.wpd, hashes=[{value=7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1, algorithm_id=5, algorithm=CTPH}, {value=1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358, algorithm_id=6, algorithm=TLSH}], type=Character Device}, cmd_line=creation defense carolina, namespace_pid=46, name=Jamie, pid=28, parent_process={container={uid=84989948-5be7-11ee-b4fb-0242ac110005, image={path=empirical precipitation builder, uid=84989f42-5be7-11ee-8820-0242ac110005, name=extending construction inkjet, labels=[golf, nov]}, size=2099983603, name=thongs routine an, hash={value=E7EFDA40B1C94805070CD9BF9638AE27, algorithm_id=1, 
algorithm=MD5}}, uid=84989376-5be7-11ee-9216-0242ac110005, created_time=1695676041523226, integrity=conspiracy unions allocated, file={uid=84987ae4-5be7-11ee-b247-0242ac110005, created_time=1695676042262, size=3504413585, signature={certificate={created_time=1695676041522, subject=shades bad tradition, expiration_time=1695676041526, created_time_dt=2023-09-25T21:07:21.521904Z, serial_number=files the parish, issuer=previous price thing, fingerprints=[{value=8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75, algorithm_id=4, algorithm=SHA-512}, {value=205D64FF9B580AADBF4829EC41DD4EF0, algorithm_id=1, algorithm=MD5}]}, algorithm_id=2, algorithm=RSA}, type_id=6, name=startup.3dm, hashes=[{value=60F202A3BE4EF214E24EA9D3555D194C, algorithm_id=1, algorithm=MD5}, {value=B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.522441Z, type=Named Pipe, version=1.0.0}, cmd_line=plan agents converter, name=Arbor, sandbox=keeps pour rent, pid=20, parent_process={container={uid=8498da2a-5be7-11ee-9d00-0242ac110005, image={uid=8498df20-5be7-11ee-8257-0242ac110005, name=version treating tall}, size=2697694450, name=warrior document workflow, pod_uuid=sas, hash={value=F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E, algorithm_id=6, algorithm=TLSH}}, uid=8498d430-5be7-11ee-b1bf-0242ac110005, created_time=1695676041523, integrity=aviation blame tion, file={path=roger economy macro/mesh.gadget/considerations.jar, created_time=1695676041524, parent_folder=roger economy macro/mesh.gadget, mime_type=star/flyer, type_id=5, name=considerations.jar, accessor={uid=8498c030-5be7-11ee-80d9-0242ac110005, full_name=Twyla Cherise, email_addr=Shin@cause.mobi, type_id=2, name=Wildlife, 
uid_alt=excellent far varied, type=Admin}, hashes=[{value=707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D, algorithm_id=5, algorithm=CTPH}, {value=6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2, algorithm_id=5, algorithm=CTPH}], type=Local Socket}, cmd_line=sixth pc peoples, namespace_pid=76, name=Processes, pid=49, parent_process={container={uid=84993ce0-5be7-11ee-8a18-0242ac110005, image={uid=849944f6-5be7-11ee-bc62-0242ac110005, tag=vocal trim jon}, size=2257875576, name=acquired minority slip}, uid=8499377c-5be7-11ee-9164-0242ac110005, file={owner={uid=849901e4-5be7-11ee-bfe1-0242ac110005, full_name=Blythe Jamie, type_id=99, name=Enquiry, type=minneapolis}, is_system=false, signature={certificate={created_time=1695676041526, subject=strap liz boulder, expiration_time=1695676045872, serial_number=approaches symbol assembly, version=1.0.0, issuer=everybody brunei disciplinary, fingerprints=[{value=9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2, algorithm_id=5, algorithm=CTPH}, {value=3DE877DDFB06DB510E63893D98DDAC9524696C14, algorithm_id=2, algorithm=SHA-1}]}, created_time_dt=2023-09-25T21:07:21.526203Z, developer_uid=84991526-5be7-11ee-a2ca-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=99, confidentiality=suburban ati mostly, modified_time_dt=2023-09-25T21:07:21.526727Z, type=charged, path=const foreign pressed/among.ged/pic.vcd, uid=84992264-5be7-11ee-8071-0242ac110005, parent_folder=const foreign pressed/among.ged, name=pic.vcd, hashes=[{value=00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802, algorithm_id=0, algorithm=Unknown}], created_time_dt=2023-09-25T21:07:21.526737Z, accessed_time=1695676041556}, namespace_pid=29, name=Job, 
pid=86, parent_process={container={uid=84996db4-5be7-11ee-bada-0242ac110005, image={uid=849984fc-5be7-11ee-af4c-0242ac110005, name=adipex into polo}, size=797071549, name=deutschland pic newcastle, hash={value=82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF, algorithm_id=3, algorithm=SHA-256}}, lineage=[familiar privilege canvas], uid=84996800-5be7-11ee-8754-0242ac110005, created_time=1695676041528, file={path=architectural pink phil/overview.dtd/tuner.pdb, parent_folder=architectural pink phil/overview.dtd, type_id=6, name=tuner.pdb, hashes=[{value=44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19, algorithm_id=7, algorithm=quickXorHash}, {value=C25DDA249CDECE9D908CC33ADCD16AA05E20290F, algorithm_id=2, algorithm=SHA-1}], type=Named Pipe, version=1.0.0, xattributes={}}, cmd_line=brush bouquet alto, namespace_pid=23, pid=67, parent_process={container={uid=8499d164-5be7-11ee-a7e8-0242ac110005, image={uid=8499d704-5be7-11ee-b617-0242ac110005, name=robert through mailing, tag=struggle gerald weather}, network_driver=catch sun general, orchestrator=sf varieties queries, size=1048383191, name=france sg charger, tag=deserve focused select, hash={value=6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC, algorithm_id=6, algorithm=TLSH}}, uid=8499bc88-5be7-11ee-b028-0242ac110005, created_time=1695676041539, integrity=faculty hardcover generated, file={owner={uid=84999e10-5be7-11ee-914b-0242ac110005, email_addr=Pamelia@directed.com, type_id=1, name=Friend, type=User}, path=fish largest alberta/solutions.deskthemepack/spirit.max, parent_folder=fish largest alberta/solutions.deskthemepack, type_id=1, name=spirit.max, hashes=[{value=718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549, algorithm_id=5, algorithm=CTPH}, 
{value=D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88, algorithm_id=0, algorithm=Unknown}], attributes=83, type=Regular File, version=1.0.0, desc=escape steady bow}, cmd_line=in blowing memorial, session={uid=8499ca0c-5be7-11ee-aae9-0242ac110005, created_time=1695676041534, expiration_time=1695676041542, is_remote=true}, namespace_pid=79, name=Cialis, pid=21, parent_process={container={uid=849a2420-5be7-11ee-94c5-0242ac110005, image={uid=849a32bc-5be7-11ee-86bb-0242ac110005, name=layers branch lucas, tag=nations chances trips}, size=1512724327, name=own drawing acute, hash={value=79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB, algorithm_id=6, algorithm=TLSH}}, lineage=[guru hosted bradley], created_time=1695676041533, namespace_pid=39, sandbox=moon exercise starring, pid=90, parent_process={container={uid=849a646c-5be7-11ee-90ce-0242ac110005, image={uid=849a6a66-5be7-11ee-95e4-0242ac110005, name=evaluating apartments disaster}, size=3702557326, name=apartment drunk amateur, hash={value=12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509, algorithm_id=0, algorithm=Unknown}}, uid=849a5d78-5be7-11ee-ac24-0242ac110005, created_time=1695676041535, file={is_system=false, confidentiality_id=2, type_id=5, confidentiality=Confidential, name=hunt.ppt, hashes=[{value=6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4, algorithm_id=7, algorithm=quickXorHash}, {value=B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153, algorithm_id=7, algorithm=quickXorHash}], attributes=22, modified_time_dt=2023-09-25T21:07:21.533963Z, type=Local Socket}, cmd_line=merchandise initiatives accessibility, 
namespace_pid=29, name=Bags, parent_process={container={uid=849aa490-5be7-11ee-bb98-0242ac110005, image={uid=849aaa9e-5be7-11ee-a47a-0242ac110005, name=evanescence plans courts, tag=buy archives predict}, name=distant modeling monaco, runtime=peace up sailing, hash={value=383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F, algorithm_id=3, algorithm=SHA-256}}, lineage=[lanka manufacture bra, gibson implementation pope], uid=849a9ed2-5be7-11ee-ae61-0242ac110005, created_time=1695676041539, integrity=bookings qc dictionaries, file={owner={uid=849a7ac4-5be7-11ee-a06d-0242ac110005, type_id=99, name=Asia, type=meetup}, path=interactions malta thoughts/laden.pdf/hardware.wma, parent_folder=interactions malta thoughts/laden.pdf, signature={digest={value=3188206324B062751CE36D4251C19C94, algorithm_id=1, algorithm=MD5}, algorithm_id=4, algorithm=Authenticode}, type_id=0, name=hardware.wma, hashes=[{value=6BD48B1E57856137037BFEE4DEC8D57F, algorithm_id=1, algorithm=MD5}], attributes=35, type=Unknown}, cmd_line=recordings countries slides, namespace_pid=6, name=Sen, pid=13, parent_process={container={uid=849aff08-5be7-11ee-80bd-0242ac110005, image={uid=849b1f7e-5be7-11ee-bb9d-0242ac110005, name=cross tray influenced, tag=afternoon counseling governance}, network_driver=slovakia friend username, size=191473515, name=author channel disappointed, hash={value=B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581, algorithm_id=7, algorithm=quickXorHash}}, uid=849adea6-5be7-11ee-aa53-0242ac110005, created_time=1695676041539630, file={path=jeff puts assignments/thing.msi/removal.obj, parent_folder=jeff puts assignments/thing.msi, type_id=6, security_descriptor=bureau myspace barrel, name=removal.obj, hashes=[{value=CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77, algorithm_id=99, algorithm=magic}], accessed_time=1695676041534, type=Named Pipe}, cmd_line=amount anywhere suffered, 
namespace_pid=49, name=Impacts, sandbox=romance volunteer entrepreneurs, pid=86, parent_process={lineage=[qualify insight reproduce, placing download tomato], uid=849b6dee-5be7-11ee-84f0-0242ac110005, created_time=1695676041593, file={path=let dawn representing/surrounding.dwg/human.pdb, product={uid=849b3fd6-5be7-11ee-83d2-0242ac110005, feature={uid=849b46a2-5be7-11ee-824d-0242ac110005, name=metric th alt, version=1.0.0}, name=heavy payroll timothy, vendor_name=rv brother vaccine, version=1.0.0}, parent_folder=let dawn representing/surrounding.dwg, modified_time=1695676041541, type_id=7, name=human.pdb, accessor={uid=849b52b4-5be7-11ee-863c-0242ac110005, type_id=3, name=Dragon, type=System, credential_uid=849b5b88-5be7-11ee-af7a-0242ac110005}, hashes=[{value=AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.541195Z, attributes=78, modified_time_dt=2023-09-25T21:07:21.541163Z, type=Symbolic Link}, cmd_line=techno now vid, namespace_pid=91, name=Sampling, sandbox=compounds s time, pid=71, parent_process={lineage=[tenant surveillance nature, securities joining bite], created_time=1695676041548, session={uid=849bd89c-5be7-11ee-bbae-0242ac110005, created_time=1695676041544, is_remote=true, issuer=mind file superior}, sandbox=facial gossip lopez, pid=41, parent_process={container={uid=849c059c-5be7-11ee-b620-0242ac110005, image={uid=849c105a-5be7-11ee-8337-0242ac110005, name=titten live cvs}, size=2006500672, name=anthony serial medline, hash={value=53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D, algorithm_id=6, algorithm=TLSH}}, created_time=1695676041542, namespace_pid=8, sandbox=upload stages deutsch, pid=74, parent_process={container={uid=849c6776-5be7-11ee-94b5-0242ac110005, image={uid=849c6d2a-5be7-11ee-a411-0242ac110005, 
name=capabilities huge hometown, labels=[mumbai]}, name=yahoo plains basically, hash={value=FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1, algorithm_id=6, algorithm=TLSH}}, uid=849c61f4-5be7-11ee-8006-0242ac110005, created_time=1695676041544, file={owner={uid=849c24fa-5be7-11ee-93d2-0242ac110005, email_addr=Suzan@communicate.coop, type_id=0, name=Sunny, type=Unknown}, is_system=false, product={uid=849c3e4a-5be7-11ee-80be-0242ac110005, name=pci invasion producers, vendor_name=australian payments crm, lang=en, version=1.0.0}, creator={uid=849c4b2e-5be7-11ee-9c0b-0242ac110005, org={ou_uid=849c5470-5be7-11ee-b89d-0242ac110005, uid=849c5060-5be7-11ee-b740-0242ac110005, name=reproductive balloon stanley, ou_name=pick rear governance}, type_id=99, domain=glass outlet lopez, groups=[{uid=849c5ae2-5be7-11ee-97a7-0242ac110005, name=suspected contributor counting, type=vacations wines biological}], type=selected}, signature={certificate={created_time=1695676041548, subject=microwave marriott okay, expiration_time=1695676041514, serial_number=windsor sponsor google, version=1.0.0, issuer=foundation review shaft, fingerprints=[{value=35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=3, algorithm=ECDSA}, type_id=2, confidentiality=Top Secret, accessor={full_name=Crysta Damaris, type_id=99, name=Class, uid_alt=linux has luis, type=pie, account={type_id=8, name=cards gratis necklace, type=Apple Account}}, type=Folder, version=1.0.0, path=nintendo smilies thank/ought.vb/revolution.vcf, parent_folder=nintendo smilies thank/ought.vb, confidentiality_id=4, company_name=Mckenzie Ardith, security_descriptor=recommended approve environment, name=revolution.vcf, 
hashes=[{value=1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E, algorithm_id=7, algorithm=quickXorHash}, {value=221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4, algorithm_id=6, algorithm=TLSH}], attributes=79}, cmd_line=arrangements makes handy, namespace_pid=13, pid=20, parent_process={container={uid=849cdd28-5be7-11ee-9250-0242ac110005, image={uid=849ce32c-5be7-11ee-b7a9-0242ac110005, name=audio miracle leader}, size=1224758347, name=hospitality walker vs, hash={value=A813ED16B0B3E58FA959C0BA26A47058, algorithm_id=1, algorithm=MD5}}, lineage=[achievement courage send, expansion instructional agreements], created_time=1695676041555, session={uid=849ccebe-5be7-11ee-a1ca-0242ac110005, created_time=1695676041550, expiration_time_dt=2023-09-25T21:07:21.550638Z, is_remote=false, issuer=volunteer meetings medline}, namespace_pid=62, sandbox=distributor workshops maldives, parent_process={container={uid=849d0e7e-5be7-11ee-a8e4-0242ac110005, image={uid=849d1342-5be7-11ee-a4ca-0242ac110005, name=charges fragrances complex}, network_driver=familiar movies legitimate, size=2138922450, name=develop affiliates required, pod_uuid=legally, hash={value=6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0, algorithm_id=4, algorithm=SHA-512}}, integrity=Unknown, file={product={name=external polar galaxy, vendor_name=hack infection generator, lang=en, version=1.0.0}, modified_time=1695676041500, mime_type=silicon/limousines, type_id=2, confidentiality=venue rl epa, name=flexible.vcxproj, hashes=[{value=2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC, algorithm_id=4, algorithm=SHA-512}, {value=256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C, 
algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.551631Z, type=Folder, xattributes={}}, cmd_line=challenges prompt cumulative, namespace_pid=2, name=Airfare, parent_process={container={uid=849d3caa-5be7-11ee-9fe6-0242ac110005, image={uid=849d468c-5be7-11ee-85e3-0242ac110005, labels=[responsibility]}, orchestrator=helpful pasta matthew, size=1820268463, name=cpu mission hacker, runtime=cables vanilla amendments, hash={value=0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D, algorithm_id=99, algorithm=magic}}, uid=849d308e-5be7-11ee-a5ad-0242ac110005, file={uid=849d2170-5be7-11ee-a637-0242ac110005, mime_type=will/executed, type_id=4, name=uzbekistan.jar, hashes=[{value=8A25185F3C5523EF3B08C1ECDD83016224863C95, algorithm_id=2, algorithm=SHA-1}, {value=6B9ED75DAE7A1E692073FC400B558EA4, algorithm_id=1, algorithm=MD5}], attributes=44, type=Block Device, xattributes={}}, cmd_line=reporter techno regarded, namespace_pid=84, name=Eternal, pid=76, parent_process={container={uid=849d7cce-5be7-11ee-80f3-0242ac110005, image={uid=849d83f4-5be7-11ee-8f40-0242ac110005, name=curtis burns park, labels=[fix]}, network_driver=surely assistance actively, size=1668291787, pod_uuid=gardening, hash={value=308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C, algorithm_id=0, algorithm=Unknown}}, uid=849d64dc-5be7-11ee-b02a-0242ac110005, created_time=1695676041553, integrity=System, file={created_time=1695676041554, type_id=0, confidentiality=Top Secret, type=Unknown, xattributes={}, path=slideshow configurations lens/nations.flv/titanium.avi, parent_folder=slideshow configurations lens/nations.flv, confidentiality_id=4, company_name=Frederica Hertha, name=titanium.avi, hashes=[{value=5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F, algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.554150Z, desc=closed hydraulic connecting}, name=Music, 
pid=28, parent_process={container={uid=849e031a-5be7-11ee-b55b-0242ac110005, image={path=hairy pixel time, uid=849e0ebe-5be7-11ee-8341-0242ac110005, name=bubble architects vancouver}, size=220440282, name=insight style ca, runtime=williams ng xhtml, hash={value=8876489CE00D6D9FDF61ED1C773F047E, algorithm_id=1, algorithm=MD5}}, lineage=[bk destinations est, whose playback congressional], created_time=1695676041558, file={path=venezuela flyer seller/os.kml/opening.vob, parent_folder=venezuela flyer seller/os.kml, modified_time=1695676041557, type_id=5, modifier={uid=849d94de-5be7-11ee-b30d-0242ac110005, full_name=Katheryn Kena, type_id=1, name=Infected, type=User}, security_descriptor=graham occupations become, name=opening.vob, accessor={uid=849da17c-5be7-11ee-9d3a-0242ac110005, type_id=99, name=Mine, type=fcc, account={uid=849dabd6-5be7-11ee-ba6a-0242ac110005, name=hourly toll disappointed}, credential_uid=849db838-5be7-11ee-8a18-0242ac110005}, hashes=[{value=599DCCE2998A6B40B1E38E8C6006CB0A, algorithm_id=1, algorithm=MD5}, {value=E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4, algorithm_id=6, algorithm=TLSH}], type=Local Socket}, cmd_line=pursuant proceed discussed, namespace_pid=54, name=Surprise, sandbox=final corporations performances, pid=50, parent_process={container={uid=849e509a-5be7-11ee-ad75-0242ac110005, image={uid=849e6972-5be7-11ee-b803-0242ac110005, name=committed plastic does}, network_driver=conduct linking lb, size=2559819198, name=priority mirrors although, runtime=rock relation block}, lineage=[desktop lakes moscow, barrel touch increasing], created_time=1695676041434, file={path=disc dividend incentives/crucial.wps/filled.mdb, product={path=costumes somewhat qui, uid=849e3088-5be7-11ee-8510-0242ac110005, name=michigan slight torture, vendor_name=franchise portland experiment, lang=en, version=1.0.0}, parent_folder=disc dividend incentives/crucial.wps, 
modified_time=1695676041563, size=2881440001, signature={certificate={created_time=1695676041558, subject=infectious replication lock, expiration_time=1695676041554, serial_number=durham graham course, version=1.0.0, issuer=worker attended mel, fingerprints=[{value=372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F, algorithm_id=99, algorithm=magic}]}, algorithm_id=0, algorithm=Unknown}, type_id=3, modifier={uid=849e2a2a-5be7-11ee-82b2-0242ac110005, type_id=0, domain=informational advisory mg, name=Constraints, type=Unknown}, name=filled.mdb, accessor={uid=849e39a2-5be7-11ee-b3b8-0242ac110005, full_name=Lorna Francisco, type_id=0, name=Intl, type=Unknown}, hashes=[{value=9471ED19416B8099E51855CB0EF61AE3, algorithm_id=1, algorithm=MD5}], type=Character Device}, cmd_line=peer rail specialist, namespace_pid=13, name=Courage, pid=5, parent_process={container={uid=849f0878-5be7-11ee-b335-0242ac110005, image={uid=849f1dc2-5be7-11ee-b432-0242ac110005, name=belfast interests activation}, size=903476370, name=missed foreign palmer, hash={value=7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1, algorithm_id=2, algorithm=SHA-1}}, uid=849f00ee-5be7-11ee-954b-0242ac110005, created_time=1695676041565, file={owner={uid=849e86dc-5be7-11ee-9b00-0242ac110005, org={ou_uid=849e9852-5be7-11ee-9c6a-0242ac110005, uid=849e8ff6-5be7-11ee-be3f-0242ac110005, name=syndication joseph realized, ou_name=advertise scored usr}, type_id=3, type=System}, path=patch attempting mf/nashville.dxf/metabolism.gadget, creator={uid=849edfe2-5be7-11ee-97f0-0242ac110005, email_addr=Myrta@of.cat, type_id=0, type=Unknown, account={uid=849ef310-5be7-11ee-b8e1-0242ac110005, type_id=5, name=workers observer lonely, type=GCP Account}}, parent_folder=patch attempting mf/nashville.dxf, accessed_time_dt=2023-09-25T21:07:21.564734Z, signature={certificate={created_time=1695676041504, subject=signals book follow, expiration_time=1695676041569, serial_number=termination vi limitation, version=1.0.0, issuer=database 
verse prince, fingerprints=[{value=6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98, algorithm_id=7, algorithm=quickXorHash}, {value=80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=3, algorithm=ECDSA}, type_id=3, name=metabolism.gadget, hashes=[{value=5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10, algorithm_id=6, algorithm=TLSH}, {value=C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B, algorithm_id=5, algorithm=CTPH}], type=Character Device}, cmd_line=institutes yes inputs, namespace_pid=44, name=Harley, created_time_dt=2023-09-25T21:07:21.565824Z, pid=38, user={full_name=Lyndsay Ricky, type_id=2, name=Referenced, type=Admin}, xattributes={}, terminated_time=1695676041566}, user={uid=849e4a46-5be7-11ee-bc81-0242ac110005, type_id=2, name=Motorcycle, type=Admin}}, user={uid=849debb4-5be7-11ee-bfac-0242ac110005, type_id=1, name=Simulations, type=User, account={uid=849df820-5be7-11ee-82f1-0242ac110005, type_id=2, type=Windows Account}, credential_uid=849dfc62-5be7-11ee-a9bc-0242ac110005}}, user={uid=849d60a4-5be7-11ee-98cb-0242ac110005, type_id=99, name=Be, type=types}, integrity_id=5}, user={uid=849d2c24-5be7-11ee-953d-0242ac110005, email_addr=Josefina@holders.museum, type_id=99, name=Manager, type=legs}, xattributes={}}, user={uid=849cfe70-5be7-11ee-b38b-0242ac110005, type_id=0, name=Track, type=Unknown, account={uid=849d0500-5be7-11ee-97bd-0242ac110005, type_id=3, name=strict manufactured invest, type=AWS IAM User}, credential_uid=849d08ca-5be7-11ee-bfe2-0242ac110005}, integrity_id=0}, uid=849cc522-5be7-11ee-aa87-0242ac110005, file={path=blend roommates closed/died.docx/world.jpg, is_system=true, 
parent_folder=blend roommates closed/died.docx, confidentiality_id=0, mime_type=engineer/habitat, type_id=4, modifier={uid=849c8878-5be7-11ee-98bd-0242ac110005, email_addr=Deloise@agreed.arpa, type_id=3, domain=ln resolved couple, name=Heritage, type=System}, confidentiality=Unknown, name=world.jpg, hashes=[{value=3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB, algorithm_id=3, algorithm=SHA-256}, {value=31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975, algorithm_id=6, algorithm=TLSH}], type=Block Device}, cmd_line=well absent shoe, name=Tell, loaded_modules=[/rev/amazon/casino/june/fails.bin, /credit/potential/lawsuit/clause/nine.bmp], user={uid=849ca4ca-5be7-11ee-b39c-0242ac110005, org={uid=849cb208-5be7-11ee-a4a6-0242ac110005, name=top riverside asthma, ou_name=stats dans soviet}, type_id=2, domain=our installing clinical, name=Weather, type=Admin, credential_uid=849cc0f4-5be7-11ee-9c36-0242ac110005}}}, xattributes={}, terminated_time_dt=2023-09-25T21:07:21.565891Z, integrity=High, file={path=suit who pics/arrange.torrent/moral.kmz, created_time=1695676041545, is_system=false, parent_folder=suit who pics/arrange.torrent, type_id=5, name=moral.kmz, accessor={uid=849bf00c-5be7-11ee-a0de-0242ac110005, type_id=0, domain=operates collectables presentations, name=Qualities, uid_alt=welsh constraints elimination, type=Unknown}, hashes=[{value=BADBDA50632954800C02D40EB49D1BEF8E5A883D, algorithm_id=2, algorithm=SHA-1}, {value=22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606, algorithm_id=7, algorithm=quickXorHash}], accessed_time=1695676044937, type=Local Socket}, cmd_line=remain weird municipal, name=Restore, created_time_dt=2023-09-25T21:07:21.565886Z, integrity_id=4}, tid=86, terminated_time_dt=2023-09-25T21:07:21.565908Z, terminated_time=1695676041561, uid=849bcfb4-5be7-11ee-b896-0242ac110005, 
integrity=written, file={is_system=true, product={uid=849b866c-5be7-11ee-a7ff-0242ac110005, feature={uid=849b9742-5be7-11ee-9904-0242ac110005, name=seminar automatic gui, version=1.0.0}, name=nights validity updated, vendor_name=favorite album ncaa, lang=en, version=1.0.0, url_string=however}, creator={full_name=Otelia Kori, org={uid=849bad9a-5be7-11ee-9fa0-0242ac110005, name=timing process palestinian, ou_name=step mouth drunk}, type_id=1, domain=neural fig colin, name=Tap, type=User}, signature={certificate={created_time=1695676041542, subject=annually ic quest, expiration_time=1695676041577, serial_number=distributed characters bin, version=1.0.0, issuer=cooperation worldcat southwest, fingerprints=[{value=A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9, algorithm_id=0, algorithm=Unknown}]}, created_time_dt=2023-09-25T21:07:21.542032Z, algorithm_id=0, algorithm=Unknown}, type_id=0, accessor={uid=849ba016-5be7-11ee-8738-0242ac110005, email_addr=Stormy@postcard.mobi, type_id=99, name=Xhtml, type=disabilities}, type=Unknown, path=designing designed kim/butts.crx/sunday.crdownload, parent_folder=designing designed kim/butts.crx, modified_time=1695676041546, size=1384349588, mime_type=talked/wishlist, name=sunday.crdownload, hashes=[{value=A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9, algorithm_id=6, algorithm=TLSH}]}, cmd_line=treatments proceeding assumed, name=Foundation, created_time_dt=2023-09-25T21:07:21.565904Z, loaded_modules=[/aims/hammer/duke/implementation/roland.jar, /illustration/reads/adaptation/ppc/footage.cab], user={uid=849bb81c-5be7-11ee-bbec-0242ac110005, email_addr=Reba@contemporary.mobi, type_id=0, name=Certain, groups=[{uid=849bbdee-5be7-11ee-95a2-0242ac110005, name=penn laundry woods, type=powerpoint jump hospitality, desc=twenty protection innovative}, 
{uid=849bc780-5be7-11ee-9955-0242ac110005}], uid_alt=technical critics nationally, type=Unknown}, integrity_id=99}, user={uid=849b6916-5be7-11ee-a01e-0242ac110005, email_addr=Yelena@communities.nato, type_id=1, domain=lexmark refers dylan, name=Particles, type=User}, terminated_time=1695676041567}, user={uid=849abe76-5be7-11ee-a5a1-0242ac110005, full_name=Paul Julian, org={uid=849accae-5be7-11ee-af7b-0242ac110005, name=nyc kidney drawings}, type_id=2, domain=statistical poland gregory, name=Alliance, groups=[{uid=849ad5fa-5be7-11ee-a0e9-0242ac110005, privileges=[flashing aol autumn], name=accessed thanks instructions, desc=luggage species belkin}, {uid=849ada50-5be7-11ee-824e-0242ac110005, privileges=[sodium believed housing, incorporated jungle asian], name=cognitive times agent}], type=Admin}}, user={uid=849a900e-5be7-11ee-9894-0242ac110005, full_name=Marisela Towanda, email_addr=Wava@promises.info, type_id=3, name=Round, type=System, account={uid=849a9702-5be7-11ee-9f5d-0242ac110005, type_id=1, name=fragrances bulk specialty, type=LDAP Account}, credential_uid=849a9afe-5be7-11ee-b27a-0242ac110005}}, user={uid=849a52ce-5be7-11ee-a468-0242ac110005, full_name=Elisa Cleora, type_id=99, name=Sisters, type=rebound}, xattributes={}}, terminated_time=1695676041562, uid=849a1af2-5be7-11ee-82a9-0242ac110005, file={owner={type_id=1, name=Welcome, type=User, account={uid=8499eb2c-5be7-11ee-86b7-0242ac110005, type_id=7, name=discs outlets general, type=Mac OS Account}}, path=ralph tales librarian/simpsons.psd/premises.sln, creator={uid=8499f1ee-5be7-11ee-a02c-0242ac110005, type_id=3, domain=coupons dropped pantyhose, name=Booking, type=System}, parent_folder=ralph tales librarian/simpsons.psd, type_id=99, name=premises.sln, hashes=[{value=F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.531893Z, type=ships}, cmd_line=text ana 
range, name=Devices, user={uid=849a06c0-5be7-11ee-acfe-0242ac110005, org={name=velvet days pubs, ou_name=brake craps campaign}, type_id=0, name=Immediate, groups=[{uid=849a1124-5be7-11ee-9a8e-0242ac110005, privileges=[independent vegetables assisted, refinance lee seating]}, {uid=849a1674-5be7-11ee-aa3b-0242ac110005, name=div violence strange}], type=Unknown}}, user={uid=8499b5da-5be7-11ee-b276-0242ac110005, type_id=99, name=Apartments, uid_alt=serving turbo spy, type=ad}}, user={uid=84995d06-5be7-11ee-8223-0242ac110005, org={uid=849963aa-5be7-11ee-b57a-0242ac110005, name=dryer asn trying, ou_name=wr r gibraltar}, type_id=2, name=Fantastic, type=Admin}, terminated_time=1695676041561}, user={uid=84993312-5be7-11ee-b956-0242ac110005, email_addr=Renita@pete.cat, type_id=0, name=Rice, type=Unknown}, xattributes={}}, user={uid=8498cd14-5be7-11ee-94d7-0242ac110005, type_id=99, name=Hour, uid_alt=organizations guild beds, type=insert}}, user={uid=84988e80-5be7-11ee-bf3c-0242ac110005, full_name=Karoline Meggan, email_addr=Elza@girls.mil, type_id=2, name=Provided, type=Admin}, terminated_time=1695676041566}, user={uid=84984db2-5be7-11ee-ba4e-0242ac110005, type_id=1, domain=sao uri flesh, name=Knows, type=User}, xattributes={}}, xattributes={}, terminated_time=1695676041564, uid=849823d2-5be7-11ee-92d1-0242ac110005, integrity=they thermal eau, file={path=wives pamela karl/articles.c/dame.svg, parent_folder=wives pamela karl/articles.c, type_id=1, modifier={uid=8497f38a-5be7-11ee-97c6-0242ac110005, type_id=0, name=Complete, groups=[{uid=8497fde4-5be7-11ee-9733-0242ac110005, name=winds seeking reply}, {uid=8498099c-5be7-11ee-ac6f-0242ac110005, name=hamburg roommate environment}], type=Unknown}, security_descriptor=robinson queens graduate, name=dame.svg, hashes=[{value=E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC, algorithm_id=99, algorithm=magic}, 
{value=AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.519646Z, type=Regular File}, cmd_line=harder interventions pb, name=Bid, user={uid=84981f68-5be7-11ee-b652-0242ac110005, type_id=0, name=Shipment, uid_alt=singh dim static, type=Unknown}}", + "parent_process_keyword": "{container={uid=849829cc-5be7-11ee-bb7a-0242ac110005, size=2387392206, name=kg sources houses, pod_uuid=kiss, runtime=kate through furniture, hash={value=6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6, algorithm_id=3, algorithm=SHA-256}}, lineage=[attraction cord adjustment, announcements summer introduce], created_time=1695676041517, namespace_pid=49, sandbox=species tourism system, pid=26, parent_process={container={uid=84985df2-5be7-11ee-be06-0242ac110005, size=3179758248, name=hunt indicating radiation, tag=reader prevention as, hash={value=666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C, algorithm_id=6, algorithm=TLSH}}, uid=8498530c-5be7-11ee-86f3-0242ac110005, created_time=1695676041527, file={path=conflicts disability citysearch/ieee.dtd/seq.wpd, created_time=1695676041520, parent_folder=conflicts disability citysearch/ieee.dtd, confidentiality_id=0, type_id=3, modifier={uid=84984362-5be7-11ee-af2c-0242ac110005, type_id=2, name=Officer, type=Admin}, confidentiality=Unknown, name=seq.wpd, hashes=[{value=7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1, algorithm_id=5, algorithm=CTPH}, {value=1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358, algorithm_id=6, algorithm=TLSH}], type=Character Device}, cmd_line=creation defense carolina, namespace_pid=46, name=Jamie, pid=28, 
parent_process={container={uid=84989948-5be7-11ee-b4fb-0242ac110005, image={path=empirical precipitation builder, uid=84989f42-5be7-11ee-8820-0242ac110005, name=extending construction inkjet, labels=[golf, nov]}, size=2099983603, name=thongs routine an, hash={value=E7EFDA40B1C94805070CD9BF9638AE27, algorithm_id=1, algorithm=MD5}}, uid=84989376-5be7-11ee-9216-0242ac110005, created_time=1695676041523, integrity=conspiracy unions allocated, file={uid=84987ae4-5be7-11ee-b247-0242ac110005, created_time=1695676042262, size=3504413585, signature={certificate={created_time=1695676041522, subject=shades bad tradition, expiration_time=1695676041526, created_time_dt=2023-09-25T21:07:21.521904Z, serial_number=files the parish, issuer=previous price thing, fingerprints=[{value=8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75, algorithm_id=4, algorithm=SHA-512}, {value=205D64FF9B580AADBF4829EC41DD4EF0, algorithm_id=1, algorithm=MD5}]}, algorithm_id=2, algorithm=RSA}, type_id=6, name=startup.3dm, hashes=[{value=60F202A3BE4EF214E24EA9D3555D194C, algorithm_id=1, algorithm=MD5}, {value=B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.522441Z, type=Named Pipe, version=1.0.0}, cmd_line=plan agents converter, name=Arbor, sandbox=keeps pour rent, pid=20, parent_process={container={uid=8498da2a-5be7-11ee-9d00-0242ac110005, image={uid=8498df20-5be7-11ee-8257-0242ac110005, name=version treating tall}, size=2697694450, name=warrior document workflow, pod_uuid=sas, hash={value=F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E, algorithm_id=6, algorithm=TLSH}}, uid=8498d430-5be7-11ee-b1bf-0242ac110005, created_time=1695676041523, integrity=aviation blame tion, file={path=roger economy 
macro/mesh.gadget/considerations.jar, created_time=1695676041524, parent_folder=roger economy macro/mesh.gadget, mime_type=star/flyer, type_id=5, name=considerations.jar, accessor={uid=8498c030-5be7-11ee-80d9-0242ac110005, full_name=Twyla Cherise, email_addr=Shin@cause.mobi, type_id=2, name=Wildlife, uid_alt=excellent far varied, type=Admin}, hashes=[{value=707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D, algorithm_id=5, algorithm=CTPH}, {value=6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2, algorithm_id=5, algorithm=CTPH}], type=Local Socket}, cmd_line=sixth pc peoples, namespace_pid=76, name=Processes, pid=49, parent_process={container={uid=84993ce0-5be7-11ee-8a18-0242ac110005, image={uid=849944f6-5be7-11ee-bc62-0242ac110005, tag=vocal trim jon}, size=2257875576, name=acquired minority slip}, uid=8499377c-5be7-11ee-9164-0242ac110005, file={owner={uid=849901e4-5be7-11ee-bfe1-0242ac110005, full_name=Blythe Jamie, type_id=99, name=Enquiry, type=minneapolis}, is_system=false, signature={certificate={created_time=1695676041526, subject=strap liz boulder, expiration_time=1695676045872, serial_number=approaches symbol assembly, version=1.0.0, issuer=everybody brunei disciplinary, fingerprints=[{value=9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2, algorithm_id=5, algorithm=CTPH}, {value=3DE877DDFB06DB510E63893D98DDAC9524696C14, algorithm_id=2, algorithm=SHA-1}]}, created_time_dt=2023-09-25T21:07:21.526203Z, developer_uid=84991526-5be7-11ee-a2ca-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=99, confidentiality=suburban ati mostly, modified_time_dt=2023-09-25T21:07:21.526727Z, type=charged, path=const foreign pressed/among.ged/pic.vcd, uid=84992264-5be7-11ee-8071-0242ac110005, parent_folder=const foreign 
pressed/among.ged, name=pic.vcd, hashes=[{value=00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802, algorithm_id=0, algorithm=Unknown}], created_time_dt=2023-09-25T21:07:21.526737Z, accessed_time=1695676041556}, namespace_pid=29, name=Job, pid=86, parent_process={container={uid=84996db4-5be7-11ee-bada-0242ac110005, image={uid=849984fc-5be7-11ee-af4c-0242ac110005, name=adipex into polo}, size=797071549, name=deutschland pic newcastle, hash={value=82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF, algorithm_id=3, algorithm=SHA-256}}, lineage=[familiar privilege canvas], uid=84996800-5be7-11ee-8754-0242ac110005, created_time=1695676041528, file={path=architectural pink phil/overview.dtd/tuner.pdb, parent_folder=architectural pink phil/overview.dtd, type_id=6, name=tuner.pdb, hashes=[{value=44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19, algorithm_id=7, algorithm=quickXorHash}, {value=C25DDA249CDECE9D908CC33ADCD16AA05E20290F, algorithm_id=2, algorithm=SHA-1}], type=Named Pipe, version=1.0.0, xattributes={}}, cmd_line=brush bouquet alto, namespace_pid=23, pid=67, parent_process={container={uid=8499d164-5be7-11ee-a7e8-0242ac110005, image={uid=8499d704-5be7-11ee-b617-0242ac110005, name=robert through mailing, tag=struggle gerald weather}, network_driver=catch sun general, orchestrator=sf varieties queries, size=1048383191, name=france sg charger, tag=deserve focused select, hash={value=6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC, algorithm_id=6, algorithm=TLSH}}, uid=8499bc88-5be7-11ee-b028-0242ac110005, created_time=1695676041539, integrity=faculty hardcover generated, file={owner={uid=84999e10-5be7-11ee-914b-0242ac110005, email_addr=Pamelia@directed.com, type_id=1, name=Friend, type=User}, path=fish largest 
alberta/solutions.deskthemepack/spirit.max, parent_folder=fish largest alberta/solutions.deskthemepack, type_id=1, name=spirit.max, hashes=[{value=718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549, algorithm_id=5, algorithm=CTPH}, {value=D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88, algorithm_id=0, algorithm=Unknown}], attributes=83, type=Regular File, version=1.0.0, desc=escape steady bow}, cmd_line=in blowing memorial, session={uid=8499ca0c-5be7-11ee-aae9-0242ac110005, created_time=1695676041534, expiration_time=1695676041542, is_remote=true}, namespace_pid=79, name=Cialis, pid=21, parent_process={container={uid=849a2420-5be7-11ee-94c5-0242ac110005, image={uid=849a32bc-5be7-11ee-86bb-0242ac110005, name=layers branch lucas, tag=nations chances trips}, size=1512724327, name=own drawing acute, hash={value=79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB, algorithm_id=6, algorithm=TLSH}}, lineage=[guru hosted bradley], created_time=1695676041533, namespace_pid=39, sandbox=moon exercise starring, pid=90, parent_process={container={uid=849a646c-5be7-11ee-90ce-0242ac110005, image={uid=849a6a66-5be7-11ee-95e4-0242ac110005, name=evaluating apartments disaster}, size=3702557326, name=apartment drunk amateur, hash={value=12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509, algorithm_id=0, algorithm=Unknown}}, uid=849a5d78-5be7-11ee-ac24-0242ac110005, created_time=1695676041535, file={is_system=false, confidentiality_id=2, type_id=5, confidentiality=Confidential, name=hunt.ppt, hashes=[{value=6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4, algorithm_id=7, algorithm=quickXorHash}, 
{value=B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153, algorithm_id=7, algorithm=quickXorHash}], attributes=22, modified_time_dt=2023-09-25T21:07:21.533963Z, type=Local Socket}, cmd_line=merchandise initiatives accessibility, namespace_pid=29, name=Bags, parent_process={container={uid=849aa490-5be7-11ee-bb98-0242ac110005, image={uid=849aaa9e-5be7-11ee-a47a-0242ac110005, name=evanescence plans courts, tag=buy archives predict}, name=distant modeling monaco, runtime=peace up sailing, hash={value=383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F, algorithm_id=3, algorithm=SHA-256}}, lineage=[lanka manufacture bra, gibson implementation pope], uid=849a9ed2-5be7-11ee-ae61-0242ac110005, created_time=1695676041539, integrity=bookings qc dictionaries, file={owner={uid=849a7ac4-5be7-11ee-a06d-0242ac110005, type_id=99, name=Asia, type=meetup}, path=interactions malta thoughts/laden.pdf/hardware.wma, parent_folder=interactions malta thoughts/laden.pdf, signature={digest={value=3188206324B062751CE36D4251C19C94, algorithm_id=1, algorithm=MD5}, algorithm_id=4, algorithm=Authenticode}, type_id=0, name=hardware.wma, hashes=[{value=6BD48B1E57856137037BFEE4DEC8D57F, algorithm_id=1, algorithm=MD5}], attributes=35, type=Unknown}, cmd_line=recordings countries slides, namespace_pid=6, name=Sen, pid=13, parent_process={container={uid=849aff08-5be7-11ee-80bd-0242ac110005, image={uid=849b1f7e-5be7-11ee-bb9d-0242ac110005, name=cross tray influenced, tag=afternoon counseling governance}, network_driver=slovakia friend username, size=191473515, name=author channel disappointed, hash={value=B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581, algorithm_id=7, algorithm=quickXorHash}}, uid=849adea6-5be7-11ee-aa53-0242ac110005, created_time=1695676041539, file={path=jeff puts assignments/thing.msi/removal.obj, 
parent_folder=jeff puts assignments/thing.msi, type_id=6, security_descriptor=bureau myspace barrel, name=removal.obj, hashes=[{value=CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77, algorithm_id=99, algorithm=magic}], accessed_time=1695676041534, type=Named Pipe}, cmd_line=amount anywhere suffered, namespace_pid=49, name=Impacts, sandbox=romance volunteer entrepreneurs, pid=86, parent_process={lineage=[qualify insight reproduce, placing download tomato], uid=849b6dee-5be7-11ee-84f0-0242ac110005, created_time=1695676041593, file={path=let dawn representing/surrounding.dwg/human.pdb, product={uid=849b3fd6-5be7-11ee-83d2-0242ac110005, feature={uid=849b46a2-5be7-11ee-824d-0242ac110005, name=metric th alt, version=1.0.0}, name=heavy payroll timothy, vendor_name=rv brother vaccine, version=1.0.0}, parent_folder=let dawn representing/surrounding.dwg, modified_time=1695676041541, type_id=7, name=human.pdb, accessor={uid=849b52b4-5be7-11ee-863c-0242ac110005, type_id=3, name=Dragon, type=System, credential_uid=849b5b88-5be7-11ee-af7a-0242ac110005}, hashes=[{value=AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.541195Z, attributes=78, modified_time_dt=2023-09-25T21:07:21.541163Z, type=Symbolic Link}, cmd_line=techno now vid, namespace_pid=91, name=Sampling, sandbox=compounds s time, pid=71, parent_process={lineage=[tenant surveillance nature, securities joining bite], created_time=1695676041548, session={uid=849bd89c-5be7-11ee-bbae-0242ac110005, created_time=1695676041544, is_remote=true, issuer=mind file superior}, sandbox=facial gossip lopez, pid=41, parent_process={container={uid=849c059c-5be7-11ee-b620-0242ac110005, image={uid=849c105a-5be7-11ee-8337-0242ac110005, name=titten live cvs}, size=2006500672, name=anthony serial medline, 
hash={value=53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D, algorithm_id=6, algorithm=TLSH}}, created_time=1695676041542, namespace_pid=8, sandbox=upload stages deutsch, pid=74, parent_process={container={uid=849c6776-5be7-11ee-94b5-0242ac110005, image={uid=849c6d2a-5be7-11ee-a411-0242ac110005, name=capabilities huge hometown, labels=[mumbai]}, name=yahoo plains basically, hash={value=FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1, algorithm_id=6, algorithm=TLSH}}, uid=849c61f4-5be7-11ee-8006-0242ac110005, created_time=1695676041544, file={owner={uid=849c24fa-5be7-11ee-93d2-0242ac110005, email_addr=Suzan@communicate.coop, type_id=0, name=Sunny, type=Unknown}, is_system=false, product={uid=849c3e4a-5be7-11ee-80be-0242ac110005, name=pci invasion producers, vendor_name=australian payments crm, lang=en, version=1.0.0}, creator={uid=849c4b2e-5be7-11ee-9c0b-0242ac110005, org={ou_uid=849c5470-5be7-11ee-b89d-0242ac110005, uid=849c5060-5be7-11ee-b740-0242ac110005, name=reproductive balloon stanley, ou_name=pick rear governance}, type_id=99, domain=glass outlet lopez, groups=[{uid=849c5ae2-5be7-11ee-97a7-0242ac110005, name=suspected contributor counting, type=vacations wines biological}], type=selected}, signature={certificate={created_time=1695676041548, subject=microwave marriott okay, expiration_time=1695676041514, serial_number=windsor sponsor google, version=1.0.0, issuer=foundation review shaft, fingerprints=[{value=35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=3, algorithm=ECDSA}, type_id=2, confidentiality=Top Secret, accessor={full_name=Crysta Damaris, type_id=99, name=Class, uid_alt=linux has luis, type=pie, account={type_id=8, name=cards gratis necklace, type=Apple 
Account}}, type=Folder, version=1.0.0, path=nintendo smilies thank/ought.vb/revolution.vcf, parent_folder=nintendo smilies thank/ought.vb, confidentiality_id=4, company_name=Mckenzie Ardith, security_descriptor=recommended approve environment, name=revolution.vcf, hashes=[{value=1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E, algorithm_id=7, algorithm=quickXorHash}, {value=221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4, algorithm_id=6, algorithm=TLSH}], attributes=79}, cmd_line=arrangements makes handy, namespace_pid=13, pid=20, parent_process={container={uid=849cdd28-5be7-11ee-9250-0242ac110005, image={uid=849ce32c-5be7-11ee-b7a9-0242ac110005, name=audio miracle leader}, size=1224758347, name=hospitality walker vs, hash={value=A813ED16B0B3E58FA959C0BA26A47058, algorithm_id=1, algorithm=MD5}}, lineage=[achievement courage send, expansion instructional agreements], created_time=1695676041555, session={uid=849ccebe-5be7-11ee-a1ca-0242ac110005, created_time=1695676041550, expiration_time_dt=2023-09-25T21:07:21.550638Z, is_remote=false, issuer=volunteer meetings medline}, namespace_pid=62, sandbox=distributor workshops maldives, parent_process={container={uid=849d0e7e-5be7-11ee-a8e4-0242ac110005, image={uid=849d1342-5be7-11ee-a4ca-0242ac110005, name=charges fragrances complex}, network_driver=familiar movies legitimate, size=2138922450, name=develop affiliates required, pod_uuid=legally, hash={value=6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0, algorithm_id=4, algorithm=SHA-512}}, integrity=Unknown, file={product={name=external polar galaxy, vendor_name=hack infection generator, lang=en, version=1.0.0}, modified_time=1695676041500, mime_type=silicon/limousines, type_id=2, confidentiality=venue rl epa, name=flexible.vcxproj, 
hashes=[{value=2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC, algorithm_id=4, algorithm=SHA-512}, {value=256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C, algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.551631Z, type=Folder, xattributes={}}, cmd_line=challenges prompt cumulative, namespace_pid=2, name=Airfare, parent_process={container={uid=849d3caa-5be7-11ee-9fe6-0242ac110005, image={uid=849d468c-5be7-11ee-85e3-0242ac110005, labels=[responsibility]}, orchestrator=helpful pasta matthew, size=1820268463, name=cpu mission hacker, runtime=cables vanilla amendments, hash={value=0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D, algorithm_id=99, algorithm=magic}}, uid=849d308e-5be7-11ee-a5ad-0242ac110005, file={uid=849d2170-5be7-11ee-a637-0242ac110005, mime_type=will/executed, type_id=4, name=uzbekistan.jar, hashes=[{value=8A25185F3C5523EF3B08C1ECDD83016224863C95, algorithm_id=2, algorithm=SHA-1}, {value=6B9ED75DAE7A1E692073FC400B558EA4, algorithm_id=1, algorithm=MD5}], attributes=44, type=Block Device, xattributes={}}, cmd_line=reporter techno regarded, namespace_pid=84, name=Eternal, pid=76, parent_process={container={uid=849d7cce-5be7-11ee-80f3-0242ac110005, image={uid=849d83f4-5be7-11ee-8f40-0242ac110005, name=curtis burns park, labels=[fix]}, network_driver=surely assistance actively, size=1668291787, pod_uuid=gardening, hash={value=308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C, algorithm_id=0, algorithm=Unknown}}, uid=849d64dc-5be7-11ee-b02a-0242ac110005, created_time=1695676041553, integrity=System, file={created_time=1695676041554, type_id=0, confidentiality=Top Secret, type=Unknown, xattributes={}, path=slideshow configurations lens/nations.flv/titanium.avi, parent_folder=slideshow configurations lens/nations.flv, confidentiality_id=4, 
company_name=Frederica Hertha, name=titanium.avi, hashes=[{value=5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F, algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.554150Z, desc=closed hydraulic connecting}, name=Music, pid=28, parent_process={container={uid=849e031a-5be7-11ee-b55b-0242ac110005, image={path=hairy pixel time, uid=849e0ebe-5be7-11ee-8341-0242ac110005, name=bubble architects vancouver}, size=220440282, name=insight style ca, runtime=williams ng xhtml, hash={value=8876489CE00D6D9FDF61ED1C773F047E, algorithm_id=1, algorithm=MD5}}, lineage=[bk destinations est, whose playback congressional], created_time=1695676041558, file={path=venezuela flyer seller/os.kml/opening.vob, parent_folder=venezuela flyer seller/os.kml, modified_time=1695676041557, type_id=5, modifier={uid=849d94de-5be7-11ee-b30d-0242ac110005, full_name=Katheryn Kena, type_id=1, name=Infected, type=User}, security_descriptor=graham occupations become, name=opening.vob, accessor={uid=849da17c-5be7-11ee-9d3a-0242ac110005, type_id=99, name=Mine, type=fcc, account={uid=849dabd6-5be7-11ee-ba6a-0242ac110005, name=hourly toll disappointed}, credential_uid=849db838-5be7-11ee-8a18-0242ac110005}, hashes=[{value=599DCCE2998A6B40B1E38E8C6006CB0A, algorithm_id=1, algorithm=MD5}, {value=E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4, algorithm_id=6, algorithm=TLSH}], type=Local Socket}, cmd_line=pursuant proceed discussed, namespace_pid=54, name=Surprise, sandbox=final corporations performances, pid=50, parent_process={container={uid=849e509a-5be7-11ee-ad75-0242ac110005, image={uid=849e6972-5be7-11ee-b803-0242ac110005, name=committed plastic does}, network_driver=conduct linking lb, size=2559819198, name=priority mirrors although, runtime=rock relation block}, lineage=[desktop lakes moscow, barrel touch increasing], created_time=1695676041434, file={path=disc dividend 
incentives/crucial.wps/filled.mdb, product={path=costumes somewhat qui, uid=849e3088-5be7-11ee-8510-0242ac110005, name=michigan slight torture, vendor_name=franchise portland experiment, lang=en, version=1.0.0}, parent_folder=disc dividend incentives/crucial.wps, modified_time=1695676041563, size=2881440001, signature={certificate={created_time=1695676041558, subject=infectious replication lock, expiration_time=1695676041554, serial_number=durham graham course, version=1.0.0, issuer=worker attended mel, fingerprints=[{value=372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F, algorithm_id=99, algorithm=magic}]}, algorithm_id=0, algorithm=Unknown}, type_id=3, modifier={uid=849e2a2a-5be7-11ee-82b2-0242ac110005, type_id=0, domain=informational advisory mg, name=Constraints, type=Unknown}, name=filled.mdb, accessor={uid=849e39a2-5be7-11ee-b3b8-0242ac110005, full_name=Lorna Francisco, type_id=0, name=Intl, type=Unknown}, hashes=[{value=9471ED19416B8099E51855CB0EF61AE3, algorithm_id=1, algorithm=MD5}], type=Character Device}, cmd_line=peer rail specialist, namespace_pid=13, name=Courage, pid=5, parent_process={container={uid=849f0878-5be7-11ee-b335-0242ac110005, image={uid=849f1dc2-5be7-11ee-b432-0242ac110005, name=belfast interests activation}, size=903476370, name=missed foreign palmer, hash={value=7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1, algorithm_id=2, algorithm=SHA-1}}, uid=849f00ee-5be7-11ee-954b-0242ac110005, created_time=1695676041565, file={owner={uid=849e86dc-5be7-11ee-9b00-0242ac110005, org={ou_uid=849e9852-5be7-11ee-9c6a-0242ac110005, uid=849e8ff6-5be7-11ee-be3f-0242ac110005, name=syndication joseph realized, ou_name=advertise scored usr}, type_id=3, type=System}, path=patch attempting mf/nashville.dxf/metabolism.gadget, creator={uid=849edfe2-5be7-11ee-97f0-0242ac110005, email_addr=Myrta@of.cat, type_id=0, type=Unknown, account={uid=849ef310-5be7-11ee-b8e1-0242ac110005, type_id=5, name=workers observer lonely, type=GCP Account}}, 
parent_folder=patch attempting mf/nashville.dxf, accessed_time_dt=2023-09-25T21:07:21.564734Z, signature={certificate={created_time=1695676041504, subject=signals book follow, expiration_time=1695676041569, serial_number=termination vi limitation, version=1.0.0, issuer=database verse prince, fingerprints=[{value=6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98, algorithm_id=7, algorithm=quickXorHash}, {value=80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=3, algorithm=ECDSA}, type_id=3, name=metabolism.gadget, hashes=[{value=5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10, algorithm_id=6, algorithm=TLSH}, {value=C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B, algorithm_id=5, algorithm=CTPH}], type=Character Device}, cmd_line=institutes yes inputs, namespace_pid=44, name=Harley, created_time_dt=2023-09-25T21:07:21.565824Z, pid=38, user={full_name=Lyndsay Ricky, type_id=2, name=Referenced, type=Admin}, xattributes={}, terminated_time=1695676041566}, user={uid=849e4a46-5be7-11ee-bc81-0242ac110005, type_id=2, name=Motorcycle, type=Admin}}, user={uid=849debb4-5be7-11ee-bfac-0242ac110005, type_id=1, name=Simulations, type=User, account={uid=849df820-5be7-11ee-82f1-0242ac110005, type_id=2, type=Windows Account}, credential_uid=849dfc62-5be7-11ee-a9bc-0242ac110005}}, user={uid=849d60a4-5be7-11ee-98cb-0242ac110005, type_id=99, name=Be, type=types}, integrity_id=5}, user={uid=849d2c24-5be7-11ee-953d-0242ac110005, email_addr=Josefina@holders.museum, type_id=99, name=Manager, type=legs}, xattributes={}}, user={uid=849cfe70-5be7-11ee-b38b-0242ac110005, type_id=0, name=Track, type=Unknown, 
account={uid=849d0500-5be7-11ee-97bd-0242ac110005, type_id=3, name=strict manufactured invest, type=AWS IAM User}, credential_uid=849d08ca-5be7-11ee-bfe2-0242ac110005}, integrity_id=0}, uid=849cc522-5be7-11ee-aa87-0242ac110005, file={path=blend roommates closed/died.docx/world.jpg, is_system=true, parent_folder=blend roommates closed/died.docx, confidentiality_id=0, mime_type=engineer/habitat, type_id=4, modifier={uid=849c8878-5be7-11ee-98bd-0242ac110005, email_addr=Deloise@agreed.arpa, type_id=3, domain=ln resolved couple, name=Heritage, type=System}, confidentiality=Unknown, name=world.jpg, hashes=[{value=3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB, algorithm_id=3, algorithm=SHA-256}, {value=31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975, algorithm_id=6, algorithm=TLSH}], type=Block Device}, cmd_line=well absent shoe, name=Tell, loaded_modules=[/rev/amazon/casino/june/fails.bin, /credit/potential/lawsuit/clause/nine.bmp], user={uid=849ca4ca-5be7-11ee-b39c-0242ac110005, org={uid=849cb208-5be7-11ee-a4a6-0242ac110005, name=top riverside asthma, ou_name=stats dans soviet}, type_id=2, domain=our installing clinical, name=Weather, type=Admin, credential_uid=849cc0f4-5be7-11ee-9c36-0242ac110005}}}, xattributes={}, terminated_time_dt=2023-09-25T21:07:21.565891Z, integrity=High, file={path=suit who pics/arrange.torrent/moral.kmz, created_time=1695676041545, is_system=false, parent_folder=suit who pics/arrange.torrent, type_id=5, name=moral.kmz, accessor={uid=849bf00c-5be7-11ee-a0de-0242ac110005, type_id=0, domain=operates collectables presentations, name=Qualities, uid_alt=welsh constraints elimination, type=Unknown}, hashes=[{value=BADBDA50632954800C02D40EB49D1BEF8E5A883D, algorithm_id=2, algorithm=SHA-1}, {value=22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606, algorithm_id=7, 
algorithm=quickXorHash}], accessed_time=1695676044937, type=Local Socket}, cmd_line=remain weird municipal, name=Restore, created_time_dt=2023-09-25T21:07:21.565886Z, integrity_id=4}, tid=86, terminated_time_dt=2023-09-25T21:07:21.565908Z, terminated_time=1695676041561, uid=849bcfb4-5be7-11ee-b896-0242ac110005, integrity=written, file={is_system=true, product={uid=849b866c-5be7-11ee-a7ff-0242ac110005, feature={uid=849b9742-5be7-11ee-9904-0242ac110005, name=seminar automatic gui, version=1.0.0}, name=nights validity updated, vendor_name=favorite album ncaa, lang=en, version=1.0.0, url_string=however}, creator={full_name=Otelia Kori, org={uid=849bad9a-5be7-11ee-9fa0-0242ac110005, name=timing process palestinian, ou_name=step mouth drunk}, type_id=1, domain=neural fig colin, name=Tap, type=User}, signature={certificate={created_time=1695676041542, subject=annually ic quest, expiration_time=1695676041577, serial_number=distributed characters bin, version=1.0.0, issuer=cooperation worldcat southwest, fingerprints=[{value=A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9, algorithm_id=0, algorithm=Unknown}]}, created_time_dt=2023-09-25T21:07:21.542032Z, algorithm_id=0, algorithm=Unknown}, type_id=0, accessor={uid=849ba016-5be7-11ee-8738-0242ac110005, email_addr=Stormy@postcard.mobi, type_id=99, name=Xhtml, type=disabilities}, type=Unknown, path=designing designed kim/butts.crx/sunday.crdownload, parent_folder=designing designed kim/butts.crx, modified_time=1695676041546, size=1384349588, mime_type=talked/wishlist, name=sunday.crdownload, hashes=[{value=A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9, algorithm_id=6, algorithm=TLSH}]}, cmd_line=treatments proceeding assumed, name=Foundation, created_time_dt=2023-09-25T21:07:21.565904Z, loaded_modules=[/aims/hammer/duke/implementation/roland.jar, 
/illustration/reads/adaptation/ppc/footage.cab], user={uid=849bb81c-5be7-11ee-bbec-0242ac110005, email_addr=Reba@contemporary.mobi, type_id=0, name=Certain, groups=[{uid=849bbdee-5be7-11ee-95a2-0242ac110005, name=penn laundry woods, type=powerpoint jump hospitality, desc=twenty protection innovative}, {uid=849bc780-5be7-11ee-9955-0242ac110005}], uid_alt=technical critics nationally, type=Unknown}, integrity_id=99}, user={uid=849b6916-5be7-11ee-a01e-0242ac110005, email_addr=Yelena@communities.nato, type_id=1, domain=lexmark refers dylan, name=Particles, type=User}, terminated_time=1695676041567}, user={uid=849abe76-5be7-11ee-a5a1-0242ac110005, full_name=Paul Julian, org={uid=849accae-5be7-11ee-af7b-0242ac110005, name=nyc kidney drawings}, type_id=2, domain=statistical poland gregory, name=Alliance, groups=[{uid=849ad5fa-5be7-11ee-a0e9-0242ac110005, privileges=[flashing aol autumn], name=accessed thanks instructions, desc=luggage species belkin}, {uid=849ada50-5be7-11ee-824e-0242ac110005, privileges=[sodium believed housing, incorporated jungle asian], name=cognitive times agent}], type=Admin}}, user={uid=849a900e-5be7-11ee-9894-0242ac110005, full_name=Marisela Towanda, email_addr=Wava@promises.info, type_id=3, name=Round, type=System, account={uid=849a9702-5be7-11ee-9f5d-0242ac110005, type_id=1, name=fragrances bulk specialty, type=LDAP Account}, credential_uid=849a9afe-5be7-11ee-b27a-0242ac110005}}, user={uid=849a52ce-5be7-11ee-a468-0242ac110005, full_name=Elisa Cleora, type_id=99, name=Sisters, type=rebound}, xattributes={}}, terminated_time=1695676041562, uid=849a1af2-5be7-11ee-82a9-0242ac110005, file={owner={type_id=1, name=Welcome, type=User, account={uid=8499eb2c-5be7-11ee-86b7-0242ac110005, type_id=7, name=discs outlets general, type=Mac OS Account}}, path=ralph tales librarian/simpsons.psd/premises.sln, creator={uid=8499f1ee-5be7-11ee-a02c-0242ac110005, type_id=3, domain=coupons dropped pantyhose, name=Booking, type=System}, parent_folder=ralph tales 
librarian/simpsons.psd, type_id=99, name=premises.sln, hashes=[{value=F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.531893Z, type=ships}, cmd_line=text ana range, name=Devices, user={uid=849a06c0-5be7-11ee-acfe-0242ac110005, org={name=velvet days pubs, ou_name=brake craps campaign}, type_id=0, name=Immediate, groups=[{uid=849a1124-5be7-11ee-9a8e-0242ac110005, privileges=[independent vegetables assisted, refinance lee seating]}, {uid=849a1674-5be7-11ee-aa3b-0242ac110005, name=div violence strange}], type=Unknown}}, user={uid=8499b5da-5be7-11ee-b276-0242ac110005, type_id=99, name=Apartments, uid_alt=serving turbo spy, type=ad}}, user={uid=84995d06-5be7-11ee-8223-0242ac110005, org={uid=849963aa-5be7-11ee-b57a-0242ac110005, name=dryer asn trying, ou_name=wr r gibraltar}, type_id=2, name=Fantastic, type=Admin}, terminated_time=1695676041561}, user={uid=84993312-5be7-11ee-b956-0242ac110005, email_addr=Renita@pete.cat, type_id=0, name=Rice, type=Unknown}, xattributes={}}, user={uid=8498cd14-5be7-11ee-94d7-0242ac110005, type_id=99, name=Hour, uid_alt=organizations guild beds, type=insert}}, user={uid=84988e80-5be7-11ee-bf3c-0242ac110005, full_name=Karoline Meggan, email_addr=Elza@girls.mil, type_id=2, name=Provided, type=Admin}, terminated_time=1695676041566}, user={uid=84984db2-5be7-11ee-ba4e-0242ac110005, type_id=1, domain=sao uri flesh, name=Knows, type=User}, xattributes={}}, xattributes={}, terminated_time=1695676041564, uid=849823d2-5be7-11ee-92d1-0242ac110005, integrity=they thermal eau, file={path=wives pamela karl/articles.c/dame.svg, parent_folder=wives pamela karl/articles.c, type_id=1, modifier={uid=8497f38a-5be7-11ee-97c6-0242ac110005, type_id=0, name=Complete, groups=[{uid=8497fde4-5be7-11ee-9733-0242ac110005, name=winds seeking reply}, {uid=8498099c-5be7-11ee-ac6f-0242ac110005, name=hamburg roommate 
environment}], type=Unknown}, security_descriptor=robinson queens graduate, name=dame.svg, hashes=[{value=E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC, algorithm_id=99, algorithm=magic}, {value=AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.519646Z, type=Regular File}, cmd_line=harder interventions pb, name=Bid, user={uid=84981f68-5be7-11ee-b652-0242ac110005, type_id=0, name=Shipment, uid_alt=singh dim static, type=Unknown}}", "session": { "created_time": "2023-09-25T21:07:21.516Z", "credential_uid": "8497c716-5be7-11ee-bd7a-0242ac110005", @@ -3018,7 +3018,7 @@ } }, { - "@timestamp": "+56554-03-09T20:36:00.083Z", + "@timestamp": "2024-08-01T11:09:23.760Z", "cloud": { "account": { "id": "823f3676-4ff6-11ef-87ce-0242ac110005", @@ -3131,7 +3131,7 @@ "size": 3850921168, "uid": "8241251c-4ff6-11ef-bfb4-0242ac110005" }, - "created_time": "+56554-03-09T20:36:03.413Z", + "created_time": "2024-08-01T11:09:23.763Z", "euid": "20", "file": { "accessor": { @@ -3182,7 +3182,7 @@ "size": 3047246820, "uid": "8241bd6a-4ff6-11ef-b2aa-0242ac110005" }, - "created_time": "+56554-03-09T20:36:07.250Z", + "created_time": "2024-08-01T11:09:23.767Z", "created_time_dt": "2024-08-01T11:09:23.782Z", "euid": "21", "file": { @@ -3254,7 +3254,7 @@ "size": 1936688053, "uid": "82424474-4ff6-11ef-82f8-0242ac110005" }, - "created_time": 1722510563770786, + "created_time": 1722510563770, "file": { "accessor": { "groups": [ @@ -3272,7 +3272,7 @@ "uid": "8241ede4-4ff6-11ef-acc4-0242ac110005" }, "confidentiality": "median twelve ha", - "created_time": 1722510563769556, + "created_time": 1722510563769, "created_time_dt": "2024-08-01T11:09:23.769628Z", "desc": "differently maldives brand", "hashes": [ 
@@ -3316,7 +3316,7 @@ "size": 940803910, "uid": "82430aa8-4ff6-11ef-83eb-0242ac110005" }, - "created_time": 1722510563775908, + "created_time": 1722510563775, "created_time_dt": "2024-08-01T11:09:23.782438Z", "egid": 29, "euid": 44, @@ -3380,7 +3380,7 @@ "size": 3752277430, "uid": "82438e24-4ff6-11ef-9a2b-0242ac110005" }, - "created_time": 1722510563779192, + "created_time": 1722510563779, "file": { "confidentiality": "Unknown", "confidentiality_id": 0, @@ -3482,7 +3482,7 @@ }, "name": "Miles", "pid": 44, - "terminated_time": 1722510563782421, + "terminated_time": 1722510563782, "uid": "8243fda0-4ff6-11ef-9876-0242ac110005", "user": { "full_name": "Bronwyn Kandi", @@ -3504,7 +3504,7 @@ } }, "pid": 51, - "terminated_time": 1722510563782432, + "terminated_time": 1722510563782, "terminated_time_dt": "2024-08-01T11:09:23.782445Z", "uid": "8242ff90-4ff6-11ef-b85f-0242ac110005", "user": { @@ -3515,7 +3515,7 @@ } }, "pid": 74, - "terminated_time": 1722510563782452, + "terminated_time": 1722510563782, "terminated_time_dt": "2024-08-01T11:09:23.782458Z", "uid": "82423a2e-4ff6-11ef-ac30-0242ac110005", "user": { @@ -3606,7 +3606,7 @@ "size": 793369097, "uid": "82409b10-4ff6-11ef-b701-0242ac110005" }, - "created_time": "+56554-03-09T20:35:58.738Z", + "created_time": "2024-08-01T11:09:23.758Z", "hostname": "teeth.nato", "image": { "labels": [ @@ -3930,7 +3930,7 @@ "status_id": "1", "stratum": "Unsynchronized", "stratum_id": 16, - "time": "+56554-03-09T20:36:00.083Z", + "time": "2024-08-01T11:09:23.760Z", "timezone_offset": 59, "type_name": "NTP Activity: Client Synchronization", "type_uid": "401303", @@ -3947,7 +3947,7 @@ "name": "crisis vulnerable challenge" }, "name": "Peripheral", - "start": "+56554-03-09T20:36:07.250Z", + "start": "2024-08-01T11:09:23.767Z", "thread": { "id": 31 }, @@ -3970,7 +3970,7 @@ } }, "pid": 55, - "start": "+56554-03-09T20:36:03.413Z", + "start": "2024-08-01T11:09:23.763Z", "user": { "id": [ "20" 
@@ -4045,6 +4045,193 @@ "id": "824425be-4ff6-11ef-8b9f-0242ac110005", "name": "Villa" } + }, + { + "@timestamp": "2024-08-12T09:32:57.274Z", + "data_stream": { + "dataset": "amazon_security_lake.network_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "cc": { + "address": [ + "Loren@receivers.info", + "Madeline@sue.net" + ] + }, + "from": { + "address": [ + "Francoise@audi.museum" + ] + }, + "local_id": "dbc8706e-588d-11ef-af1b-0242ac110005", + "message_id": "dbc878de-588d-11ef-9c86-0242ac110005", + "reply_to": { + "address": [ + "Twana@optimization.aero" + ] + }, + "to": { + "address": [ + "Lizzie@keyword.net" + ] + } + }, + "event": { + "action": "sense-cheat-builder", + "category": [ + "email" + ], + "code": "cats", + "id": "dbc818a8-588d-11ef-aa74-0242ac110005", + "kind": "event", + "original": "{\"message\":\"andale freely producers\",\"status\":\"Success\",\"time\":1723455177274626,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"sunshine lopez dimension\",\"version\":\"1.1.0\",\"path\":\"correctly was books\",\"uid\":\"dbc81042-588d-11ef-aff0-0242ac110005\",\"vendor_name\":\"common posting displayed\"},\"uid\":\"dbc818a8-588d-11ef-aa74-0242ac110005\",\"profiles\":[],\"event_code\":\"cats\",\"log_name\":\"queen lexmark honolulu\",\"log_provider\":\"technique wc mountains\",\"modified_time\":1723455177273194,\"original_time\":\"china compact 
prototype\",\"tenant_uid\":\"dbc8214a-588d-11ef-8173-0242ac110005\"},\"severity\":\"Medium\",\"email\":{\"size\":3113926462,\"uid\":\"dbc8706e-588d-11ef-af1b-0242ac110005\",\"from\":\"Francoise@audi.museum\",\"cc\":[\"Loren@receivers.info\",\"Madeline@sue.net\"],\"to\":[\"Lizzie@keyword.net\"],\"message_uid\":\"dbc878de-588d-11ef-9c86-0242ac110005\",\"reply_to\":\"Twana@optimization.aero\",\"smtp_from\":\"Shenita@endangered.jobs\",\"smtp_to\":[\"Lydia@or.gov\",\"Malena@writing.firm\"]},\"direction\":\"Inbound\",\"type_uid\":1046489335,\"category_name\":\"Network Activity\",\"class_uid\":4009,\"category_uid\":4,\"class_name\":\"Email Activity\",\"timezone_offset\":29,\"activity_name\":\"sense cheat builder\",\"direction_id\":1,\"email_auth\":{\"dkim\":\"asbestos equal pass\",\"dkim_domain\":\"gibraltar res hip\",\"dkim_signature\":\"phys coordinate pointing\",\"dmarc\":\"bulk stud occasion\",\"dmarc_override\":\"specification adobe dam\",\"dmarc_policy\":\"oem over educated\"},\"enrichments\":[{\"data\":{\"healthcare\":\"hddhj\"},\"name\":\"dip follow theta\",\"type\":\"eastern eleven ratio\",\"value\":\"yards playstation passwords\",\"provider\":\"belkin humanity vid\"},{\"data\":\"ja\",\"name\":\"lang advertise sharp\",\"type\":\"croatia housewives wan\",\"value\":\"thumb routing firms\",\"provider\":\"determining delay team\"}],\"severity_id\":3,\"smtp_hello\":\"isbn purposes yea\",\"src_endpoint\":{\"name\":\"vietnam chamber rational\",\"port\":59948,\"ip\":\"67.43.156.0\",\"hostname\":\"while.mobi\",\"uid\":\"dbc831da-588d-11ef-8bc6-0242ac110005\",\"hw_info\":{\"bios_manufacturer\":\"restricted while suspension\",\"cpu_count\":98,\"keyboard_info\":null,\"ram_size\":54,\"serial_number\":\"ps lol launched\"},\"instance_uid\":\"dbc83cde-588d-11ef-8ecb-0242ac110005\",\"interface_name\":\"buses variation russia\",\"interface_uid\":\"dbc843f0-588d-11ef-8f5a-0242ac110005\",\"svc_name\":\"drunk m 
week\",\"vlan_uid\":\"dbc84ae4-588d-11ef-89b1-0242ac110005\",\"vpc_uid\":\"dbc85138-588d-11ef-bcda-0242ac110005\"},\"status_detail\":\"croatia ks compile\",\"status_id\":1}", + "outcome": "success", + "provider": "technique wc mountains", + "severity": 3, + "type": [ + "info" + ] + }, + "message": "andale freely producers", + "network": { + "application": [ + "drunk m week" + ] + }, + "ocsf": { + "activity_name": "sense cheat builder", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Email Activity", + "class_uid": "4009", + "direction": "Inbound", + "direction_id": "1", + "email": { + "cc": [ + "Loren@receivers.info", + "Madeline@sue.net" + ], + "from": "Francoise@audi.museum", + "message_uid": "dbc878de-588d-11ef-9c86-0242ac110005", + "reply_to": "Twana@optimization.aero", + "size": 3113926462, + "smtp_from": "Shenita@endangered.jobs", + "smtp_to": [ + "Lydia@or.gov", + "Malena@writing.firm" + ], + "to": [ + "Lizzie@keyword.net" + ], + "uid": "dbc8706e-588d-11ef-af1b-0242ac110005" + }, + "email_auth": { + "dkim": "asbestos equal pass", + "dkim_domain": "gibraltar res hip", + "dkim_signature": "phys coordinate pointing", + "dmarc": "bulk stud occasion", + "dmarc_override": "specification adobe dam", + "dmarc_policy": "oem over educated" + }, + "enrichments": [ + { + "data": { + "healthcare": "hddhj" + }, + "name": "dip follow theta", + "provider": "belkin humanity vid", + "type": "eastern eleven ratio", + "value": "yards playstation passwords" + }, + { + "data": "ja", + "name": "lang advertise sharp", + "provider": "determining delay team", + "type": "croatia housewives wan", + "value": "thumb routing firms" + } + ], + "message": "andale freely producers", + "metadata": { + "event_code": "cats", + "log_name": "queen lexmark honolulu", + "log_provider": "technique wc mountains", + "modified_time": "2024-08-12T09:32:57.273Z", + "original_time": "china compact prototype", + "product": { + "name": "sunshine lopez dimension", + "path": 
"correctly was books", + "uid": "dbc81042-588d-11ef-aff0-0242ac110005", + "vendor_name": "common posting displayed", + "version": "1.1.0" + }, + "tenant_uid": "dbc8214a-588d-11ef-8173-0242ac110005", + "uid": "dbc818a8-588d-11ef-aa74-0242ac110005", + "version": "1.1.0" + }, + "severity": "Medium", + "severity_id": 3, + "smtp_hello": "isbn purposes yea", + "src_endpoint": { + "hostname": "while.mobi", + "hw_info": { + "bios_manufacturer": "restricted while suspension", + "cpu_count": 98, + "ram_size": 54, + "serial_number": "ps lol launched" + }, + "instance_uid": "dbc83cde-588d-11ef-8ecb-0242ac110005", + "interface_name": "buses variation russia", + "interface_uid": "dbc843f0-588d-11ef-8f5a-0242ac110005", + "ip": "67.43.156.0", + "name": "vietnam chamber rational", + "port": 59948, + "svc_name": "drunk m week", + "uid": "dbc831da-588d-11ef-8bc6-0242ac110005", + "vlan_uid": "dbc84ae4-588d-11ef-89b1-0242ac110005", + "vpc_uid": "dbc85138-588d-11ef-bcda-0242ac110005" + }, + "status": "Success", + "status_detail": "croatia ks compile", + "status_id": "1", + "time": "2024-08-12T09:32:57.274Z", + "timezone_offset": 29, + "type_uid": "1046489335" + }, + "related": { + "hosts": [ + "while.mobi" + ], + "ip": [ + "67.43.156.0" + ], + "user": [ + "Loren@receivers.info", + "Madeline@sue.net", + "Francoise@audi.museum", + "Twana@optimization.aero", + "Shenita@endangered.jobs", + "Lydia@or.gov", + "Malena@writing.firm", + "Lizzie@keyword.net" + ] + }, + "source": { + "domain": [ + "while.mobi" + ], + "ip": "67.43.156.0", + "port": 59948 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } \ No newline at end of file diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml new file mode 100644 index 000000000000..ca815fc33db6 --- /dev/null 
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml
@@ -0,0 +1,13 @@
+input: aws-s3
+vars:
+ data_stream.dataset: amazon_security_lake.application_activity
+ event.dataset: amazon_security_lake.application_activity
+data_stream:
+ vars:
+ access_key_id: '{{AWS_ACCESS_KEY_ID}}'
+ secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
+ session_token: '{{AWS_SESSION_TOKEN}}'
+ bucket_arn: '{{TF_OUTPUT_bucket_arn}}'
+ bucket_list_prefix: 'application/'
+assert:
+ hit_count: 1
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml
index 69105dae260d..97b7dadff5bd 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml
@@ -7,6 +7,7 @@ data_stream:
 access_key_id: '{{AWS_ACCESS_KEY_ID}}'
 secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
 session_token: '{{AWS_SESSION_TOKEN}}'
- bucket_arn: '{{TF_OUTPUT_bucket_arn_discovery}}'
+ bucket_arn: '{{TF_OUTPUT_bucket_arn}}'
+ bucket_list_prefix: 'discovery/'
 assert:
 hit_count: 1
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml
new file mode 100644
index 000000000000..984ecb4d0df1
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml
@@ -0,0 +1,13 @@
+input: aws-s3
+vars:
+ data_stream.dataset: amazon_security_lake.findings
+ event.dataset: amazon_security_lake.findings
+data_stream:
+ vars:
+ access_key_id: '{{AWS_ACCESS_KEY_ID}}'
+ secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
+ session_token: '{{AWS_SESSION_TOKEN}}'
+ bucket_arn: '{{TF_OUTPUT_bucket_arn}}'
+ bucket_list_prefix: 'findings/'
+assert:
+ hit_count: 1
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml
new file mode 100644
index 000000000000..637fca454d82
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml
@@ -0,0 +1,13 @@
+input: aws-s3
+vars:
+ data_stream.dataset: amazon_security_lake.iam
+ event.dataset: amazon_security_lake.iam
+data_stream:
+ vars:
+ access_key_id: '{{AWS_ACCESS_KEY_ID}}'
+ secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
+ session_token: '{{AWS_SESSION_TOKEN}}'
+ bucket_arn: '{{TF_OUTPUT_bucket_arn}}'
+ bucket_list_prefix: 'iam/'
+assert:
+ hit_count: 1
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml
new file mode 100644
index 000000000000..a0c6aaed17e9
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml
@@ -0,0 +1,13 @@
+input: aws-s3
+vars:
+ data_stream.dataset: amazon_security_lake.network_activity
+ event.dataset: amazon_security_lake.network_activity
+data_stream:
+ vars:
+ access_key_id: '{{AWS_ACCESS_KEY_ID}}'
+ secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
+ session_token: '{{AWS_SESSION_TOKEN}}'
+ bucket_arn: '{{TF_OUTPUT_bucket_arn}}'
+ bucket_list_prefix: 'network/'
+assert:
+ hit_count: 1
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml
new file mode 100644
index 000000000000..69f3307274b7
--- /dev/null
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml
@@ -0,0 +1,13 @@
+input: aws-s3
+vars:
+ data_stream.dataset: amazon_security_lake.system_activity
+ event.dataset: amazon_security_lake.system_activity
+data_stream:
+ vars:
+ access_key_id: '{{AWS_ACCESS_KEY_ID}}'
+ secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
+ session_token: '{{AWS_SESSION_TOKEN}}'
+ bucket_arn: '{{TF_OUTPUT_bucket_arn}}'
+ bucket_list_prefix: 'system/'
+assert:
+ hit_count: 1
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index fafac1adf707..32d3f05a0a17 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -20,6 +20,49 @@ processors:
 - append:
 field: error.message
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ description: Recursively traverses the ocsf object to convert suspected timestamps to milliseconds.
+ tag: convert_timestamps_to_milliseconds
+ lang: painless
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ source: >-
+ def convertToMilliseconds(long timestamp) {
+ int digits = ("" + timestamp).length();
+ if (digits > 16 && digits <= 19) {
+ return timestamp / 1000000; // Convert nanoseconds to milliseconds
+ } else if (digits > 13 && digits <= 16) {
+ return timestamp / 1000; // Convert microseconds to milliseconds
+ } else if (digits > 10 && digits <= 13) {
+ return timestamp; // Already in milliseconds, no conversion needed
+ } else if (digits <= 10) {
+ return timestamp * 1000; // Convert seconds to milliseconds
+ } else {
+ throw new IllegalArgumentException("Timestamp format not recognized: " + timestamp);
+ }
+ }
+
+ def processFields(Map fields) {
+ for (entry in fields.entrySet()) {
+ def fieldName = entry.getKey();
+ def fieldValue = entry.getValue();
+ // Check if the field is a nested object (Map)
+ if (fieldValue instanceof Map) {
+ // Recursively process nested objects
+ processFields((Map) fieldValue);
+ } else if (fieldName.endsWith('time') || fieldName.endsWith('_time')) {
+ // If the field name ends with "time" or "_time" and is a number, convert it
+ if (fieldValue instanceof Number) {
+ fields[fieldName] = convertToMilliseconds(((Number) fieldValue).longValue());
+ }
+ }
+ }
+ return null;
+ }
+ processFields(ctx.ocsf);
+
 - rename:
 field: ocsf.resource
target_field: ocsf.resources
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index aac49befedc6..c2f52c90ab28 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
@@ -196,6 +196,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -285,6 +288,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The name of the city.
@@ -383,6 +389,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -457,6 +466,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
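Review bot: `processFields` only recurses into `Map` values, so a numeric `*time` field sitting inside an array element is never rescaled and keeps its source unit — the test data shows arrays of objects such as `enrichments` and `groups`, and whether any OCSF 1.1 array member carries a time field I cannot confirm from here, so the rewrite below also walks `List` values; it additionally guards the entry point, because `processFields(ctx.ocsf)` raises a null-pointer failure if an earlier processor leaves `ctx.ocsf` unset, and the `on_failure` handler only records the message. In `convertToMilliseconds` the final `else` is unreachable for a non-negative long (at most 19 digits), and a negative value is misclassified because its sign is counted as a digit, so if negatives can occur the digit count should be taken on the magnitude. The match is by name suffix alone (`endsWith('_time')` is already implied by `endsWith('time')`), so any numeric field that merely ends in "time" but holds a duration rather than an instant is silently rescaled, which corrupts the timeline analysts rely on; either restrict the match to the schema's timestamp field names or state the heuristic in `description`, e.g. `description: Rescales every numeric field under ocsf whose name ends in "time" to epoch milliseconds, inferring the source unit from the digit count.` Note also that a thrown exception aborts the whole traversal, leaving later fields in their original unit with only an `error.message` appended.
```yaml
      source: >-
        // … unchanged: convertToMilliseconds …

        def processFields(Map fields) {
          for (entry in fields.entrySet()) {
            def fieldName = entry.getKey();
            def fieldValue = entry.getValue();
            if (fieldValue instanceof Map) {
              processFields((Map) fieldValue);
            } else if (fieldValue instanceof List) {
              // Arrays of objects (e.g. enrichments, groups) were previously skipped
              for (item in (List) fieldValue) {
                if (item instanceof Map) {
                  processFields((Map) item);
                }
              }
            } else if (fieldName.endsWith('time') && fieldValue instanceof Number) {
              fields[fieldName] = convertToMilliseconds(((Number) fieldValue).longValue());
            }
          }
          return null;
        }
        if (ctx.ocsf instanceof Map) {
          processFields(ctx.ocsf);
        }
```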
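Review bot: `ldap_person` is mapped as `flattened`, so every leaf under it is indexed only as a keyword and any date- or number-valued LDAP attribute cannot be queried as a date or number (range queries on flattened leaves compare lexicographically); the same mapping is repeated in the seven later `ldap_person` hunks of this file (`@@ -285`, `-383`, `-457`, `-782`, `-870`, `-967`, `-1040`). If that is the intended trade-off for an open-ended attribute bag, say so in the field text, e.g. `description: The LDAP attributes of the user, stored as a flattened object; leaf values are searchable as keywords only.` Separately, the `@@ -285` and `@@ -870` hunks insert `ldap_person` into a block whose sibling `name` is described as `The name of the city`, although the surrounding `groups.uid` and `ldap_person` fields indicate a user object — that description looks like a copy-paste from a location object and is worth correcting while the block is being touched.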
@@ -782,6 +794,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -870,6 +885,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The name of the city.
@@ -967,6 +985,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -1040,6 +1061,9 @@
 - name: uid
 type: keyword
 description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
+ - name: ldap_person
+ type: flattened
+ description: The LDAP attributes of the user.
 - name: name
 type: keyword
 description: The username. For example, janedoe1.
@@ -1270,6 +1294,9 @@
 - name: uuid
 type: keyword
 description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
 - name: terminated_time
 type: date
 description: The time when the process was terminated.
@@ -1397,6 +1424,9 @@
 - name: uuid
 type: keyword
 description: The universally unique identifier of the session.
+ - name: terminal
+ type: keyword
+ description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
 - name: terminated_time
 type: date
 description: The time when the process was terminated.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml
index 5394314a13de..1fbf81b593e4 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml
@@ -34,6 +34,9 @@
 - name: desc
 type: keyword
 description: The group description.
+ - name: domain
+ type: keyword
+ description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
 - name: name
 type: keyword
 description: The group name.
diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
index 4eaddb3ba42d..771d6522868a 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml
@@ -1061,6 +1061,7 @@
 fields:
 - name: data
 type: flattened
+ ignore_malformed: true
 description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
 - name: name
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/event/sample_event.json b/packages/amazon_security_lake/data_stream/event/sample_event.json
index 7002a2938254..375284dea717 100644
--- a/packages/amazon_security_lake/data_stream/event/sample_event.json
+++ b/packages/amazon_security_lake/data_stream/event/sample_event.json
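Review bot: `ignore_malformed: true` on the flattened enrichment `data` field makes a non-object value skip indexing rather than reject the document — the new expected test output shows why it is needed, since `data` arrives both as an object (`{"healthcare": "hddhj"}`) and as a bare string (`"ja"`) — but, assuming Elasticsearch honours the option for this field type, the string form is then kept in `_source` only, is not searchable, and only the `_ignored` meta-field records that it was dropped. Enrichment data is exactly what detections and triage tend to pivot on, so consider normalising scalar `data` values in the pipeline before indexing (for example moving them to a keyword field or wrapping them in an object) so they remain searchable; at minimum the description should state the behaviour, e.g. append `Non-object values are retained in _source but are not indexed.` to the existing `description`.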
@@ -1,434 +1,157 @@ { - "@timestamp": "1970-01-20T08:34:04.800Z", + "@timestamp": "2023-09-21T06:27:59.358Z", "agent": { - "ephemeral_id": "18969fad-c76a-4106-b318-473dfca4dbf0", - "id": "7cf29b78-13e7-49c9-8f7d-129e499b0a81", - "name": "docker-fleet-agent", + "ephemeral_id": "997d41db-2945-4b29-a606-62cf3d2208ae", + "id": "d68b8849-ddc7-453c-b14c-d770658c905e", + "name": "elastic-agent-83792", "type": "filebeat", - "version": "8.13.2" + "version": "8.14.3" }, "cloud": { - "provider": "aws", - "region": "us-east-1" + "account": { + "id": "65194d7c-584c-11ee-8857-0242ac110005" + }, + "provider": "infrared delayed visiting", + "region": "initial lucia designer" }, "data_stream": { - "dataset": "amazon_security_lake.discovery", - "namespace": "73259", + "dataset": "amazon_security_lake.application_activity", + "namespace": "86127", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "7cf29b78-13e7-49c9-8f7d-129e499b0a81", + "id": "d68b8849-ddc7-453c-b14c-d770658c905e", "snapshot": false, - "version": "8.13.2" + "version": "8.14.3" }, "event": { - "action": "login-attempt", + "action": "look", "agent_id_status": "verified", - "dataset": "amazon_security_lake.discovery", - "duration": 3600000000, - "end": "1970-01-20T08:35:31.200Z", - "ingested": "2024-06-17T15:16:13Z", + "category": [ + "package" + ], + "dataset": "amazon_security_lake.application_activity", + "ingested": "2024-08-13T19:04:14Z", "kind": "event", "outcome": "success", - "severity": 2, - "start": "1970-01-20T08:34:04.800Z" + "provider": "jurisdiction protecting witness", + "severity": 6, + "start": "2023-09-21T06:59:23.200Z", + "type": [ + "info" + ] + }, + "host": { + "domain": "allied had insulation", + "hostname": "zinc.biz", + "id": "651987a6-584c-11ee-ad31-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "knows col covered", + "type": "Unknown" }, "input": { "type": "aws-s3" }, "log": { "file": { - "path": 
"https://elastic-package-security-lake-logs-bucket-86893.s3.us-east-1.amazonaws.com/aws_test_log" + "path": "https://security-lake-logs-bucket-19310.s3.us-east-1.amazonaws.com/application/application_lifecycle.parquet" }, "offset": 0 }, - "message": "User John Doe attempted a login from San Francisco.", + "message": "issues kings loop", "ocsf": { - "activity_id": "1", - "activity_name": "Login Attempt", - "actor.authorizations": [ - { - "decision": "allow", - "policy": { - "desc": "Allow login", - "group": { - "desc": "Employee Group", - "domain": "example.com", - "name": "employees", - "privileges": [ - "read", - "write" - ], - "type": "internal", - "uid": "grp101" - }, - "name": "Login Policy", - "uid": "pol101", - "version": "1.0" - } - } - ], - "actor.idp.name": "IDP Service", - "actor.idp.uid": "idp101", - "actor.invoked_by": "web_app", - "actor.process.cmd_line": "/usr/bin/login", - "actor.process.created_time": 1672444800, - "actor.process.file.accessed_time": 1672531200, - "actor.process.file.accessor.account.name": "john.doe", - "actor.process.file.accessor.account.type": "user", - "actor.process.file.accessor.account.type_id": 1, - "actor.process.file.accessor.account.uid": "acc101", - "actor.process.file.accessor.credential_uid": "cred101", - "actor.process.file.accessor.domain": "example.com", - "actor.process.file.accessor.email_addr": "john.doe@example.com", - "actor.process.file.accessor.full_name": "John Doe", - "actor.process.file.accessor.groups": [ - { - "desc": "Employee Group", - "domain": "example.com", - "name": "employees", - "privileges": [ - "read", - "write" - ], - "type": "internal", - "uid": "grp101" - } - ], - "actor.process.file.accessor.name": "John Doe", - "actor.process.file.accessor.org.name": "Example Corp", - "actor.process.file.accessor.org.ou_name": "IT", - "actor.process.file.accessor.org.ou_uid": "ou101", - "actor.process.file.accessor.org.uid": "org101", - "actor.process.file.accessor.type": "user", - 
"actor.process.file.accessor.type_id": 1, - "actor.process.file.accessor.uid": "usr101", - "actor.process.file.accessor.uid_alt": "john_doe_alt", - "actor.process.file.attributes": 777, - "actor.process.file.company_name": "Example Corp", - "actor.process.file.confidentiality": "high", - "actor.process.file.confidentiality_id": 2, - "actor.process.file.created_time": 1672444800, - "actor.process.file.desc": "Login script", - "actor.process.file.hashes": [ - { - "algorithm": "SHA-256", - "algorithm_id": 4, - "value": "abcd1234" - } - ], - "actor.process.file.is_system": true, - "actor.process.file.mime_type": "application/x-sh", - "actor.process.file.modified_time": 1672444800, - "actor.process.file.name": "login.sh", - "actor.process.file.parent_folder": "/usr/bin", - "actor.process.file.path": "/usr/bin/login.sh", - "actor.process.file.security_descriptor": "D:P(A;;FA;;;BA)", - "actor.process.file.signature.algorithm": "RSA", - "actor.process.file.signature.algorithm_id": 1, - "actor.process.file.signature.certificate.created_time": 1577836800, - "actor.process.file.signature.certificate.expiration_time": 1893456000, - "actor.process.file.signature.certificate.fingerprints": [ - { - "algorithm": "SHA-1", - "algorithm_id": 3, - "value": "abc123" - } - ], - "actor.process.file.signature.certificate.issuer": "Example CA", - "actor.process.file.signature.certificate.serial_number": "123456", - "actor.process.file.signature.certificate.subject": "Example Corp", - "actor.process.file.signature.certificate.uid": "cert101", - "actor.process.file.signature.certificate.version": "1", - "actor.process.file.signature.created_time": 1672444800, - "actor.process.file.signature.developer_uid": "dev101", - "actor.process.file.signature.digest.algorithm": "SHA-256", - "actor.process.file.signature.digest.algorithm_id": 4, - "actor.process.file.signature.digest.value": "abcd1234", - "actor.process.file.size": 2048, - "actor.process.file.type": "script", - 
"actor.process.file.type_id": 1, - "actor.process.file.uid": "file101", - "actor.process.file.version": "1.0", - "actor.process.integrity": "valid", - "actor.process.integrity_id": 1, - "actor.process.lineage": [ - "/sbin/init", - "/usr/bin/login" - ], - "actor.process.loaded_modules": [ - "pam", - "bash" - ], - "actor.process.name": "login", - "actor.process.pid": 1234, - "actor.process.sandbox": "none", - "actor.process.terminated_time": 1672531200, - "actor.process.tid": 5678, - "actor.process.uid": "proc101", - "actor.session.count": 1, - "actor.session.created_time": 1672444800, - "actor.session.credential_uid": "cred101", - "actor.session.expiration_reason": "timeout", - "actor.session.expiration_time": 1672531200, - "actor.session.is_mfa": true, - "actor.session.is_remote": false, - "actor.session.is_vpn": false, - "actor.session.issuer": "IDP Service", - "actor.session.terminal": "pts/1", - "actor.session.uid": "sess101", - "actor.session.uid_alt": "sess102", - "actor.session.uuid": "uuid-1234", - "actor.user.account.name": "john.doe", - "actor.user.account.type": "user", - "actor.user.account.type_id": 1, - "actor.user.account.uid": "acc101", - "actor.user.credential_uid": "cred101", - "actor.user.domain": "example.com", - "actor.user.email_addr": "john.doe@example.com", - "actor.user.full_name": "John Doe", - "actor.user.groups": [ - { - "desc": "Employee Group", - "domain": "example.com", - "name": "employees", - "privileges": [ - "read", - "write" - ], - "type": "internal", - "uid": "grp101" - } - ], - "actor.user.ldap_person.cost_center": "IT", - "actor.user.ldap_person.created_time": 1577836800, - "actor.user.ldap_person.email_addrs": [ - "john.doe@example.com" - ], - "actor.user.ldap_person.employee_uid": "emp101", - "actor.user.ldap_person.given_name": "John", - "actor.user.ldap_person.hire_time": 1546300800, - "actor.user.ldap_person.job_title": "System Administrator", - "actor.user.ldap_person.labels": [ - "full-time" - ], - 
"actor.user.ldap_person.last_login_time": 1672444800, - "actor.user.ldap_person.ldap_cn": "john_doe_cn", - "actor.user.ldap_person.ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", - "actor.user.ldap_person.location.city": "San Francisco", - "actor.user.ldap_person.location.continent": "North America", - "actor.user.ldap_person.location.coordinates": [ - 37.7749, - -122.4194 - ], - "actor.user.ldap_person.location.country": "USA", - "actor.user.ldap_person.location.desc": "Head Office", - "actor.user.ldap_person.location.is_on_premises": true, - "actor.user.ldap_person.location.isp": "Example ISP", - "actor.user.ldap_person.location.postal_code": "94103", - "actor.user.ldap_person.location.provider": "Example Provider", - "actor.user.ldap_person.location.region": "California", - "actor.user.ldap_person.manager.account.name": "jane.manager", - "actor.user.ldap_person.manager.account.type": "user", - "actor.user.ldap_person.manager.account.type_id": 1, - "actor.user.ldap_person.manager.account.uid": "acc102", - "actor.user.ldap_person.manager.credential_uid": "cred102", - "actor.user.ldap_person.manager.domain": "example.com", - "actor.user.ldap_person.manager.email_addr": "jane.manager@example.com", - "actor.user.ldap_person.manager.full_name": "Jane Manager", - "actor.user.ldap_person.manager.groups": [ - { - "desc": "Managers Group", - "domain": "example.com", - "name": "managers", - "privileges": [ - "read", - "write", - "manage" - ], - "type": "internal", - "uid": "grp102" - } - ], - "actor.user.ldap_person.manager.name": "Jane Manager", - "actor.user.ldap_person.manager.org.name": "Example Corp", - "actor.user.ldap_person.manager.org.ou_name": "IT", - "actor.user.ldap_person.manager.org.ou_uid": "ou101", - "actor.user.ldap_person.manager.org.uid": "org101", - "actor.user.ldap_person.manager.type": "user", - "actor.user.ldap_person.manager.type_id": 1, - "actor.user.ldap_person.manager.uid": "usr102", - "actor.user.ldap_person.manager.uid_alt": 
"jane_manager_alt", - "actor.user.ldap_person.modified_time": 1622505600, - "actor.user.ldap_person.office_location": "Building A", - "actor.user.ldap_person.surname": "Doe", - "actor.user.name": "John Doe", - "actor.user.org.name": "Example Corp", - "actor.user.org.ou_name": "IT", - "actor.user.org.ou_uid": "ou101", - "actor.user.org.uid": "org101", - "actor.user.type": "user", - "actor.user.type_id": 1, - "actor.user.uid": "usr101", - "actor.user.uid_alt": "john_doe_alt", - "category_name": "User Activity", - "category_uid": "5", - "class_name": "Login Events", - "class_uid": "5003", - "count": 1, - "duration": 3600, - "metadata.correlation_uid": "cor-1234", - "metadata.event_code": "login_attempt", - "metadata.extension.name": "Login Extension", - "metadata.extension.uid": "ext-1234", - "metadata.extension.version": "1.0", - "metadata.labels": [ - "security" - ], - "metadata.log_level": "info", - "metadata.log_name": "user_activity", - "metadata.log_provider": "Example Provider", - "metadata.log_version": "1.0", - "metadata.logged_time": 1672444800, - "metadata.modified_time": 1672444800, - "metadata.original_time": "2023-01-01T00:00:00Z", - "metadata.processed_time": 1672531200, - "metadata.product.cpe_name": "cpe:/a:example:product", - "metadata.product.feature.name": "Login Feature", - "metadata.product.feature.uid": "fea-1234", - "metadata.product.feature.version": "1.0", - "metadata.product.lang": "en", - "metadata.product.name": "User Activity Logger", - "metadata.product.path": "/var/log/user_activity", - "metadata.product.uid": "prod-1234", - "metadata.product.url_string": "https://example.com", - "metadata.product.vendor_name": "Example Vendor", - "metadata.product.version": "1.0", - "metadata.profiles": [ - "default" - ], - "metadata.sequence": 1, - "metadata.tenant_uid": "tenant123", - "metadata.uid": "evt-1234", - "metadata.version": "1.0", - "observables": [ - { - "name": "San Francisco", - "reputation": { - "base_score": 90, - "provider": "GeoIP 
Service", - "score": "high", - "score_id": "1" - }, - "type": "location", - "type_id": "2", - "value": "San Francisco, USA" + "activity_id": "99", + "activity_name": "look", + "app": { + "feature": { + "name": "mit received implemented", + "uid": "6519aa4c-584c-11ee-ac40-0242ac110005", + "version": "1.0.0" + }, + "lang": "en", + "name": "bottom loud knowledge", + "path": "path o f", + "uid": "6519a3da-584c-11ee-8c89-0242ac110005", + "vendor_name": "ss keeping administered", + "version": "1.0.0" + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Application Lifecycle", + "class_uid": "6002", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10" + }, + "org": { + "name": "exclusive variables tag", + "ou_name": "custom packard pierre", + "uid": "65193f12-584c-11ee-ae9b-0242ac110005" } - ], - "raw_data_keyword": "raw_event_data", - "severity": "medium", - "status": "processed", - "status_code": "200", - "status_detail": "Event processed successfully.", + }, + "device": { + "created_time": "2023-09-21T06:27:59.358Z", + "hw_info": { + "ram_size": 84, + "serial_number": "training blink executives" + }, + "instance_uid": "65197efa-584c-11ee-bc04-0242ac110005", + "interface_name": "lightbox bugs spain", + "interface_uid": "6519835a-584c-11ee-b813-0242ac110005", + "is_personal": false, + "org": { + "name": "chaos winner entered", + "ou_name": "music client leaf", + "uid": "65197a86-584c-11ee-96c1-0242ac110005" + }, + "region": "casio paris norway", + "subnet_uid": "6519725c-584c-11ee-b6a2-0242ac110005", + "type_id": "0", + "uid_alt": "older audience trends" + }, + "metadata": { + "log_name": "collaboration blood loan", + "modified_time_dt": "2023-09-21T06:59:23.198Z", + "original_time": "effectively dimensional reservation", + "product": { + "lang": "en", + "name": "enzyme cookie citations", + "uid": "65195f88-584c-11ee-8118-0242ac110005", + "url_string": "deck", + "vendor_name": "rochester school force", + "version": 
"1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host" + ], + "version": "1.0.0" + }, + "severity": "Fatal", + "start_time_dt": "2023-09-21T06:59:23.200Z", + "status": "Success", + "status_detail": "rat forth dishes", "status_id": "1", - "timezone_offset": -8, - "type_name": "login_event", - "type_uid": "1001", - "user.account.name": "john.doe", - "user.account.type": "user", - "user.account.type_id": 1, - "user.account.uid": "acc101", - "user.credential_uid": "cred101", - "user.domain": "example.com", - "user.email_addr": "john.doe@example.com", - "user.full_name": "John Doe", - "user.groups": [ - { - "desc": "Employee Group", - "domain": "example.com", - "name": "employees", - "privileges": [ - "read", - "write" - ], - "type": "internal", - "uid": "grp101" - } - ], - "user.ldap_person.cost_center": "IT", - "user.ldap_person.created_time": 1577836800, - "user.ldap_person.email_addrs": [ - "john.doe@example.com" - ], - "user.ldap_person.employee_uid": "emp101", - "user.ldap_person.given_name": "John", - "user.ldap_person.hire_time": 1546300800, - "user.ldap_person.job_title": "System Administrator", - "user.ldap_person.labels": [ - "full-time" - ], - "user.ldap_person.last_login_time": 1672444800, - "user.ldap_person.ldap_cn": "john_doe_cn", - "user.ldap_person.ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", - "user.ldap_person.location.city": "San Francisco", - "user.ldap_person.location.continent": "North America", - "user.ldap_person.location.coordinates": [ - 37.7749, - -122.4194 - ], - "user.ldap_person.location.country": "USA", - "user.ldap_person.location.desc": "Head Office", - "user.ldap_person.location.is_on_premises": true, - "user.ldap_person.location.isp": "Example ISP", - "user.ldap_person.location.postal_code": "94103", - "user.ldap_person.location.provider": "Example Provider", - "user.ldap_person.location.region": "California", - "user.ldap_person.manager.account.name": "jane.manager", - 
"user.ldap_person.manager.account.type": "user", - "user.ldap_person.manager.account.type_id": 1, - "user.ldap_person.manager.account.uid": "acc102", - "user.ldap_person.manager.credential_uid": "cred102", - "user.ldap_person.manager.domain": "example.com", - "user.ldap_person.manager.email_addr": "jane.manager@example.com", - "user.ldap_person.manager.full_name": "Jane Manager", - "user.ldap_person.manager.groups": [ - { - "desc": "Managers Group", - "domain": "example.com", - "name": "managers", - "privileges": [ - "read", - "write", - "manage" - ], - "type": "internal", - "uid": "grp102" - } - ], - "user.ldap_person.manager.name": "Jane Manager", - "user.ldap_person.manager.org.name": "Example Corp", - "user.ldap_person.manager.org.ou_name": "IT", - "user.ldap_person.manager.org.ou_uid": "ou101", - "user.ldap_person.manager.org.uid": "org101", - "user.ldap_person.manager.type": "user", - "user.ldap_person.manager.type_id": 1, - "user.ldap_person.manager.uid": "usr102", - "user.ldap_person.manager.uid_alt": "jane_manager_alt", - "user.ldap_person.modified_time": 1622505600, - "user.ldap_person.office_location": "Building A", - "user.ldap_person.surname": "Doe", - "user.name": "John Doe", - "user.org.name": "Example Corp", - "user.org.ou_name": "IT", - "user.org.ou_uid": "ou101", - "user.org.uid": "org101", - "user.type": "user", - "user.type_id": 1, - "user.uid": "usr101", - "user.uid_alt": "john_doe_alt" + "type_name": "Application Lifecycle: Other", + "type_uid": "600299" + }, + "related": { + "hosts": [ + "allied had insulation", + "zinc.biz", + "knows col covered" + ], + "ip": [ + "81.2.69.142" + ] }, "tags": [ "forwarded", diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml index 316b1f41901a..258ecf0528f0 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml 
+++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml @@ -196,6 +196,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -285,6 +288,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -383,6 +389,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -457,6 +466,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -782,6 +794,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
@@ -870,6 +885,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -967,6 +985,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1040,6 +1061,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1270,6 +1294,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. @@ -1397,6 +1424,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml index ade2c04874b9..d19501cf9adb 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml 
+++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml @@ -226,6 +226,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml index 316b1f41901a..258ecf0528f0 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml @@ -196,6 +196,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -285,6 +288,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -383,6 +389,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
@@ -457,6 +466,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -782,6 +794,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -870,6 +885,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -967,6 +985,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1040,6 +1061,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
@@ -1270,6 +1294,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. @@ -1397,6 +1424,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml index 5394314a13de..1fbf81b593e4 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml @@ -34,6 +34,9 @@ - name: desc type: keyword description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: name type: keyword description: The group name. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml index 5f5386baec4e..3293c4d159c0 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml @@ -129,6 +129,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
diff --git a/packages/amazon_security_lake/data_stream/iam/manifest.yml b/packages/amazon_security_lake/data_stream/iam/manifest.yml index 647d7100d49d..cab4af81f2d6 100644 --- a/packages/amazon_security_lake/data_stream/iam/manifest.yml +++ b/packages/amazon_security_lake/data_stream/iam/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Identity and Access Management Events dataset: amazon_security_lake.iam type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml index 316b1f41901a..258ecf0528f0 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml @@ -196,6 +196,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -285,6 +288,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -383,6 +389,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
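Review bot: `index_template.mappings.dynamic: true` turns on dynamic mapping for the whole iam data stream, so any OCSF attribute the field definitions miss is typed from the first document that carries it: a string arriving where a later event sends an object (or vice versa) rejects the later document, and high-cardinality or externally influenced keys can push the index toward the total-fields limit, after which events are dropped, a loss of security telemetry with no error at the source. If the intent is only to let the pipeline reroute events, `dynamic_dataset` and `dynamic_namespace` already cover that and `dynamic: true` can be dropped, or narrowed to `dynamic: runtime` so unmapped data stays searchable without growing the mapping. Whichever is chosen, a comment above the `mappings` block stating why dynamic mapping is needed here would document the decision. The same block is added to the network_activity manifest in this commit.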
@@ -457,6 +466,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -782,6 +794,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -870,6 +885,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -967,6 +985,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1040,6 +1061,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
@@ -1270,6 +1294,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. @@ -1397,6 +1424,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml index 5394314a13de..1fbf81b593e4 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml @@ -34,6 +34,9 @@ - name: desc type: keyword description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: name type: keyword description: The group name. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml index b4591760d870..ab4c65681736 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml @@ -369,6 +369,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
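Review bot: `ignore_malformed: true` on the flattened `data` enrichment field (the `@@ -369,6 +369,7 @@` hunk in network_activity/fields.yml) makes Elasticsearch keep the document but silently drop the `data` value when it does not fit the mapping, so an analyst querying enrichment data sees a missing field rather than an error, with the `_ignored` metadata field as the only trace. If that trade-off (never reject a whole event) is intentional, record it in the mapping: `# ignore_malformed: a non-object value is dropped (recorded in _ignored) instead of rejecting the event`. I am also not certain the `flattened` mapper accepts `ignore_malformed` on every Elasticsearch version this package supports; an unsupported mapping parameter fails template installation, so it is worth checking against the package's version constraint.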
diff --git a/packages/amazon_security_lake/data_stream/network_activity/manifest.yml b/packages/amazon_security_lake/data_stream/network_activity/manifest.yml index b7d7b7e7600d..bc977e86cdd4 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/manifest.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Network Activity Events dataset: amazon_security_lake.network_activity type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml index 316b1f41901a..258ecf0528f0 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml @@ -196,6 +196,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -285,6 +288,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. 
@@ -383,6 +389,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -457,6 +466,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -782,6 +794,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -870,6 +885,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The name of the city. @@ -967,6 +985,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. 
@@ -1040,6 +1061,9 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. - name: name type: keyword description: The username. For example, janedoe1. @@ -1270,6 +1294,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. @@ -1397,6 +1424,9 @@ - name: uuid type: keyword description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. - name: terminated_time type: date description: The time when the process was terminated. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml index 5394314a13de..1fbf81b593e4 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml @@ -34,6 +34,9 @@ - name: desc type: keyword description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: name type: keyword description: The group name. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index c460822020e9..b9bd5cff0191 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml 
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml @@ -579,6 +579,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword diff --git a/packages/amazon_security_lake/data_stream/system_activity/manifest.yml b/packages/amazon_security_lake/data_stream/system_activity/manifest.yml index 9ed929df109b..c6a2cf87a577 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/manifest.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake System Activity Events dataset: amazon_security_lake.system_activity type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index 6ea353f0073a..a70f338b89cf 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md @@ -142,6 +142,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessor.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.accessor.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.accessor.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.file.accessor.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | 
@@ -168,6 +169,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.creator.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.creator.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.creator.name | The name of the city. | keyword | | ocsf.actor.process.file.creator.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | @@ -196,6 +198,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.modifier.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.modifier.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.modifier.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.file.modifier.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | 
@@ -217,6 +220,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.owner.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.owner.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.owner.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.file.owner.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | @@ -310,6 +314,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.accessor.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.accessor.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.file.accessor.org.\* | | object | | ocsf.actor.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | 
@@ -336,6 +341,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.creator.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.creator.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.creator.name | The name of the city. | keyword | | ocsf.actor.process.parent_process.file.creator.org.\* | | object | | ocsf.actor.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | @@ -364,6 +370,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.modifier.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.modifier.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.file.modifier.org.\* | | object | | ocsf.actor.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | 
@@ -385,6 +392,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.owner.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.owner.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.file.owner.org.\* | | object | | ocsf.actor.process.parent_process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | @@ -452,6 +460,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.session.is_remote | The indication of whether the session is remote. | boolean | | ocsf.actor.process.parent_process.session.issuer | The identifier of the session issuer. | keyword | | ocsf.actor.process.parent_process.session.mfa | | boolean | +| ocsf.actor.process.parent_process.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword | | ocsf.actor.process.parent_process.session.uid | The unique identifier of the session. | keyword | | ocsf.actor.process.parent_process.session.uuid | The universally unique identifier of the session. | keyword | | ocsf.actor.process.parent_process.terminated_time | The time when the process was terminated. | date | 
@@ -490,6 +499,7 @@ This is the `Event` dataset. | ocsf.actor.process.session.is_remote | The indication of whether the session is remote. | boolean | | ocsf.actor.process.session.issuer | The identifier of the session issuer. | keyword | | ocsf.actor.process.session.mfa | | boolean | +| ocsf.actor.process.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword | | ocsf.actor.process.session.uid | The unique identifier of the session. | keyword | | ocsf.actor.process.session.uuid | The universally unique identifier of the session. | keyword | | ocsf.actor.process.terminated_time | The time when the process was terminated. | date | @@ -748,6 +758,7 @@ This is the `Event` dataset. | ocsf.device.first_seen_time | The initial discovery time of the device. | date | | ocsf.device.first_seen_time_dt | The initial discovery time of the device. | date | | ocsf.device.groups.desc | The group description. | keyword | +| ocsf.device.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.device.groups.name | The group name. | keyword | | ocsf.device.groups.privileges | The group privileges. | keyword | | ocsf.device.groups.type | The type of the group or account. | keyword | From 22614312f73ad61f91b3479d39ed9e8c4b6a51d1 Mon Sep 17 00:00:00 2001 
From: Shourie Ganguly Date: Mon, 19 Aug 2024 13:43:34 +0530 Subject: [PATCH 26/30] removed system test configs until respective elastic-package changes are implemented --- .../system/test-application-activity-config.yml | 13 ------------- .../_dev/test/system/test-discovery-config.yml | 13 ------------- .../event/_dev/test/system/test-findings-config.yml | 13 ------------- .../event/_dev/test/system/test-iam-config.yml | 13 ------------- .../test/system/test-network-activity-config.yml | 13 ------------- .../test/system/test-system-activity-config.yml | 13 ------------- .../data_stream/event/sample_event.json | 4 ++-- 7 files changed, 2 insertions(+), 80 deletions(-) delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml delete mode 100644 packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml deleted file mode 100644 index ca815fc33db6..000000000000 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-application-activity-config.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -input: aws-s3 -vars: - data_stream.dataset: amazon_security_lake.application_activity - event.dataset: amazon_security_lake.application_activity -data_stream: - vars: - access_key_id: '{{AWS_ACCESS_KEY_ID}}' - secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' - session_token: '{{AWS_SESSION_TOKEN}}' - bucket_arn: '{{TF_OUTPUT_bucket_arn}}' - bucket_list_prefix: 'application/' -assert: - hit_count: 1 diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml deleted file mode 100644 index 97b7dadff5bd..000000000000 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-discovery-config.yml +++ /dev/null @@ -1,13 +0,0 @@ -input: aws-s3 -vars: - data_stream.dataset: amazon_security_lake.discovery - event.dataset: amazon_security_lake.discovery -data_stream: - vars: - access_key_id: '{{AWS_ACCESS_KEY_ID}}' - secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' - session_token: '{{AWS_SESSION_TOKEN}}' - bucket_arn: '{{TF_OUTPUT_bucket_arn}}' - bucket_list_prefix: 'discovery/' -assert: - hit_count: 1 diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml deleted file mode 100644 index 984ecb4d0df1..000000000000 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-findings-config.yml +++ /dev/null @@ -1,13 +0,0 @@ -input: aws-s3 -vars: - data_stream.dataset: amazon_security_lake.findings - event.dataset: amazon_security_lake.findings -data_stream: - vars: - access_key_id: '{{AWS_ACCESS_KEY_ID}}' - secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' - session_token: '{{AWS_SESSION_TOKEN}}' - bucket_arn: '{{TF_OUTPUT_bucket_arn}}' - bucket_list_prefix: 'findings/' -assert: - hit_count: 1 
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml deleted file mode 100644 index 637fca454d82..000000000000 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-iam-config.yml +++ /dev/null @@ -1,13 +0,0 @@ -input: aws-s3 -vars: - data_stream.dataset: amazon_security_lake.iam - event.dataset: amazon_security_lake.iam -data_stream: - vars: - access_key_id: '{{AWS_ACCESS_KEY_ID}}' - secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' - session_token: '{{AWS_SESSION_TOKEN}}' - bucket_arn: '{{TF_OUTPUT_bucket_arn}}' - bucket_list_prefix: 'iam/' -assert: - hit_count: 1 diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml deleted file mode 100644 index a0c6aaed17e9..000000000000 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-network-activity-config.yml +++ /dev/null @@ -1,13 +0,0 @@ -input: aws-s3 -vars: - data_stream.dataset: amazon_security_lake.network_activity - event.dataset: amazon_security_lake.network_activity -data_stream: - vars: - access_key_id: '{{AWS_ACCESS_KEY_ID}}' - secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' - session_token: '{{AWS_SESSION_TOKEN}}' - bucket_arn: '{{TF_OUTPUT_bucket_arn}}' - bucket_list_prefix: 'network/' -assert: - hit_count: 1 diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml deleted file mode 100644 index 69f3307274b7..000000000000 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/system/test-system-activity-config.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -input: aws-s3 -vars: - data_stream.dataset: amazon_security_lake.system_activity - event.dataset: amazon_security_lake.system_activity -data_stream: - vars: - access_key_id: '{{AWS_ACCESS_KEY_ID}}' - secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}' - session_token: '{{AWS_SESSION_TOKEN}}' - bucket_arn: '{{TF_OUTPUT_bucket_arn}}' - bucket_list_prefix: 'system/' -assert: - hit_count: 1 diff --git a/packages/amazon_security_lake/data_stream/event/sample_event.json b/packages/amazon_security_lake/data_stream/event/sample_event.json index 375284dea717..7c2bf8e23805 100644 --- a/packages/amazon_security_lake/data_stream/event/sample_event.json +++ b/packages/amazon_security_lake/data_stream/event/sample_event.json @@ -15,7 +15,7 @@ "region": "initial lucia designer" }, "data_stream": { - "dataset": "amazon_security_lake.application_activity", + "dataset": "amazon_security_lake.event", "namespace": "86127", "type": "logs" }, @@ -33,7 +33,7 @@ "category": [ "package" ], - "dataset": "amazon_security_lake.application_activity", + "dataset": "amazon_security_lake.event", "ingested": "2024-08-13T19:04:14Z", "kind": "event", "outcome": "success", From 14bb1a5709505f943b7f3c0975c81cf28e696618 Mon Sep 17 00:00:00 2001 
From: Shourie Ganguly Date: Mon, 21 Oct 2024 12:41:42 +0530 Subject: [PATCH 27/30] updated docs, optimised timestamp conversion logic and changed *.type_id from integer to keyword --- .../_dev/build/docs/README.md | 2 +- packages/amazon_security_lake/changelog.yml | 2 +- .../fields/actor-fields.yml | 52 ++++++------- .../application_activity/fields/fields.yml | 10 +-- .../fields/network-endpoint-fields.yml | 4 +- .../fields/resource-fields.yml | 8 +- .../discovery/fields/actor-fields.yml | 52 ++++++------- .../data_stream/discovery/fields/fields.yml | 2 +- .../discovery/fields/user-fields.yml | 8 +- .../data_stream/event/_dev/deploy/tf/main.tf | 2 +- .../_dev/test/pipeline/test-common-config.yml | 13 ++++ .../elasticsearch/ingest_pipeline/default.yml | 13 ++-- .../data_stream/event/fields/actor-fields.yml | 48 ++++++------ .../data_stream/event/fields/fields.yml | 4 +- .../data_stream/event/fields/misc-fields.yml | 2 +- .../event/fields/network-endpoint-fields.yml | 4 +- .../event/fields/proxy-endpoint-fields.yml | 2 +- .../event/fields/resource-fields.yml | 8 +- .../data_stream/event/fields/user-fields.yml | 8 +- .../data_stream/event/manifest.yml | 7 +- .../findings/fields/actor-fields.yml | 52 ++++++------- .../findings/fields/assignee-fields.yml | 8 +- .../data_stream/findings/fields/fields.yml | 2 +- .../findings/fields/finding-info-fields.yml | 2 +- .../findings/fields/resource-fields.yml | 8 +- .../data_stream/iam/fields/actor-fields.yml | 52 ++++++------- .../data_stream/iam/fields/fields.yml | 2 +- .../iam/fields/network-endpoint-fields.yml | 4 +- .../iam/fields/resource-fields.yml | 8 +- .../data_stream/iam/fields/user-fields.yml | 8 +- .../network_activity/fields/actor-fields.yml | 52 ++++++------- .../network_activity/fields/fields.yml | 2 +- .../fields/network-endpoint-fields.yml | 4 +- .../fields/proxy-endpoint-fields.yml | 2 +- .../system_activity/fields/actor-fields.yml | 52 ++++++------- .../system_activity/fields/fields.yml | 2 +- 
packages/amazon_security_lake/docs/README.md | 78 +++++++++---------- 37 files changed, 298 insertions(+), 291 deletions(-) diff --git a/packages/amazon_security_lake/_dev/build/docs/README.md b/packages/amazon_security_lake/_dev/build/docs/README.md index 44594e586b95..18008fd0da68 100644 --- a/packages/amazon_security_lake/_dev/build/docs/README.md +++ b/packages/amazon_security_lake/_dev/build/docs/README.md @@ -19,7 +19,7 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). -- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable in a YAML format. This will evolve on a need-by-need basis going forward. +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable and stay within field mapping [limits](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-settings-limit.html). This will evolve as needed. ## Requirements diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml index 652ad031942c..294689e3035f 100644 --- a/packages/amazon_security_lake/changelog.yml +++ b/packages/amazon_security_lake/changelog.yml 
@@ -1,7 +1,7 @@ # newer versions go on top - version: "2.0.0" changes: - - description: Updated to support OCSF v1.1.0. with major pipeline rework and dynamic template support. + - description: Updated to support OCSF v1.1.0. with major pipeline rework and dynamic mapping support. type: enhancement link: https://github.com/elastic/integrations/pull/10405 - version: "1.5.0" diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml index 258ecf0528f0..e5ebbdba302f 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml @@ -158,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -211,7 +211,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -250,7 +250,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -303,7 +303,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
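Review bot: Changing `type_id` from `integer` to `keyword` (the `@@ -158`, `-211`, `-250` and `-303` hunks in application_activity/actor-fields.yml) makes backing indices written before 2.0.0 conflict with new ones on the same field name, so Kibana will flag `ocsf.actor.*.type_id` as a conflicting field and aggregations or detection rules that span the rollover will error; on the new data, `type_id >= N`-style comparisons also become lexicographic rather than numeric. The 2.0.0 major bump in the changelog hunk covers the break, but the entry only mentions OCSF v1.1.0 and dynamic mapping, so rule authors will not learn about it from the release notes. I would add a second entry under the same version: `- description: Map all OCSF *.type_id fields as keyword (previously integer); numeric range queries on these fields must be rewritten.` with `type: breaking-change`.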
@@ -351,7 +351,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -404,7 +404,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -428,7 +428,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -481,7 +481,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -606,7 +606,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -756,7 +756,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -847,7 +847,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -899,7 +899,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -947,7 +947,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -999,7 +999,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1023,7 +1023,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1075,7 +1075,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1200,7 +1200,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword 
@@ -1322,7 +1322,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1372,7 +1372,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1452,7 +1452,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1501,7 +1501,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1575,7 +1575,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1625,7 +1625,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1755,7 +1755,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -1805,7 +1805,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 1fcab231a18d..e7f961422619 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml @@ -187,7 +187,7 @@ type: keyword description: The database type. - name: type_id - type: integer + type: keyword description: The normalized identifier of the database type. - name: databucket type: group @@ -244,7 +244,7 @@ type: keyword description: The databucket type. - name: type_id - type: integer + type: keyword description: The normalized identifier of the databucket type. - name: end_time type: date @@ -585,7 +585,7 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text description: The raw event data keyword as received from the event source. - name: scan type: group @@ -598,7 +598,7 @@ type: keyword description: The type of scan. - name: type_id - type: integer + type: keyword description: The type id of the scan. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The event type name, as defined by the type_id. - name: type_id - type: integer + type: keyword description: The normalized event type identifier. - name: type_name type: keyword diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml index fdb8f2040fcd..91fca432e6eb 100644 
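Review bot: The `ocsf.type_id` retype from `integer` to `keyword` in the `@@ -808,7 +808,7 @@` hunk (and the same change on every other `*.type_id` in this commit) is a mapping-type change that only applies to backing indices created after the upgrade; the existing backing indices keep `integer`, so until they roll over or are reindexed a data view spanning both reports a field-type conflict, and a `terms` aggregation or range filter on `type_id` across the mixed set either fails or is evaluated differently per index. Detection rules and dashboards that key on `type_id` are the security-relevant casualties, and nothing in the diff warns the user. The package changelog should record this as a breaking mapping change rather than a plain enhancement and recommend a rollover (or reindex) for users with rules or visualizations on these fields, e.g. `- description: Change *.type_id fields from integer to keyword (breaking mapping change; roll over existing data streams).` with `type: breaking-change`.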
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml @@ -92,7 +92,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword @@ -197,7 +197,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml index 7b751ea16a07..e3d9d54d6704 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml @@ -53,7 +53,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -86,7 +86,7 @@ type: keyword description: The type of the group or account. - name: type_id - type: integer + type: keyword description: The resource group type identifier. - name: uid type: keyword @@ -116,7 +116,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -131,7 +131,7 @@ type: keyword description: The resource type as defined by the event source. - name: type_id - type: integer + type: keyword description: The resource type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml index 258ecf0528f0..e5ebbdba302f 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml @@ -158,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -211,7 +211,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -250,7 +250,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -303,7 +303,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -351,7 +351,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -404,7 +404,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -428,7 +428,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -481,7 +481,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -606,7 +606,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -756,7 +756,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -847,7 +847,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -899,7 +899,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -947,7 +947,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -999,7 +999,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1023,7 +1023,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1075,7 +1075,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1200,7 +1200,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -1322,7 +1322,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -1372,7 +1372,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1452,7 +1452,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1501,7 +1501,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1575,7 +1575,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1625,7 +1625,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1755,7 +1755,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1805,7 +1805,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml index 62327894c949..9f512626e38c 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml @@ -227,7 +227,7 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text description: The raw event data keyword as received from the event source. - name: security_level type: keyword diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml index 8ce12477ebc7..904fd937ffa0 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml @@ -14,7 +14,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -64,7 +64,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -194,7 +194,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -244,7 +244,7 @@
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
- name: type_id
- type: integer
+ type: keyword
description: The account type identifier.
- name: uid
type: keyword
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf
index 3f1db2d1e896..623a4846d444 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf
+++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf
@@ -41,4 +41,4 @@ resource "aws_s3_object" "objects" {
output "bucket_arn" {
value = aws_s3_bucket.security_lake_logs.arn
description = "The ARN of the S3 bucket"
-}
\ No newline at end of file
+}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
index 08ff342ecf4b..b7a4ac20d306 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
@@ -4,3 +4,16 @@ fields:
- preserve_duplicate_custom_fields
numeric_keyword_fields:
- ocsf.malware.classification_ids
+ - ocsf.user.ldap_person.manager.account.type_id
+ - ocsf.dst_endpoint.type_id
+ - ocsf.scan.type_id
+ - ocsf.scan.type_id
+ - ocsf.src_endpoint.type_id
+ - ocsf.src_endpoint.type_id
+ - ocsf.type_id
+ - ocsf.user.ldap_person.manager.type_id
+ - ocsf.resources.owner.type_id
+ - ocsf.resources.owner.type_id
+ - ocsf.dst_endpoint.type_id
+ - ocsf.proxy_endpoint.type_id
+ - ocsf.src_endpoint.type_id
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 7a15fc2967be..d5d8455fec40 100644
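Review bot: The added `numeric_keyword_fields` entries in the test-common-config.yml hunk contain duplicates — `ocsf.scan.type_id`, `ocsf.dst_endpoint.type_id` and `ocsf.resources.owner.type_id` appear twice each and `ocsf.src_endpoint.type_id` three times — which makes it hard to see which fields are actually covered; keep one entry per field. The fields.yml hunks in this commit also flip many more `*.type_id` mappings to `keyword` (for example `ocsf.actor.user.type_id`, `ocsf.resources.type_id` and the file `type_id`) than are listed here, so if any pipeline sample emits those as numbers the expected-output validation will presumably fail until they are added as well — worth confirming with a pipeline test run. Since every entry in this list is a `*_id` retyped in the same way, a short comment above the block saying why they are numeric-in-keyword, `# OCSF *_id enums are mapped as keyword but arrive as integers`, would save the next maintainer a lookup.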
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -30,17 +30,16 @@ processors:
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
source: >-
def convertToMilliseconds(long timestamp) {
- int digits = ("" + timestamp).length();
- if (digits > 16 && digits <= 19) {
+ if ((long)1e19 - 1 < timestamp) {
+ throw new IllegalArgumentException("Timestamp format not recognized: " + timestamp);
+ } else if ((long)1e16 - 1 < timestamp) {
return timestamp / 1000000; // Convert nanoseconds to milliseconds
- } else if (digits > 13 && digits <= 16) {
+ } else if ((long)1e13 - 1 < timestamp) {
return timestamp / 1000; // Convert microseconds to milliseconds
- } else if (digits > 10 && digits <= 13) {
+ } else if ((long)1e10 - 1 < timestamp) {
return timestamp; // Already in milliseconds, no conversion needed
- } else if (digits <= 10) {
- return timestamp * 1000; // Convert seconds to milliseconds
} else {
- throw new IllegalArgumentException("Timestamp format not recognized: " + timestamp);
+ return timestamp * 1000; // Convert seconds to milliseconds
}
}
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index c2f52c90ab28..c27e46bc1b4c 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
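Review bot: The new first branch `if ((long)1e19 - 1 < timestamp)` cannot reject anything in practice: 1e19 is above Long.MAX_VALUE (about 9.22e18) and a double-to-long cast saturates to Long.MAX_VALUE, as it does in Java, so the condition only holds for `timestamp == Long.MAX_VALUE` and the "Timestamp format not recognized" exception is effectively dead code. Negative values are not rejected either; they fall through every threshold into `return timestamp * 1000;` and become a pre-epoch @timestamp (with overflow for very negative inputs) instead of routing the event to the failure handler, which is what a SOC would want for a malformed `time` field. Since a long never has more than 19 digits, the upper bound adds nothing; replace that branch with a sign check, `if (timestamp < 0) { throw new IllegalArgumentException("Timestamp format not recognized: " + timestamp); }`, and keep the remaining thresholds as they are. The enclosing script processor and its `on_failure` handling continue outside the hunk, so I cannot see here how the exception is surfaced.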
@@ -158,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -211,7 +211,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -250,7 +250,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -303,7 +303,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -351,7 +351,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -404,7 +404,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -428,7 +428,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -481,7 +481,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -606,7 +606,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -756,7 +756,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -847,7 +847,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -899,7 +899,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -947,7 +947,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -999,7 +999,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1023,7 +1023,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1075,7 +1075,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1200,7 +1200,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -1322,7 +1322,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1372,7 +1372,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1452,7 +1452,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -1501,7 +1501,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1575,7 +1575,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1625,7 +1625,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml index 771d6522868a..bfa26366a867 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml @@ -2605,7 +2605,7 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text description: The event data as received from the event source. - name: rcode type: keyword @@ -2994,7 +2994,7 @@ type: keyword description: The type the event. - name: type_id - type: integer + type: keyword description: The normalized event type identifier. - name: type_name type: keyword diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml index 4b306f6a4389..3e3226bdb23c 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml 
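Review bot: Retyping `ocsf.raw_data_keyword` to `match_only_text` in the fields.yml `@@ -2605,7 +2605,7 @@` hunk removes exact-value semantics — `term` filters, `terms` aggregations and sorting no longer work on it — while the field name still promises a keyword, so a rule or saved search that filtered on the full raw payload will silently start matching analyzed tokens instead. If the motivation is keyword's size limit on large raw events (the hunk does not say), state it in the description, e.g. `description: The event data as received from the event source, indexed as match_only_text (full-text search only, not aggregatable).`, and consider whether a differently named field would be less misleading than a "keyword" that is text. The same retype is applied to the other data streams in this commit and deserves the same note there.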
@@ -76,7 +76,7 @@ type: keyword description: The type of scan. - name: type_id - type: integer + type: keyword description: The type id of the scan. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml index fdb8f2040fcd..91fca432e6eb 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml @@ -92,7 +92,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword @@ -197,7 +197,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml index 629037c600e3..898740ab4d10 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml @@ -92,7 +92,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword 
diff --git a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml index 7b751ea16a07..e3d9d54d6704 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml @@ -53,7 +53,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -86,7 +86,7 @@ type: keyword description: The type of the group or account. - name: type_id - type: integer + type: keyword description: The resource group type identifier. - name: uid type: keyword @@ -116,7 +116,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -131,7 +131,7 @@ type: keyword description: The resource type as defined by the event source. - name: type_id - type: integer + type: keyword description: The resource type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml index 8ce12477ebc7..904fd937ffa0 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml @@ -14,7 +14,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -64,7 +64,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -194,7 +194,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -244,7 +244,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index aad3ef420bef..3ae37f501ab3 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml +++ b/packages/amazon_security_lake/data_stream/event/manifest.yml 
@@ -122,12 +122,7 @@ streams:
required: false
show_user: false
description: If the SQS queue will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.
- default: |
- # Example: if you want to consume events that contain 'CloudTrail' in the S3 object key and apply parquet decoding to the events.
- # - regex: '/CloudTrail/'
- # decoding.codec.parquet.enabled: true
- # decoding.codec.parquet.batch_size: 100
- # decoding.codec.parquet.process_parallel: true
+ default: "# Example: if you want to consume events that contain 'CloudTrail' in the S3 object key and apply parquet decoding to the events.\n# - regex: '/CloudTrail/'\n# decoding.codec.parquet.enabled: true\n# decoding.codec.parquet.batch_size: 100\n# decoding.codec.parquet.process_parallel: true \n"
- name: region
type: text
title: "[SQS] Region"
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
index 258ecf0528f0..e5ebbdba302f 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
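Review bot: The `file_selectors` default is rewritten from a `|` block scalar into a single double-quoted string with embedded `\n`, which is harder to read and review, and it introduces a trailing space that the block form did not have (`process_parallel: true \n`). Nothing in the hunk says why the form changed; unless the package-spec validator rejects the block scalar here — worth confirming — keep the `|` form, and otherwise at least drop the stray space before the final `\n`. Because the value is a commented-out example, the change has no runtime effect either way, so this is purely about maintainability.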
@@ -158,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -211,7 +211,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -250,7 +250,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -303,7 +303,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -351,7 +351,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -404,7 +404,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -428,7 +428,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -481,7 +481,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -606,7 +606,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -756,7 +756,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -847,7 +847,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -899,7 +899,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -947,7 +947,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -999,7 +999,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1023,7 +1023,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1075,7 +1075,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1200,7 +1200,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -1322,7 +1322,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1372,7 +1372,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1452,7 +1452,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -1501,7 +1501,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1575,7 +1575,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1625,7 +1625,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1755,7 +1755,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1805,7 +1805,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml index d3df3ca6d629..74d4ea4ae382 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml @@ -14,7 +14,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -64,7 +64,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -194,7 +194,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -244,7 +244,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml index d19501cf9adb..cde591e75479 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml @@ -550,7 +550,7 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text description: The raw event data keyword as received from the event source. - name: risk_level type: keyword diff --git a/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml index 526037c0a092..3349999ea2bc 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml @@ -70,7 +70,7 @@ type: keyword description: The analytic type. - name: type_id - type: integer + type: keyword description: The analytic type ID. - name: uid type: keyword 
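Review bot: `raw_data_keyword` keeps its `_keyword` name and its "raw event data keyword" description while its mapping becomes `match_only_text` (findings/fields.yml here, and the same hunk in iam/fields.yml and network_activity/fields.yml later in this chunk), so the name now promises exact-match and aggregation behaviour the field no longer has: `match_only_text` is tokenised, supports neither aggregations nor sorting, and a `term` filter or a rule that matched the full raw string is likely to stop matching without any error. If the goal is to avoid indexing large raw payloads as a single keyword term, rename the field or at least rewrite the description, e.g. `description: The raw event data as received from the event source, indexed as match_only_text for full-text search only (no exact-term filters, sorting or aggregations).`, and mention the behaviour change in the 2.0.0 changelog entry. I could not see where the pipeline populates this field, so whether anything downstream relies on exact matching is inferred.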
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml index 7b751ea16a07..e3d9d54d6704 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml @@ -53,7 +53,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -86,7 +86,7 @@ type: keyword description: The type of the group or account. - name: type_id - type: integer + type: keyword description: The resource group type identifier. - name: uid type: keyword @@ -116,7 +116,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -131,7 +131,7 @@ type: keyword description: The resource type as defined by the event source. - name: type_id - type: integer + type: keyword description: The resource type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml index 258ecf0528f0..e5ebbdba302f 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml @@ -158,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -211,7 +211,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -250,7 +250,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -303,7 +303,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -351,7 +351,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -404,7 +404,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -428,7 +428,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -481,7 +481,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -606,7 +606,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -756,7 +756,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -847,7 +847,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -899,7 +899,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -947,7 +947,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -999,7 +999,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -1023,7 +1023,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1075,7 +1075,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1200,7 +1200,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -1322,7 +1322,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1372,7 +1372,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1452,7 +1452,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1501,7 +1501,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -1575,7 +1575,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1625,7 +1625,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1755,7 +1755,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1805,7 +1805,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml index 3293c4d159c0..604c94947a96 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml @@ -1704,7 +1704,7 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text description: The raw event data keyword as received from the event source. - name: service type: group diff --git a/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml index fdb8f2040fcd..91fca432e6eb 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml 
+++ b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml @@ -92,7 +92,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword @@ -197,7 +197,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml index 7b751ea16a07..e3d9d54d6704 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml @@ -53,7 +53,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -86,7 +86,7 @@ type: keyword description: The type of the group or account. - name: type_id - type: integer + type: keyword description: The resource group type identifier. - name: uid type: keyword @@ -116,7 +116,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -131,7 +131,7 @@ type: keyword description: The resource type as defined by the event source. - name: type_id - type: integer + type: keyword description: The resource type identifier. - name: uid type: keyword 
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml index 8ce12477ebc7..904fd937ffa0 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml @@ -14,7 +14,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -64,7 +64,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -194,7 +194,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -244,7 +244,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml index 258ecf0528f0..e5ebbdba302f 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml 
@@ -158,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -211,7 +211,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -250,7 +250,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -303,7 +303,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -351,7 +351,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -404,7 +404,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -428,7 +428,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -481,7 +481,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -606,7 +606,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -756,7 +756,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -847,7 +847,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -899,7 +899,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -947,7 +947,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -999,7 +999,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1023,7 +1023,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1075,7 +1075,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1200,7 +1200,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -1322,7 +1322,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1372,7 +1372,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1452,7 +1452,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword 
@@ -1501,7 +1501,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1575,7 +1575,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1625,7 +1625,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1755,7 +1755,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1805,7 +1805,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml index ab4c65681736..247eefdfaa72 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml @@ -732,7 +732,7 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text description: The raw event data keyword as received from the event source. - name: rcode type: keyword 
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml index fdb8f2040fcd..91fca432e6eb 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml @@ -92,7 +92,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword @@ -197,7 +197,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml index 629037c600e3..898740ab4d10 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml @@ -92,7 +92,7 @@ type: keyword description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - name: type_id - type: integer + type: keyword description: The network endpoint type ID. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml index 258ecf0528f0..e5ebbdba302f 100644 
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml @@ -158,7 +158,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -211,7 +211,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -250,7 +250,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -303,7 +303,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -351,7 +351,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -404,7 +404,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -428,7 +428,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -481,7 +481,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -606,7 +606,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -756,7 +756,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -808,7 +808,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -847,7 +847,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -899,7 +899,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -947,7 +947,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -999,7 +999,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1023,7 +1023,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1075,7 +1075,7 @@ type: keyword description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1200,7 +1200,7 @@ type: keyword description: The file type. - name: type_id - type: integer + type: keyword description: The file type ID. - name: uid type: keyword @@ -1322,7 +1322,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1372,7 +1372,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword 
@@ -1452,7 +1452,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1501,7 +1501,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1575,7 +1575,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1625,7 +1625,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword @@ -1755,7 +1755,7 @@ type: keyword description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id - type: integer + type: keyword description: The normalized account type identifier. - name: uid type: keyword @@ -1805,7 +1805,7 @@ type: keyword description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id - type: integer + type: keyword description: The account type identifier. - name: uid type: keyword diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index b9bd5cff0191..86d2c79e1692 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml 
@@ -3715,7 +3715,7 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text description: The raw event data keyword as received from the event source. - name: requested_permissions type: long diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index 5416b577f2d5..b52c3e70296f 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md @@ -19,7 +19,7 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). -- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable in a YAML format. This will evolve on a need-by-need basis going forward. +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable and stay within field mapping [limits](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-settings-limit.html). This will evolve as needed. ## Requirements 
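Review bot: After this hunk `raw_data_keyword` is mapped as `match_only_text`, so its name now contradicts its type: `match_only_text` is full-text searchable only, is not aggregatable or sortable, and is not a keyword, which anyone building a visualization or exact-match rule on this field will discover at query time. If the intent is to avoid `keyword` length limits on large raw events, that is a reasonable trade-off but should be stated in the mapping, e.g. `description: The raw event data as received from the event source, indexed as match_only_text (full-text search only; not aggregatable or sortable).` It is not visible here whether the other data streams still map this field as `keyword`; if they do, a shared data view over the integration's indices would see a type conflict on this field.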
@@ -138,7 +138,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessed_time_dt | The time when the file was last accessed. | date | | ocsf.actor.process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.accessor.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.file.accessor.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -154,7 +154,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessor.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.file.accessor.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.accessor.type_id | The account type identifier. | integer | +| ocsf.actor.process.file.accessor.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.attributes | The Bitmask value that represents the file attributes. | long | @@ -165,7 +165,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.created_time_dt | The time when the file was created. | date | | ocsf.actor.process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.creator.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.file.creator.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -181,7 +181,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.creator.name | The name of the city. | keyword | | ocsf.actor.process.file.creator.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.creator.type_id | The account type identifier. | integer | +| ocsf.actor.process.file.creator.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword | 
@@ -194,7 +194,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.modified_time_dt | The time when the file was last modified. | date | | ocsf.actor.process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.modifier.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.file.modifier.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -210,13 +210,13 @@ This is the `Event` dataset. | ocsf.actor.process.file.modifier.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.file.modifier.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.modifier.type_id | The account type identifier. | integer | +| ocsf.actor.process.file.modifier.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.name | The name of the file. For example: svchost.exe. | keyword | | ocsf.actor.process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.owner.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.file.owner.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.file.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -232,7 +232,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.owner.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.file.owner.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.file.owner.type_id | The account type identifier. | integer | +| ocsf.actor.process.file.owner.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | @@ -268,7 +268,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.signature.digest.value | The digital fingerprint value. | keyword | | ocsf.actor.process.file.size | The size of data, in bytes. | long | | ocsf.actor.process.file.type | The file type. | keyword | -| ocsf.actor.process.file.type_id | The file type ID. | integer | +| ocsf.actor.process.file.type_id | The file type ID. | keyword | | ocsf.actor.process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword | | ocsf.actor.process.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.actor.process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | 
@@ -310,7 +310,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.accessed_time_dt | The time when the file was last accessed. | date | | ocsf.actor.process.parent_process.file.accessor.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.parent_process.file.accessor.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.parent_process.file.accessor.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.parent_process.file.accessor.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.parent_process.file.accessor.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.parent_process.file.accessor.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.parent_process.file.accessor.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -326,7 +326,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.file.accessor.org.\* | | object | | ocsf.actor.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | integer | +| ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.parent_process.file.accessor.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.parent_process.file.attributes | The Bitmask value that represents the file attributes. | long | 
@@ -337,7 +337,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.created_time_dt | The time when the file was created. | date | | ocsf.actor.process.parent_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.parent_process.file.creator.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.parent_process.file.creator.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.parent_process.file.creator.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.parent_process.file.creator.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.parent_process.file.creator.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.parent_process.file.creator.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -353,7 +353,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.creator.name | The name of the city. | keyword | | ocsf.actor.process.parent_process.file.creator.org.\* | | object | | ocsf.actor.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | integer | +| ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.parent_process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.parent_process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword | 
@@ -366,7 +366,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.modified_time_dt | The time when the file was last modified. | date | | ocsf.actor.process.parent_process.file.modifier.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.parent_process.file.modifier.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.parent_process.file.modifier.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.parent_process.file.modifier.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.parent_process.file.modifier.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.parent_process.file.modifier.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.parent_process.file.modifier.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -382,13 +382,13 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.file.modifier.org.\* | | object | | ocsf.actor.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | integer | +| ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.parent_process.file.modifier.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.parent_process.file.name | The name of the file. For example: svchost.exe. | keyword | | ocsf.actor.process.parent_process.file.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.parent_process.file.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.parent_process.file.owner.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.parent_process.file.owner.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.parent_process.file.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.parent_process.file.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.parent_process.file.owner.domain | The domain where the user is defined. 
For example: the LDAP or Active Directory domain. | keyword | @@ -404,7 +404,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.file.owner.org.\* | | object | | ocsf.actor.process.parent_process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | integer | +| ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | 
@@ -440,7 +440,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.signature.digest.value | The digital fingerprint value. | keyword | | ocsf.actor.process.parent_process.file.size | The size of data, in bytes. | long | | ocsf.actor.process.parent_process.file.type | The file type. | keyword | -| ocsf.actor.process.parent_process.file.type_id | The file type ID. | integer | +| ocsf.actor.process.parent_process.file.type_id | The file type ID. | keyword | | ocsf.actor.process.parent_process.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword | | ocsf.actor.process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.actor.process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | 
@@ -477,7 +477,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword | | ocsf.actor.process.parent_process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.parent_process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.parent_process.user.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.parent_process.user.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.parent_process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.parent_process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.parent_process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | 
@@ -493,7 +493,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.user.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.parent_process.user.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.parent_process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.parent_process.user.type_id | The account type identifier. | integer | +| ocsf.actor.process.parent_process.user.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.parent_process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.parent_process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened | 
@@ -516,7 +516,7 @@ This is the `Event` dataset. | ocsf.actor.process.uid | A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. | keyword | | ocsf.actor.process.user.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.process.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.user.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.process.user.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.process.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.process.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.process.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | @@ -531,7 +531,7 @@ This is the `Event` dataset. | ocsf.actor.process.user.name | The username. For example, janedoe1. | keyword | | ocsf.actor.process.user.org.\* | | object | | ocsf.actor.process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.process.user.type_id | The account type identifier. | integer | +| ocsf.actor.process.user.type_id | The account type identifier. | keyword | | ocsf.actor.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened | 
@@ -553,7 +553,7 @@ This is the `Event` dataset. | ocsf.actor.session.uuid | The universally unique identifier of the session. | keyword | | ocsf.actor.user.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.actor.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.user.account.type_id | The normalized account type identifier. | integer | +| ocsf.actor.user.account.type_id | The normalized account type identifier. | keyword | | ocsf.actor.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | | ocsf.actor.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | | ocsf.actor.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | @@ -569,7 +569,7 @@ This is the `Event` dataset. | ocsf.actor.user.name | The username. For example, janedoe1. | keyword | | ocsf.actor.user.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.actor.user.type_id | The account type identifier. | integer | +| ocsf.actor.user.type_id | The account type identifier. | keyword | | ocsf.actor.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actual_permissions | The permissions that were granted to the in a platform-native format. | long | 
@@ -1023,7 +1023,7 @@ This is the `Event` dataset. | ocsf.dst_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | | ocsf.dst_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | | ocsf.dst_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | -| ocsf.dst_endpoint.type_id | The network endpoint type ID. | integer | +| ocsf.dst_endpoint.type_id | The network endpoint type ID. | keyword | | ocsf.dst_endpoint.uid | The unique identifier of the endpoint. | keyword | | ocsf.dst_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.dst_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | @@ -1724,7 +1724,7 @@ This is the `Event` dataset. | ocsf.proxy_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | | ocsf.proxy_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | | ocsf.proxy_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | -| ocsf.proxy_endpoint.type_id | The network endpoint type ID. | integer | +| ocsf.proxy_endpoint.type_id | The network endpoint type ID. | keyword | | ocsf.proxy_endpoint.uid | The unique identifier of the endpoint. | keyword | | ocsf.proxy_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.proxy_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | 
@@ -1743,7 +1743,7 @@ This is the `Event` dataset.
 | ocsf.query_time | The Domain Name System (DNS) query time. | date |
 | ocsf.query_time_dt | The Domain Name System (DNS) query time. | date |
 | ocsf.raw_data | The event data as received from the event source. | flattened |
-| ocsf.raw_data_keyword | The event data as received from the event source. | keyword |
+| ocsf.raw_data_keyword | The event data as received from the event source. | match_only_text |
 | ocsf.rcode | The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source. | keyword |
 | ocsf.rcode_id | The normalized identifier of the DNS server response code. | keyword |
 | ocsf.relay.hostname | The hostname associated with the network interface. | keyword |
@@ -1780,7 +1780,7 @@ This is the `Event` dataset.
 | ocsf.resources.namespace | The namespace is useful when similar entities exist that you need to keep separate. | keyword |
 | ocsf.resources.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.resources.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.resources.owner.account.type_id | The normalized account type identifier. | integer |
+| ocsf.resources.owner.account.type_id | The normalized account type identifier. | keyword |
 | ocsf.resources.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.resources.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.resources.owner.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -1790,7 +1790,7 @@ This is the `Event` dataset.
 | ocsf.resources.owner.groups.name | The group name. | keyword |
 | ocsf.resources.owner.groups.privileges | The group privileges. | keyword |
 | ocsf.resources.owner.groups.type | The type of the group or account. | keyword |
-| ocsf.resources.owner.groups.type_id | The resource group type identifier. | integer |
+| ocsf.resources.owner.groups.type_id | The resource group type identifier. | keyword |
 | ocsf.resources.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword |
 | ocsf.resources.owner.ldap_person | The LDAP person object. | flattened |
 | ocsf.resources.owner.name | The username. For example, janedoe1. | keyword |
@@ -1799,12 +1799,12 @@ This is the `Event` dataset.
 | ocsf.resources.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword |
 | ocsf.resources.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword |
 | ocsf.resources.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.resources.owner.type_id | The account type identifier. | integer |
+| ocsf.resources.owner.type_id | The account type identifier. | keyword |
 | ocsf.resources.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.resources.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.resources.region | The cloud region of the resource. | keyword |
 | ocsf.resources.type | The resource type as defined by the event source. | keyword |
-| ocsf.resources.type_id | The resource type identifier. | integer |
+| ocsf.resources.type_id | The resource type identifier. | keyword |
 | ocsf.resources.uid | The unique identifier of the resource. | keyword |
 | ocsf.resources.version | The version of the resource. For example 1.2.3. | keyword |
 | ocsf.response.code | The numeric response sent to a request. | long |
@@ -1819,7 +1819,7 @@ This is the `Event` dataset.
 | ocsf.risk_score | The risk score as reported by the event source. | long |
 | ocsf.scan.name | The administrator-supplied or application-generated name of the scan. | keyword |
 | ocsf.scan.type | The type of scan. | keyword |
-| ocsf.scan.type_id | The type id of the scan. | integer |
+| ocsf.scan.type_id | The type id of the scan. | keyword |
 | ocsf.scan.uid | The application-defined unique identifier assigned to an instance of a scan. | keyword |
 | ocsf.schedule_uid | The unique identifier of the schedule associated with a scan job. | keyword |
 | ocsf.security_level | The current security level of the entity. | keyword |
@@ -1879,7 +1879,7 @@ This is the `Event` dataset.
 | ocsf.src_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword |
 | ocsf.src_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword |
 | ocsf.src_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword |
-| ocsf.src_endpoint.type_id | The network endpoint type ID. | integer |
+| ocsf.src_endpoint.type_id | The network endpoint type ID. | keyword |
 | ocsf.src_endpoint.uid | The unique identifier of the endpoint. | keyword |
 | ocsf.src_endpoint.vlan_uid | The Virtual LAN identifier. | keyword |
 | ocsf.src_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword |
@@ -1940,7 +1940,7 @@ This is the `Event` dataset.
 | ocsf.transaction_uid | The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair. | keyword |
 | ocsf.tree_uid | The tree id is a unique SMB identifier which represents an open connection to a share. | keyword |
 | ocsf.type | The type the event. | keyword |
-| ocsf.type_id | The normalized event type identifier. | integer |
+| ocsf.type_id | The normalized event type identifier. | keyword |
 | ocsf.type_name | The event type name, as defined by the type_uid. | keyword |
 | ocsf.type_uid | The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid \* 100 + activity_id. | keyword |
 | ocsf.unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | flattened |
@@ -1956,7 +1956,7 @@ This is the `Event` dataset.
 | ocsf.url.url_string | The URL string. See RFC 1738. | keyword |
 | ocsf.user.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.user.account.type_id | The normalized account type identifier. | integer |
+| ocsf.user.account.type_id | The normalized account type identifier. | keyword |
 | ocsf.user.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.user.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.user.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -1998,7 +1998,7 @@ This is the `Event` dataset.
 | ocsf.user.ldap_person.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword |
 | ocsf.user.ldap_person.manager.account.name | The name of the account (e.g. GCP Account Name). | keyword |
 | ocsf.user.ldap_person.manager.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.user.ldap_person.manager.account.type_id | The normalized account type identifier. | integer |
+| ocsf.user.ldap_person.manager.account.type_id | The normalized account type identifier. | keyword |
 | ocsf.user.ldap_person.manager.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword |
 | ocsf.user.ldap_person.manager.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword |
 | ocsf.user.ldap_person.manager.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword |
@@ -2013,7 +2013,7 @@ This is the `Event` dataset.
 | ocsf.user.ldap_person.manager.name | The username. For example, janedoe1. | keyword |
 | ocsf.user.ldap_person.manager.org.\* | Organization and org unit related to the user. | object |
 | ocsf.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.user.ldap_person.manager.type_id | The account type identifier. | integer |
+| ocsf.user.ldap_person.manager.type_id | The account type identifier. | keyword |
 | ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date |
@@ -2023,7 +2023,7 @@ This is the `Event` dataset.
 | ocsf.user.name | The username. For example, janedoe1. | keyword |
 | ocsf.user.org.\* | Organization and org unit related to the user. | object |
 | ocsf.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword |
-| ocsf.user.type_id | The account type identifier. | integer |
+| ocsf.user.type_id | The account type identifier. | keyword |
 | ocsf.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword |
 | ocsf.user.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.user_result.account.name | The name of the account (e.g. GCP Account Name). | keyword |
From 3ec9e2864878134ef816089749525fa747ec3197 Mon Sep 17 00:00:00 2001
From: Shourie Ganguly
Date: Mon, 21 Oct 2024 12:50:15 +0530
Subject: [PATCH 28/30] changed algorithm_id from integer to keyword type mapping
---
 .../fields/actor-fields.yml | 20 +++++++++----------
 .../discovery/fields/actor-fields.yml | 20 +++++++++----------
 .../data_stream/event/fields/actor-fields.yml | 20 +++++++++----------
 .../findings/fields/actor-fields.yml | 20 +++++++++----------
 .../data_stream/iam/fields/actor-fields.yml | 20 +++++++++----------
 .../network_activity/fields/actor-fields.yml | 20 +++++++++----------
 .../system_activity/fields/actor-fields.yml | 20 +++++++++----------
 packages/amazon_security_lake/docs/README.md | 20 +++++++++----------
 8 files changed, 80 insertions(+), 80 deletions(-)
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
index e5ebbdba302f..76096c38c9bb 100644
--- a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -321,7 +321,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
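Review bot: Retyping `algorithm_id` from `integer` to `keyword` in the `@@ -77` and `@@ -321` hunks changes how an OCSF numeric enum can be queried, and nothing in the hunk says so: numeric range or comparison clauses in saved searches and detection rules stop matching (a keyword term matches only the exact string), and sorts or terms aggregations on the field become lexicographic, so `10` orders before `2`. The description line still reads as if the value were an opaque identifier; I would extend it to `description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. Stored as a keyword holding the OCSF numeric enum code as a string; match it with exact terms rather than numeric ranges.` The diffstat lists no ingest pipeline and no changelog, so if the pipeline converts or compares `algorithm_id` numerically it presumably needs a matching change, and because a mapping type change only takes effect on new backing indices after rollover, this should land under the 2.0.0 entry added earlier in the series (confirm that is the intent).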
@@ -534,7 +534,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -561,7 +561,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -594,7 +594,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -675,7 +675,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -917,7 +917,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1128,7 +1128,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1155,7 +1155,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1188,7 +1188,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
index e5ebbdba302f..76096c38c9bb 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
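Review bot: The `discovery` `@@ -77` hunk is the same ten-line edit replayed on a byte-identical copy of `actor-fields.yml` (its `index e5ebbdba302f..76096c38c9bb` line matches the `application_activity` copy, and the diffstat lists five further copies), so the type of one OCSF field is maintained by hand in seven places. Any later edit that misses a copy leaves `algorithm_id` mapped as `integer` in one data stream and `keyword` in the others, and a query or aggregation across an index pattern spanning the package's data streams (such as `logs-amazon_security_lake.*`) then fails on that field with a type conflict. The `event` copy already carries a different blob id (`c27e46bc1b4c..03904b41c3a0`), so the copies have diverged at least once; what differs is not visible here. I would add a package-level test asserting that every data stream maps the shared actor fields with identical types, or generate the seven files from one source, rather than relying on a multi-file search-and-replace staying in sync.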
@@ -321,7 +321,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -534,7 +534,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -561,7 +561,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -594,7 +594,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -675,7 +675,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -917,7 +917,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1128,7 +1128,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1155,7 +1155,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1188,7 +1188,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
index c27e46bc1b4c..03904b41c3a0 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -321,7 +321,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -534,7 +534,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -561,7 +561,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -594,7 +594,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -675,7 +675,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -917,7 +917,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1128,7 +1128,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1155,7 +1155,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1188,7 +1188,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
index e5ebbdba302f..76096c38c9bb 100644
--- a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -321,7 +321,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -534,7 +534,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -561,7 +561,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -594,7 +594,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -675,7 +675,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -917,7 +917,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1128,7 +1128,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1155,7 +1155,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1188,7 +1188,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
index e5ebbdba302f..76096c38c9bb 100644
--- a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -321,7 +321,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -534,7 +534,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -561,7 +561,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -594,7 +594,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -675,7 +675,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -917,7 +917,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1128,7 +1128,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1155,7 +1155,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1188,7 +1188,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
index e5ebbdba302f..76096c38c9bb 100644
--- a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -321,7 +321,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -534,7 +534,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -561,7 +561,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -594,7 +594,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -675,7 +675,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -917,7 +917,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1128,7 +1128,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1155,7 +1155,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1188,7 +1188,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
index e5ebbdba302f..76096c38c9bb 100644
--- a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
+++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml
@@ -77,7 +77,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -321,7 +321,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -534,7 +534,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -561,7 +561,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -594,7 +594,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -675,7 +675,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -917,7 +917,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1128,7 +1128,7 @@
 type: keyword
 description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized digital signature algorithm.
 - name: certificate
 type: group
@@ -1155,7 +1155,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
@@ -1188,7 +1188,7 @@
 type: keyword
 description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.
 - name: algorithm_id
- type: integer
+ type: keyword
 description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint.
 - name: value
 type: keyword
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index b52c3e70296f..9e07f1b00fd4 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -115,7 +115,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.auid | The audit user assigned at login by the audit subsystem. | keyword |
 | ocsf.actor.process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword |
 | ocsf.actor.process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.container.hash.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.container.image.labels | The image labels. | keyword |
 | ocsf.actor.process.container.image.name | The image name. | keyword |
@@ -186,7 +186,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
 | ocsf.actor.process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.file.hashes.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
 | ocsf.actor.process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
@@ -247,13 +247,13 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
 | ocsf.actor.process.file.security_descriptor | The object security descriptor. | keyword |
 | ocsf.actor.process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | integer |
+| ocsf.actor.process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
 | ocsf.actor.process.file.signature.certificate.created_time | The time when the certificate was created. | date |
 | ocsf.actor.process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
 | ocsf.actor.process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
 | ocsf.actor.process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
 | ocsf.actor.process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
 | ocsf.actor.process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
@@ -264,7 +264,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.file.signature.created_time_dt | The time when the digital signature was created. | date |
 | ocsf.actor.process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
 | ocsf.actor.process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.file.signature.digest.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.file.size | The size of data, in bytes. | long |
 | ocsf.actor.process.file.type | The file type. | keyword |
@@ -287,7 +287,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.auid | The audit user assigned at login by the audit subsystem. | keyword |
 | ocsf.actor.process.parent_process.cmd_line | The full command line used to launch an application, service, process, or job. | keyword |
 | ocsf.actor.process.parent_process.container.hash.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.parent_process.container.hash.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.parent_process.container.hash.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.parent_process.container.image.labels | The image labels. | keyword |
 | ocsf.actor.process.parent_process.container.image.name | The image name. | keyword |
@@ -358,7 +358,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.creator.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword |
 | ocsf.actor.process.parent_process.file.desc | The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type. | keyword |
 | ocsf.actor.process.parent_process.file.hashes.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.parent_process.file.hashes.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.parent_process.file.hashes.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.parent_process.file.is_system | The indication of whether the object is part of the operating system. | boolean |
 | ocsf.actor.process.parent_process.file.mime_type | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. | keyword |
@@ -419,13 +419,13 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword |
 | ocsf.actor.process.parent_process.file.security_descriptor | The object security descriptor. | keyword |
 | ocsf.actor.process.parent_process.file.signature.algorithm | The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | integer |
+| ocsf.actor.process.parent_process.file.signature.algorithm_id | The identifier of the normalized digital signature algorithm. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.created_time | The time when the certificate was created. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.created_time_dt | The time when the certificate was created. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.expiration_time | The expiration time of the certificate. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.expiration_time_dt | The expiration time of the certificate. | date |
 | ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.fingerprints.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword |
 | ocsf.actor.process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword |
@@ -436,7 +436,7 @@ This is the `Event` dataset.
 | ocsf.actor.process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date |
 | ocsf.actor.process.parent_process.file.signature.developer_uid | The developer ID on the certificate that signed the file. | keyword |
 | ocsf.actor.process.parent_process.file.signature.digest.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
-| ocsf.actor.process.parent_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | integer |
+| ocsf.actor.process.parent_process.file.signature.digest.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
 | ocsf.actor.process.parent_process.file.signature.digest.value | The digital fingerprint value. | keyword |
 | ocsf.actor.process.parent_process.file.size | The size of data, in bytes. | long |
 | ocsf.actor.process.parent_process.file.type | The file type. | keyword |
From 06209ba02a64ae39f7c68be8d0cf63662b82c5ba Mon Sep 17 00:00:00 2001
From: Shourie Ganguly
Date: Mon, 21 Oct 2024 12:54:35 +0530
Subject: [PATCH 29/30] updated state_id mappings from integer to keyword
---
 .../data_stream/discovery/fields/fields.yml | 4 ++--
 .../event/_dev/test/pipeline/test-common-config.yml | 1 +
 .../data_stream/event/fields/misc-fields.yml | 4 ++--
 packages/amazon_security_lake/docs/README.md | 4 ++--
 4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
index 9f512626e38c..bfbe2228e057 100644
--- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
+++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml
@@ -221,7 +221,7 @@
 type: keyword
 description: The security state of the discovery.
 - name: state_id
- type: integer
+ type: keyword
 description: The security state of the managed entity.
 - name: raw_data
 type: flattened
@@ -243,7 +243,7 @@
 type: keyword
 description: The security state of the discovery.
 - name: state_id
- type: integer
+ type: keyword
 description: The security state of the managed entity.
 - name: severity
 type: keyword
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
index b7a4ac20d306..b990043214a2 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml
@@ -17,3 +17,4 @@ numeric_keyword_fields:
 - ocsf.dst_endpoint.type_id
 - ocsf.proxy_endpoint.type_id
 - ocsf.src_endpoint.type_id
+ - ocsf.security_states.state_id
diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
index 3e3226bdb23c..55a1bbb690d6 100644
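Review bot: The test-common-config.yml hunk adds only `ocsf.security_states.state_id` to `numeric_keyword_fields`, while this same commit remaps `ocsf.prev_security_states.state_id` to keyword as well (both misc-fields.yml hunks and the two README rows), so a test event that carries a numeric `prev_security_states.state_id` would be checked against a keyword mapping without the exemption. Add `  - ocsf.prev_security_states.state_id` next to the new entry, and check whether the discovery data stream's pipeline test config needs matching entries for the two `state_id` fields changed in fields.yml here. The discovery hunks also leave the description `The security state of the managed entity.` untouched; `description: The security state of the managed entity (OCSF enum value, stored as a string).` would tell query authors that the field is no longer numeric.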
--- a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml
@@ -37,7 +37,7 @@
 type: keyword
 description: The security state, normalized to the caption of the state_id value.
 - name: state_id
- type: integer
+ type: keyword
 description: The security state of the managed entity.
 - name: security_level
 type: keyword
@@ -53,7 +53,7 @@
 type: keyword
 description: The security state, normalized to the caption of the state_id value.
 - name: state_id
- type: integer
+ type: keyword
 description: The security state of the managed entity.
 # These fields are used to store misc information about an application activity category event.
 - name: command_uid
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index 9e07f1b00fd4..f1944de5df49 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -1665,7 +1665,7 @@ This is the `Event` dataset.
 | ocsf.port | The dynamic port established for impending data transfers. | long |
 | ocsf.precision | The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. | integer |
 | ocsf.prev_security_states.state | The security state, normalized to the caption of the state_id value. | keyword |
-| ocsf.prev_security_states.state_id | The security state of the managed entity. | integer |
+| ocsf.prev_security_states.state_id | The security state of the managed entity. | keyword |
 | ocsf.priority | The priority, normalized to the caption of the priority_id value. | keyword |
 | ocsf.priority_id | The priority, normalized to the ID of the priority_id value. | integer |
 | ocsf.privileges | The list of sensitive privileges, assigned to the new user session. | keyword |
@@ -1825,7 +1825,7 @@ This is the `Event` dataset.
 | ocsf.security_level | The current security level of the entity. | keyword |
 | ocsf.security_level_id | The current security level of the entity. | integer |
 | ocsf.security_states.state | The security state, normalized to the caption of the state_id value. | keyword |
-| ocsf.security_states.state_id | The security state of the managed entity. | integer |
+| ocsf.security_states.state_id | The security state of the managed entity. | keyword |
 | ocsf.server_hassh.algorithm | The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation. | keyword |
 | ocsf.server_hassh.fingerprint.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword |
 | ocsf.server_hassh.fingerprint.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword |
From 69b2f19fc0dcd18d4291fa1e3e2affcea7beee3b Mon Sep 17 00:00:00 2001
From: Shourie Ganguly
Date: Wed, 23 Oct 2024 17:39:49 +0530
Subject: [PATCH 30/30] addressed PR comments and updated pipelines, file names and field mappings accordingly
---
 .../test-application-activity.log-expected.json | 2 +-
 .../test/pipeline/test-discovery.log-expected.json | 2 +-
 .../test/pipeline/test-findings.log-expected.json | 2 +-
 .../_dev/test/pipeline/test-iam.log-expected.json | 2 +-
 .../test-network-activity.log-expected.json | 2 +-
 .../test-system-activity.log-expected.json | 2 +-
 .../elasticsearch/ingest_pipeline/default.yml | 5 ++++-
 ...actor-fields.yml => actor-fields-flattened.yml} | 0
 .../data_stream/event/fields/beats.yml | 14 ++++++++++----
 packages/amazon_security_lake/docs/README.md | 6 ++++--
 10 files changed, 24 insertions(+), 13 deletions(-)
 rename packages/amazon_security_lake/data_stream/event/fields/{actor-fields.yml => actor-fields-flattened.yml} (100%)
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
index 515227166387..7506f05dd7f7 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json
@@ -3065,4 +3065,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json
index cb6ffa1f004b..0a003b0f2c21 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json
@@ -1593,4 +1593,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
index 61c102599563..15c9895c1bb3 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json
@@ -2051,4 +2051,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json
index 0526d7bfb89e..8adb7dd20bbe 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json
@@ -441,4 +441,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
index 055845831cbd..6f294362b81f 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json
@@ -4234,4 +4234,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json
index 7a5d75f1c414..701072c46df1 100644
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json
@@ -5565,4 +5565,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index d5d8455fec40..8a553ded23de 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -1042,6 +1042,10 @@ processors:
 tag: remove_duplicate_custom_fields_from_malware_cves_array
 ignore_missing: true
 if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - remove:
+ field: aws
+ tag: remove_aws_fields
+ ignore_missing: true
 - remove:
 field:
 - ocsf.time
@@ -1382,7 +1386,6 @@ processors:
 - ocsf.url.scheme
 - ocsf.url.subdomain
 - ocsf.url.url_string
- - aws
 tag: remove_duplicate_custom_fields
 ignore_missing: true
 if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml
similarity index 100%
rename from packages/amazon_security_lake/data_stream/event/fields/actor-fields.yml
rename to packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml
diff --git a/packages/amazon_security_lake/data_stream/event/fields/beats.yml b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
index 4084f1dc7f51..e2a02e078e81 100644
--- a/packages/amazon_security_lake/data_stream/event/fields/beats.yml
+++ b/packages/amazon_security_lake/data_stream/event/fields/beats.yml
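Review bot: The new `remove` processor for `aws` (tag `remove_aws_fields`) has no `if:`, whereas the `- aws` entry it replaces sat in the `remove_duplicate_custom_fields` processor that is guarded by `ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))`, so `aws` is now dropped even when a user opts to keep duplicate custom fields. If that is deliberate because `aws` is input metadata rather than a copy of an `ocsf` field, a `description: aws holds input metadata, not duplicated OCSF data, so it is always dropped.` on the processor would stop the next reader from re-adding the guard; if it is not deliberate, the same `if:` line belongs on the new processor. Anything under `aws.*` that later processors still read would have to run before line 1042, which this hunk cannot show.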
@@ -1,6 +1,12 @@
-- name: input.type
+- description: Type of Filebeat input.
+ name: input.type
 type: keyword
- description: Type of filebeat input.
-- name: log.offset
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
 type: long
- description: Log offset.
+- description: Log message optimized for viewing in a log viewer.
+ name: event.message
+ type: text
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md
index f1944de5df49..f5ca56c338b8 100644
--- a/packages/amazon_security_lake/docs/README.md
+++ b/packages/amazon_security_lake/docs/README.md
@@ -90,9 +90,11 @@ This is the `Event` dataset.
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | event.dataset | Event dataset. | constant_keyword |
+| event.message | Log message optimized for viewing in a log viewer. | text |
 | event.module | Event module. | constant_keyword |
-| input.type | Type of filebeat input. | keyword |
-| log.offset | Log offset. | long |
+| input.type | Type of Filebeat input. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
 | ocsf.access_mask | The access mask in a platform-native format. | long |
 | ocsf.action | The normalized caption of action_id. | keyword |
 | ocsf.action_id | The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. | integer |
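Review bot: The rewritten beats.yml entries place `description` before `name`, while every other field definition touched by this patch series (actor-fields.yml, misc-fields.yml, the discovery fields.yml) is written as name, type, description, so this file now reads differently from its siblings; starting each entry with `- name:` keeps the four definitions consistent. `event.message` is mapped as `text`, which cannot be aggregated or used in a terms filter; if it is meant to hold the raw log line for display only, saying so, e.g. `description: Raw log line kept as free text for display in a log viewer.`, documents why it is not a keyword.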